Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Traefik Forward Authentication in k8s ingress controller

Hello I tried looking at the auth options in the annotations for kubernetes traefik ingress. I couldn't find anything where I could configure Forward Authentication as documented here: https://docs.traefik.io/configuration/entrypoints/#forward-authentication

I would like to be able to configure forward authentication per ingress resource. This is possible in the nginx ingress controller.

Is that supported currently?

like image 263
Benjamin Hammer Nørgaard Avatar asked Jun 21 '18 09:06

Benjamin Hammer Nørgaard


People also ask

Is Traefik an ingress controller?

The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say, it manages access to cluster services by supporting the Ingress specification.

What is forward Auth?

The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed. Otherwise, the response from the authentication server is returned.

What is Svclb Traefik?

Klipper then creates a DaemonSet called svclb-traefik , which creates a pod on each node to act as a proxy to the service. Each of these pods is accessible from the node's external IP address, and exposes ports 80 and 443 , which map to the respective ports on the service.


1 Answers

According to the Traefik documentation that feature will be available in version 1.7 of Traefik (currently a release candidate).

Here is a link to the authentication documentation

My guess is that you will need to add the following 2 annotations:

ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: https://example.com

and probably also the following annotation with the corresponding header fields your auth service returns as value:

ingress.kubernetes.io/auth-response-headers: X-Auth-User, X-Secret
like image 145
BeWu Avatar answered Oct 13 '22 13:10

BeWu