我正在尝试使用Traefik作为Ingress控制器在Nginx示例上配置基本身份验证。
我只是在Kubernetes的秘密上创建秘密"mypasswd"
。
这是我正在使用的Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginxingress
annotations:
ingress.kubernetes.io/auth-type: basic
ingress.kubernetes.io/auth-realm: traefik
ingress.kubernetes.io/auth-secret: mypasswd
spec:
rules:
- host: nginx.mycompany.com
http:
paths:
- path: /
backend:
serviceName: nginxservice
servicePort: 80
我检查了Traefik仪表板,看来,如果我访问nginx.mycompany.com,我可以查看Nginx网页,但没有基本身份验证。
这是我的nginx部署:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 3
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.7.9
ports:
- containerPort: 80
Nginx服务:
apiVersion: v1
kind: Service
metadata:
labels:
name: nginxservice
name: nginxservice
spec:
ports:
# The port that this service should serve on.
- port: 80
# Label keys and values that must match in order to receive traffic for this service.
selector:
app: nginx
type: ClusterIP
答案 0 :(得分:11)
使用基本身份验证很受欢迎。参考Kubernetes documentation,您应该能够使用以下步骤保护对Traefik的访问:
htpasswd
工具创建身份验证文件。系统会要求您输入密码:htpasswd -c ./auth
kubectl
使用htpasswd
创建的文件在监控命名空间中创建一个秘密。kubectl创建秘密通用mysecret --from-file auth --namespace =监测
ingress.kubernetes.io/auth-type:“basic”
ingress.kubernetes.io/auth-secret:"mysecret“
因此,基本身份验证的完整示例配置可能如下所示:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: prometheus-dashboard
namespace: monitoring
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: "basic"
ingress.kubernetes.io/auth-secret: "mysecret"
spec:
rules:
- host: dashboard.prometheus.example.com
http:
paths:
- backend:
serviceName: prometheus
servicePort: 9090
kubectl create -f prometheus-ingress.yaml -n monitoring
这应该没有任何问题。