Nginx作为kubernetes的身份验证代理

时间:2018-05-28 05:36:51

标签: nginx kubernetes

我正在尝试将nginx设置为kubernetes的身份验证代理。身份验证端点正在以逗号分隔的单个标头中返回用户的所有组(X-Groups = Group1,Group2)。但是kubernetes希望每个小组都在一个单独的标题中。如何用逗号分割此标头值并使用相同的标题名称添加每个值?

以下是nginx服务器块(这是一个自包含的示例,它调用虚拟端点而不是k8s api来验证代理是否正在传递正确的标头)

server {
    listen  80 default_server;

    location /backend {
            default_type application/json;
            return 200 '{"user": "$http_x_remote_user", "groups", "$http_x_remote_groups"}';
    }
}

server {
    listen  443 ssl default_server;

    location / {
        auth_request /_auth;

        auth_request_set $user $upstream_http_x_user;
        auth_request_set $groups $upstream_http_x_groups;

        proxy_pass http://localhost/backend;
        proxy_set_header X-Remote-User $user;
        proxy_set_header X-Remote-Groups $groups; # instead of this line I want to put some code which iterates on $groups variable value and add X-Remote-Group header for each of the value
    }

    location /_auth {
        internal;

        proxy_pass http://authentication_endpoint/login; # this returns X-User and X-Groups headers with a 200 status code for successful authentication)
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header X-Remote-User $ssl_client_s_dn;
    }

    ssl_certificate_key "/certs/server.key";
    ssl_certificate "/certs/server.crt";

    # this is required for verifying client certificate
    ssl_verify_client       on;
    ssl_client_certificate "/certs/ca.crt";

    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
 }

2 个答案:

答案 0 :(得分:0)

尝试查看kube-rbac-proxy。它有几个选项可能对您的情况非常有用:

$ kube-rbac-proxy -h 
Usage of _output/linux/amd64/kube-rbac-proxy: 
...
      --auth-header-groups-field-name string        The name of the field inside an http(2) request header to tell the upstream server about the user's groups (default "x-remote-groups")
      --auth-header-groups-field-separator string   The separator string used for concatenating multiple group names in a group header field's value (default "|")  
...

可以找到其用法示例和YAML清单here

答案 1 :(得分:0)

检查ca.crt,您可能有复制/粘贴错误。如果不正确,nginx将默默地忽略您的客户证书。有了适当的CA,k8s对我来说可以正常工作,并通过$ ssl_client_s_dn也可以。

相关问题
最新问题