Nginx-ingress Kubernetes routing with basic authentication

Date: 2020-08-10 12:18:39

Tags: kubernetes kubernetes-ingress nginx-ingress

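I am unable to set up basic authentication on one of my paths. I want to protect the /auth path with basic authentication; all other paths should not require basic authentication. So I created two ingress files that point to the same backend: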

Non-auth ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

Auth ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: example-service
              servicePort: 4000

All secrets are set up correctly. What am I missing, and how can I make this work?

1 answer:

Answer 0 (score: 0)

Try creating another service for the backend that requires authentication:

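  1. main-ingress contains the spec for services that do not need authentication through nginx, e.g. example-service
  2. auth-ingress contains the spec for services that need authentication through nginx (basic in my case), e.g. auth-service.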

Your auth-ingress should look like:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: auth-service
              servicePort: <auth-service-port>

Additionally, you can try denying traffic to the /auth path in the first ingress, main-ingress.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location /auth {
        deny all;
      }
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

Take a look at: ingress-nginx-issues, kubernetes-ingress-network-deny-some-paths, kubernetes-ingress-nginx-re-write-does-not-match
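
One way to check the result after applying manifests like the ones above, as an added example that is not part of the original question or answer: it sends unauthenticated requests and reports any path whose response does not match the intended split. The host and /auth come from the manifests; the open paths `/` and `/status` and all helper names are assumptions made for illustration.

```python
import urllib.error
import urllib.request

BASE = "http://example.com"   # host from the manifests; ssl-redirect is "false", so plain HTTP answers
PROTECTED = ["/auth"]         # path auth-ingress is meant to guard
OPEN = ["/", "/status"]       # assumed sample of paths served by main-ingress


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a 3xx as-is instead of following it


def http_probe(url, timeout=5):
    """Unauthenticated GET; returns (status, WWW-Authenticate header value)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")


def audit(probe=http_probe, base=BASE, protected=PROTECTED, open_paths=OPEN):
    """Return findings; an empty list means only the protected paths ask for credentials."""
    findings = []
    for path in protected:
        status, challenge = probe(base + path)
        if status == 403:
            findings.append(f"{path}: 403, access denied (for example by a deny rule) "
                            "rather than a basic-auth challenge")
        elif status != 401:
            findings.append(f"{path}: expected 401 without credentials, got {status}")
        elif not challenge.lower().startswith("basic"):
            findings.append(f"{path}: 401 but challenge is {challenge!r}, not Basic")
    for path in open_paths:
        status, _ = probe(base + path)
        if status in (401, 403):
            findings.append(f"{path}: expected to be reachable without credentials, got {status}")
    return findings


if __name__ == "__main__":
    problems = audit()
    print("\n".join(problems) if problems else "OK: only the protected path demands credentials")
```

A 200 on /auth means the request reached the backend without a challenge, which is the outcome the question describes.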