GKE Ingress Basic Authentication (ingress.kubernet

2019-06-23 03:39发布

I'm trying to get a GKE ingress to require basic auth like this example from github.

The ingress works fine. It routes to the service. But the authentication isn't working. Allows all traffic right through. Has GKE not rolled this feature out yet? Something obviously wrong in my specs?

Here's the ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: super-ingress
  annotations:
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: zzz.host.com
    http:
      paths:
      - backend:
          serviceName: super-service
          servicePort: 9000
        path: /*

And the basic-auth secret:

$ kubectl get secret/basic-auth -o yaml

apiVersion: v1
data:
  auth: XXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  creationTimestamp: 2016-10-03T21:21:52Z
  name: basic-auth
  namespace: default
  resourceVersion: "XXXXX"
  selfLink: /api/v1/namespaces/default/secrets/basic-auth
  uid: XXXXXXXXXXX
type: Opaque

Any insights are greatly appreciated!

2条回答
我想做一个坏孩纸
2楼-- · 2019-06-23 04:08
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-realm: Authentication Required - foo
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/backends: '{"k8s-be-30972--96da70c6fd3c641b":"HEALTHY","k8s-be-31046--96da70c6fd3c641b":"HEALTHY","k8s-be-31655--96da70c6fd3c641b":"HEALTHY"}'
    ingress.kubernetes.io/forwarding-rule: k8s-fw-default-fanout-ingress--96da70c6fd3c641b
    ingress.kubernetes.io/target-proxy: k8s-tp-default-fanout-ingress--96da70c6fd3c641b
    ingress.kubernetes.io/url-map: k8s-um-default-fanout-ingress--96da70c6fd3c641b
  creationTimestamp: 2019-05-30T21:28:34Z
  generation: 1
  name: fanout-ingress
  namespace: default
  resourceVersion: "31579511"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/fanout-ingress
  uid: e1477897-8321-11e9-a171-42010a800166
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: web
          servicePort: 8080
        path: /*
      - backend:
          serviceName: web2
          servicePort: 8080
        path: /v2/*
status:
  loadBalancer:
    ingress:
    - ip: *****```
查看更多
放荡不羁爱自由
3楼-- · 2019-06-23 04:12

The example you linked to is for nginx ingress controller. GKE uses GLBC, which doesn't support auth.

You can deploy an nginx ingress controller in your gke cluster. Note that you need to annotate your ingress to avoid the GLBC claiming the ingress. Then you can expose the nginx controller directly, or create a glbc ingress to redirect traffic to the nginx ingress (see this snippet written by bprashanh).

查看更多
登录 后发表回答