Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature Request]: Enable auth for all locations (security opt-out) #3276

Closed
okryvoshapka-connyun opened this issue Oct 22, 2018 · 7 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@okryvoshapka-connyun
Copy link
Contributor

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

  • auth
  • auth_request
  • global

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

NGINX Ingress controller version:
0.19.0

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}`
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.7", GitCommit:"dd5e1a2978fd0b97d9b78e1564398aeea7e7fe92", GitTreeState:"clean", BuildDate:"2018-04-18T23:58:35Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

What happened:
We have several applications (~20) running in the cluster. Most of them need to be protected by external auth (all except UI).
We have a bouncer-service (deployed under the path /srv/bouncer/api/v1) who is responsible for checking the auth header (on /me endpoint).
Looks like that the only official way to protect all services is to protect every service (security opt-in), by adding annotation

nginx.ingress.kubernetes.io/auth-url: "http://bouncer-svc.default.svc.cluster.local:80/srv/bouncer/api/v1/me"

to every service's ingress.

We have found a way around to turn it into security opt-out concept by using snippets.
For nginx configuration we are using location-snippet:

controller:
  config:
    # external auth via bouncer on every location block
    location-snippet: |
      if ($service_name ~ (admin-ui|device-management|user-management|app-main|bouncer-app)) {
      	set $auth_check skip;
      }
      auth_request        /srv/bouncer/api/v1/me;

And for bouncer-ingress we are using annotation:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: bouncer-ingress
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
        internal;
        if ($auth_check = "skip") {
            return 200;
        }

What you expected to happen:
Would be nice to be able to set the global external auth to protect all the services at once with external auth using nginx-controller configuration.
Then the whole security can be handled very well in combination with no-auth-locations, presented in in #2243

Anything else we need to know:
Unfortunately the presented concept works only when enable-dynamic-configuration: "false" because of https://github.com/kubernetes/ingress-nginx/pull/2280/commits as in our case the external auth location is not an auto-generated locatiob block location = /_external-auth-Lv {}, but a normal one as for any other service with set $proxy_upstream_name "default-bouncer-svc-80";

@aledbf aledbf added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 25, 2018
@bsctl
Copy link

bsctl commented Nov 24, 2018

Hello, having the same requirement here. Thanks

@bsctl
Copy link

bsctl commented Nov 26, 2018

Hello, we worked around by creating a server-snippet

kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress
  namespace: default
  labels:
data:
  server-snippet: |
    auth_basic            "Local Users";
    auth_basic_user_file  /etc/auth/users;

hope this helps

@okryvoshapka-connyun
Copy link
Contributor Author

@Kalise, if you are interested, I have referenced a PR which solves this issue.

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 4, 2019
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 3, 2019
@okryvoshapka-connyun
Copy link
Contributor Author

/close

@k8s-ci-robot
Copy link
Contributor

@okryvoshapka-connyun: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Development

No branches or pull requests

5 participants