I configured authentication through nginx to a specific service in k8s.
It works fine with WUI.
I saw some examples.
This works fine too:
curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'
But I need to close another part of my URL the same way.
For example /api/v1/upload
I deployed a 2nd ingress with path:
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: service
          servicePort: 8000
        path: /api/v1/upload
Without nginx I have to type:
curl -X POST -F 'file=@/file' http://10.2.29.4:8000/api/v1/upload -H "Authorization:key"
How do I need to use curl to hide the real IP or port and get a good result?
I would really appreciate if you could help me figure it out.
ingress1:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf
  namespace: default
  labels:
    app: mobsf
    # env: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mobsf-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - path: /
      - backend:
          serviceName: mobsf
          servicePort: 8000
Ingress 2:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf2
  namespace: default
  labels:
    app: mobsf2
    # env: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mobsf-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - backend:
          serviceName: mobsf2
          servicePort: 8000
        path: /api/v1/
DNS check (correct):
nslookup worker1.mydomain.local
Server: 10.2.67.10
Address: 10.2.67.10#53
Name: worker1.mydomain.local
Address: 10.2.67.203
Services:
kubectl get svc
NAME            TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP      10.233.0.1      <none>        443/TCP          159d
minio-service   LoadBalancer   10.233.32.19    <pending>     9001:30809/TCP   104d
mobsf           NodePort       10.233.18.34    <none>        8000:30426/TCP   8d
vault           NodePort       10.233.43.134   <none>        8200:30820/TCP   69
Ing:
kubectl get ing
NAME     HOSTS                  ADDRESS   PORTS   AGE
mobsf    worker1.dev002.local             80      2d1h
mobsf2   worker1.dev002.local             80      23h
In bare metal installations it is not possible to use Ingress and LoadBalancer services by default. You can't get an EXTERNAL-IP, as displayed in the outputs that you provided.
The first curl command you provided shows that you are using your service mobsf as NodePort, which means you are able to reach your application by typing the IP of your node + port like this http://<NODE_IP>:8080, but without authentication since you are not accessing the server through the ingress.
Here are all the service types and how they work:
ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.
NodePort: Exposes the Service on each Node's IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
LoadBalancer: Exposes the Service externally using a cloud provider's load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.
The Nginx docs show how to set up MetalLB to allow your bare metal cluster to use LoadBalancer Services.
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.
Basically, the setup is easy:
kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.8.3/manifests/metallb.yaml
And then create a ConfigMap to configure it (edit the IP range according to your network):
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250  # <= EDIT IP RANGE
Check the installation by typing kubectl get pods -n metallb-system; this is an expected output:
$ kubectl get pods -n metallb-system
NAME                          READY   STATUS    RESTARTS   AGE
controller-65895b47d4-6wzfr   1/1     Running   0          9d
speaker-v52xj                 1/1     Running   0          9d
After MetalLB is installed and configured, you should be able to use your Ingress and LoadBalancer services.
Here is an example of how to set up a Service (ClusterIP) and Ingress:
apiVersion: v1
kind: Service
metadata:
  name: mobsf
spec:
  selector:
    app: mobsf
  ports:
  - protocol: TCP
    port: 8000
    targetPort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf-ing
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - path: "/"
        backend:
          serviceName: mobsf
          servicePort: 8000
      - path: "/api/v1"
        backend:
          serviceName: mobsf
          servicePort: 8000  # must be a port the Service above exposes
Check your ingress with the command kubectl get ing and look in the EXTERNAL-IP column.
After that, make sure you configure in your local DNS an entry for worker1.mydomain.local pointing to the IP above.
Please let me know if that helped.
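
As an added example (not part of the original question or answer): a small Python lint over the objects shown on this page. It flags Ingress paths that route nowhere, backends that name a Service or port that does not exist, and auth-protected Services that stay reachable on a node port without passing through the ingress. The simplified Service dict layout and the finding names are assumptions made for the example.

```python
AUTH = "nginx.ingress.kubernetes.io/auth-type"

def ingress(name, paths):
    """Minimal extensions/v1beta1 Ingress as a dict (constructed sample)."""
    return {"metadata": {"name": name, "annotations": {AUTH: "basic"}},
            "spec": {"rules": [{"host": "worker1.mydomain.local",
                                "http": {"paths": paths}}]}}

# Constructed from the question's manifests and `kubectl get svc` output.
# Simplified Service model (an assumption): {name: {type, ports: {port: nodePort}}}
SERVICES = {"mobsf": {"type": "NodePort", "ports": {8000: 30426}}}
INGRESSES = [
    ingress("mobsf", [{"path": "/"},  # as posted: path and backend are split
                      {"backend": {"serviceName": "mobsf", "servicePort": 8000}}]),
    ingress("mobsf2", [{"path": "/api/v1/",
                        "backend": {"serviceName": "mobsf2", "servicePort": 8000}}]),
]

def lint(ingresses, services):
    """Return (object, finding, detail) tuples for routing and auth gaps."""
    findings, protected = [], set()
    for ing in ingresses:
        name = ing["metadata"]["name"]
        has_auth = AUTH in ing["metadata"].get("annotations", {})
        for rule in ing["spec"]["rules"]:
            for p in rule["http"]["paths"]:
                backend = p.get("backend")
                if backend is None:  # a path entry that routes nowhere
                    findings.append((name, "path-without-backend", p.get("path")))
                    continue
                svc = services.get(backend["serviceName"])
                if svc is None:
                    findings.append((name, "unknown-service", backend["serviceName"]))
                elif backend["servicePort"] not in svc["ports"]:
                    findings.append((name, "port-not-exposed", backend["servicePort"]))
                elif has_auth:
                    protected.add(backend["serviceName"])
    # Basic auth is enforced by the ingress controller only: a Service that is
    # also published on a node port can be reached without passing through it.
    for svc_name in sorted(protected):
        svc = services[svc_name]
        if svc["type"] in ("NodePort", "LoadBalancer"):
            for node_port in svc["ports"].values():
                findings.append((svc_name, "reachable-without-ingress-auth", node_port))
    return findings

if __name__ == "__main__":
    for finding in lint(INGRESSES, SERVICES):
        print(*finding)
```

Switching the Service to ClusterIP, as in the answer's manifest, clears the last finding because the only remaining route to the pod is the auth-annotated Ingress.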