Ingress annotations only for a specific path

0

Hi,

I have this ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "oidc-ingress"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300
    external-dns.alpha.kubernetes.io/hostname: example.com
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://login.microsoftonline.com/some-id/v2.0","authorizationEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/authorize","tokenEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/token","userInfoEndpoint":"https://graph.microsoft.com/oidc/userinfo","secretName":"aws-alb-secret"}'
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: ssl-redirect
            port: 
              name: use-annotation
      - pathType: Prefix
        path: /jenkins
        backend:
          service:
            name: jenkins
            port: 
              number: 8080
      - pathType: Prefix
        path: /
        backend:
          service:
            name: apache
            port: 
              number: 80

If I kubectl appy this Ingress config it will apply annotations to all routing rules, which means:

/*
/jenkins
/jenkins/*

I would like to apply OIDC annotations only for the Jenkins rules, it means:

  1. If I open https://example.com it will be available to everyone.
  2. If I open https://example.com/jenkins, it will redirect me to OIDC auth page.

I can do this manually through AWS console when I remove authenticate rule from /* and leave it for /jenkins/* only.

However I would like to achieve this through Ingress annotations to be able to automate this process.

Please how can I do this?

Thanks for your help.

asked 2 years ago4194 views
2 Answers
1
Accepted Answer

Hi, you should divide into several Ingresswith group annotation. You may want to refer this link

Test it like below!

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "base"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300
    external-dns.alpha.kubernetes.io/hostname: example.com
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: ssl-redirect
            port: 
              name: use-annotation
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "jenkins"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/group.order: 10
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://login.microsoftonline.com/some-id/v2.0","authorizationEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/authorize","tokenEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/token","userInfoEndpoint":"https://graph.microsoft.com/oidc/userinfo","secretName":"aws-alb-secret"}'
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /jenkins
        backend:
          service:
            name: jenkins
            port: 
              number: 8080
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "default"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/group.order: 20
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: apache
            port: 
              number: 80
profile picture
EXPERT
answered 2 years ago
  • Thank you very much! it's working. In case someone in future will try this, I only mention here, that every group must have this annonation as well: kubernetes.io/ingress.class: alb.

0

I would like to ask you, what's your opinion on this OIDC solution in terms of the security? Do you think it's secure to have such an ALB with inbound rules: 0.0.0.0/0 and restrict the paths, which I want to have private with OIDC auth only?

I and my colleagues work from different places, so it would be NOT possible to restrict the inbound rules with some specific IP addresses. We usually don't have a public static IP and we don't like an approach to connect to VPN which could provide us a public static IP address, that we could add to the inbound rules of the ALB.

I know there's an option to use this annotation : alb.ingress.kubernetes.io/scheme: internal, instead of internet-facing, but I'm not sure whether I can use this option for my use case and without a VPN access.

Thanks for your opinions.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions