Hi, you should divide it into several Ingress resources with the group annotation. You may want to refer to this link. Test it like below!
# Ingress 1: carries the load balancer settings for group "example" and the HTTP -> HTTPS redirect
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "base"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300
    external-dns.alpha.kubernetes.io/hostname: example.com
spec:
  rules:
    - http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: ssl-redirect
                port:
                  name: use-annotation
---
# Ingress 2: /jenkins, evaluated first (group.order 10) and protected by ALB OIDC authentication
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "jenkins"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/group.order: "10"   # annotation values must be strings, so quote the number
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://login.microsoftonline.com/some-id/v2.0","authorizationEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/authorize","tokenEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/token","userInfoEndpoint":"https://graph.microsoft.com/oidc/userinfo","secretName":"aws-alb-secret"}'
spec:
  rules:
    - http:
        paths:
          - pathType: Prefix
            path: /jenkins
            backend:
              service:
                name: jenkins
                port:
                  number: 8080
---
# Ingress 3: public catch-all, evaluated after the authenticated rules (group.order 20)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "default"
  annotations:
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/group.order: "20"
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  rules:
    - http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: apache
                port:
                  number: 80
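The split above only protects /jenkins as long as no rule without auth is evaluated before it. The following added check (my example, not code from the answer or from the AWS Load Balancer Controller) audits the merged rules of an IngressGroup for that mistake; it assumes the controller's documented ordering (lower group.order first, default 0), approximates Prefix matching, and uses constructed dicts that mirror the three manifests instead of parsing YAML.

```python
import json

AUTH = "alb.ingress.kubernetes.io/auth-type"
ORDER = "alb.ingress.kubernetes.io/group.order"
PORTS = "alb.ingress.kubernetes.io/listen-ports"

def ingress(name, path, service, order=None, auth=False, ports='[{"HTTPS":443}]', action=False):
    """Build a minimal Ingress dict (constructed test data mirroring the manifests above)."""
    ann = {"kubernetes.io/ingress.class": "alb",
           "alb.ingress.kubernetes.io/group.name": "example", PORTS: ports}
    if order is not None:
        ann[ORDER] = str(order)          # annotation values must be strings
    if auth:
        ann[AUTH] = "oidc"
    port = {"name": "use-annotation"} if action else {"number": 8080}
    return {"metadata": {"name": name, "annotations": ann},
            "spec": {"rules": [{"http": {"paths": [{"pathType": "Prefix", "path": path,
                     "backend": {"service": {"name": service, "port": port}}}]}}]}}

GROUP = [  # the three Ingresses from the answer: redirect, OIDC-protected Jenkins, public default
    ingress("base", "/", "ssl-redirect", ports='[{"HTTP": 80}, {"HTTPS":443}]', action=True),
    ingress("jenkins", "/jenkins", "jenkins", order=10, auth=True),
    ingress("default", "/", "apache", order=20),
]

def _covers(prefix, path):
    """Approximation of ALB Prefix matching: does a rule for `prefix` also catch `path`?"""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def audit_group(ingresses, port=443):
    """Findings for listener `port`: rules without ALB auth evaluated before an OIDC rule they cover."""
    rules = []
    for ing in ingresses:
        ann = ing["metadata"].get("annotations", {})
        if not any(port in p.values() for p in json.loads(ann.get(PORTS, "[]"))):
            continue  # this Ingress contributes no rules to the listener under review
        order = int(ann.get(ORDER, "0"))  # controller default when group.order is absent
        authed = ann.get(AUTH, "none") != "none"
        for rule in ing["spec"]["rules"]:
            for p in rule["http"]["paths"]:
                action = p["backend"]["service"]["port"].get("name") == "use-annotation"
                rules.append((order, ing["metadata"]["name"], p["path"], authed, action))
    rules.sort(key=lambda r: r[0])  # lower group.order is evaluated first by the ALB
    findings = []
    for i, (_, name, path, authed, action) in enumerate(rules):
        if authed or action:  # redirect actions send nothing to a backend
            continue
        for _, lname, lpath, lauthed, _ in rules[i + 1:]:
            if lauthed and _covers(path, lpath):
                findings.append(f"{name} {path} shadows OIDC-protected {lpath} in {lname}")
    return findings
```

With the three manifests as given the audit returns no findings; adding a constructed unauthenticated `/` Ingress with group.order 5 makes it report that /jenkins is shadowed.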
I would like to ask you, what's your opinion on this OIDC solution in terms of security? Do you think it's secure to have such an ALB with inbound rules 0.0.0.0/0 and restrict the paths which I want to have private with OIDC auth only?

My colleagues and I work from different places, so it would NOT be possible to restrict the inbound rules to some specific IP addresses. We usually don't have a public static IP, and we don't like the approach of connecting to a VPN which could provide us a public static IP address that we could add to the inbound rules of the ALB.

I know there's an option to use the annotation alb.ingress.kubernetes.io/scheme: internal instead of internet-facing, but I'm not sure whether I can use this option for my use case without VPN access.

Thanks for your opinions.
Thank you very much! It's working. In case someone tries this in future, I only mention here that every group must have this annotation as well: kubernetes.io/ingress.class: alb.