Nginx ingress controller authentication not working
I am running a GKE cluster (v1.16.15gke.4300) and nginx ingress authentication is failing. The snippet below is for external oauth2 authentication, but even basic authentication does not work. It looks like nginx is completely ignoring these annotations.
The oauth2 proxy using the Google API actually works fine, but nginx does not include the auth configuration in its own config. I can easily check this on the nginx pods: there is no auth section there.
nginx ingress controller:
repoURL: 'https://helm.nginx.com/stable'
targetRevision: 0.6.1
version: nginx/1.19.2
Live manifest of the oauth2-protected ingress service:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-signin: https://oauth2.####.net/oauth2/start?rd=$escaped_request_uri
    ingress.kubernetes.io/auth-url: https://oauth2.####.net/oauth2/auth
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":##########}
  creationTimestamp: "####"
  finalizers:
  - networking.gke.io/ingress-finalizer-V2
  generation: 1
  labels:
    argocd.argoproj.io/instance: k8s-default
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  resourceVersion: "22174124"
  selfLink: /apis/extensions/v1beta1/namespaces/kubernetes-dashboard/ingresses/dashboard-ingress
  uid: 34263f6b-6818-403f-####-4c6acb196c49
spec:
  rules:
  - host: dashboard.###.net
    http:
      paths:
      - backend:
          serviceName: kdashboard-kubernetes-dashboard
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - dashboard.###.net
    secretName: reflect-certificate-secret-internal
status:
  loadBalancer:
    ingress:
    - ip: ##.##.##.##
When I run a request against the service I never get a 403/401:
curl -I 'https://dashboard.###.net/'
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Mon, 14 Dec 2020 19:50:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1272
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: no-store
Last-Modified: Mon, 22 Jun 2020 14:25:00 GMT
Edit:
Based on the information you provided, it seems you are using the Nginxinc Ingress Controller and not the NGINX Ingress Controller, which are not the same. Nginxinc Ingress Controller is different from the NGINX Ingress Controller in the kubernetes/ingress-nginx repo and also different from the default GKE Ingress Controller. The main difference that would affect your use case is that they all use different annotations, and those annotations can only be satisfied by the proper Controller. You can find the key differences between the ones mentioned above here and here.
Below are some useful docs/guides:
External OAUTH Authentication: the auth-url and auth-signin annotations allow you to use an external authentication provider to protect your Ingress resources.
Securing your website with OAuth2 using NGINX Ingress Controller: NGINX Ingress Controller can be used with oauth2_proxy to enable many OAuth providers such as Google, GitHub, etc.
To summarize:
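As an added check (example code written here, not from the question or the answer): given the Helm repoURL from the question and an Ingress manifest, flag auth-* annotations that the installed controller family does not read, which is exactly the situation in which the dashboard ends up served with a 200 and no authentication. The prefix table (nginx.org/ for NGINX Inc's controller, nginx.ingress.kubernetes.io/ for kubernetes/ingress-nginx), the repository-host mapping, the controller labels and the example host are assumptions drawn from those projects' conventions, not from the page.

```python
"""Audit Ingress manifests for auth annotations the deployed controller ignores."""
from typing import Dict, List
from urllib.parse import urlparse

# Annotation prefix each controller family reads (labels chosen here, assumed table).
CONTROLLER_PREFIXES = {
    "nginx-inc": "nginx.org/",                        # nginxinc/kubernetes-ingress (helm.nginx.com)
    "ingress-nginx": "nginx.ingress.kubernetes.io/",  # kubernetes/ingress-nginx
}
# Helm chart repository host -> controller family it installs (assumed mapping).
REPO_HOSTS = {"helm.nginx.com": "nginx-inc", "kubernetes.github.io": "ingress-nginx"}


def controller_from_repo(repo_url: str) -> str:
    """Map a Helm repoURL to the controller family it installs."""
    host = urlparse(repo_url).netloc.lower()
    if host not in REPO_HOSTS:
        raise ValueError(f"unknown chart repository: {repo_url}")
    return REPO_HOSTS[host]


def ignored_auth_annotations(ingress: Dict, controller: str) -> List[str]:
    """Return auth-* annotation keys that `controller` will not act on.

    A controller only honours annotations under its own prefix; an auth-*
    annotation under any other prefix is dropped and the host is served open.
    """
    prefix = CONTROLLER_PREFIXES[controller]
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    return sorted(
        key for key in annotations
        if key.rsplit("/", 1)[-1].startswith("auth-") and not key.startswith(prefix)
    )


# Constructed manifest mirroring the question's Ingress (host replaced by example.net).
SAMPLE_INGRESS = {
    "metadata": {
        "name": "dashboard-ingress",
        "annotations": {
            "ingress.kubernetes.io/auth-signin": "https://oauth2.example.net/oauth2/start?rd=$escaped_request_uri",
            "ingress.kubernetes.io/auth-url": "https://oauth2.example.net/oauth2/auth",
        },
    },
}

if __name__ == "__main__":
    ctl = controller_from_repo("https://helm.nginx.com/stable")
    for key in ignored_auth_annotations(SAMPLE_INGRESS, ctl):
        print(f"{ctl} ignores {key}: backend reachable without authentication")
```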