Why Authenticate NGINX with LDAP?
If you want to add user authentication to an application hosted on Kubernetes, the LDAP protocol can be used for it. By following the steps below, you can ensure that only authorized users can reach the host server or application.
Although this blog is generic for any host server, open source Spinnaker users in particular will find it handy to secure their application with NGINX and LDAP. Restricting all unauthorized access reduces the exposure of your website and servers.
Note:
You can use either an open source LDAP server or a customized LDAP server to authenticate user identities.
Prerequisites for securing host servers with LDAP:
- Kubernetes cluster
- NGINX ingress controller configured with a host
- OpenLDAP or a custom LDAP server
It involves four steps:
- Create a namespace for the daemon-related resources.
- Deploy the bitnami LDAP auth daemon deployment and service in that namespace.
- Add the recommended annotation to the ingress resource.
- Create the NGINX LDAP proxy ingress that routes the authentication calls to the daemon.
Step 1:
First, create a namespace for the daemon-related resources (for example, nginx-ldap-proxy) with the following command:
kubectl create namespace <namespace>
Step 2:
Then create the bitnami LDAP auth daemon deployment and service using the YAML below, in the namespace created in the previous step.
Note that this is a one-time step, irrespective of the number of hosts.
The sample deployment and service YAML look like this:
Deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.kompose.service: nginx-ldap
  name: nginx-ldap
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: nginx-ldap
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        io.kompose.service: nginx-ldap
    spec:
      containers:
      - image: bitnami/nginx-ldap-auth-daemon
        env:
        - name: NGINXLDAP_LDAP_URI
          value: "ldaps://ldapaddress:636" # a custom LDAP server can be used here as well
        - name: NGINXLDAP_LDAP_BASE_DN
          value: "ou=users,dc=opsmx,dc=com"
        - name: NGINXLDAP_LDAP_BIND_DN
          value: "cn=binddn,dc=opsmx,dc=com"
        - name: NGINXLDAP_LDAP_BIND_PASSWORD
          value: "************"
        - name: NGINXLDAP_LDAP_FILTER
          value: "(uid=%(username)s)"
        imagePullPolicy: Always
        name: nginx-ldap
        ports:
        - containerPort: 8888
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
Service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: nginx-ldap
spec:
  ports:
  - name: "8888"
    port: 8888
    protocol: TCP
    targetPort: 8888
  selector:
    io.kompose.service: nginx-ldap
  sessionAffinity: None
  type: ClusterIP
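In the Deployment above the LDAP bind password is written into the manifest as a literal value, so it ends up in version control and is visible to anyone who can read Deployments in the namespace. As an added example that is not part of the original post, here is the same deployment with the password moved into a Kubernetes Secret and injected through secretKeyRef. The Secret name ldap-bind-credentials, its key bind-password and the namespace nginx-ldap-proxy are assumed names chosen for this illustration; the environment variable names are the ones the post uses, and the kompose-generated defaults have been dropped to keep the manifest short.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ldap-bind-credentials   # assumed name, chosen for this example
  namespace: nginx-ldap-proxy   # the namespace created in step 1 (assumed)
type: Opaque
stringData:
  bind-password: "REPLACE-ME"   # placeholder; supply the real value out of band
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ldap
  namespace: nginx-ldap-proxy
  labels:
    io.kompose.service: nginx-ldap
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: nginx-ldap
  template:
    metadata:
      labels:
        io.kompose.service: nginx-ldap
    spec:
      containers:
      - name: nginx-ldap
        image: bitnami/nginx-ldap-auth-daemon
        imagePullPolicy: Always
        env:
        - name: NGINXLDAP_LDAP_URI
          value: "ldaps://ldapaddress:636"      # LDAP over TLS, as in the post
        - name: NGINXLDAP_LDAP_BASE_DN
          value: "ou=users,dc=opsmx,dc=com"
        - name: NGINXLDAP_LDAP_BIND_DN
          value: "cn=binddn,dc=opsmx,dc=com"
        - name: NGINXLDAP_LDAP_BIND_PASSWORD
          # Read from the Secret instead of a literal in the manifest.
          valueFrom:
            secretKeyRef:
              name: ldap-bind-credentials
              key: bind-password
        - name: NGINXLDAP_LDAP_FILTER
          value: "(uid=%(username)s)"
        ports:
        - containerPort: 8888
          protocol: TCP
```

In practice, create the Secret separately (for example with kubectl create secret generic from a file or literal) and commit only the Deployment, so the real bind password never sits in a manifest. After applying, kubectl get deployment nginx-ldap -o yaml should show only the secretKeyRef, not the password itself.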
Note:
Every new host requires LDAP authentication. For that, add the recommended ingress annotation below.
Step 3:
Add the following annotation to the ingress resource:
nginx.ingress.kubernetes.io/auth-url: https://$host/auth-proxy
Step 4:
For the deployment and service created above, an ingress resource needs to be created.
Here is the sample ingress.yaml for your reference:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: ldap-proxy
spec:
  rules:
  - host: test1.opsmx.com # add your DNS entry here
    http:
      paths:
      - backend:
          serviceName: nginx-ldap
          servicePort: 8888
        path: /auth-proxy
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - test1.opsmx.com # add your DNS entry here
    secretName: sec-authtls
Note: The host name and the ingress host must match for authentication to work. The path /auth-proxy is forwarded to the daemon service.
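The post shows the ldap-proxy ingress that exposes /auth-proxy, but not the application ingress that the step 3 annotation belongs to. As an added example that is not part of the original post, here is an application ingress for the same host with that annotation in place; the ingress name my-app, the backend service my-app and its port 8080 are assumed values for this illustration. It also spells out why the note above holds: the NGINX ingress controller issues an auth subrequest to the auth-url for every incoming request and proxies to the backend only when that subrequest succeeds, and because the URL uses $host, the ldap-proxy ingress must serve /auth-proxy on exactly the same host name.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app                       # assumed application ingress name
  annotations:
    kubernetes.io/ingress.class: nginx
    # Step 3 annotation. $host expands to the Host header of the incoming
    # request, so https://test1.opsmx.com/auth-proxy must be served by the
    # ldap-proxy ingress for this rule to authenticate anything.
    nginx.ingress.kubernetes.io/auth-url: https://$host/auth-proxy
spec:
  rules:
  - host: test1.opsmx.com            # same host as the ldap-proxy ingress
    http:
      paths:
      - backend:
          serviceName: my-app        # assumed application service
          servicePort: 8080          # assumed application port
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - test1.opsmx.com
    secretName: sec-authtls          # same TLS secret as the ldap-proxy ingress
```

A quick check after applying it: a request to https://test1.opsmx.com/ without credentials should be refused, while one carrying valid LDAP credentials should reach the backend. If the ldap-proxy ingress is created for a different host than the application ingress, the subrequest never reaches the daemon and every request is rejected.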
Step 4A
Similarly, for another ingress host, add the following block under the spec/rules section of the ingress.yaml from step 4:
- host: test2.opsmx.com
  http:
    paths:
    - backend:
        serviceName: nginx-ldap
        servicePort: 8888
      path: /auth-proxy
      pathType: ImplementationSpecific
Step 4B
Under spec/tls, add the host to the hosts list:
- test2.opsmx.com
After the addition of the two ingress hosts, the ingress looks like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: ldap-proxy
spec:
  rules:
  - host: test1.opsmx.com
    http:
      paths:
      - backend:
          serviceName: nginx-ldap
          servicePort: 8888
        path: /auth-proxy
        pathType: ImplementationSpecific
  - host: test2.opsmx.com
    http:
      paths:
      - backend:
          serviceName: nginx-ldap
          servicePort: 8888
        path: /auth-proxy
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - test1.opsmx.com
    - test2.opsmx.com
    secretName: sec-authtls