11 software delivery problems solved by intelligence software delivery platform  Download
Select Page
Share

Introduction: 

If we have Kubernetes hosted application, then if we want to secure it with LDAP protocols we have to follow the a few steps. Through this, only authorized users can have access to the host server or the application. 

Although this blog is generic for any host server, but open source Spinnaker users will find it handy to secure their application. You can reduce the vulnerability risks of your website and servers by restricting all unauthorized access.  

Note:

You can either use open source LDAP  or customized LDAP  server for authenticating the user identity. 

Prerequisites for securing  host servers with LDAP:  

  1.   Kubernetes cluster
  2.   nginx ingress controller configured with host
  3.   openldap/custom ldap

It totally involves 4 steps, which are as follows: 

  1. Creating a namespace to deploy  the daemon related resources
  2. Deploy a bitnami LDAP deployment and service in the namespace so created.
  3. Adding the recommended annotation to the ingress resource.
  4. Creating nginx LDAP  proxy to redirect the network calls.

Step 1:

First  you create a namespace to deploy daemon related resources (Ex: nginx-ldap-proxy) with the following command: 

				
					kubectl create namespace <>
				
			

Step 2:

Then you create a  bitnami ldap daemon deployment and service using the below yamls in the namespace that we have used in the previous step. 

Please be noted that this is only a one time step irrespective of the host count. 

This is how the sample deployment and service yaml look like: 

Deployment.yaml:

				
					apiVersion: apps/v1

kind: Deployment

metadata:

  labels:

    io.kompose.service: nginx-ldap

  name: nginx-ldap

spec:

  replicas: 1

  selector:

    matchLabels:

      io.kompose.service: nginx-ldap

  strategy:

    rollingUpdate:

      maxSurge: 25%

      maxUnavailable: 25%

    type: RollingUpdate

  template:

    metadata:

      labels:

        io.kompose.service: nginx-ldap

    spec:

      containers:

      - image: bitnami/nginx-ldap-auth-daemon

        env:

         -  name: NGINXLDAP_LDAP_URI

            value: "ldaps://ldapaddress:636"                   # we can use custom ldap also

         -  name: NGINXLDAP_LDAP_BASE_DN

            value: "ou=users,dc=opsmx,dc=com"

         -  name: NGINXLDAP_LDAP_BIND_DN

            value: "cn=binddn,dc=opsmx,dc=com"

         -  name: NGINXLDAP_LDAP_BIND_PASSWORD

            value: "************"

         -  name: NGINXLDAP_LDAP_FILTER

            value: "(uid=%(username)s)"

        imagePullPolicy: Always

        name: nginx-ldap

        ports:

        - containerPort: 8888

          protocol: TCP

        resources: {}

        terminationMessagePath: /dev/termination-log

        terminationMessagePolicy: File

      dnsPolicy: ClusterFirst

      restartPolicy: Always

      schedulerName: default-scheduler

      securityContext: {}

      terminationGracePeriodSeconds: 30
				
			

Service.yaml 

				
					apiVersion: v1

kind: Service

metadata:

  name: nginx-ldap

spec:

  ports:

  - name: "8888"

    port: 8888

    protocol: TCP

    targetPort: 8888

  selector:

    io.kompose.service: nginx-ldap

  sessionAffinity: None

  type: ClusterIP
				
			

Note:

Please remember that every new host requires authentication by LDAP. For that, you need to add the below recommended ingress annotation.  

Step 3:

So, add the following annotation to the ingress resource as mentioned below: 

				
					    nginx.ingress.kubernetes.io/auth-url: https://$host/auth-proxy
				
			

Step 4:

For the deployment and service yaml we have created before,an ingress resource need to be created. 

Here is the sample ingress.yaml for your reference. 

				
					apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  annotations:

    kubernetes.io/ingress.class: nginx

  name: ldap-proxy

spec:

  rules:

  - host: test1.opsmx.com                                   # add your dns entry here 

    http:

      paths:

      - backend:

          serviceName: nginx-ldap

          servicePort: 8888

        path: /auth-proxy

        pathType: ImplementationSpecific

  tls:

  - hosts:

    - test1.opsmx.com                               # add your dns entry here 

    secretName: sec-authtls
				
			

Note: The host name and the ingress host should match for authentication. The path auth/p will be forwarded to the daemon service.

Step 4A

Similarly, for another ingress host, we need to add the below mentioned code to ingress.yaml that we have mentioned in the step 4 in spec/rules section. 

				
					- host: test2.opsmx.com

    http:

      paths:

      - backend:

          serviceName: nginx-ldap

          servicePort: 8888

        path: /auth-proxy

        pathType: ImplementationSpecific 
				
			

Step 4B

In the spec/tls level, add the following code: 

				
					    - test2.opsmx.com
				
			

After the addition of two ingress hosts, the ingress  looks like this: 

				
					apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  annotations:

    kubernetes.io/ingress.class: nginx

  name: ldap-proxy

spec:

  rules:

- host: test1.opsmx.com

    http:

      paths:

      - backend:

          serviceName: nginx-ldap

          servicePort: 8888

        path: /auth-proxy

        pathType: ImplementationSpecific

  - host: test2.opsmx.com

    http:

      paths:

      - backend:

          serviceName: nginx-ldap

          servicePort: 8888

        path: /auth-proxy

        pathType: ImplementationSpecific  

  tls:

  - hosts:

    - test1.opsmx.com

    - test2.opsmx.com

    secretName: sec-authtls
				
			

Conclusion: 

By following the above mentioned 4 steps, you can secure host servers so that only specified  LDAP  users have access. 

Gopal Jayanthi

Gopal Jayanthi has 15+ years of experience in the software field in development, configuration management, build/release, and DevOps areas. Worked at Cisco, AT&T (SBC), IBM in USA and Accenture, Bank of America, and Tech Mahindra in India. Expertise in Kubernetes, Docker, Jenkins, SDLC management, version control, change management, release management.

0 Comments

Submit a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.