We have services deployed in K8s with Istio as the service mesh and exposed using ingress-nginx.
Now we would like to add AuthN and AuthZ using the ingress-nginx ingress controller.
- We would like to do OAuth2/OpenID. That is possible using the oauth2-proxy module. The JWT token returned contains the user's UUID, but not his group.
- We have a K8s service which has the mapping of user UUID to group (backend DynamoDB). So we need to retrieve the group of the user.
- We have OPA (Open Policy Agent) based rules for AuthZ of service APIs against user group. So service APIs have to be verified against the user group.
- After successful AuthN and AuthZ, HTTP headers with user UUID and userGroup should be passed to upstream services.
- Also we need to set cookies with user UUID and userGroup for client apps to use.
All of the above 5 steps can be performed in bits and pieces using ‘ingress-nginx’, but not together as a chain of proxies.
Is there a way to do these in the ‘ingress-nginx’ ingress controller? I am looking for open-source ingress controllers.
Thanks.
Regards,
Prakash
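One way to run the five steps as a single chain is to put them behind one external-auth endpoint that the ingress-nginx `auth-url` annotation calls. The Go handler below is an added example and is not the poster's or any answerer's code; it assumes oauth2-proxy has already validated the OIDC token and set `X-Auth-Request-User`, abstracts the DynamoDB-backed group service and the OPA query as two constructed functions, and relies on `auth-response-headers` to forward the headers it returns.

```go
package main

import (
	"context"
	"net/http"
)

// GroupLookup resolves a user UUID to a group. It stands in for the poster's
// DynamoDB-backed user/group service (assumed interface, constructed here).
type GroupLookup func(ctx context.Context, userID string) (string, bool)

// Authorizer answers the OPA question "may this group call this API?".
// A real deployment would POST {group, method, path} to OPA's /v1/data API.
type Authorizer func(ctx context.Context, group, method, path string) bool

// AuthHandler implements the ingress-nginx auth-url subrequest contract:
// 2xx allows the request, anything else denies it, and headers listed in
// nginx.ingress.kubernetes.io/auth-response-headers are copied upstream.
type AuthHandler struct {
	Groups GroupLookup
	Allow  Authorizer
}

func (h AuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// oauth2-proxy has already validated the OIDC token and set
	// X-Auth-Request-User to the token subject (the user UUID).
	userID := r.Header.Get("X-Auth-Request-User")
	if userID == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	group, ok := h.Groups(r.Context(), userID)
	if !ok {
		http.Error(w, "no group for user", http.StatusForbidden)
		return
	}
	// ingress-nginx passes the protected request's method and URL on the
	// auth subrequest as X-Original-Method / X-Original-URL.
	method, url := r.Header.Get("X-Original-Method"), r.Header.Get("X-Original-URL")
	if !h.Allow(r.Context(), group, method, url) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// Headers for upstream services; the cookie is readable by client apps
	// (not HttpOnly) and is informational only, never a trust anchor.
	w.Header().Set("X-User-Id", userID)
	w.Header().Set("X-User-Group", group)
	http.SetCookie(w, &http.Cookie{Name: "user_group", Value: group, Path: "/", Secure: true, SameSite: http.SameSiteLaxMode})
	w.WriteHeader(http.StatusOK)
}
```

The Ingress for the protected service would then carry `auth-url` pointing at this handler and `auth-response-headers: X-User-Id,X-User-Group`, with oauth2-proxy in front of it.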
2 Answers
I am not 100% sure, but you cannot do it with ingress-nginx. I tried but failed, because Nginx won't give you much flexibility, plus it's a proxy service.
I would recommend checking out the Kong API gateway; you can also use it as an ingress controller, and it's open source as well. You can use the open-source plugins without any changes.
With Kong plugins it's easy to set up AuthZ and AuthN.
Here you can refer to one of my articles on AuthZ & AuthN with Kong and Keycloak: https://faun.pub/kong-jwt-scope-base-auth-with-keycloak-b9938a96d281
The Apisix gateway is recommended to support identity authentication and K8s deployment.
https://apisix.apache.org/