Oathkeeper as ingress-nginx's forward auth supporting different sets of users per host with Ingress annotations (oauth-proxy, Pomerium alternative)
#1075
Hi, I have a few Kubernetes clusters running personal workloads, which should be accessed by different sets of people.
In the past I have been solving this with oauth-proxy, spinning up one per hostname if I wanted the allowed users to be different; then I switched to pomerium.
The last option works great: it works via Google OAuth and I can easily allow different users to different hosts. Only one problem though: they removed the forward auth functionality, wanting to be the proxy.
This sucks in small environments where not all endpoints would be protected and proxying is already handled by another component.
I can have an ingress that looks like this:
And then I will be the only one being able to access the adguard service after logging in.
I think this is possible with Kratos + Oathkeeper, but the piece I might be missing is an Authorizer.
Vincent has recommended a configuration like this:

```yaml
# Global configuration file oathkeeper.yml
authorizers:
  remote:
    # Set enabled to "true" to enable the authorizer, and "false" to disable the authorizer. Defaults to "false".
    enabled: true
    config:
      # Endpoint Oathkeeper POSTs to; only a 200 response counts as "allow".
      remote: http://my-remote-authorizer/authorize
      # Headers sent to the remote authorizer; values are templated from the session.
      headers:
        X-Subject: "{{ print .Subject }}"
```
My idea is that my-remote-authorizer would read the ingress annotations and then reply 200/4xx on this endpoint based on the X-Subject and the Host headers. Perhaps something like this already exists?
This sounds generic enough that I assume somebody might have run into this while trying to replicate a similar functionality, or migrating away from Pomerium/oauth-proxy.
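As an added example (not code from this discussion, from Ory, or from Vincent's suggestion), here is a minimal remote authorizer in Go that implements the idea described in the post: answer 200 or 4xx from the `X-Subject` and host of the request, with the allowed subjects taken per host from an Ingress annotation. Assumptions: the annotation key and its comma-separated value format are invented for this example; the policy is filled from constructed sample values instead of from an Ingress watch (in a real deployment `Update` would be called from a client-go informer); and the original host is assumed to arrive in an `X-Forwarded-Host` header set by a second templated header in the authorizer config (something like `X-Forwarded-Host: "{{ .MatchContext.URL.Host }}"`, to be checked against the template fields of the Oathkeeper version you run), because `r.Host` as seen by the authorizer service is the authorizer's own address, not the protected host.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
	"sync"
)

// HostPolicy maps an ingress host to the set of subjects allowed on it.
// The values come from a hypothetical Ingress annotation such as
// "auth.example.com/allowed-subjects: me@example.com,friend@example.com"
// (key and format are assumptions for this example).
type HostPolicy struct {
	mu      sync.RWMutex
	allowed map[string]map[string]struct{}
}

func NewHostPolicy() *HostPolicy {
	return &HostPolicy{allowed: map[string]map[string]struct{}{}}
}

// parseSubjects turns the raw annotation value into a normalised set
// (trimmed, lower-cased, empty entries dropped).
func parseSubjects(raw string) map[string]struct{} {
	set := map[string]struct{}{}
	for _, s := range strings.Split(raw, ",") {
		if s = strings.ToLower(strings.TrimSpace(s)); s != "" {
			set[s] = struct{}{}
		}
	}
	return set
}

// hostOnly lower-cases a Host value and drops any port, so that
// "AdGuard.example.com:443" matches the "adguard.example.com" Ingress rule.
func hostOnly(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// Update replaces the policy for host from its annotation value. In a real
// deployment this is called from an Ingress watch; here it gets sample data.
func (p *HostPolicy) Update(host, annotationValue string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.allowed[hostOnly(host)] = parseSubjects(annotationValue)
}

// Decide returns the status the authorizer answers with. Oathkeeper's remote
// authorizer treats only 200 as "allow", so any other code denies; the choice
// of 401 vs 403 only matters for your own logs.
func (p *HostPolicy) Decide(subject, host string) int {
	subject = strings.ToLower(strings.TrimSpace(subject))
	if subject == "" {
		return http.StatusUnauthorized
	}
	p.mu.RLock()
	set, known := p.allowed[hostOnly(host)]
	p.mu.RUnlock()
	if !known {
		// A host without an annotation is denied, never silently allowed.
		return http.StatusForbidden
	}
	if _, ok := set[subject]; ok {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// ServeHTTP is the endpoint Oathkeeper POSTs to. X-Subject comes from the
// templated header in oathkeeper.yml; X-Forwarded-Host is assumed to carry
// the original host (see the lead-in).
func (p *HostPolicy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	subject := r.Header.Get("X-Subject")
	host := r.Header.Get("X-Forwarded-Host")
	status := p.Decide(subject, host)
	log.Printf("authz subject=%q host=%q -> %d", subject, host, status)
	w.WriteHeader(status)
}

// SamplePolicy builds a policy from constructed annotation values for two
// hosts; it stands in for reading real Ingress objects.
func SamplePolicy() *HostPolicy {
	p := NewHostPolicy()
	p.Update("adguard.example.com", "me@example.com")
	p.Update("grafana.example.com", "me@example.com, friend@example.com")
	return p
}

func main() {
	log.Fatal(http.ListenAndServe(":4180", SamplePolicy()))
}
```

Two points worth keeping when turning this into a real service: hosts that carry no annotation are denied rather than allowed, so adding a new Ingress never opens it by accident, and both the subject and the host are normalised before lookup, so a mixed-case e-mail or a `Host` with a port cannot bypass the list. Point the `remote:` URL in the authorizer config at this service's `/authorize` path (or any path; the handler ignores it).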