Kubernetes ingress controller for authenticating apps

Rahul Mahale

By Rahul Mahale

on August 14, 2018

Kubernetes Ingress has redefined the routing in this era of containerization and with all these freehand routing techniques the thought of "My router my rules" seems real.

We use nginx-ingress as a routing service for our applications. There is a lot more than routing we can do with ingress. One of the important features is setting up authentication using ingress for our application. As all the traffic goes from ingress to our service, it makes sense to setup authentication on ingress.

As mentioned in ingress repository there are different types of techniques available for authentication including:

  • Basic authentication
  • Client-certs authentication
  • External authentication
  • Oauth external authentication

In this blog, we will set up authentication for the sample application using basic ingress authentication technique.


First, let's create ingress resources from upstream example by running the following command.

2$ kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
3namespace "ingress-nginx" created
4deployment "default-http-backend" created
5service "default-http-backend" created
6configmap "nginx-configuration" created
7configmap "tcp-services" created
8configmap "udp-services" created
9serviceaccount "nginx-ingress-serviceaccount" created
10clusterrole "nginx-ingress-clusterrole" created
11role "nginx-ingress-role" created
12rolebinding "nginx-ingress-role-nisa-binding" created
13clusterrolebinding "nginx-ingress-clusterrole-nisa-binding" created
14deployment "nginx-ingress-controller" created

Now that ingress controller resources are created we need a service to access the ingress.

Use following manifest to create service for ingress.

1apiVersion: v1
2kind: Service
4  annotations:
5    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
6  labels:
7    k8s-addon: ingress-nginx.addons.k8s.io
8  name: ingress-nginx
9  namespace: ingress-nginx
11  externalTrafficPolicy: Cluster
12  ports:
13    - name: https
14      port: 443
15      protocol: TCP
16      targetPort: http
17    - name: http
18      port: 80
19      protocol: TCP
20      targetPort: http
21  selector:
22    app: ingress-nginx
23  type: LoadBalancer

Now, get the ELB endpoint and bind it with some domain name.

2$kubectl create -f ingress-service.yml
3service ingress-nginx created
5$ kubectl -n ingress-nginx get svc  ingress-nginx -o wide
6NAME            CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                      AGE       SELECTOR
7ingress-nginx   abcghccf8540698e8bff782799ca8h04-1234567890.us-east-2.elb.amazonaws.com   80:30032/TCP,443:30108/TCP   10s       app=ingress-nginx

Let's create a deployment and service for our sample application kibana. We need elasticsearch to run kibana.

Here is manifest for the sample application.

2apiVersion: extensions/v1beta1
3kind: Deployment
5  labels:
6    app: kibana
7  name: kibana
8  namespace: ingress-nginx
10  replicas: 1
11  template:
12    metadata:
13      labels:
14        app: kibana
15    spec:
16      containers:
17        - image: kibana:latest
18          name: kibana
19          ports:
20            - containerPort: 5601
22apiVersion: v1
23kind: Service
25  annotations:
26  labels:
27    app: kibana
28  name: kibana
29  namespace: ingress-nginx
32  ports:
33    - name: kibana
34      port: 5601
35      targetPort: 5601
36  selector:
37    app: kibana
39apiVersion: extensions/v1beta1
40kind: Deployment
42  labels:
43    app: elasticsearch
44  name: elasticsearch
45  namespace: ingress-nginx
47  replicas: 1
48  strategy:
49    type: RollingUpdate
50  template:
51    metadata:
52      labels:
53        app: elasticsearch
54    spec:
55      containers:
56        - image: elasticsearch:latest
57          name: elasticsearch
58          ports:
59            - containerPort: 5601
61apiVersion: v1
62kind: Service
64  annotations:
65  labels:
66    app: elasticsearch
67  name: elasticsearch
68  namespace: ingress-nginx
70  ports:
71    - name: elasticsearch
72      port: 9200
73      targetPort: 9200
74  selector:
75    app: elasticsearch

Create the sample application.

2kubectl apply -f kibana.yml
3deployment "kibana" created
4service "kibana" created
5deployment "elasticsearch" created
6service "elasticsearch" created

Now that we have created application and ingress resources, it's time to create an ingress and access the application.

Use the following manifest to create ingress.

1apiVersion: extensions/v1beta1
2kind: Ingress
4  annotations:
5  name: kibana-ingress
6  namespace: ingress-nginx
8  rules:
9    - host: logstest.myapp-staging.com
10      http:
11        paths:
12          - path: /
13            backend:
14              serviceName: kibana
15              servicePort: 5601
2$kubectl -n ingress-nginx create -f ingress.yml
3ingress "kibana-ingress" created.

Now that our application is up, when we access the kibana dashboard using URL http://logstest.myapp-staging.com We directly have access to our Kibana dashboard and anyone with this URL can access logs as shown in the following image.

Kibana dashboard without authentication

Now, let's set up a basic authentication using htpasswd.

Follow below commands to generate the secret for credentials.

Let's create an auth file with username and password.

2$ htpasswd -c auth kibanaadmin
3New password: <kibanaadmin>
4New password:
5Re-type new password:
6Adding password for user kibanaadmin

Create k8s secret.

2$ kubectl -n ingress-nginx create secret generic basic-auth --from-file=auth
3secret "basic-auth" created

Verify the secret.

2kubectl get secret basic-auth -o yaml
3apiVersion: v1
6kind: Secret
8  name: basic-auth
9  namespace: ingress-nginx
10type: Opaque

Use following annotations in our ingress manifest by updating the ingress manifest.

1kubectl -n ingress-nginx edit ingress kibana ingress

Paste the following annotations

1nginx.ingress.kubernetes.io/auth-type: basic
2nginx.ingress.kubernetes.io/auth-secret: basic-auth
3nginx.ingress.kubernetes.io/auth-realm: "Kibana Authentication Required - kibanaadmin"

Now that ingress is updated, hit the URL again and as shown in the image below we are asked for authentication.

Kibana dashboard without authentication

Stay up to date with our blogs. Sign up for our newsletter.

We write about Ruby on Rails, React.js, React Native, remote work,open source, engineering & design.