mslot

Reputation: 5224

Ingress with client certificate authentication

I have a service that needs to be protected by client certification. I have this configuration for my ingress resource:

```yaml
nginx.ingress.kubernetes.io/auth-tls-secret: "namespace/ca-chain"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
```

And I get the ssl-client-verify header with a value of SUCCESS delivered to my backend. If this is set, I know that the client certificate was validated correctly.

Is this the correct setup? Doesn't this setup rely on the fact that my backend is closely coupled with my ingress, and if the ingress goes away, a bad actor can just send a request with an ssl-client-verify header set to SUCCESS and we let him in?

Two questions come to mind:

  1. With a standard ingress setup in k8s, all requests always go through the ingress, and no requests can go around the ingress? From what I can read, all traffic always goes through the ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/#what-is-ingress
  2. Should I validate the chain myself? I get the client certificate delivered in the header? I have only one client, so I actually don't need to do further authentication: if they have a valid client certificate, I can let them in.

If this is the right pattern, doesn't this mean that we always need something in front of our app if we decide to move it out of k8s? For example, if I want to run it on a standalone server, then I need an nginx in front, with the same configuration, so it can handle client certification for me, or else a bad actor can just call around my nginx and set the ssl-client-verify header to SUCCESS and we think all is a-okay.

Upvotes: 0

Views: 482

Answers (1)

larsks

Reputation: 311238

> With a standard ingress setup in k8s, all requests always go through the ingress, and no requests can go around the ingress?

That's correct. A pod runs in an isolated network namespace. Without additional configuration, there's no way to reach it externally. If the ingress service goes down, there's no "going around" it.

> Should I validate the chain myself?

You can't. Only the service performing SSL termination can perform the certificate validation. Your nginx ingress is handling the SSL connection, so that's where validation happens.

If you want to handle SSL termination yourself, you would probably need to set up a LoadBalancer type service...but I don't think that would really get you much other than increased complexity.

> If this is the right pattern, doesn't this mean that we always need something in front of our app if we decide to move it out of k8s?

If you're handling authentication with a front-end proxy in Kubernetes...then you would also need to handle authentication with a front-end proxy outside of Kubernetes. That's a common pattern. If you want to write your application so that it can work with or without a frontend proxy, then you would need to add configuration options to enable/disable that behavior.

Upvotes: 1
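
The enable/disable option mentioned in the answer, sketched as an added example (not part of the original question or answer): the backend honours `ssl-client-verify` only when proxy mode is switched on and the TCP peer is the proxy itself. The function names, the `behind_proxy` option and the proxy CIDR are assumptions made for illustration.

```python
import ipaddress

# Assumption: constructed stand-in for the network the ingress controller
# connects from; replace with the real proxy addresses of the deployment.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.42.0.0/16")]
VERIFY_HEADER = "ssl-client-verify"  # header named in the question


def from_trusted_proxy(peer_ip, nets=TRUSTED_PROXY_NETS):
    """True if the TCP peer address belongs to a configured proxy network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address is never trusted
    return any(addr in net for net in nets)


def authorize(headers, peer_ip, behind_proxy):
    """Return (allowed, reason) for one request.

    headers: dict of request headers; peer_ip: socket peer address;
    behind_proxy: hypothetical deployment option stating that a
    TLS-terminating proxy performs client certificate validation.
    """
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not behind_proxy:
        # No proxy configured: the header can only have come from the client.
        return (False, "proxy mode disabled; header ignored")
    if not from_trusted_proxy(peer_ip):
        return (False, "peer is not the trusted proxy")
    if hdrs.get(VERIFY_HEADER) != "SUCCESS":
        return (False, "proxy did not report a verified client certificate")
    return (True, "client certificate verified by proxy")


if __name__ == "__main__":
    # Constructed sample requests: via the proxy, then direct to the backend.
    print(authorize({"ssl-client-verify": "SUCCESS"}, "10.42.3.7", True))
    print(authorize({"ssl-client-verify": "SUCCESS"}, "203.0.113.9", True))
```

The peer check uses the socket address, never a forwarded-for header, since the client controls the latter on a direct connection. Inside a cluster, a NetworkPolicy that admits only the ingress controller's pods enforces the same boundary at the network layer.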
