
Interop with other Ingress Controllers

Open wasaga opened this issue 3 years ago • 9 comments

Is your feature request related to a problem? Please describe.

Pomerium and Pomerium Ingress Controller provide a feature-rich ingress controller with built-in authentication, authorization and audit capabilities. Pomerium uses Envoy as its reverse proxy component and may be relied on for many demanding workflows and configuration options.

There could be situations where it is desirable to run Pomerium behind an existing Ingress Controller, e.g. to:

  • utilize existing organization-wide traffic management, monitoring and alerting;
  • receive certain workloads Pomerium is not specialized to handle, e.g. an API gateway;
  • perform request transformations, routing and scripting, configure rate limiting, etc.;
  • use 3rd-party plugins such as WAF, anti-DDoS, etc.

Historically, Pomerium has supported a forward-auth mode for NGINX and Traefik that allows you to authenticate and authorize requests using Pomerium. However, there are dozens of Ingress Controllers on the market, including those natively provided by the cloud vendors, and integrating with each and every one of them does not sound feasible.

Describe the solution you'd like

Suppose you have a typical Ingress resource that is talking to your app Service, and you would like to add a drop-in authentication policy that would only allow users from your domain to access the application.

Pomerium Ingress Controller would additionally scan Ingress resources with an ingressClass other than pomerium that have ingress.pomerium.io annotations, and create a proxying Service that would implement authentication and authorization.

Thus, if you kubectl apply the spec below, the Pomerium Controller mutation webhook would:

  1. Create a pomerium-my-app Service pointing to the Pomerium Proxy.
  2. Configure a Pomerium Proxy route to your original my-app Service, applying all the rules set via Pomerium-specific Ingress annotations.
  3. Mutate the incoming Ingress resource so that my-app is replaced with the pomerium-my-app Service.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    ingress.pomerium.io/policy: |
      - allow:
          and:
            - domain:
                is: pomerium.com
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80
```

Describe alternatives you've considered

Explain any additional use-cases

Additional context

wasaga, Jan 28 '22 00:01
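The three webhook steps proposed above, as an added example in Go that is not code from this issue or from the Pomerium project. It runs the mutation in memory against minimal stand-in types instead of the real k8s.io/api structs, using the issue's minimal-ingress spec as constructed input. The names Mutate, ProxyService, Route and SampleIngress, the `svc.cluster.local` upstream form, the fail-closed refusal when no ingress.pomerium.io/policy annotation is present, the DNS-label length check on the generated name and the idempotency check on the `pomerium-` prefix are all assumptions of this example, not documented Pomerium behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the networking.k8s.io/v1 Ingress fields the proposal touches (a real webhook would use k8s.io/api/networking/v1).
type (
	Backend  struct{ ServiceName string; ServicePort int32 }
	HTTPPath struct{ Path, PathType string; Backend Backend }
	Rule     struct{ Host string; Paths []HTTPPath }
	Ingress  struct {
		Name, Namespace, IngressClassName string
		Annotations                       map[string]string
		Rules                             []Rule
	}
	// ProxyService is the Service created in step 1; it keeps the original backend port so the rewritten Ingress still resolves.
	ProxyService struct {
		Name, Namespace string
		Port            int32
	}
	// Route is an abstract Pomerium route (step 2): requests for Host/Prefix are authorized against Policy and forwarded to the original Service at To. Field names are this example's, not Pomerium's config keys.
	Route struct{ Host, Prefix, To, Policy string }
)

const (
	pomeriumClass    = "pomerium"
	annotationPrefix = "ingress.pomerium.io/"
	proxyPrefix      = "pomerium-" // assumed naming scheme for the proxy Service
	maxLabelLen      = 63          // DNS label limit on Service names
)

// shouldMutate selects Ingresses of another class that carry ingress.pomerium.io/* annotations.
func shouldMutate(ing *Ingress) bool {
	if ing.IngressClassName == pomeriumClass {
		return false
	}
	for k := range ing.Annotations {
		if strings.HasPrefix(k, annotationPrefix) {
			return true
		}
	}
	return false
}

// Mutate performs steps 1-3 in memory: it returns the proxy Services (keyed by name, so duplicates collapse) and routes to create, and rewrites ing's backends to point at the proxy Services.
func Mutate(ing *Ingress) (map[string]ProxyService, []Route, error) {
	if !shouldMutate(ing) {
		return nil, nil, nil
	}
	policy := strings.TrimSpace(ing.Annotations[annotationPrefix+"policy"])
	if policy == "" { // fail closed (this example's choice): there is nothing to enforce
		return nil, nil, fmt.Errorf("%s/%s: missing %spolicy annotation", ing.Namespace, ing.Name, annotationPrefix)
	}
	svcs := map[string]ProxyService{}
	var routes []Route
	for ri := range ing.Rules {
		rule := &ing.Rules[ri]
		for pi, p := range rule.Paths {
			b := &rule.Paths[pi].Backend
			if strings.HasPrefix(b.ServiceName, proxyPrefix) {
				continue // already rewritten by an earlier admission pass: stay idempotent
			}
			name := proxyPrefix + b.ServiceName
			if len(name) > maxLabelLen {
				return nil, nil, fmt.Errorf("proxy Service name %q exceeds %d chars", name, maxLabelLen)
			}
			svcs[name] = ProxyService{Name: name, Namespace: ing.Namespace, Port: b.ServicePort}
			routes = append(routes, Route{
				Host:   rule.Host, // empty matches any host, as in the issue's example
				Prefix: p.Path,
				To:     fmt.Sprintf("http://%s.%s.svc.cluster.local:%d", b.ServiceName, ing.Namespace, b.ServicePort),
				Policy: policy,
			})
			b.ServiceName = name // step 3: the front controller now sends this path to Pomerium
		}
	}
	return svcs, routes, nil
}

// SampleIngress is a constructed copy of the issue's minimal-ingress example.
func SampleIngress() *Ingress {
	return &Ingress{
		Name: "minimal-ingress", Namespace: "default", IngressClassName: "nginx-example",
		Annotations: map[string]string{
			"nginx.ingress.kubernetes.io/rewrite-target": "/",
			annotationPrefix + "policy":                   "- allow:\n    and:\n      - domain:\n          is: pomerium.com\n",
		},
		Rules: []Rule{{Paths: []HTTPPath{{Path: "/testpath", PathType: "Prefix",
			Backend: Backend{ServiceName: "my-app", ServicePort: 80}}}}},
	}
}

func main() {
	ing := SampleIngress()
	svcs, routes, err := Mutate(ing)
	fmt.Printf("services=%+v\nroutes=%+v\nbackend=%s err=%v\n", svcs, routes, ing.Rules[0].Paths[0].Backend.ServiceName, err)
}
```

Two points worth keeping in mind with a design like this. The mutation is re-run on every admission of the object, so the webhook must recognise backends it has already rewritten, otherwise a second pass would produce pomerium-pomerium-my-app and break the Ingress. And the rewrite only covers traffic that enters through the front Ingress Controller: the original my-app Service stays reachable from inside the cluster, so if in-cluster callers must also be subject to the policy, a NetworkPolicy that limits my-app's ingress to the Pomerium proxy pods is needed in addition.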