Securing Kubernetes Applications Exposed via Nginx Ingress with OAuth2 Proxy and OKTA
A robust method to enhance security is by using OAuth2 Proxy with Nginx Ingress on Kubernetes, leveraging Okta as the OIDC provider. This comprehensive guide will walk you through the steps to set up OAuth2 Proxy to safeguard your applications exposed via Nginx Ingress.
Prerequisites
Before we dive into the configuration, make sure you have the following prerequisites:
- A running Kubernetes cluster.
- Nginx Ingress Controller installed.
- Access to OKTA, or a developer account on OKTA.
- Basic understanding of Kubernetes resources.
- Clone the repository for the full manifests here.
Step 1: Create a Namespace for OAuth2 Proxy
First, create a dedicated namespace for OAuth2 Proxy:
apiVersion: v1
kind: Namespace
metadata:
  name: oauth2-proxy
Step 2: Configure OKTA Application
Go to your OKTA admin dashboard > applications > create app integration. Click here for more information on setting up the app.
Step 3: Configure OAuth2 Proxy
Next, create a ConfigMap to store the OAuth2 Proxy configuration. Ideally, you would store the secrets (client_secret, cookie_secret) in a Kubernetes Secret rather than in the ConfigMap. Every option in this file is derived from the command-line options listed here; for the config file stored in the ConfigMap, you just need to replace hyphens (-) with underscores (_).
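As an added example (not from the original post or the OAuth2 Proxy project), here is one way to follow that advice: generate a cookie_secret of a length OAuth2 Proxy accepts (16, 24 or 32 raw bytes, URL-safe base64 encoded) and render a Secret holding the sensitive values as OAUTH2_PROXY_* environment variables, so the Deployment can load them with envFrom instead of keeping them in oauth2_proxy.cfg. The Secret name oauth2-proxy-secrets is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. The Secret name
# "oauth2-proxy-secrets" is hypothetical; the namespace matches Step 1.
set -eu

# 32 random bytes, base64 encoded, with + and / swapped for - and _
# (the URL-safe alphabet oauth2-proxy expects for cookie_secret).
gen_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n' | tr -- '+/' '-_'
}

# Validate before applying: the decoded secret must be 16, 24 or 32 bytes,
# otherwise oauth2-proxy refuses to start. Returns 0 if valid, 1 otherwise.
check_cookie_secret() {
  n=$(printf '%s' "$1" | tr -- '-_' '+/' | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  case "$n" in 16|24|32) return 0 ;; *) return 1 ;; esac
}

# Render the Secret. oauth2-proxy reads OAUTH2_PROXY_* environment variables,
# so the Deployment can reference it with:
#   envFrom:
#     - secretRef:
#         name: oauth2-proxy-secrets
# and drop client_id / client_secret / cookie_secret from the ConfigMap.
render_secret_manifest() {
  client_id=$1; client_secret=$2; cookie_secret=$3
  check_cookie_secret "$cookie_secret" || { echo "invalid cookie secret length" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy-secrets
  namespace: oauth2-proxy
type: Opaque
stringData:
  OAUTH2_PROXY_CLIENT_ID: "$client_id"
  OAUTH2_PROXY_CLIENT_SECRET: "$client_secret"
  OAUTH2_PROXY_COOKIE_SECRET: "$cookie_secret"
EOF
}

# Usage (placeholder values):
#   render_secret_manifest "<okta-client-id>" "<okta-client-secret>" "$(gen_cookie_secret)" | kubectl apply -f -
```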
apiVersion: v1
data:
  oauth2_proxy.cfg: |
    provider = "oidc"
    oidc_issuer_url = "https://yourdomain.okta.com"
    upstreams = ["https://app.example.com"]
    email_domains = ["*"]
    client_id = "xxxxx8xx"
    client_secret = "xxxxxxxxOxx"
    pass_access_token = true
    cookie_secret = "xxxxx9xx"
    # when the proxy (Step 6) and the app are on different subdomains, cookie_domains and whitelist_domains must be set as well
    ...
kind: ConfigMap
metadata:
  name: oauth2-proxy-config
  namespace: oauth2-proxy
Step 4: Deploy OAuth2 Proxy
Deploy the OAuth2 Proxy using a Deployment resource. You can get the full k8s manifest in this GitHub repo. Keep in mind that the command-line arguments shown here can also be set via the ConfigMap; you can find the full list here.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - args:
            - '--http-address=0.0.0.0:4180'
            - '--https-address=0.0.0.0:4443'
            - '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'
          # pin a release tag in production; :latest with pullPolicy Always is not reproducible
          image: 'quay.io/oauth2-proxy/oauth2-proxy:latest'
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 4180
              scheme: HTTP
            initialDelaySeconds: 20
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 30
          name: oauth2-proxy
          ports:
            - containerPort: 4180
              protocol: TCP
          ...
      volumes:
        ...
Step 5: Expose OAuth2 Proxy
Create a Service to expose the OAuth2 Proxy deployment:
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  ports:
    - name: http
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    app: oauth2-proxy
Step 6: Configure Ingress for OAuth2 Proxy
Create an Ingress resource for the OAuth2 Proxy; this will be the generic domain that handles all the authentication.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  rules:
    - host: oauth2.example.com
      http:
        paths:
          - backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
            path: /oauth2
            pathType: Prefix
  tls:
    - hosts:
        - oauth2.example.com
      secretName: wildcard-tls
Step 7: Protect Your Application with OAuth2 Proxy
Finally, update the Ingress resource for your application to use OAuth2 Proxy for authentication. For this, we will be using the nginx annotations auth-url, auth-signin and auth-response-headers (you can find more information here). For every request, Nginx sends an auth subrequest to auth-url: a 2xx response lets the request through to the application, while a 401 redirects the browser to auth-signin, with the original URL passed in the rd parameter so the user lands back there after logging in. auth-response-headers forwards these headers from OAuth2 Proxy to your application:
- X-Auth-Request-User: Contains the authenticated user's email or username.
- X-Auth-Request-Access-Token: Contains the OAuth2 access token for further API calls.
- Authorization: Contains the bearer token for authorizing requests within your application.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-response-headers: 'X-Auth-Request-User,X-Auth-Request-Access-Token,Authorization'
    # the host in auth-signin and auth-url must match the host served by the OAuth2 Proxy Ingress from Step 6
    nginx.ingress.kubernetes.io/auth-signin: 'https://oauth2.example.com/oauth2/start?rd=$scheme://$host$request_uri'
    nginx.ingress.kubernetes.io/auth-url: 'https://oauth2.example.com/oauth2/auth'
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
  name: nginx-ingress
  namespace: app-namespace
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          ...
  tls:
    - hosts:
        - app.example.com
      secretName: your-ssl-certificate
Conclusion
By following these steps, you have successfully secured your applications exposed via Nginx Ingress using OAuth2 Proxy and OKTA. This setup ensures that only authenticated users can access your applications, providing an additional layer of security. Remember to customize the configurations according to your specific requirements and OAuth2 provider details.