Basic Auth is one of the oldest and easiest ways to secure a web page or API endpoint. Basic Auth does not have many features and lacks the sophistication of more modern access controls (see Ingress Nginx Auth Examples). However, Basic Auth is supported by nearly every major web client, library, and utility. Basic Auth is secure, stable and perfect for quick security on Kubernetes projects. Basic Auth can easily we swapped out later as requirements demand or provide a foundation for implementations such as OAuth 2 and JWT.
First, you need an Ingress controller on your Kubernetes cluster and at least one ingress rule that we can apply Basic Auth. If you are following along with my articles on building a Production Hobby Cluster Kubernetes and do not yet have Ingress installed, you should read Ingress on Custom Kubernetes before getting started.
The Basic Auth process sends credentials to the server in the clear, although encrypted and base64’d, they can be quickly reversed back into a human-readable string. Because of this, it is essential we are issuing calls over SSL. However, if the information or service being password protected should be hidden, then SSL encrypted communication would already be required.
For the Production Hobby Cluster we use Let’s Encrypt, so if you have not done so already you can check out my article on setting up Let’s Encrypt for your custom cluster read: Let’s Encrypt, Kubernetes.
Create a User and Password
htpasswd -c ./auth sysop
It is important to name the file auth. The filename is used as the key in the key-value pair under the
data section of secret.
After entering a password for the new user twice, you end up with the file
Create a Secret
Kubernetes can create a generic Secret from the generated
auth file, or from any file, however, the format of the htpasswd generated file is necessary for use with Basic Auth. The file name is used as the key in Basic Auth secret, therefore its best to name it auth and avoid having to edit the secret. Ingress uses the new Secret in it’s annotation section to provide Basic Auth.
The kubectl create secret command can create a secret from a local file, directory or literal value using the generic directive. In the example below I call the new secret sysop, named after the single set of credentials stored in it. However, if you are grouping many credentials, it would be better to give it a more generic name.
Create the Secret:
kubectl create secret generic sysop --from-file auth
Ensure the Secret was created successfully by viewing the details:
kubectl get secret sysop -o yaml
You should have a secret similar to the following:
apiVersion: v1 data: auth: c3avb2A2GGFwcjEkMmo5SwoucC4kcWtDR3NTVUxSDXJmTVkwNUwxUlZYLbo= kind: Secret metadata: creationTimestamp: 2018-05-18T06:55:51Z name: sysop namespace: default resourceVersion: "265674" selfLink: /api/v1/namespaces/default/secrets/sysop uid: 2bfb399c-58d6-11e8-b11e-5600017e897a type: Opaque
Of course, you should avoid publishing your new Secret like I just did, since the
auth: value under
data: is only a base64 encoded version of the username and encoded password pair. The password may be reversed quickly with a dictionary attack or other password cracking utilities.
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ok-auth labels: app: ok-auth system: test annotations: nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: sysop nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - ok" spec: rules: - host: ok-auth.la.txn2.net http: paths: - backend: serviceName: "ok" servicePort: 5001 path: / tls: - hosts: - ok-auth.la.txn2.net secretName: la-txn2-net-tls
All that is needed are three Ingress annotations: - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: sysop - nginx.ingress.kubernetes.io/auth-realm: “Authentication Required - ok.”
If in a few days you find yourself setting up a cluster in Japan or Germany on Linode, and another two in Australia and France on vultr, then you may have just joined the PHC (Performance Hobby Clusters) club. Some people tinker late at night on their truck, we benchmark and test the resilience of node failures on our overseas, budget kubernetes clusters. It’s all about going big, on the cheap.