How to disable http access to service using Kubernetes Nginx ingress controller? - http

I have a service providing an API that I want to only be accessible over https. I don't want http to redirect to https because that will expose credentials and the caller won't notice. Better to get an error response.
How to do I configure my ingress.yaml? Note that I want to maintain the default 308 redirect from http to https for other services in the same cluster.
Thanks.

In the documentation: you can read the following sentence about HTTPS enforcement through redirect:
By default the controller redirects (308) to HTTPS if TLS is enabled for that ingress. If you want to disable this behavior globally, you can use ssl-redirect: "false" in the NGINX ConfigMap.
To configure this feature for specific ingress resources, you can use the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.
You can also create two separate configurations: one with http and https and the other one only for http.
Using kubernetes.io/ingress.class annotation you can choose the ingress controller to be used.
This mechanism also provides users the ability to run multiple NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic).
See also this and this similar questions.

Related

How can I use ingress to control the routing between two instances?

I have a service deployed on Kubernetes and it has url app.io (using ingress).
What if I need a user to every time go to app.io and:
if it's running okay with no errors, it redirects to the app.io (on k8s)
and if not running well or have an error, it would redirect on a backup service on Heroku for example with url backup.io.
How can I do that?
Thanks in advance
Fallback routing like you describe is not part of the Ingress standard. It only does routing based on incoming Host header and request path. It's possible some specific Ingress Controller supports this as a custom extension but I don't know of any that do.
I think you may need to put a L7 load balancer like HAproxy in front. Configure your backup location in backend pool, and HAProxy will take care of the rest.
You may want to configure ingress befault-backendto be some sort of fallback service. With most of the cases people tend to use that for some custom 404 but you might just direct it to another service, for example backup-io:
kind: Ingress
metadata:
name: my-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: "/"
nginx.ingress.kubernetes.io/default-backend: backup-io
That's of course assuming you're using nginx controller. Kong has also fallback service instructions.

Differences between HTTP Web Server and Ingress?

I am learning the world of k8s and there is a lot of talk about ingress and ingress controllers. Conceptually it sounds identical to a web server which I will define as a service that proxies HTTP requests to web application servers. It can serve up certificates and do basic load balancing...
Whereas ingress: Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Ingress may provide load balancing, SSL termination and name-based virtual hosting.
https://kubernetes.io/docs/concepts/services-networking/ingress/
They sound the same! So what exactly is the difference here? I can't be the only one confused by this right?
In general Web Server's is responsible for accepting and fulfilling requests from clients.
A web server‘s fundamental job is to accept and fulfill requests from clients for static content from a website (HTML pages, files, images, video, and so on). The client is almost always a browser or mobile application and the request takes the form of a Hypertext Transfer Protocol (HTTP) message, as does the web server’s response.
Lately you can find many web servers like Apache or Nginx.
Kubernetes Ingress is an API object. In IBM blog - What is Kubernetes Ingress and why is it useful?
Kubernetes Ingress is an API object that provides routing rules to manage external users' access to the services in a Kubernetes cluster, typically via HTTPS/HTTP. With Ingress, you can easily set up rules for routing traffic without creating a bunch of Load Balancers or exposing each service on the node. This makes it the best option to use in production environments.
Also in Kubernetes Ingress Docs you can find that Kubernetes Ingress needs Ingress Controller.
You must have an Ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect.
There are many ingress controllers like Nginx, Ambassador, Apache, etc.
To sum up:
To use Ingress you need some Web Server as Ingress Controller.
Kubernetes Ingress is an Kubernetes object which helps user to configure Web Server (like Nginx) in Kubernetes Clusters.
As you pointed in documentation it allows you to configure some HTTP/HTTPS routing, traffic load balancing, terminate SSL / TLS, etc.
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource.

Nginx Ingress Controller with Nginx Reverse Proxy

I am a bit confused with the architecture of load-balancing K8s traffic with Nginx ingress controller.
I learned that an ingress controller is supposed to configure the load-balancer you're using according to ingress configurations.
So if I want to use Nginx ingress controller and I have a Physical server that is running Nginx that stands in front of my network, how can I make the ingress controller configure it?
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. You must have an Ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect. Take a look at the example graph below:
Nginx Ingress Controller is using service of type LoadBalancer to get the traffic enter the controller and then to get rerouted to particular services.
I strongly suggest going through the official documentation in order to get a good understanding of the topic and see some examples of using it.
is the nginx ingress controller supposed to (or can) configure an
Nginx machine?
NGINX Ingress Controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination.

Rancher 2 disable HTTP to HTTPS redirect

SSL redirect is enabled by default in a Kubernetes NGINX ingress on Rancher 2. We changed the config map and redeployed the nginx -ingres in the system namespace, but the redirect still happens. Has someone managed to disable it?
Unfortunately I don't think you will be able to disable SSL in Rancher v2.
As per Randcher documentation:
For security purposes, SSL (Secure Sockets Layer) is required when using Rancher. SSL secures all Rancher network communication, like when you login or interact with a cluster.
You can find there few ways to apply this certs:
Default Rancher-generated Self-signed Certificate
Bring Your Own Certificate, Self-signedlink
Bring Your Own Certificate, Signed by a Recognized CA
Let’s Encrypt Certificatelink
Inside this doc you have hyerlinks to further Rancher docs.
As Rancher by default deploying nginx controller you should also check Rancher docs about Nginx Controller.
As an update, rancher can disable http -> https redirection by disabling ingress's TLS and set a custom header "X-Forwarded-Proto: https" from ingress controller -> rancher,
reference:
https://github.com/rancher/rancher/issues/35088

Using nginx as Forward proxy in kubernetes

I am really new to kubernetes and nginx. I am able to use it as a reverse-proxy by setting up ingress resource, however, I am not sure about how should I use it to forward the request from kubernetes to a particular host.
My case is as follows:
I have a container running in kubernetes pod which access an external api url (example www.xxx.com) with some parameters, however, because I have blocked the outgoing requests for all the pods, it can not access that api url.
To solve this I want to setup nginx proxy which will forward my request to the actual api url.
Being new to this and having lack of proper steps documented anywhere to achieve this, I am really stuck. How can I do this?
What you could do is to define a Service object that points to your external API endpoint. This is done by creating an Endpoint object and a Service object both with the same name.
https://kubernetes.io/docs/concepts/services-networking/service/#services-without-selectors
Once you have your service, you could create an Ingress rule that would forward the traffic to that service. Make sure that the Ingress controller can access your API endpoint.

Resources