Kubernetes API behind reverse proxy


Torsten Bronger

Feb 3, 2017, 2:35:54 AM
to kubernet...@googlegroups.com
Hallöchen!

I have a k8s API server behind an nginx as reverse proxy. Because my
kubectl uses client certificate authentication, the nginx must check
that. However, the nginx replies to the kubectl that “No required
SSL certificate was sent”. The ~/.kube/config file clearly contains
TLS cert data for that user (and this works locally, without nginx
in between). Must kubectl be triggered or forced somehow to actually
send the TLS cert data?

Tschö,
Torsten.

--
Torsten Bronger

Alexander W Creek

Feb 3, 2017, 8:30:47 AM
to kubernet...@googlegroups.com
Nginx is stripping out the client cert when it proxies the request. You
have to set up raw TCP forwarding instead of HTTP proxying. You can use
the ngx_stream_proxy_module available in nginx 1.9.0, or haproxy, which does
it out of the box.

Alex








Torsten Bronger

Feb 3, 2017, 10:31:26 AM
to Kubernetes user discussion and Q&A
Hallöchen!


On Friday, 3 February 2017 14:30:47 UTC+1, Alex Creek wrote:
> Nginx is stripping out the client cert when it proxies the request.  You
> have to set up raw TCP forwarding instead of HTTP proxying.  You can use
> the ngx_stream_proxy_module available in nginx 1.9.0, or haproxy, which does
> it out of the box.

Note that it is nginx – rather than k8s – that denies the request.  If I switch off client certificate checking in nginx, I can communicate successfully with k8s.  This is because I told nginx to use that same cert when contacting k8s.  So the second part works but not the first part.

Seemingly, the cert is not sent from kubectl in the first place.  But why shouldn't it?

I got it working now by using Basic Auth between kubectl and nginx, and the TLS cert between nginx and k8s.  It would still be nice if both connections used the client certificate.

Alex Creek

Feb 3, 2017, 3:23:15 PM
to kubernet...@googlegroups.com
When I ran into this I was trying to pass the client cert through nginx with something like this in my proxy config:
     proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;

I found some SO articles about it and an old posting on the nginx forum from Maxim regarding issues proxying client certs https://forum.nginx.org/read.php?2,236546,236546#msg-236546

I settled with the stream_proxy module I mentioned before and just proxy raw TCP to the kube api.  





--
Alex
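
A minimal configuration for the raw TCP passthrough Alex recommends in both of his messages, added here as an illustration; it is not taken from the thread, from the nginx documentation or from any Kubernetes project, and the upstream address, the listening port and the timeouts are assumptions. Because nginx does not terminate TLS in this mode, the handshake runs end to end between kubectl and kube-apiserver: the client certificate reaches the apiserver unchanged and the apiserver performs the client-certificate authentication itself, so there is no point at which a header like X-SSL-CLIENT-CERT would have to carry it.

```nginx
# Added example, not from the thread: nginx as a plain TCP relay in front of
# the Kubernetes API using ngx_stream_proxy_module (nginx >= 1.9.0, as the
# thread notes). This block lives at the top level of nginx.conf, next to
# (not inside) the http { } block.
stream {
    upstream kube_apiserver {
        # Assumed address of kube-apiserver; adjust to your cluster.
        server 10.0.0.10:6443;
    }

    server {
        # Assumed external port; the TLS handshake is forwarded as-is,
        # so kubectl authenticates with its client certificate directly
        # against kube-apiserver and nginx never sees the cleartext.
        listen 6443;
        proxy_pass kube_apiserver;

        proxy_connect_timeout 5s;
        # kubectl watch / exec / port-forward hold the connection open for
        # a long time; the default 10 minute idle timeout would cut them off.
        proxy_timeout 1h;
    }
}
```

The trade-off of passthrough is that kubectl now validates the apiserver's own serving certificate rather than one nginx presents: the host name or IP in the kubeconfig `server:` entry has to appear in that certificate's subject alternative names, or the cluster entry has to carry `tls-server-name` (supported by recent kubectl releases) naming a SAN the certificate does have. If neither is possible, as with a fixed minikube certificate, passthrough alone will not work from a differently named host.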

Torsten Bronger

Feb 4, 2017, 1:38:15 AM
to Alex Creek, kubernet...@googlegroups.com
Hallöchen!

Alex Creek writes:

> [...]
>
> I settled with the stream_proxy module I mentioned before and just
> proxy raw TCP to the kube api.

Unfortunately, I cannot do that because I use minikube, and thus I
have no control over the domain names that minikube uses for its
server certificate – it is always "minikubeCA". And since I have to
connect to it with a totally different name from another machine,
kubectl wouldn't accept that.

George Poenaru

Sep 8, 2017, 7:22:01 AM
to Kubernetes user discussion and Q&A
I have the same problem as you, Torsten. Did you find a solution to forward the certificate?

Torsten Bronger

Sep 9, 2017, 5:10:35 AM
to George Poenaru, Kubernetes user discussion and Q&A
Hallöchen!

George Poenaru writes:

> I have the same problem as you, Torsten. Did you find a solution to
> forward the certificate?

I'm afraid I haven't revisited the problem so far. But
https://github.com/kubernetes/minikube/pull/1149 may help you.

Daniel Smith

Sep 11, 2017, 12:25:24 PM
to kubernet...@googlegroups.com, George Poenaru
Hi, sorry I didn't see this the first time it came around. It is actually possible to do this, but complicated. The proxy must do authentication (identity verification). The path between the proxy and kube-apiserver must be mutual TLS auth. The proxy has to set a header to inform kube-apiserver who is at the other end of the connection.

The kube-aggregator component is basically intended to be this proxy. I think you should be able to set it up with nginx, but there's no docs and no guarantees.
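
An authenticating-proxy configuration along the lines Daniel sketches, added as an illustration; it is not from the thread, from kube-aggregator or from any project documentation, and every path, address and host name in it is an assumption. nginx verifies kubectl's client certificate itself, connects to kube-apiserver over mutual TLS with its own "front proxy" client certificate, and passes the verified identity in the request-header authentication headers that kube-apiserver is told to trust through `--requestheader-client-ca-file`, `--requestheader-allowed-names`, `--requestheader-username-headers` and `--requestheader-group-headers`. One check worth making for the error quoted in the first message: nginx only accepts client certificates that chain to the file given in `ssl_client_certificate`, and Go's TLS client (which kubectl is built on) offers a certificate only when its issuer is among the CAs the server lists in its CertificateRequest. If the CA file nginx is given is not the CA that issued the kubeconfig client certificate, kubectl sends no certificate at all and nginx answers with exactly "No required SSL certificate was sent".

```nginx
# Added example, not from the thread: nginx as an authenticating front proxy
# for kube-apiserver. Both directives below belong inside the http { } block.
# kube-apiserver is assumed to run with (paths are assumptions):
#   --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
#   --requestheader-allowed-names=front-proxy-client
#   --requestheader-username-headers=X-Remote-User
#   --requestheader-group-headers=X-Remote-Group

# Derive the Kubernetes user name from the CN of the verified client
# certificate. $ssl_client_s_dn is "CN=alice,O=dev" on nginx >= 1.11.6 and
# "/O=dev/CN=alice" before that; the pattern accepts both. A certificate
# without a CN yields an empty user, which kube-apiserver rejects.
map $ssl_client_s_dn $kube_user {
    default "";
    ~CN=(?<cn>[^,/]+) $cn;
}

server {
    listen 443 ssl;
    server_name k8s.example.com;                    # assumed external name

    ssl_certificate     /etc/nginx/tls/k8s.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/k8s.example.com.key;

    # Authenticate kubectl. The client certificate must chain to this CA;
    # a kubeconfig certificate issued by a different CA is never offered by
    # the Go TLS client and nginx then reports "No required SSL certificate
    # was sent" with a 400.
    ssl_client_certificate /etc/nginx/tls/kubectl-client-ca.crt;
    ssl_verify_client      on;

    location / {
        # Mutual TLS to kube-apiserver. The front-proxy certificate is the one
        # credential the apiserver trusts to assert identities, so it must be
        # signed by the requestheader CA and its CN must be in
        # --requestheader-allowed-names.
        proxy_pass https://10.0.0.10:6443;          # assumed apiserver address
        proxy_ssl_certificate         /etc/nginx/tls/front-proxy-client.crt;
        proxy_ssl_certificate_key     /etc/nginx/tls/front-proxy-client.key;
        # Verify the apiserver's serving certificate against the cluster CA;
        # the address in proxy_pass must match one of that certificate's SANs.
        proxy_ssl_trusted_certificate /etc/kubernetes/pki/ca.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;

        # Identity headers are set from the verified certificate, never copied
        # from the incoming request. An empty value makes nginx drop the header,
        # so a caller cannot smuggle group membership past the proxy.
        proxy_set_header X-Remote-User  $kube_user;
        proxy_set_header X-Remote-Group "";
        proxy_set_header Host           $host;

        # kubectl exec, attach and port-forward upgrade the connection, and
        # watches stay open for a long time.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_read_timeout 1h;
    }
}
```

Two consequences of this design are worth keeping in mind. Whoever holds the front-proxy key can assert any user name to the apiserver, so the proxy host deserves the same protection as the cluster CA key. And the apiserver trusts every header named by the requestheader flags from that connection, so the proxy has to set `X-Remote-User` itself and clear `X-Remote-Group` rather than forwarding what the caller sent; leave `--requestheader-extra-headers-prefix` unset unless the proxy can strip caller-supplied headers with that prefix, which nginx cannot do by wildcard. The user name taken from the CN still needs RBAC bindings on the cluster side before it can do anything.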


