Securing Kubernetes resources that should be exposed externally to only a subset of users is often done through IP allowlisting and a VPN. While this is a tried and true method, it has drawbacks. By Brian Sizemore.
Instead of manual VPN setup, this approach uses OAuth2 Proxy (an open-source tool) paired with Ingress-Nginx (a Kubernetes ingress controller). OAuth2 Proxy authenticates users via their company's existing identity provider (e.g., Google Workspace, Microsoft) and controls access to resources before they reach Kubernetes. Ingress-Nginx acts as a reverse proxy, redirecting unauthenticated users to the IdP's login page instead of blocking calls outright.
Here’s how it works:
- Authentication: When a user tries to access a Kubernetes resource, Ingress-Nginx (the gateway to your cluster) redirects them to OAuth2 Proxy.
- Validation: OAuth2 Proxy checks if the user is logged into their company’s identity provider (e.g., Google Workspace, Microsoft) using OAuth 2.0 or OpenID Connect.
- Access Control: If authenticated, the user is granted access. If not, they’re sent to their company’s login page.
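The three steps above map onto two ingress-nginx annotations. The manifest below is an added example, not configuration from the original post or from the OAuth2 Proxy project; the hostnames `app.example.com` and `auth.example.com`, the service names `internal-app` and `oauth2-proxy`, the namespace and the TLS secret names are assumptions.

```yaml
# Ingress for the protected application. For every request, ingress-nginx
# first makes a subrequest to OAuth2 Proxy's /oauth2/auth endpoint (auth-url).
# A 2xx answer lets the request through to the backend; a 401 answer makes
# ingress-nginx redirect the browser to auth-signin, which starts the IdP
# login and returns the user to the original URL via the "rd" parameter.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-app            # assumed name
  namespace: apps               # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$scheme://$host$request_uri"
    # Pass the identity OAuth2 Proxy established on to the application so it
    # can make its own per-user authorisation decisions without a second login.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Email,X-Auth-Request-Groups"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: internal-app-tls   # assumed secret
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-app   # assumed service
                port:
                  number: 80
---
# Ingress for OAuth2 Proxy itself. It must be reachable both by the browser
# (for the login redirect) and by ingress-nginx (for the auth subrequest).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: apps
spec:
  ingressClassName: nginx
  tls:
    - hosts: [auth.example.com]
      secretName: oauth2-proxy-tls   # assumed secret
  rules:
    - host: auth.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy   # assumed service, OAuth2 Proxy's default port
                port:
                  number: 4180
```

With `auth-url` set, the application never receives a request that OAuth2 Proxy rejected, so the allowlist lives in one place rather than in every app. The group-based restriction the post mentions is configured on the OAuth2 Proxy side (its `--allowed-group` flag), and the `X-Auth-Request-*` headers forwarded above are only emitted when OAuth2 Proxy runs with `--set-xauthrequest`. Note that the `/oauth2` path must be served over TLS and only from OAuth2 Proxy: the session cookie it issues is what the subrequest checks.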
By using OAuth2 Proxy, you can simplify access control to internal applications and eliminate the need for a VPN. This approach leverages existing company login credentials and enables fine-grained access control using groups. Good read!