
Provide Kubernetes cluster authentication with kubeconfig over https


I have a Kubernetes cluster. I created it on Google Cloud, but using GCE rather than GKE: one master node and two worker nodes as VM instances. Kubeadm was used to join the master and worker nodes, along with the kube-flannel.yml file. I am exposing my cluster externally in Postman using my VM's public IP and the NodePort. I am able to hit that URL: publicip:nodePort/adapter_name. The request reaches my pods and logs are generated. When I used minikube before, I used port-forwarding to expose my port. Now I am not using that.

There is a default kubeconfig file called config present at $HOME/.kube/config. It has the following content:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJ....
    server: https://10.128.0.12:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFe....
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb.....

The server address is https://10.128.0.12:6443. Can I change this default URL to the one required for authentication [my REST API URL]?

My requirement is to provide authentication for my REST API URL, which my application exposes while running in a Kubernetes pod.

How can I authenticate my REST API URL with this kubeconfig method, or by creating a new kubeconfig file and using that?

https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/

http://docs.shippable.com/deploy/tutorial/create-kubeconfig-for-self-hosted-kubernetes-cluster/

I got a few ideas from the above two blogs and tried to implement them, but none of them satisfies my requirement. Authentication via Postman using any JWT token is also acceptable.

Kubernetes version:

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:17:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"} 
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:09:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"} 

Solution

  • The best method to authenticate our client API/endpoint URL is to use Istio

    Istio installation

    I documented the whole process of providing security via Istio in a PDF file, which I am attaching here. Istio is used for the verification of the token and Keycloak is used for the generation of the JWT token.
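The answer's PDF is not on the page, so the following is an added example (not the answerer's own configuration) of the two Istio objects that put JWT verification in front of the pods, with Keycloak as the issuer. It assumes that the namespace `default` has Istio sidecar injection enabled, that the application pods carry the label `app: adapter`, and that Keycloak serves a realm at `https://keycloak.example.com/realms/myrealm` (older Keycloak versions put `/auth` before `/realms`); all three names are hypothetical.

```yaml
# Added example, not the PDF from the answer. Hypothetical names:
# namespace "default", pod label app: adapter, Keycloak realm URL
# https://keycloak.example.com/realms/myrealm
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: adapter-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: adapter
  jwtRules:
  # The "iss" claim of the token must match this string exactly;
  # the signing keys are fetched from the realm's JWKS endpoint.
  - issuer: "https://keycloak.example.com/realms/myrealm"
    jwksUri: "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/certs"
    # Uncomment if the application itself also needs to read the token:
    # forwardOriginalToken: true
---
# RequestAuthentication on its own only rejects requests that carry an
# INVALID token; a request with no Authorization header still reaches the pod.
# This AuthorizationPolicy is what actually closes the endpoint: it allows
# only requests that have a request principal (iss/sub) from a verified JWT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: adapter-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: adapter
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

Apply both with `kubectl apply -f`, then test from Postman (or curl) against `publicip:nodePort/adapter_name`: with no `Authorization` header the sidecar should answer 403 (RBAC: access denied), with a tampered or expired token 401, and with a token obtained from Keycloak's `protocol/openid-connect/token` endpoint sent as `Authorization: Bearer <token>` the request should reach the pod as before. The NodePort path does not bypass this, because the sidecar intercepts all inbound traffic to the pod, but only if the pod was actually injected; check with `kubectl get pod -n default -o jsonpath='{.items[*].spec.containers[*].name}'` that `istio-proxy` is listed.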