Basic authentication for elasticsearch pod running in kubernetes cluster

1
votes

We need to create basic (username/password) authentication for elasticsearch and kibana oss (Apache license) running into our kubernetes clusters. We have multi-cloud installations in AWS (EKS), Google cloud (GKE), on-premise installations and we plan to use Azure.

I think about nginx reverse proxy with basic authentication running as sidecar container in each elasticsearch/kibana pod. This is will be a simple and known solution.

The question is: What is be the right solution in k8s cluster? What we can take from an infinite number of solutions for easy maintenance?

1
dockerelasticsearchnginxkuberneteskibana

1 Answers

2
votes

Well if you are using nginx ingress controller you can add basic auth like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana
  namespace: kibana
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: my-secret-basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - kibana-admin'
  ...
  ...

The my-secret-basic-auth have to be created with htpasswd:

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo

Then you need to create the secret:

$ kubectl create secret generic my-secret-basic-auth --from-file=auth
secret "my-secret-basic-auth" created

That's simple and easy to maintain but you will be attach to nginx ingress controller forever.