Integrating DNS-Based Authorization With GKE Ingress
Introduction
In this guide, we will integrate DNS-based authorization with Google Kubernetes Engine (GKE) Ingress. This involves setting up a GKE cluster, configuring DNS records, and creating an Ingress resource with DNS-based authorization. The key services involved are GKE, Google Cloud DNS, and Kubernetes Ingress.
Step-by-Step Explanation
Step 1: Set Up GKE Cluster
- Create a new GKE cluster using Pulumi’s GCP provider.
- Configure the cluster with the necessary node pools and network settings.
Step 2: Configure DNS Records
- Set up a Google Cloud DNS managed zone.
- Create DNS records that point to the GKE cluster’s external IP address.
Step 3: Create Ingress Resource with DNS-based Authorization
- Define a Kubernetes Ingress resource with the appropriate DNS-based authorization annotations.
- Apply the Ingress resource to the GKE cluster.
Summary
By following this guide, you have successfully integrated DNS-based authorization with GKE Ingress. This setup ensures that only requests from authorized DNS domains are allowed to access your services, enhancing the security of your application.
Full Code Example
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
// Step 1: Set Up GKE Cluster
const cluster = new gcp.container.Cluster("gke-cluster", {
initialNodeCount: 3,
minMasterVersion: "latest",
nodeConfig: {
machineType: "n1-standard-1",
oauthScopes: [
"https://www.googleapis.com/auth/cloud-platform",
],
},
});
// Export the cluster name
export const clusterName = cluster.name;
// Step 2: Configure DNS Records
const managedZone = new gcp.dns.ManagedZone("gke-managed-zone", {
dnsName: "example.com.",
description: "Managed zone for GKE ingress",
});
// Export the DNS name
export const dnsName = managedZone.dnsName;
// Step 3: Create Ingress Resource with DNS-based Authorization
const appLabels = { app: "my-app" };
const namespace = new k8s.core.v1.Namespace("my-namespace", { metadata: { name: "my-namespace" } });
const appService = new k8s.core.v1.Service("app-service", {
metadata: {
labels: appLabels,
namespace: namespace.metadata.name,
},
spec: {
ports: [{ port: 80, targetPort: 80 }],
selector: appLabels,
},
});
const ingress = new k8s.networking.v1.Ingress("app-ingress", {
metadata: {
namespace: namespace.metadata.name,
annotations: {
"nginx.ingress.kubernetes.io/auth-url": "https://example.com/auth",
"nginx.ingress.kubernetes.io/auth-signin": "https://example.com/signin",
},
},
spec: {
rules: [{
host: "example.com",
http: {
paths: [{
path: "/",
pathType: "Prefix",
backend: {
service: {
name: appService.metadata.name,
port: { number: 80 },
},
},
}],
},
}],
},
});
// Export the Ingress name
export const ingressName = ingress.metadata.name;
Deploy this code
Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.
Sign upNew to Pulumi?
Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.
Sign upThank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.