How do I enable Kibana user authentication through Kubernetes Ingress and OAuth?
In this guide, we will walk through the steps to enable user authentication for Kibana using Kubernetes Ingress and OAuth. We will set up a Kubernetes Ingress resource with OAuth authentication to secure access to the Kibana dashboard.
Key Points
- Kubernetes Ingress: Manages external access to services in a Kubernetes cluster.
- OAuth: An open standard for access delegation commonly used for token-based authentication.
- Kibana: An open-source data visualization dashboard for Elasticsearch.
Steps
- Create Kubernetes Namespace: Define a namespace to isolate resources.
- Deploy Kibana: Deploy the Kibana service in the namespace.
- Set Up Ingress Controller: Configure an NGINX Ingress controller to manage ingress resources.
- Configure OAuth Proxy: Deploy an OAuth proxy to handle authentication.
- Create Ingress Resource: Define the Ingress resource to route traffic to Kibana through the OAuth proxy.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a namespace for the deployment
const ns = new k8s.core.v1.Namespace("kibana-ns", {
    metadata: {
        name: "kibana-ns",
    },
});

// Deploy Kibana
const kibanaDeployment = new k8s.apps.v1.Deployment("kibana-deployment", {
    metadata: {
        namespace: ns.metadata.name,
        name: "kibana",
    },
    spec: {
        selector: {
            matchLabels: {
                app: "kibana",
            },
        },
        replicas: 1,
        template: {
            metadata: {
                labels: {
                    app: "kibana",
                },
            },
            spec: {
                containers: [{
                    name: "kibana",
                    image: "docker.elastic.co/kibana/kibana:7.10.0",
                    ports: [{ containerPort: 5601 }],
                    env: [{
                        // Kibana 7.x reads elasticsearch.hosts; ELASTICSEARCH_URL was the 6.x name
                        name: "ELASTICSEARCH_HOSTS",
                        value: "http://elasticsearch:9200",
                    }],
                }],
            },
        },
    },
});

// Expose Kibana as a service (ClusterIP by default, so it is reachable only
// from inside the cluster and never directly from the Ingress)
const kibanaService = new k8s.core.v1.Service("kibana-service", {
    metadata: {
        namespace: ns.metadata.name,
        name: "kibana",
    },
    spec: {
        selector: kibanaDeployment.spec.template.metadata.labels,
        ports: [{
            protocol: "TCP",
            port: 80,
            targetPort: 5601,
        }],
    },
});

// Deploy OAuth2 Proxy
const oauth2ProxyDeployment = new k8s.apps.v1.Deployment("oauth2-proxy-deployment", {
    metadata: {
        namespace: ns.metadata.name,
        name: "oauth2-proxy",
    },
    spec: {
        selector: {
            matchLabels: {
                app: "oauth2-proxy",
            },
        },
        replicas: 1,
        template: {
            metadata: {
                labels: {
                    app: "oauth2-proxy",
                },
            },
            spec: {
                containers: [{
                    name: "oauth2-proxy",
                    image: "quay.io/oauth2-proxy/oauth2-proxy:v7.1.3",
                    args: [
                        "--provider=google",
                        // "*" accepts any Google account; set your organization's
                        // domain here to restrict who can sign in
                        "--email-domain=*",
                        // Listen on all interfaces; the default 127.0.0.1:4180 is
                        // unreachable from the Service
                        "--http-address=0.0.0.0:4180",
                        // Trust the X-Forwarded-* headers set by the NGINX Ingress
                        // controller in front of the proxy
                        "--reverse-proxy=true",
                        // Kibana runs in a separate pod, so reach it through its
                        // Service rather than localhost
                        "--upstream=http://kibana:80",
                        // Placeholders: args are readable in the pod spec, so load the
                        // real values from Pulumi secret config or a Kubernetes Secret
                        "--cookie-secret=YOUR_COOKIE_SECRET",
                        "--client-id=YOUR_CLIENT_ID",
                        "--client-secret=YOUR_CLIENT_SECRET",
                    ],
                    ports: [{ containerPort: 4180 }],
                }],
            },
        },
    },
});

// Expose OAuth2 Proxy as a service
const oauth2ProxyService = new k8s.core.v1.Service("oauth2-proxy-service", {
    metadata: {
        namespace: ns.metadata.name,
        name: "oauth2-proxy",
    },
    spec: {
        selector: oauth2ProxyDeployment.spec.template.metadata.labels,
        ports: [{
            protocol: "TCP",
            port: 80,
            targetPort: 4180,
        }],
    },
});

// Create an Ingress resource to route traffic through the OAuth2 Proxy to Kibana.
// oauth2-proxy authenticates every request itself before forwarding it upstream, so
// the nginx.ingress.kubernetes.io/auth-url and auth-signin annotations are not set:
// on an Ingress that sends "/" to the proxy, they would put the /oauth2/auth check
// behind itself. networking.k8s.io/v1 is used because v1beta1 was removed in
// Kubernetes 1.22.
const ingress = new k8s.networking.v1.Ingress("kibana-ingress", {
    metadata: {
        namespace: ns.metadata.name,
        name: "kibana",
    },
    spec: {
        // Assumes the NGINX Ingress controller is installed with an IngressClass
        // named "nginx". Add a spec.tls entry for the host as well: oauth2-proxy
        // marks its session cookie Secure by default.
        ingressClassName: "nginx",
        rules: [{
            host: "kibana.example.com",
            http: {
                paths: [{
                    path: "/",
                    pathType: "Prefix",
                    backend: {
                        service: {
                            name: oauth2ProxyService.metadata.name,
                            port: { number: 80 },
                        },
                    },
                }],
            },
        }],
    },
});
```
Summary
In this guide, we set up user authentication for Kibana using Kubernetes Ingress and OAuth. We created a namespace, deployed Kibana, set up an NGINX Ingress controller, configured an OAuth proxy, and defined an Ingress resource to route traffic through the OAuth proxy to Kibana. This configuration ensures that only authenticated users can access the Kibana dashboard.
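A pre-deploy check for an oauth2-proxy `args` list like the one this guide passes, as an added example that is not Pulumi or oauth2-proxy project code. The function names and both sample argument lists are constructed for illustration; the check flags a wildcard email domain, a loopback upstream or listener, placeholder credentials, and a cookie secret that is not 16, 24 or 32 bytes.

```typescript
// Added example; function names and sample values are constructed for illustration.
type Finding = { flag: string; issue: string };
// Collect "--name=value" arguments into a lookup table (last one wins).
function parseFlags(args: string[]): Record<string, string> {
    const flags: Record<string, string> = {};
    for (const arg of args) {
        const m = /^--([a-z0-9-]+)=(.*)$/.exec(arg);
        if (m) flags[m[1]] = m[2];
    }
    return flags;
}

// Byte lengths the secret could represent: raw, and base64-decoded if it parses.
function secretSizes(secret: string): number[] {
    const sizes = [secret.length];
    const b64 = secret.replace(/=+$/, "");
    if (/^[A-Za-z0-9+\/_-]+$/.test(b64) && b64.length % 4 !== 1) {
        sizes.push(Math.floor((b64.length * 3) / 4));
    }
    return sizes;
}

function lintOauth2ProxyArgs(args: string[]): Finding[] {
    const flags = parseFlags(args);
    const get = (name: string): string => flags[name] || "";
    const findings: Finding[] = [];
    const add = (flag: string, issue: string) => { findings.push({ flag, issue }); };
    if (get("email-domain").split(",").indexOf("*") !== -1)
        add("email-domain", "wildcard admits any account the provider authenticates");
    if (/^https?:\/\/(localhost|127\.0\.0\.1)([:\/]|$)/.test(get("upstream")))
        add("upstream", "loopback upstream only works if Kibana runs in the same pod");
    if (!/^(0\.0\.0\.0|\[::\])?:\d+$/.test(get("http-address")))
        add("http-address", "listener must bind all interfaces (default is 127.0.0.1:4180)");
    for (const name of ["cookie-secret", "client-id", "client-secret"])
        if (/^(YOUR_.*)?$/.test(get(name))) add(name, "missing or placeholder value");
    const secret = get("cookie-secret");
    const okSize = secretSizes(secret).some((n) => n === 16 || n === 24 || n === 32);
    if (secret && !/^YOUR_/.test(secret) && !okSize)
        add("cookie-secret", "must be 16, 24 or 32 bytes (raw or base64)");
    return findings;
}

// Constructed samples: a weak argument list and a hardened one (dummy secret values).
const weakArgs = ["--provider=google", "--email-domain=*",
    "--upstream=http://localhost:5601", "--cookie-secret=YOUR_COOKIE_SECRET",
    "--client-id=YOUR_CLIENT_ID", "--client-secret=YOUR_CLIENT_SECRET"];
const hardenedArgs = ["--provider=google", "--email-domain=example.com",
    "--http-address=0.0.0.0:4180", "--upstream=http://kibana:80", "--client-id=constructed-id",
    "--client-secret=constructed-secret", "--cookie-secret=0123456789abcdef0123456789abcdef"];
```

Calling `lintOauth2ProxyArgs(weakArgs)` returns six findings and `lintOauth2ProxyArgs(hardenedArgs)` returns none, so the function can gate a deployment by failing when the returned array is non-empty.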