When I ran into this I was trying to pass the client cert through nginx
with something like this in my proxy config:
     proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;

I found some SO articles about it and an old posting on the nginx forum
from Maxim regarding issues proxying client certs
https://forum.nginx.org/read.php?2,236546,236546#msg-236546

I settled with the stream_proxy module I mentioned before and just proxy
raw TCP to the kube api.


On Fri, Feb 3, 2017 at 10:31 AM, Torsten Bronger <
bron...@physik.rwth-aachen.de> wrote:

> Hello!
>
> On Friday, 3 February 2017 14:30:47 UTC+1, Alex Creek wrote:
>>
>> Nginx is stripping out the client cert when it proxies the request.  You
>> have to set up raw tcp forwarding instead of http proxying.  You can use
>> the ngx_stream_proxy_module available in nginx 1.9.0 or haproxy which
>> does it out of the box.
>>
>
> Note that it is nginx – rather than k8s – that denies the request.  If I
> switch off client certificate checking in nginx, I can communicate
> successfully with k8s.  This is because I told nginx to use that same cert
> when contacting k8s.  So the second part works but not the first part.
>
> Seemingly, the cert is not sent from kubectl in the first place.  But why
> shouldn't it?
>
> I got it working now by using Basic Auth between kubectl and nginx, and
> the TLS cert between nginx and k8s.  It would still be nice if both
> connections used the client certificate.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Alex
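
The two proxy modes discussed in this thread, side by side, as an added example that is not part of the original messages. The upstream address, ports and file paths are placeholders, and both blocks are fragments of the top level of nginx.conf (the stream block needs an nginx build that includes the stream module).

```nginx
# Added illustration; addresses, ports and file paths are placeholders.

# (A) HTTP proxying: nginx terminates TLS. The client's certificate is
# consumed by the nginx handshake. The connection to the API server is a
# separate TLS session, so the API server only sees the certificate that
# nginx itself presents, and every user arrives with that one identity.
http {
    server {
        listen 443 ssl;
        ssl_certificate        /etc/nginx/tls/server.crt;
        ssl_certificate_key    /etc/nginx/tls/server.key;
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # CA for client certs
        ssl_verify_client      on;

        location / {
            proxy_pass https://10.0.0.10:6443;
            # Certificate nginx uses towards the API server.
            proxy_ssl_certificate     /etc/nginx/tls/nginx-client.crt;
            proxy_ssl_certificate_key /etc/nginx/tls/nginx-client.key;
            # Copies the PEM into a request header. This is not a TLS
            # client certificate and does not take part in the upstream
            # handshake.
            proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;
        }
    }
}

# (B) Raw TCP forwarding with ngx_stream_proxy_module (nginx >= 1.9.0).
# nginx does not terminate TLS, so the handshake, including the client
# certificate, runs end to end between kubectl and the API server.
# nginx sees only ciphertext here: it cannot check client certificates
# or inspect requests, so all authentication and authorization is done
# by the API server.
stream {
    upstream kube_apiserver {
        server 10.0.0.10:6443;
    }

    server {
        listen 6443;
        proxy_pass kube_apiserver;
        proxy_connect_timeout 5s;
    }
}
```

With (B), the certificate served to kubectl is the API server's own, so the hostname or address clients use for the proxy has to be covered by that certificate.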
