vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Bypass vouch for IP range with k8s ingress

flipsed opened this issue · comments

Describe the problem
I have vouch configured on a k8s ingress and I would like to add a bypass rule based on an IP range. This is a similar question to #378 but specific to k8s ingress. I'm using Okta as an IdP.

Expected behavior
When using the annotations below I would expect the following behaviour from the k8s ingress: if a request comes from one of the whitelisted IPs, it would bypass authentication because of the satisfy any constraint. If it is not in the whitelist, I would expect a redirection to vouch. Unfortunately, with this config, the internal whitelisted IPs are also getting redirected to vouch.

    nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User
    nginx.ingress.kubernetes.io/auth-signin: https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    nginx.ingress.kubernetes.io/auth-url: https://example.com/validate
    nginx.ingress.kubernetes.io/configuration-snippet: |
      satisfy any;
      allow <internal IP CIDR>;
      allow <internal IP CIDR>;
      allow <internal IP CIDR>;
      deny all;

Desktop (please complete the following information):

  • OS: macOS Monterey
  • Browser: Firefox
  • Version: [e.g. 22]

Additional context
I've also tested using these annotations for the IP range bypass but the behaviour is the same:

    nginx.ingress.kubernetes.io/satisfy: "any"
    nginx.ingress.kubernetes.io/whitelist-source-range: <internal IP CIDR>, <internal IP CIDR>

@flipsed I'm not currently a k8s user so I may not be the best resource to help here.

Could you please add a bit more context? The README describes the preferred method of submitting an issue, please do that. But also I'm curious about where your k8s is hosted and anything else about that operating environment.

This is an interesting discussion which may be relevant...
kubernetes/ingress-nginx#7354

This turned out to be a networking issue rather than a vouch-proxy or k8s ingress annotation problem. I had disabled proxying in Cloudflare and I was making a request directly to the ELB that was in front of my ingress, but the nginx logs were still showing the origin as being one of Cloudflare's IPs.

For anyone facing the same issue, my solution was to re-enable Cloudflare proxying and use the nginx real-ip module: http://nginx.org/en/docs/http/ngx_http_realip_module.html
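The thread turns on one detail: the `satisfy any` / `allow` / `deny all` bypass in the original annotations is evaluated against whatever nginx holds in $remote_addr, and behind a CDN or load balancer that is the proxy's address unless ngx_http_realip_module has rewritten it. The following is an added Python model (not vouch-proxy, ingress-nginx or nginx code) of how that rewrite works and how the allowlist decision then falls out, including the misconfiguration to avoid. All addresses are constructed from RFC 5737 documentation ranges; 203.0.113.0/24 stands in for the CDN edge ranges that would really be listed in set_real_ip_from, and the function names are this example's own.

```python
"""Model of nginx realip resolution followed by a `satisfy any` allowlist check.

Added illustration only; this is not nginx, ingress-nginx or vouch-proxy code.
Addresses are constructed: 10.0.0.0/8 and 192.168.0.0/16 play the internal
`allow` ranges, 203.0.113.0/24 stands in for the CDN edge ranges that belong in
set_real_ip_from, 198.51.100.7 is an arbitrary internet client.
"""
import ipaddress
from typing import Dict, List, Optional, Union


def _matches(addr: str, cidrs: List[str]) -> bool:
    """True if addr is inside any CIDR (used for allow/deny and set_real_ip_from)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def resolve_client_ip(remote_addr: str, header: Optional[str],
                      trusted_proxies: List[str], recursive: bool = True) -> str:
    """Address nginx exposes as $remote_addr after ngx_http_realip_module.

    - Peer not in set_real_ip_from: the header is ignored, the TCP peer wins.
    - Peer trusted, real_ip_recursive off: the last address in the header wins.
    - Peer trusted, real_ip_recursive on: the rightmost address that is not
      itself a trusted proxy wins; if every hop is trusted, the leftmost one.
    - Simplification of this model: any malformed hop keeps the peer address.
    """
    if header is None or not _matches(remote_addr, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in header.split(",") if h.strip()]
    if not hops:
        return remote_addr
    try:
        for h in hops:
            ipaddress.ip_address(h)
    except ValueError:
        return remote_addr
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not _matches(hop, trusted_proxies):
            return hop
    return hops[0]


def bypasses_auth(remote_addr: str, header: Optional[str], trusted_proxies: List[str],
                  allow_cidrs: List[str], recursive: bool = True) -> bool:
    """Decision of `satisfy any; allow <cidr>...; deny all; auth_request ...`:
    True means the resolved client is allowlisted and auth_request is skipped."""
    client = resolve_client_ip(remote_addr, header, trusted_proxies, recursive)
    return _matches(client, allow_cidrs)


INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]   # the `allow` lines (constructed)
CDN_EDGE = ["203.0.113.0/24"]                  # stand-in for set_real_ip_from ranges


def scenarios() -> Dict[str, Union[bool, str]]:
    """Constructed requests that show when the bypass fires and when it must not."""
    return {
        # Through the CDN: peer is an edge node, single-value header carries the office IP.
        "via_cdn_internal": bypasses_auth("203.0.113.10", "10.0.0.5", CDN_EDGE, INTERNAL),
        # Through the CDN from an arbitrary internet client: still sent to vouch.
        "via_cdn_external": bypasses_auth("203.0.113.10", "198.51.100.7", CDN_EDGE, INTERNAL),
        # Straight to the load balancer with a forged header: peer untrusted, header ignored.
        "direct_forged": bypasses_auth("198.51.100.7", "10.0.0.5", CDN_EDGE, INTERNAL),
        # The misconfiguration: trusting every peer honours the forged header.
        "trust_everyone_forged": bypasses_auth("198.51.100.7", "10.0.0.5", ["0.0.0.0/0"], INTERNAL),
        # X-Forwarded-For chain through two trusted hops, recursive on versus off.
        "xff_chain": resolve_client_ip("203.0.113.10", "198.51.100.7, 203.0.113.20", CDN_EDGE, True),
        "xff_chain_nonrecursive": resolve_client_ip("203.0.113.10", "198.51.100.7, 203.0.113.20", CDN_EDGE, False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The practical caveats this makes visible: with the peer untrusted, the header is never consulted, so an allowlist keyed on an unrewritten $remote_addr sends everyone to vouch (the symptom in the original report); with set_real_ip_from widened to 0.0.0.0/0, or with X-Forwarded-For trusted from any peer, the allowlist becomes a header anyone on the internet can forge to skip the IdP. List only the proxy ranges that actually sit in front of nginx, keep that list current as the provider publishes changes, and prefer a single-value header such as CF-Connecting-IP over the appendable X-Forwarded-For when the CDN offers one.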