GCP – How to Enable IAP for K8s on GCP

google-app-enginegoogle-cloud-platformgoogle-kubernetes-enginekubernetes

Aim: to enable Identity Aware Proxy (IAP) in conjunction with Kubernetes (k8s).

Methods:

Two apps were deployed
A SSL load balancer was put in front
When one navigates to domain/app1, app1 is shown
This tutorial was followed to enable IAP for k8s https://cloud.google.com/iap/docs/enabling-kubernetes-howto

Results

The Google login screen appears when one navigates to domain/app1
When the login succeeds a ‘default gateway – 404’ is shown instead of the app when IAP is disabled

Discussion

Should a redirect not be configured somewhere? When the authentication and authorization succeeds a URI _gcp_gatekeeper/authenticate was added and a 404 was returned, while a redirect to the app should be done right?
When an App engine is deployed, IAP is enable the IAP works out of the box. What makes this deploy different? Perhaps App Engine contains some elements that are omitted in k8s.

Current problem

When the authentication succeeds the following error is shown:

There was a problem with your request. Error code 11

Best Answer

To begin with, here’s some general information:

To get started with IAP in GCP, add an App Engine app or configure Cloud Load Balancer for IAP. In case you are running Kubernetes cluster, you may have the Load Balancer configured already.

Then you should enable IAP for it here: Menu -> Security -> Identity-Aware Proxy

And finally, that is the place where redirect URI can be configured. You can get there from previous step by selecting triple dot on the right side of your App/LB and choosing Edit OAuth Client.

Menu -> APIs & Services -> Credentials

Create OAuth clientID and set Authorized redirect URIs for it.

Authorized redirect URIs
For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.

For App Engine apps this value is predefined, but you can adjust it according to your needs.

Related Solutions

Ssh – Unable to SFTP with password authentication from outside localhost

This was an issue with Kubernetes.

Basically, I tried to make a NodePort service on port 22.

The reason I see:

debug1: Authentications that can continue: publickey

When trying this on a remote host is because Kubernetes is using port 22 on the node.

I fixed this by doing SFTP over a port that wasn't 22. Did this with a service like so:

kind: Service
apiVersion: v1
metadata:
  name: sftp-service
  labels:
    environment: production
spec:
  type: NodePort
  ports:
  - name: ssh
    port: 21
    targetPort: sftp
    nodePort: 30022  <- Used port 30022 for SFTP
  selector:
    app: sftp

This worked for things like FileZilla but I had to setup my service to use another port and used a LoadBalancer instead of a NodePort. I had some software that needed port 22. With a LoadBalancer I was able to get this working (but have to pay for a load balancer for something that's really not a heavy load):

kind: Service
apiVersion: v1
metadata:
  name: sftp-service
  labels:
    environment: production
spec:
  selector:
    app: sftp
  ports:
  - protocol: TCP
    port: 22
    targetPort: sftp
    nodePort: 30022
  type: LoadBalancer

I actually prefer to use the NodePort but I was having an issue using some software (Airflow's SFTPHook) that expected SFTP to go over port 22. If you can handle SFTP over a 3XXXX port (e.g. 30022) then you can just use type: NodePort and save yourself the $$ it takes to run a type: LoadBalancer service.

I open source this setup for folks: https://github.com/mikeghen/kubernetes-gcs-sftp

Message me for help

Best Answer

Related Solutions

Ssh – Unable to SFTP with password authentication from outside localhost

Related Topic