@vixus0
Created April 1, 2021 18:35
traefik-pomerium-kubernetes-forwardauth
```yaml
---
# Traefik middleware that asks Pomerium whether each request is allowed
# before it is passed on to the kube-apiserver.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
  namespace: pomerium
spec:
  forwardAuth:
    # Pomerium's forward-auth endpoint, reached over the cluster network.
    address: https://pomerium-proxy.pomerium.svc.cluster.local
    # Trust X-Forwarded-* headers already present on the incoming request.
    # Only safe when Traefik sits behind a proxy you control that sets them;
    # at the edge a client could spoof X-Forwarded-Host/Uri and have Pomerium
    # evaluate the policy of a different route.
    trustForwardHeader: true
    tls:
      # Traefik does not verify pomerium-proxy's certificate, so anything able
      # to impersonate that service on the cluster network can mint the
      # Authorization and Impersonate-* headers below. Prefer tls.caSecret
      # pointing at the CA that issued Pomerium's certificate.
      insecureSkipVerify: true
    # Headers copied from Pomerium's response onto the request sent upstream.
    # Traefik strips each listed header from the client request before copying,
    # so a caller cannot supply its own Impersonate-User/Impersonate-Group.
    # Headers that are NOT listed pass through from the client unchanged;
    # authResponseHeadersRegex (e.g. ^Impersonate-) covers the whole family.
    authResponseHeaders:
      - Authorization
      - Impersonate-User
      - Impersonate-Group
```

```yaml
---
# Variant 1: Traefik talks to the kube-apiserver service directly and uses the
# forward-auth middleware above for authorisation.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kube-api
  namespace: pomerium
spec:
  routes:
    # Pomerium's own endpoints (sign-in, callback, sign-out) must reach the
    # proxy unauthenticated. Traefik's default priority is the rule length,
    # so this longer rule wins over the catch-all below.
    - kind: Rule
      match: Host(`<kube api external domain>`) && PathPrefix(`/.pomerium`)
      services:
        - name: pomerium-proxy
          namespace: pomerium
          port: 443
    # Everything else: authorise via Pomerium, then forward to the API server.
    - kind: Rule
      match: Host(`<kube api external domain>`)
      services:
        - name: kubernetes
          namespace: default
          port: 443
      middlewares:
        - name: forward-auth
          namespace: pomerium
```

```yaml
---
# Variant 2 (same IngressRoute name as variant 1, so apply only one of them):
# Traefik hands the whole host to pomerium-proxy, and Pomerium proxies to the
# API server itself using the policy in the next block.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kube-api
  namespace: pomerium
spec:
  routes:
    - kind: Rule
      match: Host(`<kube api external domain>`)
      services:
        - name: pomerium-proxy
          namespace: pomerium
          port: 443
```

```yaml
# Pomerium configuration (policy section) used with variant 2; this is not part
# of the IngressRoute.
policy:
  - from: https://<kube api external domain>
    to: https://kubernetes.default.svc
    # Verify the API server's serving certificate against the in-cluster CA.
    tls_custom_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    # Required for kubectl exec / attach / port-forward (SPDY upgrade).
    allow_spdy: true
    allowed_domains:
      - <your domain>
    # Pomerium authenticates to the API server with its own service-account
    # token and impersonates the signed-in user, so that service account needs
    # RBAC permission to impersonate users and groups.
    kubernetes_service_account_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
```
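The security of variant 1 rests on what `authResponseHeaders` does to headers the client sends. The following Python model is an added illustration, not code from the gist, from Traefik or from Pomerium: it simulates Traefik's forwardAuth header merge as I understand Traefik v2 (listed names are stripped from the client request and then copied from the auth response; a regex strips and copies every matching name; everything else passes through; a non-2xx auth response is returned to the client). The hostname, token strings, user name and groups are constructed sample values.

```python
"""Model of how Traefik's forwardAuth middleware rewrites request headers
before the request reaches the upstream (here the kube-apiserver).

Added illustration; not code from the gist, Traefik or Pomerium. The
behaviour modelled is an assumption about Traefik v2 (verify against the
version you run):

  * each name in authResponseHeaders is removed from the client request and
    then, if the auth server's response carries it, copied from that response;
  * with authResponseHeadersRegex, every request header matching the regex is
    removed and every matching auth-response header is copied in;
  * any client header matching neither passes through untouched;
  * a non-2xx auth response is returned to the client; nothing is forwarded.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Headers = Dict[str, str]


def canonical(name: str) -> str:
    """Go-style canonical header key: impersonate-group -> Impersonate-Group."""
    return "-".join(part.capitalize() for part in name.split("-"))


def forward_auth(
    client_headers: Headers,
    auth_status: int,
    auth_headers: Headers,
    auth_response_headers: Iterable[str] = (),
    auth_response_headers_regex: Optional[str] = None,
) -> Tuple[bool, Headers]:
    """Return (forwarded, headers).

    forwarded=False: Traefik answered the client with the auth server's
    response (e.g. a 302 to the sign-in page); headers is that response.
    forwarded=True: the request goes upstream carrying the returned headers.
    """
    resp = {canonical(k): v for k, v in auth_headers.items()}
    if not 200 <= auth_status < 300:
        return False, resp

    req = {canonical(k): v for k, v in client_headers.items()}

    for name in (canonical(n) for n in auth_response_headers):
        req.pop(name, None)  # the client-supplied value never survives
        if name in resp:
            req[name] = resp[name]

    if auth_response_headers_regex:
        pattern = re.compile(auth_response_headers_regex)
        for name in [n for n in req if pattern.search(n)]:
            del req[name]
        for name, value in resp.items():
            if pattern.search(name):
                req[name] = value

    return True, req


# --- constructed sample traffic (not captured from a real cluster) ----------
# A signed-in user who also tries to smuggle impersonation headers past Pomerium.
CLIENT_REQUEST: Headers = {
    "Host": "kube.example.com",
    "Authorization": "Bearer attacker-controlled",
    "impersonate-group": "system:masters",  # lower-case on purpose
    "Impersonate-Extra-Scopes": "cluster-admin",
}

# What Pomerium's forward-auth endpoint returns for an allowed user
# (constructed values; the real token is Pomerium's service-account token).
POMERIUM_ALLOW: Headers = {
    "Authorization": "Bearer pomerium-service-account-token",
    "Impersonate-User": "alice@example.com",
    "Impersonate-Group": "system:authenticated",
}

GIST_AUTH_RESPONSE_HEADERS = ["Authorization", "Impersonate-User", "Impersonate-Group"]


def with_gist_middleware() -> Headers:
    """Headers reaching the kube-apiserver with the gist's authResponseHeaders."""
    _, headers = forward_auth(CLIENT_REQUEST, 200, POMERIUM_ALLOW, GIST_AUTH_RESPONSE_HEADERS)
    return headers


def with_regex_middleware() -> Headers:
    """Same request, but every Impersonate-* header handled by a regex."""
    _, headers = forward_auth(CLIENT_REQUEST, 200, POMERIUM_ALLOW, ["Authorization"], r"^Impersonate-")
    return headers


def with_incomplete_list() -> Headers:
    """What reaches the API server if Impersonate-Group is left out of the list."""
    _, headers = forward_auth(CLIENT_REQUEST, 200, POMERIUM_ALLOW, ["Authorization", "Impersonate-User"])
    return headers


def denied() -> Tuple[bool, Headers]:
    """Pomerium redirects an anonymous caller to sign-in; nothing is forwarded."""
    return forward_auth(CLIENT_REQUEST, 302, {"Location": "https://kube.example.com/.pomerium/sign_in"})


if __name__ == "__main__":
    for label, hdrs in [("gist list", with_gist_middleware()),
                        ("regex", with_regex_middleware()),
                        ("incomplete list", with_incomplete_list())]:
        print(label)
        for k, v in sorted(hdrs.items()):
            print(f"  {k}: {v}")
```

With the gist's list, the spoofed `impersonate-group` and `Authorization` are replaced by Pomerium's values, but `Impersonate-Extra-Scopes` is not in the list and reaches the API server from the client; whether it is honoured depends on the impersonation RBAC granted to Pomerium's service account. Dropping `Impersonate-Group` from the list lets `system:masters` through. A regex such as `^Impersonate-` removes the whole family regardless of the exact name the client chooses.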