Unable to disable HTTP access on ingress #6590

Closed
bentcoder opened this issue Dec 8, 2020 · 4 comments

@bentcoder

Hi,

Not sure if this is a bug or not so asking here. I followed the doc but nothing seems specific. Tried annotations as listed below but no luck. Coming from kubernetes repo.

Thanks

What happened:
Unable to disable HTTP requests.
This works curl --request GET http://my-address-finder.com but it shouldn't.

What you expected to happen:
Allow only HTTPS access.
Only this should work curl --insecure --request GET https://my-address-finder.com which already works so no problem.

How to reproduce it (as minimally and precisely as possible):

ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress

metadata:
  name: address-finder-ingress
#  annotations:
#    nginx.ingress.kubernetes.io/ssl-redirect: "false"     # HTTP is still accessible
#    kubernetes.io/ingress.class: "nginx"                  # HTTP is still accessible
#    kubernetes.io/ingress.allow-http: "false"             # HTTP is still accessible
#    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # 502 Bad Gateway

spec:
  tls:
    - hosts:
        - my-address-finder.com
      secretName: address-finder-tls-secret
  defaultBackend:
    service:
      name: address-finder-service
      port:
        number: 80

service.yaml

apiVersion: v1
kind: Service

metadata:
  name: address-finder-service

spec:
  selector:
    app: address-finder
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8888

deployment.yaml

apiVersion: apps/v1
kind: Deployment

metadata:
  name: address-finder-deployment
  labels:
    app: address-finder

spec:
  replicas: 1
  selector:
    matchLabels:
      app: address-finder
  template:
    metadata:
      labels:
        app: address-finder
    spec:
      containers:
        - name: golang
          image: bentcoder/address-finder:latest
          ports:
            - containerPort: 8888

ingress

$ kubectl get ingress -n default
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

NAME                     CLASS    HOSTS   ADDRESS   PORTS     AGE
address-finder-ingress   <none>   *                 80, 443   12s

$ kubectl describe ingress address-finder-ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

Name:             address-finder-ingress
Namespace:        default
Address:          
Default backend:  address-finder-service:80   172.17.0.5:8888)
TLS:
  address-finder-tls-secret terminates my-address-finder.com
Rules:
  Host                                     Path  Backends
  ----                                     ----  --------
                                           * *
%!(EXTRA string=address-finder-service:80   172.17.0.5:8888))Annotations:  <none>
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  17s   nginx-ingress-controller  Ingress default/address-finder-ingress

service

$ kubectl describe service address-finder-service
Name:              address-finder-service
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          app=address-finder
Type:              ClusterIP
IP:                10.97.201.176
Port:              <unset>  80/TCP
TargetPort:        8888/TCP
Endpoints:         172.17.0.5:8888
Session Affinity:  None
Events:            <none>

secret

$ kubectl describe secret address-finder-tls-secret
Name:         address-finder-tls-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1233 bytes
tls.key:  1708 bytes

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2020-11-07T19:13:54Z", GoVersion:"go1.15.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:32:58Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
    Using minikube.
minikube version: v1.14.2
commit: 2c82918e2347188e21c4e44c8056fc80408bce10
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
Darwin mac.local 16.7.0 Darwin Kernel Version 16.7.0: Sun Jun  2 20:26:31 PDT 2019; root:xnu-3789.73.50~1/RELEASE_X86_64 x86_64
  • Install tools:
  • Network plugin and version (if this is a network-related bug):
  • Others:
$ kubectl get -f ingress.yaml -o yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"address-finder-ingress","namespace":"default"},"spec":{"rules":[{"host":"my-address-finder.com","http":{"paths":[{"backend":{"service":{"name":"address-finder-service","port":{"number":80}}},"path":"/","pathType":"Prefix"}]}}],"tls":[{"hosts":["my-address-finder.com"],"secretName":"address-finder-tls-secret"}]}}
    kubernetes.io/ingress.class: nginx
  creationTimestamp: "2020-11-28T07:32:41Z"
  generation: 1
  managedFields:
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2020-11-28T07:33:39Z"
  - apiVersion: networking.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:kubernetes.io/ingress.class: {}
      f:spec:
        f:rules: {}
        f:tls: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2020-11-28T07:38:41Z"
  name: address-finder-ingress
  namespace: default
  resourceVersion: "168557"
  selfLink: /apis/networking.k8s.io/v1/namespaces/default/ingresses/address-finder-ingress
  uid: 0976a6f4-4996-4795-aaad-699221097347
spec:
  rules:
  - host: my-address-finder.com
    http:
      paths:
      - backend:
          service:
            name: address-finder-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - my-address-finder.com
    secretName: address-finder-tls-secret
status:
  loadBalancer:
    ingress:
    - ip: 192.168.99.100

Ingress Controller details.

$ kubectl get pods --all-namespaces | grep ingress
kube-system                  ingress-nginx-admission-create-tpbrr         0/1     Completed      0          3d
kube-system                  ingress-nginx-admission-patch-vbwvm          0/1     Completed      2          3d
kube-system                  ingress-nginx-controller-799c9469f7-tkz48    1/1     Running        2          3d
$ kubectl describe pod ingress-nginx-controller-799c9469f7-tkz48 --namespace=kube-system
Name:         ingress-nginx-controller-799c9469f7-tkz48
Namespace:    kube-system
Priority:     0
Node:         minikube/192.168.99.100
Start Time:   Fri, 27 Nov 2020 19:20:26 +0000
Labels:       addonmanager.kubernetes.io/mode=Reconcile
              app.kubernetes.io/component=controller
              app.kubernetes.io/instance=ingress-nginx
              app.kubernetes.io/name=ingress-nginx
              gcp-auth-skip-secret=true
              pod-template-hash=799c9469f7
Annotations:  <none>
Status:       Running
IP:           172.17.0.4
IPs:
  IP:           172.17.0.4
Controlled By:  ReplicaSet/ingress-nginx-controller-799c9469f7
Containers:
  controller:
    Container ID:  docker://68580d8531272300dffd88ab7dc75d2b683766f4e8b498a572875f46523b0040
    Image:         us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller:v0.34.1@sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
    Image ID:      docker-pullable://us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller@sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
    Ports:         80/TCP, 443/TCP, 8443/TCP
    Host Ports:    80/TCP, 443/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
      --report-node-internal-ip-address
      --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
      --udp-services-configmap=$(POD_NAMESPACE)/udp-services
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
    State:          Running
      Started:      Sun, 29 Nov 2020 19:57:03 +0000
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sun, 29 Nov 2020 19:56:16 +0000
      Finished:     Sun, 29 Nov 2020 19:57:03 +0000
    Ready:          True
    Restart Count:  2
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       ingress-nginx-controller-799c9469f7-tkz48 (v1:metadata.name)
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from ingress-nginx-token-56b94 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-nginx-admission
    Optional:    false
  ingress-nginx-token-56b94:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-nginx-token-56b94
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:          <none>

Looks like my version is converted to extensions/v1beta1!!!

$ kubectl edit ingress address-finder-ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{},"name":"address-finder-ingress","namespace":"default"},"spec":{"defaultBackend":{"service":{"name":"address-finder-service","port":{"number":80}}},"tls":[{"hosts":["my-address-finder.com"],"secretName":"address-finder-tls-secret"}]}}
  creationTimestamp: "2020-11-27T23:22:23Z"
  generation: 1
  name: address-finder-ingress
  namespace: default
  resourceVersion: "165936"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/address-finder-ingress
  uid: 148a152d-d891-47df-aaa4-782390344e12
spec:
  backend:
    serviceName: address-finder-service
    servicePort: 80
  tls:
  - hosts:
    - my-address-finder.com
    secretName: address-finder-tls-secret
status:
  loadBalancer:
    ingress:
    - ip: 192.168.99.100

If I use the networking.k8s.io/v1beta1 version, HTTP is disabled. However, why won't the suggested version networking.k8s.io/v1 work?

apiVersion: networking.k8s.io/v1beta1
kind: Ingress

metadata:
  name: address-finder-ingress

spec:
  tls:
    - hosts:
        - my-address-finder.com
      secretName: address-finder-tls-secret
  rules:
    - host: my-address-finder.com
      http:
        paths:
          - path: /
            backend:
              serviceName: address-finder-service
              servicePort: 80

My HTTP requests are successfully redirected to HTTPS here.

$ curl -I --request GET http://my-address-finder.com
HTTP/1.1 308 Permanent Redirect
Server: nginx/1.19.1
Date: Sat, 28 Nov 2020 07:13:29 GMT
Content-Type: text/html
Content-Length: 171
Connection: keep-alive
Location: https://my-address-finder.com/

/kind bug

@bentcoder bentcoder added the kind/bug Categorizes issue or PR as related to a bug. label Dec 8, 2020
@aledbf
Member

aledbf commented Dec 8, 2020

kubernetes.io/ingress.allow-http: "false"

Closing. This annotation is supported only by ingress-gce

Edit: there is no way to disable HTTP for a particular ingress. If you want to block all access to port 80, then do not expose the port in the ingress-nginx service.

@aledbf aledbf closed this as completed Dec 8, 2020
@bentcoder
Author

Edit: there is no way to disable HTTP for a particular ingress. If you want to block all access to port 80, then do not expose the port in the ingress-nginx service.

I changed all port 80s and 8888s to 443 in all configuration files but HTTP is still accessible. As I said above, if I use the networking.k8s.io/v1beta1 version, HTTP is disabled. However, it is not the case for version networking.k8s.io/v1.

Closing. This annotation is supported only by ingress-gce

I am not sure if this is a feasible reason to close the ticket. I wouldn't close the ticket just because there is an unused piece of code/line I have seen. It is there for information purposes. I was trying to be as descriptive as possible by providing info on, for example, what else I have tried. Feels more like a shrug-off.

@shoce

shoce commented May 11, 2021

If you want to block all access to port 80, then do not expose the port in the ingress-nginx service.

I am quite new to Kubernetes and could not find this easily. Can you please give any suggestion how to not expose the port 80 in the ingress-nginx service? Because I do not create any Kubernetes Service for Ingress to work, I only have a yaml for creating the Ingress object and it works. But I really need to stop serving on port 80 completely and keep only port 443 that accepts connections only with the authorized client certificate.

@fethibilog

fethibilog commented Nov 17, 2021

If anyone is still looking for a solution, adding the tls attribute will only expose the HTTPS port. Here is an example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

https://github.com/nginxinc/kubernetes-ingress/blob/v2.0.3/examples/complete-example/cafe-ingress.yaml
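An added example, not part of the thread or of the ingress-nginx project: a small audit over `kubectl get ingress -o json` output that flags the conditions this issue ran into. The finding labels and sample object names are made up, and the host-rule check is a heuristic drawn from the difference between the two manifests posted above (the one that returned the 308 redirect had a rule for the TLS host; the one that kept serving HTTP had only a default backend).

```python
import json
import sys

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"            # per the thread: ingress-gce only
SSL_REDIRECT = "nginx.ingress.kubernetes.io/ssl-redirect"

def audit_ingress(ing):
    """Return findings about cleartext-HTTP exposure for one Ingress object (dict)."""
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    rule_hosts = {r["host"] for r in spec.get("rules") or [] if r.get("host")}
    findings = []
    if ALLOW_HTTP in ann:
        findings.append("allow-http-ignored-by-ingress-nginx")
    if str(ann.get(SSL_REDIRECT, "")).lower() == "false":
        findings.append("ssl-redirect-disabled")
    if not tls_hosts:
        findings.append("no-tls-section")
    # Exact-match comparison only; wildcard hosts are not expanded here.
    findings += [f"tls-host-without-rule:{h}" for h in sorted(tls_hosts - rule_hosts)]
    return findings

def audit_all(items):
    """Map each Ingress name to its list of findings (empty list means nothing flagged)."""
    return {i["metadata"]["name"]: audit_ingress(i) for i in items}

# Constructed sample mirroring the two specs in the issue (object names are made up).
_TLS = [{"hosts": ["my-address-finder.com"], "secretName": "address-finder-tls-secret"}]
_SVC = {"service": {"name": "address-finder-service", "port": {"number": 80}}}
SAMPLE = [
    {"metadata": {"name": "default-backend-only", "annotations": {ALLOW_HTTP: "false"}},
     "spec": {"tls": _TLS, "defaultBackend": _SVC}},
    {"metadata": {"name": "host-rule"},
     "spec": {"tls": _TLS, "rules": [{"host": "my-address-finder.com", "http": {"paths": [
         {"path": "/", "pathType": "Prefix", "backend": _SVC}]}}]}},
]

if __name__ == "__main__":
    # Pass a file saved from `kubectl get ingress -A -o json`; with no argument, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            items = json.load(fh)["items"]
    else:
        items = SAMPLE
    for name, findings in audit_all(items).items():
        print(name, findings or "ok")
```

A clean result here only says the manifest looks right; confirm the actual behaviour with the `curl -I` request shown earlier in the issue.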
