kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

[GLBC] Support Identity-Aware Proxy #421

Closed matthewg closed 7 years ago

matthewg commented 7 years ago

Identity-Aware Proxy is a new feature announced at Next, where Cloud HTTPS load balancer performs access control. It'd be great to support it natively in Kubernetes. It's part of the GCE beta API on the backend service, docs here.

(Sadly, there's no public API for creating an OAuth2 client ID, so users would have to create that out of band and specify it in their ingress config.)

patricklecuyer commented 7 years ago

I'm interested in working on this, as I have a use case, but the Go client for GCP does not support Cloud IAP yet. As soon as the Go client is updated, I'll work on a POC.

matthewg commented 7 years ago

Great to hear Patrick! The IAP fields are only present in the GCE "beta" API, since IAP itself is in beta, but they do seem to be present at https://code.googlesource.com/google-api-go-client/+/refs/heads/master/compute/v0.beta/compute-gen.go#2847 . Does that help?

patricklecuyer commented 7 years ago

Good, will take a look at this over the weekend :)

matthewg commented 7 years ago

Hi Patrick, have you had a chance to look at this yet?

patricklecuyer commented 7 years ago

Hi, sorry, got stuck on a work emergency, hadn't time to take a look at this yet. Starting to work on a POC now :)

matthewg commented 7 years ago

I just checked in the change to add the IAP fields to the GCE v1 API. It'll probably be a few weeks before that gets deployed.

piyushnigam commented 7 years ago

Hey Patrick,

I am also interested in contributing to this. Did you get a chance to look into it?

Thanks.

matthewg commented 7 years ago

Good news, IAP is in the golang compute/v1 API now: https://godoc.org/google.golang.org/api/compute/v1#BackendServiceIAP

matthewg commented 7 years ago

I've proposed an approach for exposing controller-specific settings in ingress backend config, in kubernetes/kubernetes#46177. I'd love some feedback on that; if there are better ways to expose controller-specific configuration, I'm happy to go a different direction.

matthewg commented 7 years ago

Current plan: the fix for #243 will also address this.

victornoel commented 5 years ago

@matthewg I see you closed this issue, so how does one use IAP with nginx-ingress (instead of the gce ingress)?

matthewg commented 5 years ago

@victornoel IAP is a feature of GCLB, so it only works with the GCE ingress.

victornoel commented 5 years ago

@matthewg ha, I see, I suppose that this issue is here as some remnant of the past when GCLB was tackled here then. Thanks for the clarification!

aledbf commented 5 years ago

> I suppose that this issue is here as some remnant of the past when GCLB was tackled here then.

The gce and nginx implementations shared this repository until a year ago.

muradmomani commented 4 years ago

Hi @matthewg, do you know if Google IAP can work with the Nginx controller now, or is it still not supported?

In my case I have an Nginx Controller with many ingress resources. I want to make authentication go through the IAP, then pass the request to the Nginx controller so it then routes the request to the appropriate host!

Thanks in advance.

piyushnigam commented 4 years ago

IAP still does not have support for nginx controller. I don't think there are any plans to support that either.

victornoel commented 4 years ago

@muradmomani if it is possible for you, pomerium, an open-source implementation of the zero-trust model of IAP, is able to work with nginx-ingress. See this example: https://www.pomerium.io/recipes/kubernetes.html#putting-it-all-together

muradmomani commented 4 years ago

@piyushnigam It seems so, thank you. @victornoel Thanks for the suggestion; it seems pomerium will work for our case. Thanks a lot.

seunroava commented 3 years ago

Unfortunately, IAP still doesn't have support for nginx-ingress. Like @victornoel muradmomani said, I have many ingresses running on several GKE clusters and only want to secure all with IAP. This is not possible as nginx-ingress does not support the Google HTTPS global load balancer. IAP only seems to work with this type of load balancer. Sad!