README
¶
Kube Web Proxy
WARNING 2023-01-17: This is unmaintained, and depends on packages with known security problems. I wrote this long ago. It may be useful as a proof of concept. I suspect it probably will no longer work, given that Kubernetes has changed a lot since I last tested this.
This is a hack to make it easy to connect to HTTP debug interfaces inside your Kubernetes cluster. You go to the proxy, and it shows you a list of pods/services in the cluster. You click the port you want, and it connects you. This makes it easy to access internal debugging interfaces. For example, you can access the Go pprof web UI to collect profiling information. This is a bit like the port-forwarding part of Octant, but runs in your cluster so it doesn't require installing anything, and it is very, very ugly.
Since this is a potential security hole, Kube Web Proxy requires requests to have been authenticated with the Google Cloud Identity-Aware Proxy (IAP). Getting this set up is a bit of a pain. My advice is:
- Set up the Ingress, without IAP turned on. The
/healthendpoint should work, but the other paths will return forbidden errors. - Enable IAP for the Ingress, which may require some fiddling.
Limitations
The proxy has to rewrite paths, in order to add /namespace/service/port to the URL path. I have only used a few tiny web applications, so I'm certainly missing some rewrites that are required. Cookies will be shared between all services (TODO: rewrite the header to scope them to paths). This also means JavaScript that embeds paths will probably break. The solution is probably to rewrite the application to use relative paths. A better solution would be to use a wildcard domain, but that is not supported by Google's managed TLS certificates.
Useful Documentation
- Managed Certificates on GKE
- IAP on GKE
- GKE Ingress Health checks Verifying IAP headers requires configuring the health check to use a path other than
/
Set up / using
- Build the container image and publish it.
- Configure IAP for your GKE cluster: https://cloud.google.com/iap/docs/enabling-kubernetes-howto. Most importantly, go to the OAuth Credentals page and get the Client ID and secret, then create the required Kubernetes secret:
kubectl create secret generic iap-secret --from-literal=client_id=xxx.googleusercontent.com --from-literal=client_secret=... - Edit kubewebproxy-deploy.yaml and set
Imageto the value you published, and configure the Ingress host name to the name you want, then apply it. kubectl describe ingress kubewebproxyand get the IP address. Configure your DNS for the host name you want to point to it.- Go to the IAP page, and copy the Signed Header JWT Audience for the ingress.
- Put it in the
--iapAudienceflag inkubewebproxy-deploy.yamland apply it again. - Access the ingress in your web browser. It should ideally work. First test the /health endpoint since it is public.
Note: Health checking on a custom path is a huge pain. The pod needs to exist before the ingress, so I had to delete and re-create the ingress to get it to work.
Kubernetes Service Account
This service the view ClusterRole to read service metadata from the Kubernetes API. I followed the in-cluster configuration example to grant it a service account with permission to view everything:
https://github.com/kubernetes/client-go/tree/master/examples/in-cluster-client-configuration
Run Locally
docker build . --tag=kubewebproxy docker run --rm -ti --publish=127.0.0.1:8080:8080 kubewebproxy
Building with Google Cloud Build
~/google-cloud-sdk/bin/gcloud builds submit . --project=gosignin-demo --substitutions=_LABEL=debug1
Documentation
¶
There is no documentation for this package.
Source Files