3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-05 20:32:57 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guide/kubernetes.md
Bobby DeSimone c13459bb88
authorize: add authorization (#59) 
* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
 * docs: updated `env.example` to include a `POLICY` setting example.
 * docs:  added `IDP_SERVICE_ACCOUNT` to  `env.example` .
 * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`.
 * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
 * proxy: `ROUTES` settings which has been replaced by `POLICY`.
* internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one.

Closes #54
Closes #41
Closes #61
Closes #58
2019-03-07 12:47:07 -08:00

85 lines
3.3 KiB
Markdown
Raw Blame History

# Kubernetes
This quickstart will show you how to deploy Pomerium with Kubernetes. For the purpose of this guide, we will be using Google's Kubernetes Engine. However, there are countless ways to work with Kubernetes:
- [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine/)
- [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/)
- [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/)
- [OpenShift Kubernetes](https://www.openshift.com/learn/topics/kubernetes/)
- Or locally, with [minikube](https://kubernetes.io/docs/setup/minikube/)
Most of the following steps should be very similar using any other provider.
:::tip
Google Cloud Platform has a [free trial with $300 credits](https://cloud.google.com/free/docs/gcp-free-tier).
:::
## Prerequisites
- A [Google Cloud Account](https://console.cloud.google.com/)
- A configured [identity provider]
- Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
- Install the [Google Cloud SDK](https://cloud.google.com/kubernetes-engine/docs/quickstart)
## Download
Retrieve the latest copy of pomerium's source-code by cloning the repository.
```bash
git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
```
## Configure
Edit the the [example kubernetes files][./scripts/kubernetes_gke.sh] to match your [identity provider] settings:
- `./docs/docs/examples/authorize.deploy.yml`
- `./docs/docs/examples/authorize.service.yml`
- `./docs/docs/examples/authenticate.deploy.yml`
- `./docs/docs/examples/authenticate.service.yml`
- `./docs/docs/examples/proxy.deploy.yml`
- `./docs/docs/examples/proxy.service.yml`
- `./docs/docs/examples/ingress.yml`
Place your domain's wild-card TLS certificate (`privkey.pem` and `cert.pem`) in the root of the repository. If you don't have one handy, the included [script] generates one from [LetsEncrypt].
Edit [./scripts/kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] settings.
## Run
Run [./scripts/kubernetes_gke.sh] which will:
1. Provision a new cluster
2. Create authenticate, authorize, and proxy [deployments](https://cloud.google.com/kubernetes-engine/docs/concepts/deployment).
3. Provision and apply authenticate, authorize, and proxy [services](https://cloud.google.com/kubernetes-engine/docs/concepts/service).
4. Configure an ingress load balancer.
```bash
sh ./scripts/kubernetes_gke.sh
```
You should see roughly the following in your terminal. Note, provisioning does take a few minutes.
[![asciicast](https://asciinema.org/a/223821.svg)](https://asciinema.org/a/223821)
And if you check out Google's Kubernetes Engine dashboard you'll see something like:
![Google's Kubernetes Engine dashboard](./kubernetes-gke.png)
## Navigate
Open a browser and navigate to `httpbin.your.domain.com`.
You should see something like the following in your browser.
![Getting started](./get-started.gif)
[./scripts/kubernetes_gke.sh]: ../docs/examples.html#google-kubernetes-engine
[example kubernetes files]: ../docs/examples.html#google-kubernetes-engine
[helloworld]: https://hub.docker.com/r/tutum/hello-world
[httpbin]: https://httpbin.org/
[identity provider]: ../docs/identity-providers.md
[letsencrypt]: https://letsencrypt.org/
[script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
Reference in a new issue View git blame Copy permalink