Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Exposing Workloads as Web APIs

The API Identity-Aware Proxy (API IAP) feature in PFCP allows you to expose your workloads as web APIs available over the internet. The exposed web APIs will automatically implement authentication for access, requiring a Kubernetes ServiceAccount token for authorization.

This section explains how to expose your web APIs over the internet using API IAP.

Note

For deploying your workloads as web applications accessible via browsers, please refer to Exposing Workloads as Web Applications.

Supported Protocols

The following protocols are supported.

  • HTTP/2
  • HTTP/1.1

Note

  • HTTP/2 is terminated by API IAP and forwarded to the Service as HTTP/1.1
  • gRPC is not supported

Exposing Web APIs Using Ingress Resources

  1. Prepare the workload and Service resources you wish to expose. For this example, assume you can access the workload by connecting to port 80 of the example-svc Service.

  2. Create an Ingress manifest using the following template:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: example-ingress
    spec:
      rules:
      - # Specifies the domain to assign to the Ingress.
        # Note: Unlike web application deployments, you must specify a subdomain of `api.iap.pfcomputing.com`.
        host: example.<organization-name>.<cluster-name>.api.iap.pfcomputing.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              # Specifies the name of the Service and its port to expose.
              service:
                name: example-svc
                port:
                  number: 80
    

    Warning

    Subdomain Restrictions

    For web API Ingresses, only the domain *.<organization-name>.<cluster-name>.api.iap.pfcomputing.com can be used.

    For example, if your organization name is foo and cluster name is sr1-01, the valid subdomain would be *.foo.sr1-01.api.iap.pfcomputing.com.

  3. Create a Kubernetes ServiceAccount for accessing the Ingress using the following template:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: example-sa
      # Specify the same Namespace as the Ingress.
      namespace: org-foo
      labels:
        # Specifies the name of the Ingress resource to allow access.
        ingress.preferred.jp/allowed-ingress: example-ingress
    

    Warning

    Default ServiceAccount

    The Kubernetes-automated default ServiceAccount cannot be used for accessing Ingress resources.

  4. Generate a Kubernetes ServiceAccount token using kubectl. The Audience field must be set to the domain configured for the Ingress resource, with https:// prepended. You may adjust the token’s expiration period as needed.

    $ kubectl create token example-sa --duration 12h --audience https://example.<organization-name>.<cluster-name>.api.iap.pfcomputing.com
    eyJ...
    

    Note

    Token Expiration

    Tokens with infinite validity cannot be issued. Instead, specify a sufficiently long duration.

  5. Access the configured domain by including the generated token in the Authorization HTTP header. Verify that you can successfully access the exposed service.

    $ curl --dump-header - -H "Authorization: Bearer eyJ..." https://example.<organization-name>.<cluster-name>.api.iap.pfcomputing.com
    

Managing Tokens

To deactivate a previously issued Kubernetes ServiceAccount token, simply delete the corresponding ServiceAccount. For granular token deactivation per token, consider using Bound ServiceAccount Tokens.

Removing the ingress.preferred.jp/allowed-ingress label from a Kubernetes ServiceAccount can temporarily block access without deactivating the token. To re-enable access, simply reapply the label.

You can check the list of Kubernetes ServiceAccounts with Ingress access permissions using the kubectl command:

$ kubectl get serviceaccount --selector ingress.preferred.jp/allowed-ingress
NAME         SECRETS   AGE
example-sa   0         4s

Limitations

  • Does not support exposing services using Service resource types NodePort, LoadBalancer, or ExternalName
  • If multiple Ingress resources are configured with the same domain matching the token’s Audience, authentication will fail with a 401 Unauthorized status code
  • Connections will be terminated after 24 hours of inactivity
  • Request body size is limited to 10MB