Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Exposing Workloads as Web Applications

The WebApp Identity-Aware Proxy (WebApp IAP) feature in PFCP allows you to expose your workloads as web applications to the internet. The exposed web application will automatically implement authentication for access, allowing only users belonging to the same organization to access it via their browsers.

This section explains how to expose your web application to the internet using WebApp IAP.

Note

For exposing your workloads as web APIs accessible via CLI or other interfaces, please refer to Exposing Workloads as Web APIs.

Exposing a Web Application to Your Entire Organization

  1. Prepare the workload you want to expose and its corresponding Service resource. For this example, assume you can access the workload by connecting to port 80 of the example-svc Service.

  2. Create an Ingress manifest using the following template:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: example-ingress
    spec:
      rules:
      - # Specifies the domain to assign to the Ingress.
        # Note: Unlike web API exposure, you must specify a subdomain of `ingress.pfcomputing.com`.
        host: example.<organization-name>.<cluster-name>.ingress.pfcomputing.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              # Specifies the name of the Service and its port to expose.
              service:
                name: example-svc
                port:
                  number: 80
    

    Warning

    Subdomain Restrictions

    For web application Ingresses, only the domain *.<organization-name>.<cluster-name>.ingress.pfcomputing.com can be used.

    For example, if your organization name is foo and your cluster name is sr1-01, the valid subdomain would be *.foo.sr1-01.ingress.pfcomputing.com.

  3. Access the Public Endpoints page in the portal, select your cluster name and namespace, and verify that the Ingress’s subdomain appears in the list of generated public endpoints.

  4. Access the specified subdomain in your browser, log in 1, and then verify that you can access the exposed service.

Exposing a Web Application to Select Users Within Your Organization

You can restrict the exposure of your web application to specific users or user groups within your organization.

First, follow the “Exposing a Web Application to Your Entire Organization” instructions to create the Ingress. Then, for the Ingress you want to restrict access to, add the following annotations. The value should be a comma-separated list of email addresses or user group names for users you wish to allow access.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # To allow specific users, add the allowed-users annotation
    ingress.preferred.jp/allowed-users: "foo@example.com, bar@example.com, baz@example.com"
...
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # To allow specific user groups, add the allowed-groups annotation
    ingress.preferred.jp/allowed-groups: "foo-group, bar-group"
...

If you add both annotations, access will be permitted for both specified users and user groups.

For managing user groups, please refer to Managing Organizational Users.

Tip

You can check which user groups you belong to using the kubectl auth whoami command. If you’re a member of the bar user group in organization foo, the Groups list will display oidc:org-foo/bar.

Verifying Access Restrictions

After applying the annotations, actually access the Ingress to verify that access restrictions are functioning correctly.

Warning

Changes to user groups may take time to propagate to existing logged-in user sessions. Try logging out and back in, or clearing your browser cookies.

When access restrictions are enabled, the Ingress will automatically include the nginx.ingress.kubernetes.io/auth-url annotation. If this annotation is missing, review your manifest for any annotation typos.

Restoring Exposure to Your Entire Organization

Remove all the following annotations from the Ingress:

  • ingress.preferred.jp/allowed-users
  • ingress.preferred.jp/allowed-groups
  • nginx.ingress.kubernetes.io/auth-url

Limitations

  • Does not support exposing services using Service resources with NodePort, LoadBalancer, or ExternalName types
  • Request body size limit is 10MB

  1. If your browser contains valid authentication cache, the login process will be skipped.