Warning
This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.
Exposing Workloads as Web Applications
The WebApp Identity-Aware Proxy (WebApp IAP) feature in PFCP allows you to expose your workloads as web applications to the internet. The exposed web application will automatically implement authentication for access, allowing only users belonging to the same organization to access it via their browsers.
This section explains how to expose your web application to the internet using WebApp IAP.
Note
For exposing your workloads as web APIs accessible via CLI or other interfaces, please refer to Exposing Workloads as Web APIs.
Exposing a Web Application to Your Entire Organization
-
Prepare the workload you want to expose and its corresponding Service resource. For this example, assume you can access the workload by connecting to port 80 of the
example-svcService. -
Create an Ingress manifest using the following template:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: example-ingress spec: rules: - # Specifies the domain to assign to the Ingress. # Note: Unlike web API exposure, you must specify a subdomain of `ingress.pfcomputing.com`. host: example.<organization-name>.<cluster-name>.ingress.pfcomputing.com http: paths: - path: / pathType: Prefix backend: # Specifies the name of the Service and its port to expose. service: name: example-svc port: number: 80Warning
Subdomain Restrictions
For web application Ingresses, only the domain
*.<organization-name>.<cluster-name>.ingress.pfcomputing.comcan be used.For example, if your organization name is
fooand your cluster name issr1-01, the valid subdomain would be*.foo.sr1-01.ingress.pfcomputing.com. -
Access the Public Endpoints page in the portal, select your cluster name and namespace, and verify that the Ingress’s subdomain appears in the list of generated public endpoints.
-
Access the specified subdomain in your browser, log in 1, and then verify that you can access the exposed service.
Exposing a Web Application to Select Users Within Your Organization
You can restrict the exposure of your web application to specific users or user groups within your organization.
First, follow the “Exposing a Web Application to Your Entire Organization” instructions to create the Ingress. Then, for the Ingress you want to restrict access to, add the following annotations. The value should be a comma-separated list of email addresses or user group names for users you wish to allow access.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
# To allow specific users, add the allowed-users annotation
ingress.preferred.jp/allowed-users: "foo@example.com, bar@example.com, baz@example.com"
...
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
# To allow specific user groups, add the allowed-groups annotation
ingress.preferred.jp/allowed-groups: "foo-group, bar-group"
...
If you add both annotations, access will be permitted for both specified users and user groups.
For managing user groups, please refer to Managing Organizational Users.
Tip
You can check which user groups you belong to using the
kubectl auth whoamicommand. If you’re a member of thebaruser group in organizationfoo, theGroupslist will displayoidc:org-foo/bar.
Verifying Access Restrictions
After applying the annotations, actually access the Ingress to verify that access restrictions are functioning correctly.
Warning
Changes to user groups may take time to propagate to existing logged-in user sessions. Try logging out and back in, or clearing your browser cookies.
When access restrictions are enabled, the Ingress will automatically include the nginx.ingress.kubernetes.io/auth-url annotation.
If this annotation is missing, review your manifest for any annotation typos.
Restoring Exposure to Your Entire Organization
Remove all the following annotations from the Ingress:
ingress.preferred.jp/allowed-usersingress.preferred.jp/allowed-groupsnginx.ingress.kubernetes.io/auth-url
Limitations
- Does not support exposing services using Service resources with
NodePort,LoadBalancer, orExternalNametypes - Request body size limit is 10MB
-
If your browser contains valid authentication cache, the login process will be skipped. ↩