I have Jenkins running in a pod, in an on-prem Kubernetes cluster. My company uses AD, and my Jenkins instance outside the cluster (I'm migrating from this to the cluster instance) uses LDAP for authentication. The cluster is running an nginx ingress controller which funnels http and https requests to appropriate apps inside the cluster based on the URL, e.g. jenkins.cluster.mycompany.com
I could make a firewall request for all my cluster members-->Company AD controller, but that seems short-sighted, as there will be multiple other apps in addition to Jenkins requiring the same type of authentication via LDAP.
What I thought I was looking for was some type of an internal cluster-service that would proxy an AD/LDAP authentication call, and all cluster apps could use it. Proxy, because the actual AD servers are Windows and I don't want to run a Win2kXs container as AD replica inside the cluster. This way my firewall rule would be a single IP, that of the proxy's external NET address.

Any thoughts or recommendations on how to do this? I've just started researching, and want to build the cluster and apps right. There is a lot of info on how to hook LDAP to Kubernetes, but for that I use certs; I need to be able to give users access to the internal apps rather than the cluster itself.

Mike Rysanek
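One way to realise the single-egress LDAP proxy service the question describes, as an added example that is not from the poster or from any answer: an nginx TCP (stream) passthrough for LDAPS, pinned with a nodeSelector to one dedicated node and using hostNetwork so that every directory lookup leaves the cluster from that node's address (the one address the firewall rule needs), plus a ClusterIP Service that apps reach as ldap-proxy.auth.svc. The controller addresses 10.0.0.10/11, the node label egress=ldap and the namespace auth are placeholders; proxying port 636 rather than 389 keeps bind credentials encrypted end-to-end, since TLS terminates at the domain controller, not at the proxy.

```yaml
# Added example, not from the original post. Placeholders: the AD addresses,
# the node label egress=ldap, and the namespace "auth".
apiVersion: v1
kind: ConfigMap
metadata: {name: ldap-proxy-conf, namespace: auth}
data:
  nginx.conf: |
    events {}
    stream {
      upstream ad_ldaps {
        server 10.0.0.10:636;   # placeholder: first AD domain controller
        server 10.0.0.11:636;   # placeholder: second AD domain controller
      }
      server {
        listen 636;             # LDAPS only; plain 389 would expose bind credentials
        proxy_pass ad_ldaps;    # raw TCP passthrough, TLS terminates at AD
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: ldap-proxy, namespace: auth}
spec:
  replicas: 1
  selector:
    matchLabels: {app: ldap-proxy}
  template:
    metadata:
      labels: {app: ldap-proxy}
    spec:
      hostNetwork: true               # egress uses the node's own IP
      nodeSelector: {egress: ldap}    # pin to the one node the firewall allows
      containers:
      - name: nginx
        image: nginx:stable
        volumeMounts:
        - {name: conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf}
      volumes:
      - name: conf
        configMap: {name: ldap-proxy-conf}
---
apiVersion: v1
kind: Service
metadata: {name: ldap-proxy, namespace: auth}
spec:
  selector: {app: ldap-proxy}
  ports:
  - {port: 636, targetPort: 636}
```

Because TLS is passed through untouched, each app sees the domain controller's own certificate, so it needs the AD CA in its trust store and a hostname check that matches the controller's name rather than the Service name.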
It's an on-prem cluster, but members of the cluster can't talk to your AD domain controllers? Is there a reason that your AD isn't open to your entire organization? I would expect that any company's directory services should be open to all of the networks that company controls. Only given the information that you provided in this post, it seems like this should be handled by your AD admins who have failed to make their service available to your whole company. – jayhendren Sep 06 '18 at 22:50
