Expose Kubernetes Volumes Securely Over HTTP: How to Serve PVC on the Internet

Author: Murphy | View: 25842 | Time: 2025-03-23 19:52:23
Photo by Uriel Soberanes on Unsplash

Intro

You may have run into a situation in your daily product development where you needed to get your hands on some persisted files residing in a Kubernetes cluster. One common and safe approach is port-forwarding, either with kubectl or over plain SSH through a bastion host.

In either case, once you're done with the task you terminate the session, and every future interaction means repeating the same manual process.

Security-wise, it may well be ideal to keep your environment as sealed as possible and give adversaries no opening; that alone is a valid reason to leave things that way.

But, if you want long-running exposure to the underlying storage out on the internet, this article is for you.

First Things First: Authentication

As this file server will be exposed publicly to the internet, your first and most important line of defense is the authentication layer. To put that into perspective, a formal definition of authentication is necessary.

Authentication is the act of proving an assertion, such as the identity of a computer system user. [source]

In layperson's terms, authentication happens when a user proves to the system that they are who they claim to be.

Now that that's clear, let's look at some options for integrating authentication into our webserver (covered further below).

  • Using Nginx or Apache as a proxy, with the help of htpasswd, an Apache tool that stores username-password pairs in a file, with the passwords in encrypted form, so that a given password can later be verified against it.
  • Ory Oathkeeper as a proxy, with the help of Kratos, another one of Ory's products, as the identity provider. This is somewhat more complex than the earlier approach, and mastering the configuration and provisioning of those two takes some learning. I will cover this in another article later, so stay tuned!
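As an added illustration of the first option (constructed here, not the author's manifests), the following puts an Nginx file server in front of a PVC and gates it with an htpasswd file held in a Secret. The names pvc-files, fileserver-htpasswd and fileserver-nginx are placeholders; the bcrypt hash from htpasswd -B is verified by nginx through the image's crypt(3), which the Debian-based official image supports.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: fileserver-htpasswd
stringData:
  # Replace with the output of: htpasswd -nbB admin 'change-me'
  htpasswd: "admin:$2y$05$REPLACE_WITH_HTPASSWD_OUTPUT"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: fileserver-nginx
data:
  default.conf: |
    server {
      listen 8080;
      location / {
        auth_basic           "Restricted files";
        auth_basic_user_file /etc/nginx/htpasswd/htpasswd;
        root      /data;
        autoindex on;   # directory listing of the volume; switch off to hide paths
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fileserver
spec:
  selector:
    matchLabels: { app: fileserver }
  template:
    metadata:
      labels: { app: fileserver }
    spec:
      containers:
        - name: nginx
          image: nginx:1.27
          ports: [{ containerPort: 8080 }]
          volumeMounts:
            # Everything is read-only: the endpoint can serve but never modify the PVC
            - { name: data, mountPath: /data, readOnly: true }
            - { name: htpasswd, mountPath: /etc/nginx/htpasswd, readOnly: true }
            - { name: nginx-conf, mountPath: /etc/nginx/conf.d, readOnly: true }
      volumes:
        - { name: data, persistentVolumeClaim: { claimName: pvc-files } }
        - { name: htpasswd, secret: { secretName: fileserver-htpasswd } }
        - { name: nginx-conf, configMap: { name: fileserver-nginx } }
```

Basic auth sends the credentials with every request, so expose this Deployment only through a TLS-terminating Ingress or load balancer; the read-only mounts keep the public endpoint from ever writing to the volume.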
