Ingress-nginx: nginx basic auth fails with "Permission denied"

Created on 16 Aug 2018  路  3Comments  路  Source: kubernetes/ingress-nginx

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): no

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
"Permission denied". Issue https://github.com/kubernetes/ingress-nginx/issues/2247 seems to appear again with 0.18.0

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

NGINX Ingress controller version: 0.18.0

Kubernetes version (use kubectl version): 1.11.1

Environment:

  • Cloud provider or hardware configuration: OpenStack
  • OS (e.g. from /etc/os-release): Ubuntu
  • Kernel (e.g. uname -a): Linux worker0-stage 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:

What happened:
Starting with 0.18.0 ingress resources with HTTP Basic Auth enabled fail with 

[nginx-ingress-controller-rdqpq] 2018/08/16 12:39:12 [crit] 188#188: *111 open() "/etc/ingress-controller/auth/ingress-name.passwd" failed (13: Permission denied), client: ..., server: ...

Which results in a 500 Internal Server Error returned to the client.

This still works properly in 0.17.1.

Potentially related to https://github.com/kubernetes/ingress-nginx/issues/2247 though I checked the source code and the place where it was fixed does not seem to have changed recently.

What you expected to happen:
An ingress with basic auth works properly

How to reproduce it (as minimally and precisely as possible):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-realm: Authentication Required
    ingress.kubernetes.io/auth-secret: auth-secret
    ingress.kubernetes.io/auth-type: basic
  name: ingress-name
spec:
  backend:
    serviceName: service-name
    servicePort: web
  rules:
  - host: hostname
    http:
      paths:
      - backend:
          serviceName: service-name
          servicePort: web
        path: /

Anything else we need to know:

picture bashofmann

Most helpful comment

Permalink for people looking at this in the future now:
https://github.com/kubernetes/ingress-nginx/blob/87b210499d5338d49e18942c7b5439e3ba269707/deploy/mandatory.yaml#L254-L261

picture metalmatze on 20 Sep 2018
👍4

All 3 comments

Closing. Please make sure the security context is correct https://github.com/kubernetes/ingress-nginx/blob/master/deploy/mandatory.yaml#L254-L261

aledbf picture aledbf on 16 Aug 2018

Thanks, that helped. Sorry for not checking that before.

bashofmann picture bashofmann on 16 Aug 2018
👍1

Permalink for people looking at this in the future now:
https://github.com/kubernetes/ingress-nginx/blob/87b210499d5338d49e18942c7b5439e3ba269707/deploy/mandatory.yaml#L254-L261

metalmatze picture metalmatze on 20 Sep 2018
👍4
Was this page helpful?
0 / 5 - 0 ratings

Related issues

geek876 picture geek876  路  3Comments
lachlancooper picture lachlancooper  路  3Comments
whereisaaron picture whereisaaron  路  3Comments
boazj picture boazj  路  3Comments
briananstett picture briananstett  路  3Comments