How to access app in k8s cluster by aggregator apiservice with Authorization header

I deployed a third-party web application in the k8s cluster with a Deployment and a Service. The web application mainly provides a login verification API and other web service APIs. After calling the login API, a Bearer token is returned in the response, and it is set in the Authorization Bearer token header before calling the other web service APIs. It works well when requests come from inside the k8s cluster.

This k8s cluster has a public IP, but strict firewall rules and security group rules are set up. Only port 6443 is exposed to the public network, and additional ports are not allowed. I am wondering if there is any way to access the web app in the cluster through the public IP + port 6443 of the k8s cluster.

I found the k8s aggregator apiservice. After creating the APIService and pointing it to my web service, running `curl -X POST --cacert ./ca.crt --cert ./client.crt --key ./client.key -H "contentType: application/json" -d '{username: xx, password: yy}' https://ip:6443/api/v1/namespaces/default/services/my-svc:port-80/proxy/api/login` succeeds and the Bearer token is returned, but when I run `curl -X POST --cacert ./ca.crt --cert ./client.crt --key ./client.key -H "contentType: application/json" -H '{Authorization: Bearer ...}' https://ip:6443/api/v1/namespaces/default/services/my-svc:port-80/proxy/api/other-api` to request the other API, it returns 401 Unauthorized. I suspect that the header in the request was intercepted or consumed by kube-apiserver and was not passed to my web app.

Here is my question:

  1. Is there any other way to access the applications in the cluster through the public IP + 6443 port of the k8s cluster?
  2. How can I access the applications in the cluster without changing the firewall and security group rules or the third-party application source code, just using the Authorization Bearer token header through kube-apiserver to complete the authentication?

Any ideas are welcome :hugs:
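As an added example (not code from the original post), here is the client side of the two-step flow described above in Python: a proxy URL built the way the apiserver expects, an mTLS opener that verifies the apiserver CA and presents the client certificate, and a login call whose token is reused on the second call. The `FakeOpener`, the credentials and the assumption that the login reply carries the token in a `"token"` field are all constructed for offline use; the fake only mimics the backend, so it cannot show what kube-apiserver itself does with the header.

```python
import io
import json
import ssl
import urllib.error
import urllib.request

def build_proxy_url(apiserver, namespace, service, port, path):
    """kube-apiserver service-proxy URL for a path on the backend service."""
    return (f"{apiserver}/api/v1/namespaces/{namespace}/services/"
            f"{service}:{port}/proxy/{path.lstrip('/')}")

def make_opener(ca_file, cert_file, key_file):
    """Opener that verifies the apiserver CA and presents the client cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))

def post_json(opener, url, body, token=None):
    """POST a JSON body; add the Bearer header only when a token is known."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    try:
        with opener.open(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # a real opener raises on 401
        return err.code, {}

def login_then_call(opener, apiserver, creds, ns="default", svc="my-svc", port="port-80"):
    """Log in, take the token from the reply, reuse it on a second call."""
    url = lambda p: build_proxy_url(apiserver, ns, svc, port, p)
    status, body = post_json(opener, url("api/login"), creds)
    token = body.get("token") if status == 200 else None  # field name assumed
    status2, _ = post_json(opener, url("api/other-api"), {}, token)
    return status, status2

class FakeOpener:
    """Constructed offline stand-in for the backend: login issues a token, other paths require it."""
    TOKEN = "constructed-token"
    def open(self, req):
        if req.full_url.endswith("/proxy/api/login"):
            status, body = 200, {"token": self.TOKEN}
        elif req.get_header("Authorization") == f"Bearer {self.TOKEN}":
            status, body = 200, {"ok": True}
        else:
            status, body = 401, {"error": "Unauthorized"}
        resp = io.BytesIO(json.dumps(body).encode())
        resp.status = status  # mimic http.client.HTTPResponse.status
        return resp
```

Against a real cluster, swap `FakeOpener()` for `make_opener("./ca.crt", "./client.crt", "./client.key")` and compare the second status with what the backend logs for the incoming Authorization header.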