Cloud Native Authentication on Kubernetes

In their daily routines, developers focus mainly on gathering, implementing and testing the functional requirements the business needs. However, there is a lot more than functionality to making a solution successful in production. One important aspect is authentication.

  • Then we are going to deploy a sample application in the cluster, making sure we publicly expose its UI,
  • Next we will provide a small overview of the oauth2-proxy project and its critical configuration options,
  • Following that, we will install and configure the oauth2-proxy container in our Kubernetes cluster in order to secure the previously installed UI,
  • Finally we will look at some advanced configuration options and their benefits.

  • using an as-a-service flavour from IBM, AWS, Azure, Google or any other cloud services vendors,
  • leveraging an existing k8s instance on-prem or in cloud.

Installing a Kubernetes cluster on the local machine

Next, we will install a Kubernetes cluster on the local machine using kind. You can follow these instructions:

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.9.0/kind-darwin-amd64
Cluster’s pods across all namespaces
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/kind/deploy.yaml

Updating the cluster’s core-dns

This step is necessary only for our local cluster use case, since we will define specific domains like oauth2-proxy.localtest.me and dex.localtest.me. When moving to a publicly accessible Kubernetes cluster you will have a DNS that is created by the cloud provider.

kubectl apply -f https://raw.githubusercontent.com/morarucostel/cloud-native-auth/main/custom-dns.yaml
kubectl delete pod -n kube-system -l k8s-app=kube-dns

Deploying a sample application

Next we want to install an application in our cluster, access to which we will secure later. You can use any hello-world application out there, but for our exercise we’ll install a small http-echo container exposed through an ingress. The Kubernetes resources for the sample application are: a conservis/hello-world container that will echo the request body, a service and an ingress.

hello-world application deployment
kubectl apply -f https://raw.githubusercontent.com/morarucostel/cloud-native-auth/main/hello-world.yaml
Unsecured hello-world application in browser

An overview of oauth2-proxy and dex

OAuth2-Proxy is an open source project that provides authentication using various providers like Google, GitHub, Azure, Facebook and many others, as well as any provider that implements the OpenID Connect protocol, which means … everyone. It is written in Go, making it very fast in a Kubernetes environment, and has a mature community behind it.

Installing oauth2-proxy and dex

Now that we have a brief understanding of how this should work, let’s install the two frameworks in our cluster. We have defined the necessary Kubernetes resources (ingress definitions, services, configmaps, secrets and deployments) for the two frameworks to run; however, the most important configuration was described earlier. To install them, run the following in the terminal:

kubectl apply -f https://raw.githubusercontent.com/morarucostel/cloud-native-auth/main/oauth2-proxy-dex.yaml
Running oauth2-proxy and dex pods

Protecting our ingress using oauth2-proxy

We have our hello-world application running in our cluster and we were able to access it through the UI. The only thing remaining is to instruct the ingress controller that we want to secure this resource with an external authentication provider. The ingress annotations auth-url and auth-signin allow us to use external authentication providers and to protect the ingress resources, also detailed here.

Unsecured hello-world ingress definition
Securing the ingress via oauth2-proxy service
kubectl apply -f https://raw.githubusercontent.com/morarucostel/cloud-native-auth/main/hello-world-secured-ingress.yaml
email: admin@example.com
password: password
Login screen when accessing the hello-world application
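
The change described in this section, written out as an added example (it is not the content of hello-world-secured-ingress.yaml from the article's repository): the same Ingress before and after the two annotations. The host hello-world.localtest.me, the Service name and port, and the auth-url value are assumptions; the auth-signin value is the one quoted later in this article.

```yaml
# Added illustration. Assumed names: host hello-world.localtest.me,
# Service "hello-world" on port 80, oauth2-proxy at oauth2-proxy.localtest.me.

# Before: no auth annotations, so every request reaches the backend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world
spec:
  rules:
    - host: hello-world.localtest.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hello-world
                port:
                  number: 80
---
# After: ingress-nginx asks oauth2-proxy about each request before proxying it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world
  annotations:
    # Subrequest sent for every incoming request. oauth2-proxy answers 202 for
    # a valid session and 401 otherwise; only a 2xx lets the request through.
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.localtest.me/oauth2/auth
    # Where the browser is redirected when the subrequest returns 401.
    nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
spec:
  rules:
    - host: hello-world.localtest.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hello-world
                port:
                  number: 80
```

Because the application and oauth2-proxy are served from different hosts, the oauth2-proxy session cookie has to be scoped to a parent domain they share, otherwise the auth subrequest never carries it. The plain-http URLs suit only the local localtest.me setup.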

Additional configuration of oauth2-proxy

Let’s have a look at the oauth2-proxy framework in more detail and how it works.

nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
helm install stable/oauth2-proxy --name my-release -f my-values.yaml

Conclusions and what’s next…

In this article we went through quite a few concepts: (i) we started by installing a single-node Kubernetes cluster on our local machine, (ii) we then installed a hello-world application and exposed it through an ingress, (iii) we introduced and installed the oauth2-proxy and dex frameworks, and then (iv) secured access to the hello-world application.
