Authentication between microservices in Kubernetes

11/8/2018

We have several microservices implemented in Java/Kotlin and Spring MVC, running in Tomcat docker images. These services provide public APIs which are authenticated by users' cookies/sessions. These work correctly.

Now, we would like to create an internal endpoint, which wouldn't be accessible either outside of GKE or via some kind of internal authentication.

What would be the good way to go especially for Spring MVC and GKE?

EDIT:

I would like to be able to authenticate different endpoints on one service differently. For instance:

  • /public/ - no auth
  • /private/ - user must be logged in
  • /internal/ - only other microservices can access

I would prefer to implement such auth on the application level, but I am not sure what would be the best way. IP range of internal Google IPs? Some other way of securely identifying the caller?

Maybe my idea is bad, if so, I will be happy to change my mind.

-- Vojtěch
google-kubernetes-engine
kubernetes
spring-mvc

1 Answer

11/8/2018

Your question isn't GKE specific. It's broadly a Kubernetes question.

I encourage you to search Kubernetes service authentication.

There are many ways to do this, including rolling your own auth model. One feature that can help here is the Kubernetes NetworkPolicy resource (it's like a firewall). You can learn more about it here: https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)

If you want to get this automatically, you can use Istio (https://istio.io) which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code which is really cool: https://istio.io/docs/tasks/security/authn-policy/

-- AhmetB - Google
Source: StackOverflow
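The two mechanisms the answer names, written out as an added example (this is not code from the question, the answer, or the Istio project). The first resource is a NetworkPolicy: it narrows which pods can open a connection to the service at all, but it works on pod labels and ports, so it cannot tell /public/ from /internal/ and it proves nothing about who the caller is. The second and third resources use Istio's current security API (PeerAuthentication and AuthorizationPolicy, which superseded the authentication policy the answer links to): STRICT mutual TLS gives every caller a certificate-backed identity, and the authorization rules then let the request path decide which identities are admitted, which is exactly the per-endpoint split the question asks for. The namespace `shop`, the `app: orders` and `role: internal-caller` labels, the `billing` and `inventory` service accounts, port 8080, and the assumption that outside users reach /public/ through the mesh ingress gateway in `istio-system` are all made up for the example.

```yaml
# Added example, not from the original post. Names, labels, namespaces,
# service accounts and the port are assumptions chosen for illustration.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders            # the Spring MVC service being protected
  policyTypes:
    - Ingress
  ingress:
    # Entries under "from" are OR'd: pods in this namespace labelled as
    # internal callers, or anything in the mesh ingress namespace (so that
    # /public/ and /private/ stay reachable from outside via the gateway).
    # This is a network filter only: it cannot see URL paths and it does not
    # authenticate the peer, so by itself it cannot protect /internal/.
    - from:
        - podSelector:
            matchLabels:
              role: internal-caller
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system   # assumed gateway namespace
      ports:
        - protocol: TCP
          port: 8080
---
# Istio: every workload in the namespace must present a mesh certificate.
# A plaintext request from a pod outside the mesh is rejected at the sidecar
# before it reaches the application, regardless of its source IP.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Istio: the request path decides which identities are allowed in.
# Principals are SPIFFE identities derived from the caller's Kubernetes
# service account (cluster.local/ns/<namespace>/sa/<serviceaccount>) and are
# proven by the caller's mTLS certificate, so they cannot be spoofed the way
# a source IP or an internal IP range can. With action ALLOW, any request
# that matches no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-paths
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
    # /public/* and /private/*: any mesh caller (including the ingress gateway)
    # may reach them. The application's own cookie/session check still
    # applies to /private/; the mesh only handles workload identity.
    - to:
        - operation:
            paths: ["/public/*", "/private/*"]
    # /internal/*: only the listed service accounts, i.e. other microservices.
    - from:
        - source:
            principals:
              - "cluster.local/ns/shop/sa/billing"
              - "cluster.local/ns/shop/sa/inventory"
      to:
        - operation:
            paths: ["/internal/*"]
```

Apply with `kubectl apply -f` once the namespace is sidecar-injected. A useful check after rollout: a request to /internal/ from a pod running under a service account that is not listed should come back as 403 from the sidecar (Istio answers `RBAC: access denied`), while the same request from the `billing` pod succeeds, and a plaintext request from a pod without a sidecar is refused at connection time because of the STRICT setting. The application can also read the verified caller identity from the `X-Forwarded-Client-Cert` header the sidecar injects, if the Spring controllers want to log or further differentiate internal callers.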