Service to Service Communication with Keycloak Gatekeeper Active for RBAC

9/9/2019

I am using ProxyInjector to inject keycloak-gatekeeper into any pod I want to restrict access to. It works in that I can restrict access, and users that should have access can access it just fine after they log in to Keycloak.

But how can I let other 'dumb' Kubernetes services (ones that don't have their own auth support) access it? It currently denies them because they aren't logged in, but it is necessary for these services to talk to each other, either by letting them bypass the authentication or by attaching a service account or something to their requests.

Edit:

After further investigation, I found out I can access it by adding another port to the service as follows:

---
kind: Service
apiVersion: v1
metadata:
  name: testservice
spec:
  selector:
    app: testapp
  ports:
    # Port the ingress points at; this is the path gated by keycloak-gatekeeper
    - protocol: TCP
      name: testapp
      port: 8080
      targetPort: 8080
    # Second port used only by other in-cluster services (testapp:8081)
    - protocol: TCP
      name: testapp-backend
      port: 8081
      targetPort: 8080

By having the ingress point to port 8080, it locks out the app for those who try to access it from outside the cluster. I have the other internal services pointing to testapp:8081, which connects.

But this is just a workaround, as any other service on Kubernetes could attempt to connect to testapp:8081 and succeed without authentication, right?

-- cclloyd
keycloak
kubernetes
rbac
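One way to close the hole the question describes (any pod in the cluster reaching testapp:8081 unauthenticated) is a NetworkPolicy that only lets the ingress controller and explicitly labelled in-cluster callers reach the testapp pods at all. This is an added example, not part of the original post or of ProxyInjector; it assumes the namespace is `default`, that the ingress controller runs in a namespace labelled `kubernetes.io/metadata.name: ingress-nginx`, that trusted internal callers carry the label `testapp-client: "true"`, and that the cluster's CNI actually enforces NetworkPolicy (if it does not, the object is accepted but has no effect).

```yaml
# Added example: restrict who can reach the testapp pods at the network layer.
# Assumes: namespace "default", ingress controller in namespace "ingress-nginx",
# trusted callers labelled testapp-client="true", and a NetworkPolicy-enforcing CNI.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: testapp-ingress-only
  namespace: default
spec:
  # Selects the same pods as the Service above
  podSelector:
    matchLabels:
      app: testapp
  policyTypes:
    - Ingress
  # No "ports" list on purpose: NetworkPolicy ports refer to the pod's
  # container port (the Service's targetPort), and both Service ports in the
  # question map to the same pod port 8080, so a port filter could not tell
  # testapp:8080 traffic from testapp:8081 traffic. Restricting by source is
  # what actually matters here.
  ingress:
    # 1. The ingress controller, whose requests go through keycloak-gatekeeper
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
    # 2. Only the in-cluster callers you have deliberately labelled as trusted
    - from:
        - podSelector:
            matchLabels:
              testapp-client: "true"
```

Any pod without the `testapp-client: "true"` label, and any namespace other than the ingress controller's, is dropped before it reaches port 8080 or 8081. Note what this does and does not give you: it limits network reach by pod identity (labels), but it is not authentication. The labelled callers still hit the app with no token, so the label must be treated as a privilege that only the cluster administrators can grant, for example by restricting who may create or patch pods in that namespace through RBAC.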

0 Answers