Authentication microservices, databases in Kubernetes

6/7/2021

I am working on a data platform on Kubernetes. Therefore, I will need to install

  • several databases like Ceph (or MinIO), PostgreSQL, Elasticsearch
  • a Kafka cluster
  • a SQL engine like Trino (formerly PrestoSQL)
  • several API servers

Multiple users and applications (internal to Kubernetes or not) will need to be authenticated and authorized to use these components.

For authorization I have found a project like Open Policy Agent, which fits my wish to have a centralized and unified way to control it. I would like the same thing for authentication, but I am still looking for it.

There are different ways to authenticate, the most interesting ones being:

  • TLS certificate
  • OAuth2
  • Kerberos

But not all of the above components implement these methods.

For instance, I was interested in using Keycloak. It is perfectly suited for API servers and Kafka, but not for PostgreSQL.

Do you know of any solutions or alternatives for my problem?

-- Yassir S
authentication
authorization
kubernetes
microservices

1 Answer

6/8/2021

As Jonas rightly mentioned in the comment:

This totally depends on what your systems support. It is easiest if they support JWT tokens for authentication; then the microservices can use their serviceAccount.

One of the solutions might be to use a service mesh like Istio together with JWT (JSON Web Tokens). Here is also the Istio documentation about JWT. In simple terms, the microservice will generate a JWT and Istio will check whether the token is correct. This guide shows exactly how Istio Authorization Policy works.

Here you can find a very good article that explains step by step how such authorization works. It presents various methods of implementation and shows their strengths and weaknesses.

It's also worth taking a look here. The official Istio security documentation explains how to approach the subject of authorization. There you can find all supported authorization methods.

You can also create a custom action to delegate authorization to an external system. Here is the guide on how to do it.

Kubernetes also supports 3rd-party authentication tools: Keycloak, Auth0 or Google Auth. Here are guides on how to secure Kubernetes clusters with:

-- Mikołaj Głodziak
Source: StackOverflow
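The Istio JWT setup the answer points to, written out as an added example (this is not code from the answer, from Istio's documentation or from any project named on the page). It pairs a RequestAuthentication, which tells the sidecar which issuer and JWKS endpoint to trust, with an AuthorizationPolicy that actually requires a token. The workload name `orders-api`, the namespace `data-platform`, the Keycloak issuer URL and the `groups` claim value are all assumptions made for the example; substitute your own.

```yaml
# Added example, not from the answer or the Istio project.
# All names, URLs and claim values below are assumptions.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-api-jwt
  namespace: data-platform            # assumed namespace
spec:
  selector:
    matchLabels:
      app: orders-api                 # assumed workload label
  jwtRules:
  - issuer: "https://keycloak.example.internal/realms/data-platform"   # assumed issuer
    jwksUri: "https://keycloak.example.internal/realms/data-platform/protocol/openid-connect/certs"  # assumed JWKS URL
---
# Caveat: a RequestAuthentication on its own only rejects requests that carry
# an INVALID token. A request with NO token at all is still let through.
# This AuthorizationPolicy closes that gap: only requests whose JWT was
# validated (so that a request principal exists) and whose "groups" claim
# contains the expected value are allowed; everything else is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-api-require-jwt
  namespace: data-platform
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]      # any validated JWT (issuer/subject) is required
    when:
    - key: request.auth.claims[groups]
      values: ["data-engineers"]      # assumed claim value issued by the IdP
```

Apply both manifests with `kubectl apply -f` and then check the behaviour from a client: a call to the workload with no `Authorization` header should now be refused by the sidecar instead of passed through, a call with a token from an untrusted issuer or a bad signature is rejected at the RequestAuthentication stage, and only a token from the configured issuer carrying the expected `groups` claim reaches the application. Keeping the allow rule claim-based, rather than allowing every validated principal, is what turns the mesh from "authenticated" into "authorized", which is the distinction the answer's linked articles walk through.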