Installation
The installation of KubeAuth.io is very straight forward. There are not many steps to install KubeAuth.io on your personal Kubernetes.
Prerequisites
KubeAuth.io assumes you have a running Kubernetes, it does not matter if it is a cluster or a Minikube. The following prerequisites are needed for your environment:
- Kubernetes, Version >= 1.16.0
- In Kubernetes the MutatingAdmissionWebhook as an admission controller
- For the installation admin rights are needed
- Helm
HELM install
Add our Helm Repo. Credentials are not needed, it is free to use.
helm repo add yotron-helm-charts http://helm.yotron.de
Download und UnTar the repo from our Helm Repository.
helm pull yotron-helm-charts/kubernetes-authentication --untar
Now, you find the folder kubernetes-authentication with the Helm Package. Now you can change the configuration
according to your needs. Most changes must be done in the setup of the proxy with the authentication. This is done
in file proxy-configs.yml.
The installation of KubeAuth.io is done with:
helm install kubeauth ./kubernetes-authentication
Installation of the Demo
If you want to integrate the demo of KubeAuth.io with our identity provider, you can install the package in with
helm repo add yotron-helm-charts http://helm.yotron.de
and
helm install kubeauth yotron-helm-charts/kubernetes-authentication
No you can use our demo environment
Validation
KubeAuth.io is installed into the namespace kubeauth-system of Kubernetes. The following pods are installed and must
have the status Running.
$ kubectl get pods -n kubeauth-system
NAME READY STATUS RESTARTS AGE
kubeauth-controller-5b547b859d-cv529 1/1 Running 0 2m19s
kubeauth-server-5868dd469d-hp9pj 1/1 Running 0 2m19s
Uninstall
You can remove the package with:
helm uninstall kubeauth
Activation in your Deployment
To activate KubeAuth.io for your individual Kubernetes Pod you need to label the Pods properly in their manifests.
Labels
kubeauthUniqueName (mandatory): The unique name of the Proxy. The name can be chosen freely
but must reflect the prerequisites for
Object Names of Kubernetes
kubeauthConfig (mandatory): The name of the Proxy settings which shall be used for the Reverse Proxy.
kubeauthInit (optional, [“true” or “false”], default “false”): You must activate KubeAuth.io for a Pod.
Default KubeAuth.io will not set the Reverse Proxy of a Pod. Set it to ’true’ if you want to activate KubeAuth.io.
kubeauthService (optional, [“LoadBalancer”, “NodePort”, “ClusterIP”]): KubeAuth.io adds a Kubernetes service
which is mapped onto the Reverse Proxy. You just have to choose which kind of Kubernetes service you want. If you do not
want a service, just leave out or leave it empty.
kubeauthLogLevel (optional, [“TRACE”, “DEBUG”, “INFO”, “WARNING”, “ERROR”, “FATAL” and “PANIC”], default “INFO”): Setup the log level for the Proxy. The logs can get with the ordinary
Kubernetes tools (kubectl logs ...)
Example
Here is an example how set up a manifest for a Kubernetes Pod with all proper Labels (based from our Demo):
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
spec:
replicas: 1
selector:
matchLabels:
kubeauthUniqueName: kubeauth-test
template:
metadata:
labels:
kubeauthUniqueName: kubeauth-test
kubeauthInit: true
kubeauthConfig: AWSCognito
kubeauthLogLevel: DEBUG
kubeauthService: LoadBalancer
spec:
containers:
- name: webapp
image: yotronpublic/proxytest:1.1.0
imagePullPolicy: Always
ports:
- containerPort: 8080
- containerPort: 8081
Configuration
You are able to set up your Reverse Proxy in a very detailed way. We provide a lot of defaults which is working for most of your scenarios.
All configs are done in the file proxy-configs.yml which you find in the root folder of the Helm package.
In the default file in the package you find examples of configurations, based on our Demo.
This file contains, the settings for the authentication of a request as well as the settings for the requesting like timeout setting.
You can add as much Proxy Configurations as you like, e.g. for different purposes tenants or environment (prod, test, …).
An example of a complete setup of a proxy can be found here Download
Parameter: active
active (mandatory, [“true” or “false”]): To activate a proxy settings this flag must be set to “true”.
If you want to deactivate a setting, then set it to “false”. Then it cannot be used during the bringup of a Kubernetes Pod.
Parameter for Authentication
There are two possibilities of authentication checking, we call it online if the Authentication validation shall be done by the identity provider (Keycloak, AWS-Cognito, …) and offline When the check is done without a connection to the identity provider.
Pro online:
- Actively revoked token are handled as failed.
- Is usable independently from the Encryption Types like RSA, EC, …
Pro offline:
- The requests to check the tokens can be a lot. Less load on your identity provider.
- No network connection needed
- Faster
You have to set up one of the both possibilities. If you set up both, offline will be used.
Online authentication
For the online validation, KubeAuth.io needs a URL to check if the authorization token is valid. This can be every
URl to the identity provider which needs an authentication. OpenID Connect or OAuth2 always provide an USERINFO-API to get
the user data stored in the identity provider. We recommend using this API. As an example the userinfo Api of AWS-Cognito
has the URL https://
authUrl The complete URL to the identity provider, like https://auth.kubeauth.io/oauth2/userInfo
Offline authentication
When you want to use the offline check, KubeAuth.io provides different checks, reflecting the requirements of the different identity provider and encryption types (kty). For example mostly RSA (Rivest–Shamir–Adleman) is used as the key encryption type (kty). RSA expects an encoded public key for the validation of a token. If you are using ECDSA (Elliptic Curve Digital Signature Algorithm) a simple “password” is sufficient.
All information are provided by the identity provider (Keycloak, Okta, AWS-Cognito, …) you are using.
Please be aware that the key (PEM or “Password”) must be added base64 encoded.
PEM vs. JWK Sets
KubeAuth.io is providing two ways to define an RSA Public Key:
- PEM encoded Certificate
- JSON Web Key Sets (JWK Sets) for Public Keys (JWK)
Settings
These settings are used when your identity provider provides a PEM encoded Public Key. You can have more than one Key for validation. They are all separated by a “key id”.
kid (mandatory): The Key Identifier of the Key or Password the identity provider is using.
kty (mandatory, [“RSA”, “HMAC”, “ECDSA”, “EDDSA”]): The encryption type of the key. Most tokens are RSA encrypted.
The following settings are needed if your identity provider is providing a PEM-File or a “Password”:
key (optional): The PEM formatted certificate or the “Password” of the key.
Both must be added Base64 encoded.
The following settings are needed if your identity provider is providing JWK Sets:
alg (mandatory): The algorithm of the RSA encryption, like RS256, HS256,
e (mandatory, [“AQAB”, “AAEAAQ”]): The public exponent of the key, like AQAB or AAEAAQ.
n (mandatory): The modulus of the key.
use (mandatory): Public Key Use. Most of the keys are used for signature (sig)
Examples
Some entries are shortened for the readability.
Online authentication
- kid: kGSxpEoT0jr1dUbgKr7OAUPJB-mbT65DoIwiErjktcw
kty: RSA
key: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJJakFOQmdr ... BUUFCCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
Offline authentication
- kid: /599i4T4UPFbC0pEuMXBEs88CjnTq5GWxB+TKk7hCYk=
alg: RS256
e: AQAB
kty: RSA
n: yuLQaBl5EYnn__bKDMQviUSG ... xBoss5N_1K_WHeS-dmxljzXLqH2XgDzmEfxtpQ
use: sig
Parameter for the Reverse Proxy
For the Reverse Proxy you have the follwoing settings.
- TLS for the communication via https. KubeAuth.io is providing a default setup for the SSL-Key and Certs, but you are able to add an own Key and Cert.
- Listener Ports
- Default Kubernetes Services to allow the communication with the Reverse Proxy for all pods using this setting.
- Timeout settings for Request reachin the Proxy and Request forwarded to the Application.
Settings for https
tls (optional, [“true”, “false], default “false”): If you want to use TLS (HTTPS), set this to true.
tlsKey (optional): The Base64 encoded certificate of the TLS.
tlsCrt (optional): The Base64 encoded key of the TLS.
Ports and Kubernetes Service
appListenerPort (optional, default 8080): The port your application server is listening on.
proxyListenersPort (optional, default with TLS: 7443, without: 8080): The port the Reverse Proxy is listening on.
proxyServiceType (optional, [LoadBalancer”, “NodePort”, “ClusterIP”]): When you want to get an additional Kubernetes Service
for the Reverse Proxy, please define the type of Kubernetes Service.
Request timeouts
Settings for the Server
These settings are usable for all requests the Reverse Proxy is reaching.
idleTimeoutSeconds (optional, default 10): The maximum amount of time in seconds to wait for the
next request when keep-alives are enabled.
readTimeoutSeconds (optional, default no timeout): The maximum amount of time allowed to read the complete Request (Header and Body).
Example:
proxyRevServerConfig:
idleTimeoutSeconds: 50
readTimeoutSeconds: 5
Outgoing
These settings are usable for all outgoing requests from the Reverse Proxy to your application.
disableKeepAlives (optional, [“true”, “false”], default false): All sessions are stopped after finishing.
maxIdleConns (optional, default 100): Maximum number of idled connections when keep-alive is active. Zero means no limit.
maxIdleConnsPerHost (optional, default 100): Maximum number of idled connections per host when keep-alive is active. Zero means no limit.
maxConnsPerHost (optional, default no limit): Maximum amount of connections allowed per Host. Zero means no limit.
idleConnTimeoutSeconds (optional, default 90): The time in seconds that idled connections are closed. Zero means no timeout.
Example:
proxyRevRequestConfig:
disableKeepAlives: false
maxIdleConns: 10
idleConnTimeoutSeconds: 40
expectContinueTimeoutSeconds: 20
maxIdleConnsPerHost: 3
maxConnsPerHost: 3