
Authentication in service to service requests in k8s

Say I have several services in Kubernetes. And I have one entry point to the cluster, it's a public facing service that is meant to validate the JWT token (from AWS Cognito).

The entry point routes the request to an internal service, and that in turn usually makes more requests to other internal services.

My question is: is it enough to validate the JWT only once and make the other communications without any form of authentication, just passing the user ID (or any other data needed)? Or do I need to have some form of authentication when making HTTP requests between services? If so, which? Should I validate the JWT again? Should I have server certificates or something like that?

Posted a community wiki answer for better visibility. Feel free to expand it.


As David Szalai's comment mentioned, it depends on your security and project requirements:

If you go with a zero-trust model inside k8s, you can use mTLS with a service mesh between services. Passing JWTs is also good if you need to propagate user-auth info to different services.

In the current project we'll use mTLS with a service mesh, and send JWTs along with requests where the receiver needs info about the user, and parse/validate it there again.

If your apps do not have built-in authentication / authorization mechanisms you may try Istio - check these articles:

Also check these articles about authentication in Kubernetes:
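The answer's "send JWTs along with requests ... and parse/validate it there again" versus the question's "just passing the user id", shown side by side as an added example (editor's code, not from the post, the mesh, or AWS). It assumes a placeholder issuer and audience, and signs a token with a locally generated RSA key in place of fetching the Cognito JWKS; a real deployment would load the pool's JWKS, match `kid`, and note that Cognito access tokens carry `client_id` rather than `aud`. With Istio the same JWT checks can be pushed into the sidecar via RequestAuthentication, but the application-side version makes the difference between the two patterns explicit.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Placeholders standing in for the Cognito user-pool issuer and app client (assumptions, not real values).
const (
	Issuer   = "https://cognito.example/pool"
	Audience = "example-app-client"
)

// Claims is the subset of the token payload an internal service needs.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 builds a compact JWT (header.payload.signature). Cognito does this, not the
// entry point; it exists here only to construct a token offline.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// UserIDFromHeader is the pattern the question asks about: trusting an X-User-Id header
// set by the entry point. Any workload that can reach this service can forge it.
func UserIDFromHeader(headers map[string]string) string {
	return headers["X-User-Id"]
}

// VerifyRS256 is the hardened pattern: the receiving service re-validates the forwarded
// JWT (pinned alg, signature, exp, iss, aud) before trusting the user id inside it.
func VerifyRS256(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // reject alg=none and HS256 key-confusion tokens
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	plJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(plJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Iss != Issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != Audience:
		return nil, errors.New("wrong audience")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the Cognito JWKS key
	now := time.Now()
	tok, _ := SignRS256(key, Claims{Sub: "user-123", Iss: Issuer, Aud: Audience, Exp: now.Add(time.Hour).Unix()})
	fmt.Println("header-only pattern accepts:", UserIDFromHeader(map[string]string{"X-User-Id": "admin"}))
	if c, err := VerifyRS256(&key.PublicKey, tok, now); err == nil {
		fmt.Println("re-validated sub:", c.Sub)
	}
	_, err := VerifyRS256(&key.PublicKey, tok, now.Add(2*time.Hour))
	fmt.Println("same token two hours later:", err)
}
```

mTLS between sidecars proves which workload is calling; re-validating the JWT proves which user the call is on behalf of. The two answer different questions, which is why the answer uses both rather than one.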

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please credit this site or the original source. © 2020-2024 STACKOOM.COM