
Filter traffic/authorise requests with Kubernetes sidecar

I want to create external authentication for Service A, which listens to traffic on port 8080. What I desire is to have a second container (Service B) running in the same pod as Service A that intercepts, evaluates and (maybe) forwards the traffic going in on port 8080. "Maybe" means that Service B should filter out every request that is not authenticated.

Service B would be injected into every service that is getting deployed in order to ensure consistent authorisation and still keep the deployment process simple.

(How) is this possible?

Look up Traefik's forward auth mode or nginx's mod auth request. They both do what you are looking for. Or, more generally, this kind of thing is called an API gateway and there are many good ones.

East-West Traffic Flow

This is of course possible, and you can do your own sidecar or you could use a battle-tested sidecar such as envoy. There are service meshes (istio, linkerd) which provide this functionality out of the box as well, and some of these service meshes use envoy internally. The sidecar deployed with each pod will intercept east-west traffic between services deployed in the kubernetes cluster.

North-South Traffic Flow

Ingress (nginx etc.) and API gateways (contour etc.) can intercept north-south traffic and provide an authentication service at the front door. Some of these ingress controllers use envoy internally as well. In this flow there is no sidecar deployed with each pod.
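A "do your own sidecar" version of Service B, as an added example that is not part of the original answers: a reverse proxy that owns port 8080 and forwards only authenticated requests. Assumptions: containers in a pod share one network namespace, so Service A is rebound to 127.0.0.1:8081; the name `NewAuthProxy` and the `AUTH_TOKEN` variable are hypothetical; the static bearer token stands in for real validation such as a JWT check or a call to an external auth service.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// NewAuthProxy (hypothetical name) returns a handler that forwards a request
// to upstream only when it carries "Authorization: Bearer <token>".
// Every other request is answered with 401 and never reaches Service A.
func NewAuthProxy(upstream *url.URL, token string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		got := strings.TrimPrefix(h, "Bearer ")
		// Constant-time comparison; an unset token fails closed.
		if !strings.HasPrefix(h, "Bearer ") || token == "" ||
			subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Keep the credential out of the application container.
		r.Header.Del("Authorization")
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed layout: Service A listens on 127.0.0.1:8081, the sidecar on 8080.
	upstream, err := url.Parse("http://127.0.0.1:8081")
	if err != nil {
		log.Fatal(err)
	}
	handler := NewAuthProxy(upstream, os.Getenv("AUTH_TOKEN"))
	log.Fatal(http.ListenAndServe(":8080", handler))
}
```

The filter only holds if Service A is unreachable except through the sidecar, which is why it binds to loopback here; a service mesh enforces the same property by redirecting the pod's traffic to its proxy.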
