Authentication between microservices in Google Kubernetes Engine
We have several microservices implemented in Java/Kotlin and Spring MVC, running in Tomcat docker images. These services provide public APIs which are authenticated by users' cookies/sessions. These work correctly.
Now, we would like to create an internal endpoint, which either wouldn't be accessible from outside of GKE or would be protected by some kind of internal authentication.
What would be a good way to go, especially for Spring MVC and GKE?
EDIT:
I would like to authenticate different endpoints on one service differently. For instance:
/public/ - no auth
/private/ - user must be logged in
/internal/ - only other microservices can access
I would prefer to implement such auth on the application level, but I am not sure what would be the best way. An IP range of internal Google IPs? Some other way of securely identifying the caller?
Maybe my idea is bad; if so, I will be happy to change my mind.
spring-mvc kubernetes google-kubernetes-engine
edited Nov 8 at 20:33
asked Nov 8 at 15:01
Vojtěch
1 Answer
Your question isn't GKE specific. It's broadly a Kubernetes question.
I encourage you to search for "Kubernetes service authentication".
There are many ways to do this, including rolling your own auth model. One feature that can help here is the Kubernetes NetworkPolicy resource (it's like a firewall); you can learn more about it here: https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)
If you want to get this automatically, you can use Istio (https://istio.io), which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code, which is really cool: https://istio.io/docs/tasks/security/authn-policy/
answered Nov 8 at 16:54
Ahmet Alp Balkan - Google
Thanks, these are all interesting; however, it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
– Vojtěch
Nov 8 at 20:34
Kubernetes can't do that for you. You should code your app accordingly. Kubernetes doesn't know your app is HTTP at all; it's a container scheduler. Look at Istio, it can help you achieve the /internal/ part, but user authentication is something you need to implement in your app.
– Ahmet Alp Balkan - Google
Nov 11 at 23:10
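As an added illustration of the "implement it in your app" advice above (this is not code from the question, the answer or any project), a plain servlet filter that enforces the three zones from the question. It assumes the Istio sidecar terminates mutual TLS in front of the pod and forwards the verified caller's SPIFFE identity in the X-Forwarded-Client-Cert header; the class name, the allowed-caller list and the "user" session attribute are placeholders.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class ZoneAuthFilter implements Filter {
    // Placeholder SPIFFE identities of the workloads allowed to call /internal/.
    private static final Set<String> INTERNAL_CALLERS = Set.of(
            "spiffe://cluster.local/ns/default/sa/billing-service",
            "spiffe://cluster.local/ns/default/sa/reporting-service");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-normalised path (DispatcherServlet mapped at "/"): the raw request URI
        // could carry "/public/../internal/..." and defeat a plain prefix check.
        String path = request.getServletPath();
        if (path.startsWith("/public/")) {
            chain.doFilter(req, res);
        } else if (path.startsWith("/internal/")) {
            String caller = callerSpiffeId(request.getHeader("X-Forwarded-Client-Cert"));
            if (caller != null && INTERNAL_CALLERS.contains(caller)) chain.doFilter(req, res);
            else response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else if (hasUserSession(request)) {   // /private/ and any unlisted path: logged-in users only
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // Existing cookie/session login; assumes the app keeps the user under the "user" attribute.
    private static boolean hasUserSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute("user") != null;
    }

    // Caller identity from X-Forwarded-Client-Cert, which the Istio (Envoy) sidecar sets after
    // verifying the peer certificate under mutual TLS. Trustworthy only when every request reaches
    // the pod through the sidecar, which replaces any client-supplied copy of the header.
    // Simplified parse: the first URI= field wins; quoting inside Subject= values is ignored.
    static String callerSpiffeId(String xfcc) {
        if (xfcc == null) return null;
        for (String field : xfcc.split("[;,]")) {
            String f = field.trim();
            if (f.startsWith("URI=")) return f.substring(4);
        }
        return null;
    }
}
```

Register it with a `/*` mapping ahead of the DispatcherServlet; pair it with a NetworkPolicy or Istio peer-authentication policy so that requests cannot bypass the sidecar and reach the container port directly.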