Authentication between microservices in Google Kubernetes Engine











up vote
1
down vote

favorite












We have several microservices implemented in Java/Kotlin and Spring MVC, running in Tomcat docker images. These services provide public APIs which are authenticated by user's cookies/sessions. These work correctly.



Now, we would like to create an internal endpoint, which wouldn't be accessible either outside of GKE or via some kind of internal authentication.



What would be the good way to go especially for Spring MVC and GKE?



EDIT:



I would like to achieve to authenticate different endpoints on one service. For instance:





  • /public/ - no auth


  • /private/ - user must be logged in


  • /internal/ - only other microservices can access


I would prefer to implement such auth on the application level, but I am not sure what would be the best way. IP range of internal Google IPs? Some other way of securely identifying the caller?



Maybe my idea is bad, if so, I will be happy to change my mind.






spring-mvc kubernetes google-kubernetes-engine







share|improve this question




























    up vote
    1
    down vote

    favorite












    We have several microservices implemented in Java/Kotlin and Spring MVC, running in Tomcat docker images. These services provide public APIs which are authenticated by user's cookies/sessions. These work correctly.



    Now, we would like to create an internal endpoint, which wouldn't be accessible either outside of GKE or via some kind of internal authentication.



    What would be the good way to go especially for Spring MVC and GKE?



    EDIT:



    I would like to achieve to authenticate different endpoints on one service. For instance:





    • /public/ - no auth


    • /private/ - user must be logged in


    • /internal/ - only other microservices can access


    I would prefer to implement such auth on the application level, but I am not sure what would be the best way. IP range of internal Google IPs? Some other way of securely identifying the caller?



    Maybe my idea is bad, if so, I will be happy to change my mind.






    spring-mvc kubernetes google-kubernetes-engine







    share|improve this question


























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      We have several microservices implemented in Java/Kotlin and Spring MVC, running in Tomcat docker images. These services provide public APIs which are authenticated by user's cookies/sessions. These work correctly.



      Now, we would like to create an internal endpoint, which wouldn't be accessible either outside of GKE or via some kind of internal authentication.



      What would be the good way to go especially for Spring MVC and GKE?



      EDIT:



      I would like to achieve to authenticate different endpoints on one service. For instance:





      • /public/ - no auth


      • /private/ - user must be logged in


      • /internal/ - only other microservices can access


      I would prefer to implement such auth on the application level, but I am not sure what would be the best way. IP range of internal Google IPs? Some other way of securely identifying the caller?



      Maybe my idea is bad, if so, I will be happy to change my mind.






      spring-mvc kubernetes google-kubernetes-engine







      share|improve this question















      We have several microservices implemented in Java/Kotlin and Spring MVC, running in Tomcat docker images. These services provide public APIs which are authenticated by user's cookies/sessions. These work correctly.



      Now, we would like to create an internal endpoint, which wouldn't be accessible either outside of GKE or via some kind of internal authentication.



      What would be the good way to go especially for Spring MVC and GKE?



      EDIT:



      I would like to achieve to authenticate different endpoints on one service. For instance:





      • /public/ - no auth


      • /private/ - user must be logged in


      • /internal/ - only other microservices can access


      I would prefer to implement such auth on the application level, but I am not sure what would be the best way. IP range of internal Google IPs? Some other way of securely identifying the caller?



      Maybe my idea is bad, if so, I will be happy to change my mind.






      spring-mvc kubernetes google-kubernetes-engine




      spring-mvc kubernetes google-kubernetes-engine






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 8 at 20:33

























      asked Nov 8 at 15:01









      Vojtěch

      2,681156096




      2,681156096
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote













          Your question isn't GKE specific. It's broadly a Kubernetes question.



          I encourage you to search Kubernetes service authentication.



          There are many ways to do this, including rolling your own auth model. One feature that can help here is Kubernetes NetworkPolicy resource (it's like firewalls), you can learn more about it here https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)



          If you want to get this automatically, you can use Istio (https://istio.io) which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code which is really cool: https://istio.io/docs/tasks/security/authn-policy/






          share|improve this answer





















          • Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
            – Vojtěch
            Nov 8 at 20:34










          • Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
            – Ahmet Alp Balkan - Google
            Nov 11 at 23:10











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53210404%2fauthentication-between-microservices-in-google-kubernetes-engine%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote













          Your question isn't GKE specific. It's broadly a Kubernetes question.



          I encourage you to search Kubernetes service authentication.



          There are many ways to do this, including rolling your own auth model. One feature that can help here is Kubernetes NetworkPolicy resource (it's like firewalls), you can learn more about it here https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)



          If you want to get this automatically, you can use Istio (https://istio.io) which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code which is really cool: https://istio.io/docs/tasks/security/authn-policy/






          share|improve this answer





















          • Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
            – Vojtěch
            Nov 8 at 20:34










          • Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
            – Ahmet Alp Balkan - Google
            Nov 11 at 23:10















          up vote
          1
          down vote













          Your question isn't GKE specific. It's broadly a Kubernetes question.



          I encourage you to search Kubernetes service authentication.



          There are many ways to do this, including rolling your own auth model. One feature that can help here is Kubernetes NetworkPolicy resource (it's like firewalls), you can learn more about it here https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)



          If you want to get this automatically, you can use Istio (https://istio.io) which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code which is really cool: https://istio.io/docs/tasks/security/authn-policy/






          share|improve this answer





















          • Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
            – Vojtěch
            Nov 8 at 20:34










          • Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
            – Ahmet Alp Balkan - Google
            Nov 11 at 23:10













          up vote
          1
          down vote










          up vote
          1
          down vote









          Your question isn't GKE specific. It's broadly a Kubernetes question.



          I encourage you to search Kubernetes service authentication.



          There are many ways to do this, including rolling your own auth model. One feature that can help here is Kubernetes NetworkPolicy resource (it's like firewalls), you can learn more about it here https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)



          If you want to get this automatically, you can use Istio (https://istio.io) which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code which is really cool: https://istio.io/docs/tasks/security/authn-policy/






          share|improve this answer












          Your question isn't GKE specific. It's broadly a Kubernetes question.



          I encourage you to search Kubernetes service authentication.



          There are many ways to do this, including rolling your own auth model. One feature that can help here is Kubernetes NetworkPolicy resource (it's like firewalls), you can learn more about it here https://kubernetes.io/docs/concepts/services-networking/network-policies/ and see here for some examples: https://github.com/ahmetb/kubernetes-network-policy-recipes (Keep in mind that this is a firewall, not authentication.)



          If you want to get this automatically, you can use Istio (https://istio.io) which allows you to automatically set up mutual TLS between all your services without any code changes. Istio also gives a strong identity to each workload. You can use Istio's authentication policies to set up auth between your microservices without changing your application code which is really cool: https://istio.io/docs/tasks/security/authn-policy/







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 8 at 16:54









          Ahmet Alp Balkan - Google

          16.3k2683146




          16.3k2683146












          • Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
            – Vojtěch
            Nov 8 at 20:34










          • Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
            – Ahmet Alp Balkan - Google
            Nov 11 at 23:10


















          • Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
            – Vojtěch
            Nov 8 at 20:34










          • Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
            – Ahmet Alp Balkan - Google
            Nov 11 at 23:10
















          Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
          – Vojtěch
          Nov 8 at 20:34




          Thanks, these are all interesting, however it is probably not what I am looking for. See my edits. I tried to search for the query you suggested even before, but I didn't find what I was looking for.
          – Vojtěch
          Nov 8 at 20:34












          Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
          – Ahmet Alp Balkan - Google
          Nov 11 at 23:10




          Kubernetes can’t do that for you. You should code your app accordingly. Kubernetes doesn’t know your app is http at all; it’s a container scheduler. Look at Istio, it can help you achieve /internal/ part, but user authentication is something you need to implement in your app.
          – Ahmet Alp Balkan - Google
          Nov 11 at 23:10


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53210404%2fauthentication-between-microservices-in-google-kubernetes-engine%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Schultheiß

          Image
          Der Titel dieses Artikels ist mehrdeutig. Weitere Bedeutungen sind unter Schultheiß (Begriffsklärung) aufgeführt. Ein Schultheiß. Holzschnitt von Peter Flötner (16. Jahrhundert) Der Schultheiß oder Schuldheiß (von althochdeutsch  sculdheizo ‚Leistung Befehlender‘, vgl. mittelniederdeutsch  schult(h)ēte , latinisiert (mittellat.) sculte(t)us , schwäbisch heute noch Schultes für „Bürgermeister“) bezeichnet einen in vielen westgermanischen Rechtsordnungen vorgesehenen Beamten, der Schuld heischt : Er hatte im Auftrag seines Herren (Landesherrn, Stadtherrn, Grundherrn) die Mitglieder einer Gemeinde zur Leistung ihrer Schuldigkeit anzuhalten, also Abgaben einzuziehen oder für das Beachten anderer Verpflichtungen Sorge zu tragen. Sprachliche Varianten des Schultheißen sind Schulte , Schultes oder Schulze . Früher wurde zwischen dem Stadtschulzen und dem Dorfschulzen unterschieden. In der städtischen Gerichts- und Gemeindeverfassung war er ein vom städtischen Rat oder vom L
          Read more

          Liste der Kulturdenkmale in Wilsdruff

          Image
          Wappen von Wilsdruff Die Liste der Kulturdenkmale in Wilsdruff enthält die Kulturdenkmale in Wilsdruff. Die Anmerkungen sind zu beachten. Diese Liste ist eine Teilliste der Liste der Kulturdenkmale im Landkreis Sächsische Schweiz-Osterzgebirge. Diese Liste ist eine Teilliste der Liste der Kulturdenkmale in Sachsen. Inhaltsverzeichnis 1 Legende 2 Wilsdruff 3 Birkenhain 4 Blankenstein 5 Braunsdorf 6 Grumbach 7 Grund 8 Helbigsdorf 9 Herzogswalde 10 Kaufbach 11 Kesselsdorf 12 Kleinopitz 13 Limbach 14 Mohorn 15 Oberhermsdorf 16 Anmerkungen 17 Ausführliche Denkmaltexte 18 Quellen 19 Weblinks Legende | Bild: zeigt ein Bild des Kulturdenkmals und gegebenenfalls einen Link zu weiteren Fotos des Kulturdenkmals Bezeichnung: Name, Bezeichnung oder die Art des Kulturdenkmals Lage: Straßenname und wenn vorhanden Hausnummer des Kulturdenkmals; Grundsortierung der Liste erfolgt nach dieser A
          Read more

          Android Play Services Check

          Image
          up vote 0 down vote favorite Im facing a problem currently im making my app to run on t.v its working fine on mobiles. but the issue is if i run my app on t.v emulator splash screen appears then the app crashes log shows this error. No acceptable module found. Local version is 0 and remote version is 0 i googled this error and came with a solution that my emulator should have latest google play services installed in it.. but in my t.v emulator there is no play store so i cant update my play services to latest version. so is there any way to make a check that if play services version is less then this so run the app instead of crashing, and if the play services version is latest also run the aap... here is my code where im getting the play services version.. int playServicesAvailable = GoogleApiAvailability.g
          Read more