k8s-aad-auth's Introduction

Authenticating a Kubernetes app with Azure AD

The purpose of this project is to provide a starting point for client applications that are hosted alongside a secured microservice API on the Kubernetes orchestrator.

This sample application is based on https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth. See https://github.com/brbarnett/much-todo-about-containers for more details on how to set up the cluster.

Architecture

This project is set up with three primary ingress resources:

  • Unsecured -- this is for any front-end, static content that you wouldn't typically secure. For example, this is where I would serve a React or Angular single-page application.
  • Secured -- these rules are for more sensitive endpoints, such as your API. I am assuming that the SPA delivered by unsecured rules will handle its own authentication against an OAuth 2.0 application, in this case using Azure AD.
  • oauth2_proxy -- this ingress routes /oauth2 traffic to the oauth2_proxy service (based on bitly/oauth2_proxy) for Azure AD authentication.

Here is a high-level architectural diagram of how this application works:

High-level architecture

Deploying to Kubernetes cluster

Note: these instructions are specific to an Azure AKS cluster. I assume you have Helm installed and initialized on your cluster. The 104.43.217.79 IP address is a pre-configured static IP address resource in Azure.

helm install stable/nginx-ingress \
    --name nginx-ingress \
    --namespace kube-system \
    --set controller.service.loadBalancerIP=104.43.217.79 \
    --set rbac.create=false \
    --set rbac.createRole=false \
    --set rbac.createClusterRole=false

helm install stable/cert-manager \
    --name cert-manager \
    --namespace kube-system \
    --set ingressShim.extraArgs='{--default-issuer-name=letsencrypt-prod,--default-issuer-kind=Issuer}' \
    --set rbac.create=false

kubectl apply -f cert-issuer.yaml

kubectl apply -f secured-ingress.yaml
kubectl apply -f unsecured-ingress.yaml
kubectl apply -f oauth2-proxy-ingress.yaml

kubectl apply -f oauth2-proxy.deployment.yaml
kubectl apply -f oauth2-proxy.service.yaml

kubectl apply -f web.deployment.yaml
kubectl apply -f web.service.yaml

kubectl apply -f api.deployment.yaml
kubectl apply -f api.service.yaml
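As an added example (not the project's own secured-ingress.yaml or oauth2-proxy-ingress.yaml), here is how the Secured and oauth2_proxy ingress resources from the Architecture section can be wired together with ingress-nginx external-auth annotations, following the upstream oauth-external-auth example this project cites. The hostname app.example.com, the service names api and oauth2-proxy, their ports and the TLS secret name are assumptions.

```yaml
# Secured ingress: nginx sends a subrequest for every /api call to
# oauth2_proxy's /oauth2/auth endpoint before proxying to the API.
# 202 from oauth2_proxy lets the request through; 401 redirects the
# browser to /oauth2/start, which begins the Azure AD login.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: secured-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
spec:
  tls:
    - hosts:
        - app.example.com            # placeholder hostname
      secretName: app-example-com-tls  # assumed cert-manager secret name
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            backend:
              serviceName: api         # assumed API service name
              servicePort: 80
---
# oauth2_proxy ingress: only /oauth2 paths reach the proxy, so the
# login, callback and auth endpoints are exposed and nothing else is.
# It carries no auth annotations itself, otherwise the login flow
# would redirect to itself.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy  # assumed proxy service name
              servicePort: 4180          # oauth2_proxy default listen port
```

Because the auth-url check runs inside nginx, a request with a missing or expired session cookie never reaches the api service; the Unsecured ingress serving the SPA simply omits the two auth annotations.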

Demo
