
I have a Kubernetes cluster with services and I use Ambassador as an API gateway between outside world and my services.

With Ambassador I know that I can use a service, which I have, to check authentication and authorization for incoming requests but does this only apply for requests coming outside the cluster?

I want to intercept service-to-service calls as well.

Nordkraft

2 Answers


I would be surprised if you cannot.

This answer needs some terminology, to avoid getting lost in word-soup.

  • App-A is a consumer of an in-cluster Service, and the one which will be authenticating to Ambassador
  • App-Z is the provider of an in-cluster Service (the selector would target its Pods)
  • The k8s Service for app-Z we'll call z-service in the z namespace, for a FQDN of z-service.z.svc.cluster.local

It seems like you can use its v-host support and teach it to honor the in-cluster virtual host (the aforementioned FQDN), then update the z-service selector to target the Ambassador Pods rather than the underlying app-Z Pods.

From app-A's point of view, the only thing that would change is that it now must provide authentication for contacting z-service.z.svc.cluster.local.

Without studying Ambassador's setup more, it's hard to know if Ambassador would Just Work™ at that point, or whether you would then need an "implementation" Service -- such as z-for-real.z.svc.cluster.local -- so that Ambassador knows how to find the actual app-Z Pods.

mdaniel
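The layout described in this answer, written out as an added example (it is not part of the original answer or of Ambassador's own documentation): z-service keeps its in-cluster FQDN but now resolves to Ambassador, a z-for-real Service is the only object still pointing at the real app-Z Pods, an AuthService screens every request, and a Mapping routes the virtual host to z-for-real. Because a Service selector can only match Pods in its own namespace, the example aliases z-service to Ambassador with an ExternalName Service instead of re-pointing the selector. Assumed names: Ambassador's Service `ambassador` in namespace `ambassador`, the Pod label `app: app-z`, an auth service reachable at `authz.z:8080`, and the `getambassador.io/v2` API.

```yaml
# Added example, not from the post or the Ambassador project. Assumes
# Ambassador's Service is "ambassador" in namespace "ambassador", app-Z Pods
# carry label app: app-z, and the auth service is "authz" in namespace "z".
# 1. The "implementation" Service: the only object still pointing at app-Z Pods.
apiVersion: v1
kind: Service
metadata:
  name: z-for-real
  namespace: z
spec:
  selector:
    app: app-z
  ports:
    - port: 80
---
# 2. z-service keeps its FQDN but now resolves to Ambassador. A selector only
#    matches Pods in its own namespace, so a DNS alias (ExternalName) is used here.
apiVersion: v1
kind: Service
metadata:
  name: z-service
  namespace: z
spec:
  type: ExternalName
  externalName: ambassador.ambassador.svc.cluster.local
---
# 3. Ambassador forwards every request to the auth service first; a non-2xx
#    reply is returned to the caller and app-Z is never contacted.
apiVersion: getambassador.io/v2
kind: AuthService
metadata:
  name: authz
  namespace: z
spec:
  auth_service: authz.z:8080
  proto: http
  allowed_request_headers:
    - Authorization
---
# 4. Route the in-cluster virtual host (any short form callers may use) to z-for-real.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: z-service-internal
  namespace: z
spec:
  host: "^z-service(\\.z(\\.svc(\\.cluster\\.local)?)?)?(:[0-9]+)?$"
  host_regex: true
  prefix: /
  service: z-for-real.z:80
```

Note that an AuthService applies to every request passing through that Ambassador instance, external traffic included; individual Mappings can opt out with `bypass_auth: true` if some routes must stay unauthenticated.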

I have the same problem at the moment. Ambassador routes every request to an auth service (if provided); the auth service can be anything. So you can set up HTTP basic auth, OAuth, JWT auth and so on. The next important thing to mention is that your services may use header based routing (https://www.getambassador.io/reference/headers). Only if a bearer (or something similar) is present will the request hit your service, otherwise it will fail. In your service you can check for permissions and so on. So all in all Ambassador can help you, but you still have to program something by yourself.

If you want something ready from start or more advanced you can try https://github.com/ory/oathkeeper or https://istio.io.

If you already found a solution, it would be interesting to know.

Marco
  • I tried using my custom Spring Security OAuth2 with Istio with no success using Policy or RequestAuthentication; using the same custom security with Ambassador, what would be the steps to follow? Thanks – Tiago Medici May 10 '20 at 19:52
  • @TiagoMedici You should create your own question. The comment field is not enough to answer your question properly. – Marco May 29 '20 at 09:23