I'm writing a service to be deployed on Kubernetes. Clients will be other services, not people, and those services may be in other namespaces or even clusters. My goals are:
- Authenticate the calling services
- Authorize the calling services
- Apply some policies based on the identity of the calling service (like quota)
I understand that Kubernetes doesn't provide services that really help with any of these, and I'll need to build something explicit into my service. I'd like to understand what the current best practice is and how to maximize what's available in Kubernetes or in the ecosystem to make these goals achievable while minimizing the coding and administrative burden. A few options that I've considered:
- Custom username / shared secret. I could just pass out shared secrets to all of the calling services, and write my own custom code to verify that the shared secret matches. I assume passing these around as Bearer tokens would be the right move. Would using Kubernetes serviceaccount and role objects be reasonable containers for these shared secrets? If so, are there libraries that make the lookups, associations, and policy work easier?
- JWT. JWT seems more intended for passing around claims, like end-user identity, and would seem to require that all of the participating components share the same JWT secret. Since I don't want calling-service-foo to be able to authenticate as calling-service-bar, it's not clear that JWT is the right move. Thoughts?
- mTLS. I could issue TLS certificates for all of the participating services. Are there components I can use to automate the issuance of these certificates? Should I try to use Kubernetes serviceaccount or role objects to manage these, or maybe roll my own CRDs?
- Istio. It seems like Istio can do a lot of this transparently, but so far all of the resources I've found that explain this seem to assume transparency is a goal. Since I will need the identities of the calling services, though, is it possible to get that out of Istio? Can this work if my callers aren't in my cluster?
- SPIRE (spiffe.io). This looks like it matches well for my use cases, but it seems new and I don't know how much experience people have with it.
Do any of these options (and please correct my understanding of any of them) stand out as best practices, or are there others I should be considering?
Thank you!
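One of the options listed in the question, mTLS with a per-caller identity, worked through as an added example (this is not code from the original post or from any of the projects it names). Each caller holds a client certificate whose URI SAN is its SPIFFE ID, which is the form SPIRE issues; the service authenticates at the TLS handshake against a CA bundle, reads the identity from the verified chain, and then authorizes and meters requests by that identity, so all three goals hang off one piece of state. The in-memory CA, the `spiffe://cluster.local/ns/payments/sa/checkout` identity, the path-keyed policy map, the lifetime quota counter and the loopback `httptest` server are all assumptions made for this example; in a real deployment the certificates and CA bundle would come from SPIRE's Workload API or from cert-manager, and the policy from a ConfigMap or a CRD.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

// Authorizer runs after the TLS stack has verified the peer chain; policy is keyed by SPIFFE ID (the
// cert's URI SAN), then by path. Hypothetical shape: a real service would load it from a ConfigMap/CRD.
type Authorizer struct {
	mu       sync.Mutex
	policies map[string]map[string]int // identity -> allowed path -> quota
	used     map[string]int            // lifetime counter (toy; use a windowed rate limiter in practice)
}

// Decide maps a verified peer chain and request path to (caller identity, HTTP status).
func (a *Authorizer) Decide(peer []*x509.Certificate, path string) (string, int) {
	if len(peer) == 0 || len(peer[0].URIs) == 0 {
		return "", http.StatusUnauthorized // trusted chain, but the leaf carries no workload identity
	}
	id := peer[0].URIs[0].String()
	a.mu.Lock()
	defer a.mu.Unlock()
	quota, ok := a.policies[id][path]
	if !ok {
		return id, http.StatusForbidden // authenticated, but not authorized for this path
	}
	if a.used[id] >= quota {
		return id, http.StatusTooManyRequests
	}
	a.used[id]++
	return id, http.StatusOK
}

// newCA is an in-memory issuer constructed for this example (standing in for SPIRE or cert-manager);
// issue mints a short-lived client cert whose only identity is the SPIFFE URI SAN.
func newCA() (issue func(spiffeID string) tls.Certificate, pool *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "trust-domain CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	pool = x509.NewCertPool()
	pool.AddCert(caCert)
	issue = func(spiffeID string) tls.Certificate {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		u, _ := url.Parse(spiffeID)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{u},
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	}
	return issue, pool
}

// RunScenario serves over loopback mTLS and returns what callers observe: one caller exhausting its
// quota, the same caller on a path it may not use, and a caller certified by a CA we do not trust.
func RunScenario() (quota []int, wrongPath int, rogueRejected bool) {
	issue, pool := newCA()
	rogueIssue, _ := newCA() // e.g. another cluster's CA that has not been federated with ours
	policy := map[string]map[string]int{"spiffe://cluster.local/ns/payments/sa/checkout": {"/charge": 2}}
	svc := &Authorizer{policies: policy, used: map[string]int{}}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, status := svc.Decide(r.TLS.PeerCertificates, r.URL.Path) // populated only for a verified chain
		w.WriteHeader(status)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	call := func(cert tls.Certificate, path string) int { // 0: no response (e.g. handshake refused)
		tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the server's own cert
		tr.TLSClientConfig.Certificates = []tls.Certificate{cert}
		if resp, err := (&http.Client{Transport: tr}).Get(srv.URL + path); err == nil {
			resp.Body.Close()
			return resp.StatusCode
		}
		return 0
	}
	c := issue("spiffe://cluster.local/ns/payments/sa/checkout")
	return []int{call(c, "/charge"), call(c, "/charge"), call(c, "/charge")}, // quota 2: 200, 200, 429
		call(c, "/report"), // authenticated, but not authorized for this path: 403
		call(rogueIssue("spiffe://cluster.local/ns/payments/sa/checkout"), "/charge") == 0 // same ID, untrusted CA
}
```

Call `RunScenario()` from a `main` or a test; it returns `[200 200 429]`, `403` and `true`. Two things the scenario makes concrete for the question's concerns: the service holds no per-caller secret, so the `checkout` caller cannot present itself as any other caller (the identity is bound to a key only that caller holds and a CA signature only the trusted issuer can produce), and a caller from outside the cluster is accepted exactly when the CA that issued its certificate is in the service's bundle, which is the trust-bundle federation question to settle before relying on this across clusters.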