Skip to content
Unicorn Delivery Service Unicorn Delivery Service

Authservice Protection

To enable authentication for applications that do not have native OIDC configuration, UDS Core can utilize Authservice as an authentication layer.

Follow these steps to protect your application with Authservice:

  • Set enableAuthserviceSelector with a matching label selector in the sso configuration of the Package.
  • Ensure that the pods of the application are labeled with the corresponding selector or use an empty selector to protect all of them
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: httpbin
  namespace: httpbin
spec:
  sso:
    - name: Demo SSO httpbin
      clientId: uds-core-httpbin
      redirectUris:
        - "https://httpbin.uds.dev/login"
      enableAuthserviceSelector:
        app: httpbin

For complete examples, see app-ambient-authservice-tenant.yaml and app-sidecar-authservice-tenant.yaml

Multiple Services and Selectors

Section titled “Multiple Services and Selectors”

Protecting Multiple Services

Section titled “Protecting Multiple Services”

You can protect multiple services with a single SSO client by using a common label selector. This is useful when you want to apply the same authentication rules to multiple related services.

Example: Single SSO Client for Multiple Services

Section titled “Example: Single SSO Client for Multiple Services”
# This will protect all pods with the label 'app: myapp'
sso:
  - name: "My App Services"
    clientId: my-app-auth
    redirectUris: ["https://myapp.example.com/login"]
    enableAuthserviceSelector:
      app: myapp  # Matches all pods with label app=myapp
    groups:
      anyOf: ["/MyApp/Users"]

Multiple SSO Configurations

Section titled “Multiple SSO Configurations”

If you need different authentication rules for different services, you can define multiple SSO clients with different selectors.

Example: Multiple SSO Clients

Section titled “Example: Multiple SSO Clients”
sso:
  - name: "Admin Services"
    clientId: admin-auth
    redirectUris: ["https://admin-app.example.com/login"]
    enableAuthserviceSelector:
      app: admin
    groups:
      anyOf: ["/Admin"]


  - name: "User Services"
    clientId: user-auth
    redirectUris: ["https://app.example.com/login"]
    enableAuthserviceSelector:
      app: user
    groups:
      anyOf: ["/Users"]

Limitations:

Section titled “Limitations:”

Authservice is intended for simple, basic protection scenarios where an absolute level of protection is acceptable (such as a Web UI or dashboard). For more advanced authentication requirements, you should implement authentication directly in your application or via a more comprehensive solution.

Ambient Mode Support

Section titled “Ambient Mode Support”

Authservice is fully supported for packages running in Istio Ambient Mesh mode (spec.network.serviceMesh.mode: ambient).

How This Works

Section titled “How This Works”
  • When a Package CR specifies ambient mode and includes an SSO client with enableAuthserviceSelector, the UDS Operator will:
    • Automatically create and manage the necessary waypoint proxy resources for your application.
    • Monitor the health and readiness of the waypoint proxy before enabling Authservice protection.
    • Associate the waypoint proxy with the correct services based on your selector.
    • Clean up the waypoint and related configuration automatically when the package is deleted.

Usage:

  • Set spec.network.serviceMesh.mode: ambient in your Package CR.
  • Add your SSO configuration with enableAuthserviceSelector as usual.
  • The operator will handle the rest.
Cookie Settings Privacy Policy