
Authservice Protection

To enable authentication for applications that do not have native OIDC configuration, UDS Core can utilize Authservice as an authentication layer.

Follow these steps to protect your application with Authservice:

  • Set enableAuthserviceSelector with a matching label selector in the sso configuration of the Package.
  • Ensure that the application's pods carry labels matching that selector, or use an empty selector to protect all of the application's pods.
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: httpbin
  namespace: httpbin
spec:
  sso:
    - name: Demo SSO httpbin
      clientId: uds-core-httpbin
      redirectUris:
        - "https://httpbin.uds.dev/login"
      enableAuthserviceSelector:
        app: httpbin

For complete examples, see app-ambient-authservice-tenant.yaml and app-sidecar-authservice-tenant.yaml.

You can protect multiple services with a single SSO client by using a common label selector. This is useful when you want to apply the same authentication rules to multiple related services.

Example: Single SSO Client for Multiple Services

# This will protect all pods with the label 'app: myapp'
sso:
  - name: "My App Services"
    clientId: my-app-auth
    redirectUris: ["https://myapp.example.com/login"]
    enableAuthserviceSelector:
      app: myapp # Matches all pods with label app=myapp
    groups:
      anyOf: ["/MyApp/Users"]

If you need different authentication rules for different services, you can define multiple SSO clients with different selectors.

sso:
  - name: "Admin Services"
    clientId: admin-auth
    redirectUris: ["https://admin-app.example.com/login"]
    enableAuthserviceSelector:
      app: admin
    groups:
      anyOf: ["/Admin"]
  - name: "User Services"
    clientId: user-auth
    redirectUris: ["https://app.example.com/login"]
    enableAuthserviceSelector:
      app: user
    groups:
      anyOf: ["/Users"]

Authservice is intended for simple, basic protection scenarios where a coarse, proxy-level gate is acceptable (such as a Web UI or dashboard). For more advanced authentication requirements, implement authentication directly in your application or use a more comprehensive solution.

Authservice is fully supported for packages running in Istio Ambient Mesh mode (spec.network.serviceMesh.mode: ambient).

  • When a Package CR specifies ambient mode and includes an SSO client with enableAuthserviceSelector, the UDS Operator will:
    • Automatically create and manage the necessary waypoint proxy resources for your application.
    • Monitor the health and readiness of the waypoint proxy before enabling Authservice protection.
    • Associate the waypoint proxy with the correct services based on your selector.
    • Clean up the waypoint and related configuration automatically when the package is deleted.

Usage:

  • Set spec.network.serviceMesh.mode: ambient in your Package CR.
  • Add your SSO configuration with enableAuthserviceSelector as usual.
  • The operator will handle the rest.
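Before applying a Package with several SSO clients, it helps to check which pods each enableAuthserviceSelector actually matches. The script below is an added example and is not UDS Core code; it models the matching rule this page states (a pod is protected when its labels match a client's selector, and an empty selector matches every pod) over a constructed Package in ambient mode with the admin/user selectors from the section above. The Package, pod names, labels and URLs are constructed sample data, and the lint findings (pods matched by no client or by several clients, clients whose selector matches nothing, a client missing redirectUris) are this example's own checks, not operator behaviour documented here.

```python
"""Report which pods a Package's Authservice selectors protect (added example, not UDS Core code)."""
from typing import Dict, List

# Constructed Package CR, written as the Python equivalent of the page's YAML:
# ambient mesh mode plus two Authservice clients with different selectors,
# and one client without a selector (an app with native OIDC). Names and URLs
# are hypothetical.
PACKAGE = {
    "apiVersion": "uds.dev/v1alpha1",
    "kind": "Package",
    "metadata": {"name": "myapp", "namespace": "myapp"},
    "spec": {
        "network": {"serviceMesh": {"mode": "ambient"}},
        "sso": [
            {
                "name": "Admin Services",
                "clientId": "admin-auth",
                "redirectUris": ["https://admin-app.example.com/login"],
                "enableAuthserviceSelector": {"app": "admin"},
                "groups": {"anyOf": ["/Admin"]},
            },
            {
                "name": "User Services",
                "clientId": "user-auth",
                "redirectUris": ["https://app.example.com/login"],
                "enableAuthserviceSelector": {"app": "user"},
                "groups": {"anyOf": ["/Users"]},
            },
            {
                "name": "Native OIDC App",  # no selector: not routed through Authservice
                "clientId": "native-oidc",
                "redirectUris": ["https://native.example.com/callback"],
            },
        ],
    },
}

# Constructed pod labels, keyed by pod name.
PODS = {
    "admin-7d9f": {"app": "admin", "tier": "web"},
    "user-4c2a": {"app": "user"},
    "worker-1b3e": {"app": "worker"},  # matches neither selector
}


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """True when every key/value of the selector is present in the pod labels.
    An empty (or null) selector matches every pod, as the page describes."""
    return all(labels.get(k) == v for k, v in (selector or {}).items())


def authservice_clients(package: dict) -> List[dict]:
    """SSO clients that opt in to Authservice, i.e. that carry the selector key."""
    return [c for c in package["spec"].get("sso", []) if "enableAuthserviceSelector" in c]


def protected_by(package: dict, pods: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each pod name to the clientIds whose selector matches its labels."""
    clients = authservice_clients(package)
    return {
        pod: [c["clientId"] for c in clients if selector_matches(c["enableAuthserviceSelector"], labels)]
        for pod, labels in pods.items()
    }


def lint(package: dict, pods: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings a reviewer would want to see before applying the Package (example's own checks)."""
    findings = []
    clients = authservice_clients(package)
    for c in clients:
        if not c.get("redirectUris"):
            findings.append(f"client {c['clientId']}: no redirectUris")
        if not c["enableAuthserviceSelector"]:
            findings.append(f"client {c['clientId']}: empty selector protects every pod the Package covers")
    coverage = protected_by(package, pods)
    for pod, ids in coverage.items():
        if not ids:
            findings.append(f"pod {pod}: not protected by any Authservice client")
        elif len(ids) > 1:
            findings.append(f"pod {pod}: matched by several clients {ids}; review which policy applies")
    for c in clients:
        if not any(c["clientId"] in ids for ids in coverage.values()):
            findings.append(f"client {c['clientId']}: selector matches no pod")
    return findings


if __name__ == "__main__":
    mode = PACKAGE["spec"].get("network", {}).get("serviceMesh", {}).get("mode", "sidecar")
    print(f"mesh mode: {mode}")
    for pod, ids in protected_by(PACKAGE, PODS).items():
        print(f"{pod}: {ids or 'unprotected'}")
    for finding in lint(PACKAGE, PODS):
        print("WARN", finding)
```

Run it against the real manifest by replacing PACKAGE with the parsed Package CR and PODS with the labels from `kubectl get pods -o json`; an empty selector is reported explicitly because it widens protection to every pod rather than the ones you intended.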