Authservice Protection
To enable authentication for applications that do not have native OIDC configuration, UDS Core can utilize Authservice as an authentication layer.
Follow these steps to protect your application with Authservice:

- Set `enableAuthserviceSelector` with a matching label selector in the `sso` configuration of the Package.
- Ensure that the pods of the application are labeled with the corresponding selector, or use an empty selector to protect all of them.

```yaml
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: httpbin
  namespace: httpbin
spec:
  sso:
    - name: Demo SSO httpbin
      clientId: uds-core-httpbin
      redirectUris:
        - "https://httpbin.uds.dev/login"
      enableAuthserviceSelector:
        app: httpbin
```
For complete examples, see app-ambient-authservice-tenant.yaml and app-sidecar-authservice-tenant.yaml.
Multiple Services and Selectors
Protecting Multiple Services
You can protect multiple services with a single SSO client by using a common label selector. This is useful when you want to apply the same authentication rules to multiple related services.
Example: Single SSO Client for Multiple Services
```yaml
# This will protect all pods with the label 'app: myapp'
sso:
  - name: "My App Services"
    clientId: my-app-auth
    redirectUris: ["https://myapp.example.com/login"]
    enableAuthserviceSelector:
      app: myapp # Matches all pods with label app=myapp
    groups:
      anyOf: ["/MyApp/Users"]
```
Multiple SSO Configurations
If you need different authentication rules for different services, you can define multiple SSO clients with different selectors.
Example: Multiple SSO Clients
```yaml
sso:
  - name: "Admin Services"
    clientId: admin-auth
    redirectUris: ["https://admin-app.example.com/login"]
    enableAuthserviceSelector:
      app: admin
    groups:
      anyOf: ["/Admin"]
  - name: "User Services"
    clientId: user-auth
    redirectUris: ["https://app.example.com/login"]
    enableAuthserviceSelector:
      app: user
    groups:
      anyOf: ["/Users"]
```
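Because protection is driven entirely by label matching, the easiest mistake to make is a selector that matches nothing (the pods stay reachable without login) or two selectors that match the same pod. The following is an added example, not code from the UDS Core docs or code base: a small pre-deployment preview that applies each `enableAuthserviceSelector` to a constructed set of pod label sets and reports which pods each SSO client would cover. It assumes plain Kubernetes equality label matching (every key/value in the selector must be present on the pod) and, as the page states, that an empty selector matches every pod; the SSO client list, pod names and labels are constructed from the examples above.

```python
# Added example (not part of the UDS Core docs or code base): preview which pods
# an `enableAuthserviceSelector` would cover before applying the Package CR.
# Assumed semantics: equality label matching; an empty selector matches all pods.

SSO_CLIENTS = [  # constructed from the "Multiple SSO Clients" example above
    {"name": "Admin Services", "clientId": "admin-auth",
     "enableAuthserviceSelector": {"app": "admin"}},
    {"name": "User Services", "clientId": "user-auth",
     "enableAuthserviceSelector": {"app": "user"}},
    # No selector at all: this client gets no Authservice protection.
    {"name": "Native OIDC App", "clientId": "native-auth"},
]

PODS = {  # constructed pod name -> labels, as they might appear in the namespace
    "admin-api-7d9f": {"app": "admin", "tier": "api"},
    "web-5c2a": {"app": "user"},
    "metrics-1b3e": {"app": "metrics"},  # nothing selects this pod
}


def selector_matches(selector, labels):
    """Equality-based match: every selector key/value must appear on the pod.
    An empty selector ({}) matches every pod."""
    return all(labels.get(key) == value for key, value in selector.items())


def protected_by(sso_clients, pods):
    """Map each pod name to the names of the SSO clients whose selector matches it."""
    coverage = {}
    for pod_name, labels in pods.items():
        coverage[pod_name] = [
            client["name"]
            for client in sso_clients
            if "enableAuthserviceSelector" in client
            and selector_matches(client["enableAuthserviceSelector"], labels)
        ]
    return coverage


def unprotected_pods(coverage):
    """Pods that no Authservice selector matches: Authservice will not front them."""
    return sorted(pod for pod, clients in coverage.items() if not clients)


def overlapping_pods(coverage):
    """Pods matched by more than one SSO client. The page does not describe how
    such an overlap is resolved (assumption), so report it for the author to fix."""
    return {pod: clients for pod, clients in coverage.items() if len(clients) > 1}


if __name__ == "__main__":
    cov = protected_by(SSO_CLIENTS, PODS)
    for pod, clients in cov.items():
        print(f"{pod:16} -> {clients or 'not protected by Authservice'}")
    print("overlaps:", overlapping_pods(cov))
    # An extra client with an empty selector covers everything, including the
    # pods the two specific clients already match, so every one of them overlaps.
    everything = SSO_CLIENTS + [{"name": "Catch-all", "clientId": "all-auth",
                                 "enableAuthserviceSelector": {}}]
    print("overlaps with catch-all:", overlapping_pods(protected_by(everything, PODS)))
```

Run it against the label sets you expect in the namespace (for a live cluster, `kubectl get pods -n <ns> --show-labels` gives them): an entry under `unprotected_pods` for a pod you intended to protect means the selector and the pod labels disagree, and any `overlapping_pods` entry means two SSO clients claim the same pod.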
Limitations:
Authservice is intended for simple, basic protection scenarios where an absolute level of protection is acceptable (such as a Web UI or dashboard). For more advanced authentication requirements, you should implement authentication directly in your application or via a more comprehensive solution.
Ambient Mode Support
Authservice is fully supported for packages running in Istio Ambient Mesh mode (`spec.network.serviceMesh.mode: ambient`).
How This Works
When a Package CR specifies ambient mode and includes an SSO client with `enableAuthserviceSelector`, the UDS Operator will:

- Automatically create and manage the necessary waypoint proxy resources for your application.
- Monitor the health and readiness of the waypoint proxy before enabling Authservice protection.
- Associate the waypoint proxy with the correct services based on your selector.
- Clean up the waypoint and related configuration automatically when the package is deleted.
Usage:

- Set `spec.network.serviceMesh.mode: ambient` in your Package CR.
- Add your SSO configuration with `enableAuthserviceSelector` as usual.
- The operator will handle the rest.