Skip to content
/ k8s-aad-auth Public

Example of securing a Kubernetes application with Azure AD

23 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

brbarnett/k8s-aad-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
images
images
 
 
k8s-manifests
k8s-manifests
 
 
readme.md
readme.md
 
 

Repository files navigation

Authenticating a Kubernetes app with Azure AD

The purpose of this project is to provide a starting point for client applications that are hosted alongside a secured microservice API hosted on the Kubernetes orchestrator.

This sample application is based on https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth. See https://github.com/brbarnett/much-todo-about-containers for more details on how to set up the cluster.

Architecture

This project is set up with three primary ingress resources:

  • Unsecured -- this is for any front-end, static content that you wouldn't typically secure. For example, this is where I would serve a React or Angular single-page application.
  • Secured -- these rules are for more sensitive endpoints, such as your API. I am assuming that the SPA delivered by unsecured rules will handle its own authentication against an OAuth 2.0 application, in this case using Azure AD.
  • oauth2_proxy -- this ingress route /oauth2 traffic to the oauth2_proxy service (based on bitly/oauth2_proxy) for Azure AD authentication.

Here is a high-level architectural diagram of how this application works:

High-level architecture

Deploying to Kubernetes cluster

Note: these instructions are specific to an Azure AKS cluster. I assume you have Helm installed and initialized on your cluster. The 104.43.217.79 IP address is a pre-configured static IP address resource in Azure.

helm install stable/nginx-ingress \
    --name nginx-ingress \
    --namespace kube-system \
    --set controller.service.loadBalancerIP=104.43.217.79 \
    --set rbac.create=false \
    --set rbac.createRole=false \
    --set rbac.createClusterRole=false

helm install stable/cert-manager \
    --name cert-manager \
    --namespace kube-system \
    --set ingressShim.extraArgs='{--default-issuer-name=letsencrypt-prod,--default-issuer-kind=Issuer}' \
    --set rbac.create=false

kubectl apply -f cert-issuer.yaml

kubectl apply -f secured-ingress.yaml
kubectl apply -f unsecured-ingress.yaml
kubectl apply -f oauth2-proxy-ingress.yaml

kubectl apply -f oauth2-proxy.deployment.yaml
kubectl apply -f oauth2-proxy.service.yaml

kubectl apply -f web.deployment.yaml
kubectl apply -f web.service.yaml

kubectl apply -f api.deployment.yaml
kubectl apply -f api.service.yaml

Demo

About

Example of securing a Kubernetes application with Azure AD

Resources

Readme
Activity

Stars

23 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published