Protect your application on kubernetes with authelia
It turns out that a lot of security risks are caused if your web application don’t have a proper authentication and authorization implementation. Part of your job as developer who build web applications and host applications on kubernetes is to be aware of the threats that causes due to an in-proper authentication system for your web application.
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal.
This blog covers the implementation of authelia on a kubernetes eco system
In our implementation we will be using Nginx as our Proxy. Authelia can also work with other proxies like Traefik, HAProxy etc.
Deploy Nginx Ingress Controller on your Kubernetes Cluster
$ kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/01_nginx-ingress-controller.yaml$ kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/02_nginx-ingress-controller-service.yaml
By applying the above yaml it will create service accounts , cluster roles, role bindings ,config map and a Load balancer ServiThere are two ways to store the users along with their password:ce which is required for ingress controller. With this step we are ready to create an Ingress object in our cluster.
Create a default backend for routing requests from unknown routes.
kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/03_default-http-backend.yaml$ kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/04_default-http-backend-svc.yaml
A deployment named default-http-backend created with one pod running. A service named default-http-backend is created which is listening on port 80 and routes the traffic to default-http-backend pod.
Deploy Authelia on Kubernetes
Authentication Backend: There are two ways to store the users along with their password, File and LDAP. In our example we will use file based where users are stored in YAML file with a hashed version of their password.
authentication_backend:
disable_reset_password: false
file:
path: /var/lib/authelia/users.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 1024
Below is the format of users.yaml which contain hashed passwords instead of plain text passwords for security reasons.
users:
john:
password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
email: john.doe@authelia.com
groups:
- admins
- dev
harry:
password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
email: harry.potter@authelia.com
groups: []
For instance to generate a hash with the docker image just run:
$ docker run authelia/authelia:latest authelia hash-password yourpassword
Password hash: $argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs
Storage Backend: Authelia supports multiple storage backends like MariaDB, Mysql, Postgres, SQLLite etc. We will use SQLLite
storage:
local:
path: /var/lib/authelia/db.sqlite3
User Session: Authelia relies on session cookies to authenticate users. When the user visits a website of the protected domain example.com
for the first time, Authelia detects that there is no cookie for that user. Consequently, Authelia redirects the user to the login portal through which the user should authenticate to get a cookie which is valid for *.example.com
, meaning all websites of the domain. For the session to be stored we would need an in memory database. we will use redis for this
redis:
host: redis-master.redis.svc.cluster.local # your redis cluster addressport: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD
password:
Deploy Redis on Kubernetes
In this Example as it is not a production grade we will deploy only single node/redis master. In Production environment you should consider HA requirements.
$ Kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/05_authelia_redis.yaml
Authelia Configuration
Authelia uses a YAML file as configuration file. Note that you can create your own configuration file from Template which can be found at authelia github repo
Create Configmap on kubernetes based on the configuration.yaml and users.yaml file
$ Kubectl -n authelia apply -f create configmap authelia-config --namespace=authelia --from-file=https://github.com/findpritish/k8s/tree/master/authelia/configmap/
Authelia Deployment
Create a deployment with the authelia image and also create a service for the deployment. Note: Authelia is running on port 9091 as defined in configuration.yaml
$ Kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/06_authelia-deployment.yaml
Now authelia is deployed, with an ingress route created which routes to the login page of authelia (home.example.com) . if we access the ingress url will be directed to login page of authelia
Deploy a web application and Test the authentication with Authelia
$ Kubectl apply -f https://github.com/findpritish/k8s/blob/master/authelia/07_test_application_authelia.yaml
With this we have deployed a toy web application and secured it with authelia.
Domain: secure.example.com and singlefactor.example.com is secured now.
More details on Authelia can be found on official documentation of Authelia