authelia/docs/deployment/deployment-kubernetes.md

---
layout: default
title: Deployment - Kubernetes
parent: Deployment
nav_order: 3
---

# Deployment on Kubernetes

<p>
    <img src="../images/logos/kubernetes.png" width="100" style="padding-right: 10px">
</p>

## UNDER CONSTRUCTION

The following areas are actively being worked on for Kubernetes:
1. Detailed Documentaiton
2. [Helm Chart (v3)](https://github.com/authelia/chartrepo)
3. Kustomize Deployment
4. Manifest Examples

Users are welcome to reach out directly by using any of our various [contact options](../about-us.md#contact-options). 

### Important Notes

The following section has special notes regarding utilizing Authelia with Kubernetes.

1. Authelia (and all of your other applications) may receive an invalid remote IP if the service handling traffic to
   the Kubernetes Ingress of your choice doesn't have the `externalTrafficPolicy` setting configured to `local` as per
   the Kubernetes [preserving the client source ip] documentation.
2. Authelia's configuration management system conflicts with the `enableServiceLinks` option when it's set to `true`
   which is the default. This shoudld be changed to `false`.

###  NGINX Ingress Controller 
If you use NGINX Ingress Controller you can protect an ingress with the following annotations.
The assumptions are that your public domain where authelia is running would be https://auth.mypublicdomain.com
and there would be a service called authelia with port 80 in the default namespace.

```yaml
annotations:
  nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
  nginx.ingress.kubernetes.io/auth-signin: https://auth.mypublicdomain.com
  nginx.ingress.kubernetes.io/auth-snippet: |
    proxy_set_header X-Forwarded-Method $request_method;
  nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local/api/verify
  nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header X-Forwarded-Method $request_method;
```

## FAQ

### RAM usage

If using file-based authentication, the argon2id provider will by default use 1GB of RAM for password generation. This means you should allow for at least this amount in your deployment/daemonset spec and have this much available on your node, alternatively you can [tweak the providers settings](https://www.authelia.com/docs/configuration/authentication/file.html#memory). Otherwise, your Authelia may OOM during login. See [here](https://github.com/authelia/authelia/issues/1234#issuecomment-663910799) for more info.

[preserving the client source ip]: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
[DOCS] Bootstrap new documentation website based on just-the-docs (#659) 2020-02-29 00:43:59 +00:00			`---`
			`layout: default`
			`title: Deployment - Kubernetes`
			`parent: Deployment`
			`nav_order: 3`
			`---`

			`# Deployment on Kubernetes`

			`<p>`
docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`<img src="../images/logos/kubernetes.png" width="100" style="padding-right: 10px">`
[DOCS] Bootstrap new documentation website based on just-the-docs (#659) 2020-02-29 00:43:59 +00:00			`</p>`

docs: refactor several areas of documentation (#1726) Updated all links to use https://www.authelia.com/docs/. Removed all comment sections from documented configuration on the documentation site and replaced them with their own sections. Made all documentation inside config.template.yml double hashes, and made all commented configuration sections single quoted. Added .yamllint.yaml to express our desired YAML styles. Added a style guide. Refactored many documentation areas to be 120 char widths where possible. It's by no means exhaustive but is a large start. Added a statelessness guide for the pending Kubernetes chart introduction. Added labels to configuration documentation and made many areas uniform. 2021-04-11 11:25:03 +00:00			`## UNDER CONSTRUCTION`

			`The following areas are actively being worked on for Kubernetes:`
			`1. Detailed Documentaiton`
			`2. [Helm Chart (v3)](https://github.com/authelia/chartrepo)`
			`3. Kustomize Deployment`
			`4. Manifest Examples`

docs: update and unify contact options (#2213) This updates and unifies the contact options so it is easier to maintain. All contact options now link back to one of two locations, and both of these locations are a copy and paste for the most part. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2021-07-30 04:19:17 +00:00			`Users are welcome to reach out directly by using any of our various [contact options](../about-us.md#contact-options).`
[DOCS] Add FAQ for Kubernetes deployment (#1252) * Add note to Kubernetes page about potential OOM See #1234 2020-08-14 03:30:37 +00:00
docs: add k8s important notes (#3140) Add some implementation notes about k8s. Fixes #2882 2022-04-08 04:15:35 +00:00			`### Important Notes`

			`The following section has special notes regarding utilizing Authelia with Kubernetes.`

			`1. Authelia (and all of your other applications) may receive an invalid remote IP if the service handling traffic to`
			the Kubernetes Ingress of your choice doesn't have the `externalTrafficPolicy` setting configured to `local` as per
			`the Kubernetes [preserving the client source ip] documentation.`
			2. Authelia's configuration management system conflicts with the `enableServiceLinks` option when it's set to `true`
			which is the default. This shoudld be changed to `false`.

docs: add annotations for nginx ingress to k8s doc (#2726) 2021-12-16 22:11:36 +00:00			`### NGINX Ingress Controller`
			`If you use NGINX Ingress Controller you can protect an ingress with the following annotations.`
			`The assumptions are that your public domain where authelia is running would be https://auth.mypublicdomain.com`
			`and there would be a service called authelia with port 80 in the default namespace.`

			```yaml
			`annotations:`
			`nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email`
			`nginx.ingress.kubernetes.io/auth-signin: https://auth.mypublicdomain.com`
			`nginx.ingress.kubernetes.io/auth-snippet: \|`
			`proxy_set_header X-Forwarded-Method $request_method;`
			`nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local/api/verify`
			`nginx.ingress.kubernetes.io/configuration-snippet: \|`
			`proxy_set_header X-Forwarded-Method $request_method;`
			```

[DOCS] Add FAQ for Kubernetes deployment (#1252) * Add note to Kubernetes page about potential OOM See #1234 2020-08-14 03:30:37 +00:00			`## FAQ`

			`### RAM usage`

			If using file-based authentication, the argon2id provider will by default use 1GB of RAM for password generation. This means you should allow for at least this amount in your deployment/daemonset spec and have this much available on your node, alternatively you can [tweak the providers settings](https://www.authelia.com/docs/configuration/authentication/file.html#memory). Otherwise, your Authelia may OOM during login. See [here](https://github.com/authelia/authelia/issues/1234#issuecomment-663910799) for more info.
docs: add k8s important notes (#3140) Add some implementation notes about k8s. Fixes #2882 2022-04-08 04:15:35 +00:00
			`[preserving the client source ip]: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip`