---
title: "Istio"
description: "A guide to integrating Authelia with the Istio Kubernetes Ingress."
lead: "A guide to integrating Authelia with the Istio Kubernetes Ingress."
date: 2022-10-02T13:59:09+11:00
draft: false
images: []
menu:
  integration:
    parent: "kubernetes"
weight: 551
toc: true
---
Istio uses [Envoy] as its ingress proxy, which gives it a relatively comprehensive integration option: Istio is supported with Authelia v4.37.0 and higher via [Envoy]'s external authorization (`ext_authz`) filter, exposed in Istio as an `envoyExtAuthzHttp` extension provider.

[Envoy]: https://www.envoyproxy.io/
## Example
This example assumes that you have deployed an Authelia pod and configured it to be served on the URL `https://auth.example.com`, that there is a Kubernetes Service named `authelia` in the `default` namespace with `TCP port 80` configured to route to the Authelia pod's HTTP port, and that your cluster is configured with the default DNS domain name of `cluster.local`.
### Operator

This is an example IstioOperator manifest adjusted to authenticate with Authelia. It shows only the portions of the resource you need to add, plus enough surrounding context to place them; adapt it to your needs.
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
      - name: 'authelia'
        envoyExtAuthzHttp:
          service: 'authelia.default.svc.cluster.local'
          port: 80
          pathPrefix: '/api/verify/'
          includeRequestHeadersInCheck:
            - accept
            - cookie
            - proxy-authorization
          headersToUpstreamOnAllow:
            - 'authorization'
            - 'proxy-authorization'
            - 'remote-*'
            - 'authelia-*'
          includeAdditionalHeadersInCheck:
            X-Authelia-URL: 'https://auth.example.com/'
            X-Forwarded-Method: '%REQ(:METHOD)%'
            X-Forwarded-Proto: '%REQ(:SCHEME)%'
            X-Forwarded-Host: '%REQ(:AUTHORITY)%'
            X-Forwarded-URI: '%REQ(:PATH)%'
            X-Forwarded-For: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
          headersToDownstreamOnDeny:
            - set-cookie
          headersToDownstreamOnAllow:
            - set-cookie
```
### Authorization Policy

The following AuthorizationPolicy applies the extension provider defined above to the `nextcloud.example.com` domain:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: nextcloud
  namespace: apps
spec:
  action: CUSTOM
  provider:
    name: 'authelia'
  rules:
    - to:
        - operation:
            hosts:
              - 'nextcloud.example.com'
```
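To make the header plumbing of the two manifests above concrete, here is an added Python example (not Authelia, Istio or Envoy code) that models how the `envoyExtAuthzHttp` provider turns a downstream request into the check request sent to Authelia, which Authelia response headers reach the upstream service on allow and the client on deny, and which hosts the AuthorizationPolicy routes through the provider. The sample request and the sample Authelia responses are constructed; the automatic pass-through of `Location`, `WWW-Authenticate` and `Content-Length` on deny reflects Envoy's `ext_authz` defaults and is an assumption of this model, not something stated on this page.

```python
"""Model of the ext_authz header flows configured in the manifests above.

Added example; simplified, not the behaviour of Envoy itself.
"""
from fnmatch import fnmatch

# Transcribed from the IstioOperator manifest above. Header names are
# lower-cased because Envoy treats them case-insensitively.
PATH_PREFIX = "/api/verify/"
INCLUDE_REQUEST_HEADERS = {"accept", "cookie", "proxy-authorization"}
UPSTREAM_ON_ALLOW = ["authorization", "proxy-authorization", "remote-*", "authelia-*"]
ADDITIONAL_HEADERS = {
    "x-authelia-url": "https://auth.example.com/",
    "x-forwarded-method": "%REQ(:METHOD)%",
    "x-forwarded-proto": "%REQ(:SCHEME)%",
    "x-forwarded-host": "%REQ(:AUTHORITY)%",
    "x-forwarded-uri": "%REQ(:PATH)%",
    "x-forwarded-for": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%",
}
DOWNSTREAM_ON_DENY = {"set-cookie"}
DOWNSTREAM_ON_ALLOW = {"set-cookie"}
# Assumption: Envoy forwards these from a deny response even when an
# allow-list is set, so a 302 to the portal keeps its Location header.
DOWNSTREAM_ON_DENY_ALWAYS = {"location", "www-authenticate", "content-length"}
# From the AuthorizationPolicy above (exact host match only in this model).
PROTECTED_HOSTS = {"nextcloud.example.com"}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def _expand(template, req):
    """Resolve the Envoy command operators used in includeAdditionalHeadersInCheck."""
    operators = {
        "%REQ(:METHOD)%": req["method"],
        "%REQ(:SCHEME)%": req["scheme"],
        "%REQ(:AUTHORITY)%": req["authority"],
        "%REQ(:PATH)%": req["path"],
        "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%": req["client_ip"],
    }
    return operators.get(template, template)


def policy_applies(req):
    """A CUSTOM AuthorizationPolicy triggers the provider only for listed hosts."""
    return req["authority"].split(":")[0] in PROTECTED_HOSTS


def check_request(req):
    """Path and headers of the check request Envoy sends to Authelia.

    Only includeRequestHeadersInCheck headers are copied from the client;
    everything else Authelia sees is synthesised from the additional headers.
    """
    headers = {k: v for k, v in _lower(req["headers"]).items()
               if k in INCLUDE_REQUEST_HEADERS}
    for name, template in ADDITIONAL_HEADERS.items():
        headers[name] = _expand(template, req)
    # Modelled as the prefix joined to the original request path.
    return {"path": PATH_PREFIX.rstrip("/") + req["path"], "headers": headers}


def on_allow(req, authz_headers):
    """Upstream request and client-visible headers after Authelia allows.

    Allow-listed Authelia response headers are copied onto the client
    request and override any same-named header the client supplied.
    """
    upstream = _lower(req["headers"])
    authz = _lower(authz_headers)
    for name, value in authz.items():
        if any(fnmatch(name, pattern) for pattern in UPSTREAM_ON_ALLOW):
            upstream[name] = value
    downstream = {k: v for k, v in authz.items() if k in DOWNSTREAM_ON_ALLOW}
    return upstream, downstream


def on_deny(authz_status, authz_headers):
    """Status and headers returned to the client when Authelia denies."""
    authz = _lower(authz_headers)
    passed = {k: v for k, v in authz.items()
              if k in DOWNSTREAM_ON_DENY or k in DOWNSTREAM_ON_DENY_ALWAYS}
    return authz_status, passed


# Constructed sample: a browser request that also smuggles a forged Remote-User.
SAMPLE_REQUEST = {
    "method": "GET",
    "scheme": "https",
    "authority": "nextcloud.example.com",
    "path": "/index.php/apps/files",
    "client_ip": "203.0.113.7",
    "headers": {
        "Accept": "text/html",
        "Cookie": "authelia_session=constructed-session-id",
        "User-Agent": "Mozilla/5.0 (constructed)",
        "Remote-User": "forged-admin",
    },
}
# Constructed sample of Authelia's response headers for a valid session.
SAMPLE_ALLOW_HEADERS = {"Remote-User": "alice", "Remote-Groups": "users",
                        "Remote-Name": "Alice", "Remote-Email": "alice@example.com"}
# Constructed sample of a deny: redirect to the portal plus a cleared cookie.
SAMPLE_DENY_HEADERS = {
    "Location": "https://auth.example.com/?rd=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Ffiles",
    "Set-Cookie": "authelia_session=; Max-Age=0",
    "X-Debug": "constructed, must not leak to the client",
}

if __name__ == "__main__":
    print("policy applies:", policy_applies(SAMPLE_REQUEST))
    print("check request:", check_request(SAMPLE_REQUEST))
    print("on allow:", on_allow(SAMPLE_REQUEST, SAMPLE_ALLOW_HEADERS))
    print("on deny:", on_deny(302, SAMPLE_DENY_HEADERS))
```

The point the model makes visible is that the `remote-*` entries in `headersToUpstreamOnAllow` are taken from Authelia's response, so the forged `Remote-User` the client sent never reaches Nextcloud, while the narrow `includeRequestHeadersInCheck` list keeps unrelated client headers out of the check request altogether. The `set-cookie` entries on both the allow and deny paths are what let Authelia refresh or clear its session cookie in the browser.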
## See Also

- [Istio External Authentication Documentation](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/)
- [Istio Authorization Policy Documentation](https://istio.io/latest/docs/reference/config/security/authorization-policy/)
- [Istio IstioOperator Options Documentation](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/)
- [Istio MeshConfig Extension Provider EnvoyExtAuthz HTTP Provider Documentation](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider)