Auth0 integration with Istio

NIRAV SHAH
Jul 16, 2022

Kubernetes & Istio are the best entry points for our services. However, we have not yet explored authentication from Istio. In this blog, I will demonstrate authentication & authorisation with Auth0. For the most part I am following the documented steps from the Auth0 team.

Create Cluster

The command below creates an EKS cluster with the latest version.

eksctl create cluster -f ekscluster.yml

# cat ekscluster.yml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: auth
  region: eu-north-1
  version: "1.22"
nodeGroups:
  - name: ng-1
    instanceType: m5.large
    desiredCapacity: 10
    volumeSize: 80
    ssh:
      allow: true # will use ~/.ssh/id_rsa.pub as the default ssh key
  - name: ng-2
    instanceType: m5.large
    desiredCapacity: 2
    volumeSize: 100
    ssh:
      publicKeyPath: ~/.ssh/id_rsa.pub

Setup Istio

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.0 TARGET_ARCH=x86_64 sh -
export PATH="$PATH:/Users/nirav/git/localscript/auth-configuration/istio-1.14.0/bin"
istioctl install --set profile=demo -y
kubectl get pods -n istio-system
kubectl get svc -n istio-system -l istio=ingressgateway

Setup Bookinfo environment

kubectl create ns demo
kubectl label namespace demo istio-injection=enabled
kubens demo
kubectl apply -f platform/kube/bookinfo.yaml
kubectl apply -f networking/bookinfo-gateway.yaml
kubectl apply -f networking/bookinfo-virtualservice.yaml

Setup Auth0 Account

This step requires logging in to the Auth0 website and creating an API with simple user generation. For this example I followed all the steps, with screenshots, described in the Auth0 document.

Setup Auth rules

kubectl apply -f security/auth0-authn.yaml
kubectl apply -f security/app-credentials.yaml
kubectl apply -f policies/

Demo

Damn!! It is so Easy

Introducing authentication to the service is too easy. I never thought I would be able to add an entire authentication demo in 2 days!

Code

The AuthorizationPolicy below applies to the pods with the app: details label. A request is sent further only if the user has the permission “read:book-details”.

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "details-policy"
  namespace: demo
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: details
  rules:
  - when:
    - key: request.auth.claims[permissions]
      values: ["read:book-details"]
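To see why details-policy allows or denies a given token, the added example below (not code from the original post, Istio or Auth0) decodes an access token's payload and applies the same claim condition locally. It assumes the claim is a string or a list of strings and that Istio's exact, prefix, suffix and presence value matching applies; make_token and the sample claims are constructed for illustration.

```python
import base64
import json

CLAIM = "permissions"            # key from details-policy
ALLOWED = ["read:book-details"]  # values from details-policy


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (troubleshooting only)."""
    # In the mesh, Istio's request authentication validates the token
    # before the AuthorizationPolicy ever sees its claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def value_matches(pattern, actual):
    """Istio value matching: exact, 'prefix*', '*suffix', '*' = present."""
    if pattern == "*":
        return actual != ""
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])
    return actual == pattern


def policy_allows(claims, claim=CLAIM, allowed=ALLOWED):
    """True if a string or list-of-strings claim matches any allowed value."""
    raw = claims.get(claim)
    if isinstance(raw, str):
        held = [raw]
    elif isinstance(raw, list):
        held = [v for v in raw if isinstance(v, str)]
    else:
        held = []  # missing or unsupported claim type: no match, so no ALLOW
    return any(value_matches(p, v) for p in allowed for v in held)


def make_token(claims):
    """Constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    sample = make_token({"sub": "constructed-user", "permissions": ["read:book-details"]})
    print(policy_allows(jwt_claims(sample)))
```

A token without the permissions claim, or with only other permissions, returns False here, which corresponds to the request being rejected at the details pods.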
