Deploy XtremeCloud Guardian

Zero Impact Authentication in Kubernetes

Introduction

Imagine a world in which your application developers do not have to build any authentication features into their applications. When your cloud-native application is deployed into a Eupraxia Labs-configured cluster, that application and any other annotated applications are all protected by the XtremeCloud Single Sign-On (SSO) service. Log into one SSO-protected application and you are authenticated to all the others as well, without having to sign in again.

Background

The XtremeCloud Single Sign-On (SSO) Guardian sidecar container, based on Keycloak Gatekeeper, protects any application in a Kubernetes namespace without any modification to the application. Keycloak Gatekeeper is an adapter that integrates with the XtremeCloud SSO authentication service. It is deployed once per application instance, as a sidecar container running alongside the application container in the same Kubernetes pod. We configure the application's Kubernetes service to point to the Guardian rather than to the application itself, so that the Guardian acts as a proxy for incoming requests. For each request, the Guardian checks with the XtremeCloud SSO server whether an active authenticated session exists. If not, it redirects the client to the XtremeCloud SSO login page. If the session exists, it allows the incoming request to pass through to the application container.
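The sidecar layout described above, as an added example that is not Eupraxia Labs' own manifest or chart. It uses the upstream Keycloak Gatekeeper image and its command-line flags as a stand-in for the Guardian; every name, host, port and the image tag are assumed placeholders.

```yaml
# Added example: demo-app, the example.com hosts, ports and TAG are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 1
  selector:
    matchLabels: {app: demo-app}
  template:
    metadata:
      labels: {app: demo-app}
    spec:
      containers:
        - name: app
          image: registry.example.com/demo-app:TAG   # hypothetical application image
          # No containerPort is published for the app. Have it listen on
          # 127.0.0.1:8080 where it can: containers in a pod share one network
          # namespace, so a 0.0.0.0 listener is reachable on the pod IP
          # without passing through the sidecar.
        - name: guardian
          image: quay.io/keycloak/keycloak-gatekeeper:TAG   # upstream image, stand-in for Guardian
          args:
            - --listen=0.0.0.0:3000                  # port the Service targets
            - --upstream-url=http://127.0.0.1:8080   # app container, same pod
            - --discovery-url=https://sso.example.com/auth/realms/demo
            - --client-id=demo-app
            - --redirection-url=https://demo-app.example.com
            - --resources=uri=/*                     # every path requires a session
          env:
            - name: PROXY_CLIENT_SECRET              # Gatekeeper reads flags from PROXY_* variables
              valueFrom:
                secretKeyRef: {name: demo-app-oidc, key: client-secret}
          ports:
            - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: demo-app
spec:
  selector: {app: demo-app}
  ports:
    - port: 80
      targetPort: 3000   # the sidecar's port, not the application's 8080
```

If the application cannot be bound to localhost, a NetworkPolicy that admits ingress to the pod only on port 3000 closes the same bypass path.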

An unauthenticated user of any application protected by the XtremeCloud SSO Guardian is presented with this login page:

XtremeCloud Guardian is easily deployed from our provided CI/CD pipeline in Codefresh.

Helm Chart in Codefresh