A detailed guide to SSO on Kubernetes

A detailed guide to SSO on Kubernetes(talkingquickly.co.uk)

68 points by talkingquickly 5 years ago | 32 comments

I've leveraged nginx-ingress's OAuth annotations to great success: https://kubernetes.github.io/ingress-nginx/examples/auth/oau...

talkingquickly 5 years ago | |

Yup agree, that's exactly what's being used here, along with some tweaks to make it easier to do things like passing the auth JWT's back to the underlying app etc

varispeed 5 years ago |

My dream is to one day create an SSO solution for companies. I've been doing research for a time being, but I am worried that I wouldn't find any clients, because who would trust an SSO created by one guy in his basement? I think the first step to overcome that would be having a completely Open Source solution, but how to avoid other companies grabbing it and selling as their own? Or do you think it is better to develop it anyway and then worry about customers later?

herodoturtle 5 years ago | |

> because who would trust an SSO created by one guy in his basement?

If you think you've got a good idea and a unique proposition - and your technical skills are up to scratch - then don't worry about starting out from your basement.

Have a look at Thawte Consulting - a certificate authority founded by Mark Shuttleworth in his parents' garage - which he later sold to Verisign for $575 million dollars:

https://en.wikipedia.org/wiki/Thawte

Starting a "high trust" business from one's basement is perfectly fine.

That being said, a far more important point is testing / validating the existence of an actual market for your product.

Whether you build your solution out of your basement or a lavish penthouse office is irrelevant.

The best and brightest team working out of swank office space will still fail if the market for their product doesn't exist.

Hope that helps :-)

traverseda 5 years ago | |

The smaller scale homelab/selfhosting people really need a better solution. I think open source developers do as well.

What we really need is a small easy to set up solution that provides a clear way for us to integrate our app into it.

My ideal would be something that

* Supports ldap and OIDC

* Can be deployed to docker using one compose file

* Only needs to support hundreds of users (keep it simple, easy to deploy, and able to run on a raspberry pi)

* Provides basic user management, I want to be able to put users into groups and (if the app supports it) use those groups for in-app ACL.

If that service worked well in my homelab (a single-pc docker swarm that runs a few private web services like jellyfin) I'd very likely end up deploying it on my employers infrastructure. My employer is a small business with maybe ~30 users.

I'm not sure how to convert something like that into sales though. Still, starting with an open-source solution that solves problems for the little guys often has a "trickle up" effect.

Right now I'm looking towards https://github.com/sonicnkt/glauth-ui/ to solve that problem, but it's definitely not anywhere near there yet.

znpy 5 years ago | | |

Uhm, keycloak does all the things you name and more.

I have it in production at work. Three instances, clustered (infinispan), running in docker containers orchestrated by kubernetes.

Each instance (pod) is upper-limited to 2gb ram (or 3, can't recall the details now).

It works very well and very reliably, serving about 750 users (as in, real people).

If you have 2GB to spare and a physical core, you can run keycloak with no problems at all.

After all, it all depends on the amount of traffic. Little traffic = little cpu load.

Don't dismiss keycloak because it's written in Java... Quite the contrary, you can tune the JVM to work with little memory (-Xms -Xmx iirc).

Ten years ago it was very common to see tips and tricks to make grails web apps work on as little as 64mb of ram on chap VPSes.

red0point 5 years ago | | |

I think Keycloak ticks all those boxed rather nicely. While it does support more than a few hundred users, I doubt that this will be a serious issue.

Perhaps you could enlighten us with a few key differentiators of your ideal solution to other common ones?

Hitton 5 years ago | |

>because who would trust an SSO created by one guy in his basement

You don't have to tell everyone that you are one person company operating from basement. Why not use phrases like "our company", "our clients", have different email addresses like support@, sales@, hr@ subtly insinuating there are more of you, use picture from photobank when listing address of your company's headquarters(basement) etc.. You won't be first nor last person doing this.

And Open Source/Proprietary doesn't need to be either/or problem. You can dual license it as AGPL/Proprietary and make contributors sign CLA.

martin-adams 5 years ago | |

Personally, I think the answer has to come from your customers. If the pain you're solving is great enough that they want it, but the only showstopper is future-proofing, then you might be able to work with them to find a solution.

It might be a case that you deploy into their infrastructure and give them a licence to use the source code should you shut down.

saberdancer 5 years ago | |

There is already Keycloak and various vendor solutions. I feel you'll struggle to break through.

3np 5 years ago | |

The current business players in the space all range across the spectrum of closed blackbox Saas (Auth0) to open core / open source (HC Boundary, arguably)

Before you can answer that - how do you differentiate from the existing competition? What's your target customer?

candiddevmike 5 years ago | |

Would love to hear more about this, I've got a couple of design diagrams and thoughts on my "ideal SSO setup". My contact info is in my profile.

znpy 5 years ago | |

Keep dreaming!

In the meantime people are already offering managed keycloak instances as a service.

isaacpz 5 years ago | | |

Who’s offering managed keycloak as a service? I’ve only come across cloud-iam whose security page didn’t impress me

1cvmask 5 years ago | |

What will be different to other solutions?

cpdean 5 years ago |

I read the headline, "A detailed guide to SSO on Kubernetes", as "A detailed guide to Single-Stage to Orbit on Kerbalnetes" and was thoroughly disappointed after clicking.

gsjjsjsbsb 5 years ago |

Does anybody have a good, comprehensive guide to Keycloak? I looked at it a while back and it seemed like a giant web UI with a million poorly documented knobs, but I keep seeing people who claim to be using it. I've used Auth0, Okta, Dex, and ORY and none of them seemed quite as incomprehensible

rad_gruchalski 5 years ago | |

The thing with Keycloak is: when you know what you are looking for, it's all self descriptive. Server administration documentation is awesome: https://www.keycloak.org/docs/latest/server_admin/index.html

I've written more about Authorization Services: https://gruchalski.com/posts/2020-09-05-introduction-to-keyc...

And can recommend these resources: https://www.janua.fr/tag/technical-blog/

candiddevmike 5 years ago | |

Keycloak is designed to be super flexible and support almost every combination of auth methods out there. A lot of companies don't need this kind of complexity though, which is where something like Dex may be more appropriate--it's quite a bit simpler.

streetcat1 5 years ago | |

I think that keycloak is based on JBoss, which is GPL? Hence I am not sure that you want it for commercial projects. But I might be wrong.

jabiko 5 years ago | | |

Keycloak is licensed under Apache 2.0

nurgasemetey 5 years ago | | |

There are many commercial projects using Keycloak as I know. Are they in danger?