apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Denis Jannot, Solo.io

apidays
19 Dec 2021

  1. Advanced Authentication patterns at the Edge. Denis Jannot, Director of Field Engineering - EMEA
  2. Copyright © 2021. About me: Denis Jannot, Director of Field Engineering - EMEA @ Solo.io (@djannot, denis.jannot@solo.io, denisjannot)
  3. From Monolith to Microservices (diagram: MONOLITH vs. MICROSERVICES)
  4. Kubernetes became the most popular platform (diagram: MONOLITH vs. MICROSERVICES)
  5. Check out our API Conferences here: New York (July), Australia (September), Singapore (April), Helsinki & North (March), Paris (December), London (October), Jakarta (February), Hong Kong (August), June, India (May). 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community. Want to talk at one of our conferences? Apply to speak here.
  6. How do you expose your apps? The Ingress way (diagram: microservices behind an Ingress that provides TLS and basic routing, in front of a Kubernetes Service and its Pods)
  7. Each team reinvents the wheel (diagram: microservices, Ingress)
  8. Some capabilities must be implemented downstream (diagram: microservices, Ingress, and an API Gateway in front of it providing rate limiting and a WAF)
  9. Common challenges
     • Each team reinvents the wheel (setting up the same authentication)
     • Implementation is different for each language
     • Application teams should focus on the business logic instead
     • The security team doesn't have visibility on what's configured for each application
     • Other security mechanisms must be implemented outside of the Kubernetes cluster
  10. What about a Kubernetes-native API Gateway? (diagram: microservices behind an API Gateway providing rate limiting and a WAF)
  11. That can even expose services outside of Kubernetes (diagram: microservices and external services behind the same API Gateway, with rate limiting and a WAF)
  12. Benefits
     • Authentication is performed at the API Gateway level
     • Application teams can focus on the business logic
     • Everything is configured through Kubernetes Custom Resources, so it's GitOps-friendly
     • Other security mechanisms are enforced by the same Gateway
     • Visibility for the security team
  13. Gloo Edge (diagram: microservices behind Gloo Edge, with rate limiting and a WAF)
  14. Gloo Edge overview. Gloo Edge is an open-source, flexible and extensible API Gateway built on Envoy Proxy for microservices environments. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application connectivity and policy-based traffic management. (diagram: north-south traffic into Service A through Service E)
  15. Why Envoy Proxy
     • Neutral foundation (CNCF)
     • Large, diverse, vibrant community
     • Built from the ground up for dynamic services environments
     • Dynamic configuration, driven by API
     • Highly extensible
     • L7 filters (HTTP/1, HTTP/2, gRPC, Redis, MySQL, Kafka, etc.)
     • Deep signals telemetry out of the box
     • Versatile deployment options
  16. Gloo Edge architecture (diagram of the Envoy filter chain: External Auth, Rate Limiting, Gloo filters (Data Loss Prevention, Lambda, Transformation, Web Application Firewall (WAF), WebAssembly, JWT), Router, Upstream; the External Auth and Rate Limiting filters call out to an External Auth Server and a Rate Limiting Server)
  17. What does Kubernetes-native mean?

      apiVersion: gateway.solo.io/v1
      kind: VirtualService
      metadata:
        name: demo
        namespace: gloo-system
      spec:
        sslConfig:
          secretRef:
            name: upstream-tls
            namespace: gloo-system
        virtualHost:
          domains:
          - '*'
          routes:
          - matchers:
            - prefix: /app1
            options:
              extauth:
                configRef:
                  name: oauth
                  namespace: gloo-system
            delegateAction:
              selector:
                namespaces:
                - app1
      ---
      apiVersion: gateway.solo.io/v1
      kind: RouteTable
      metadata:
        name: httpbin-routetable
        namespace: app1
      spec:
        routes:
        - matchers:
          - prefix: /not-secured
          options:
            prefixRewrite: '/'
          routeAction:
            single:
              upstream:
                name: app1-httpbin-8000
                namespace: gloo-system
      ---
      apiVersion: enterprise.gloo.solo.io/v1
      kind: AuthConfig
      metadata:
        name: oauth
        namespace: gloo-system
      spec:
        configs:
        - oauth2:
            oidcAuthorizationCode:
              appUrl: ${APP_URL}
              callbackPath: /callback
              clientId: ${client}
              clientSecretRef:
                name: oauth
                namespace: gloo-system
              issuerUrl: "${KEYCLOAK_URL}/realms/master/"
              scopes:
              - email
              headers:
                idTokenHeader: jwt
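The AuthConfig on this slide hands the whole OIDC authorization-code flow to the gateway's external auth server: an unauthenticated request is redirected to the identity provider, the provider sends the browser back to callbackPath, the gateway exchanges the code, validates the ID token and forwards it to the upstream in the header named by idTokenHeader. The Python below is an added example modelling that sequence; it is not Gloo Edge's or Solo.io's code. The issuer, client ID, client secret, redirect URI and Keycloak authorize path are assumed values standing in for the slide's ${KEYCLOAK_URL}, ${client}, the oauth Secret and ${APP_URL}; the identity provider is a constructed stand-in that signs with HS256 using the client secret, whereas a real provider signs with RS256 and publishes its keys via JWKS. The security-relevant points it exercises are the ones a gateway must get right: state is single-use so a callback cannot be replayed, the nonce binds the returned ID token to the login attempt that requested it, and the algorithm, signature, issuer, audience and expiry are all checked before any header is injected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the placeholders in the slide's AuthConfig (all assumed values).
ISSUER = "https://keycloak.example.com/realms/master"          # ${KEYCLOAK_URL}/realms/master
AUTHORIZE_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"  # Keycloak's authorize path
CLIENT_ID = "gloo-demo"                                         # ${client}
CLIENT_SECRET = b"demo-client-secret"                           # contents of the 'oauth' Secret
REDIRECT_URI = "https://app.example.com/callback"               # ${APP_URL} + callbackPath
LOGIN_TTL = 300  # seconds a pending state/nonce pair stays valid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict) -> str:
    """Constructed provider stand-in that mints an HS256 ID token. Real OIDC providers
    sign with RS256 and publish keys via JWKS; HS256 keeps this example dependency-free."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now: float) -> dict:
    """Checks the gateway must pass before trusting an ID token: structure, pinned
    algorithm, signature, issuer, audience, expiry and nonce binding."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        raise PermissionError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never accept 'none' or a swapped algorithm
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise PermissionError("nonce mismatch")  # token was not minted for this login attempt
    return claims

class EdgeOidcAuth:
    """Model of the gateway's external-auth step for the OIDC authorization-code flow."""

    def __init__(self, token_endpoint, now):
        self._pending = {}                     # state -> (nonce, created_at); single-use
        self._token_endpoint = token_endpoint  # callable(code) -> token response dict
        self._now = now                        # clock, injectable for testing

    def start_login(self) -> str:
        """Unauthenticated request: redirect to the provider with fresh state and nonce."""
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._pending[state] = (nonce, self._now())
        params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid email",
                  "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, state: str, code: str) -> dict:
        """/callback: consume the state once, exchange the code, validate the ID token and
        return the header injected for the upstream (the slide's idTokenHeader: jwt)."""
        pending = self._pending.pop(state, None)
        if pending is None:
            raise PermissionError("unknown or replayed state")
        nonce, created = pending
        if self._now() - created > LOGIN_TTL:
            raise PermissionError("login attempt expired")
        id_token = self._token_endpoint(code)["id_token"]
        verify_id_token(id_token, expected_nonce=nonce, now=self._now())
        return {"jwt": id_token}

def run_demo() -> dict:
    """Constructed end-to-end run: redirect, callback, header for the upstream."""
    fixed_now = 1_700_000_000
    issued = {}  # claims the fake provider signs once it has seen the nonce
    def fake_token_endpoint(code):  # stands in for the back-channel code exchange
        assert code == "good-code"  # a real provider is POSTed the code plus client secret here
        return {"id_token": make_id_token(issued)}

    edge = EdgeOidcAuth(fake_token_endpoint, now=lambda: fixed_now)
    q = parse_qs(urlparse(edge.start_login()).query)
    issued.update({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "email": "alice@example.com",
                   "exp": fixed_now + 300, "nonce": q["nonce"][0]})
    headers = edge.handle_callback(q["state"][0], "good-code")
    claims = verify_id_token(headers["jwt"], q["nonce"][0], fixed_now)
    return {"headers": headers, "claims": claims, "state": q["state"][0], "edge": edge}
```

Calling run_demo() walks one login through to the {"jwt": ...} header an upstream such as the httpbin service on the slide would receive. That header is only worth trusting if the upstream cannot be reached except through the gateway: a client that can hit the pod or Service directly can set a jwt header of its own, so the gateway-level authentication needs a NetworkPolicy, or the mesh-level identity the later slides introduce, to close that path.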
  19. Catalog and expose running APIs in Gloo Edge or Istio service mesh to your developers, partners, and community.
  20. No visibility (diagram: microservices behind an API Gateway providing rate limiting and a WAF)
  21. Welcome Service Mesh (diagram: Control Plane and Data Plane; encryption, telemetry, traffic management, access control, identity management, certificate management, health check)
  22. Enterprise Service Mesh for multi-cluster, cross-cluster and hybrid environments based on upstream Istio: https://www.solo.io/products/gloo-mesh/
  24. https://slack.solo.io/
  26. Thank you!