Kubernetes Authentication Sidecars: A Revelation in Microservice Architecture
A history of authentication and how to solve authentication in a reusable way using sidecar containers in Kubernetes

As software engineers, we spend way too much time setting up authentication and debugging issues related to authentication. We have all been down one of those rabbit holes where our authentication method is not quite doing what we expect, and we lose days (and hair) scratching our heads!
As the adoption of microservices grows, there are more and more services where we need to implement authentication. In any organisation, there are now hundreds of different ways that authentication is being handled and lots of different libraries being used.
Over time we have learnt to offload some of our cross-cutting concerns, such as SSL termination and IP authorization, to load balancers, API gateways, and reverse proxies. More recently, service meshes such as Istio and Linkerd came along and helped us solve some of these problems closer to where our applications run by using sidecar containers running in the same Kubernetes pod as our services.
The sidecar approach can also be used to offload authentication so that our custom applications do not need to worry about it. This article shows how ASP.NET YARP can be used as a reverse proxy to authenticate requests for a downstream application. However, any technology could be used for the downstream application, as long as it uses HTTP.
The reverse proxy ideas discussed here are not specific to .NET and could be implemented using most web technologies.
The full code for the authentication proxy can be found on my GitHub here.
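To make the sidecar layout concrete, here is a sketch of the pod and Service wiring, added as an illustration and not taken from the author's repository. The image names, port numbers and the `DOWNSTREAM_URL` and `LISTEN_ADDR` settings are placeholders assumed for the example.

```yaml
# Added example: an authentication proxy running as a sidecar to the app.
# Images, ports, DOWNSTREAM_URL and LISTEN_ADDR are assumed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders
  template:
    metadata:
      labels:
        app: orders
    spec:
      containers:
        - name: auth-proxy              # reverse proxy that authenticates requests
          image: registry.example/auth-proxy:placeholder
          ports:
            - name: http
              containerPort: 8080       # the only port intended to receive traffic
          env:
            - name: DOWNSTREAM_URL      # hypothetical setting read by the proxy
              value: http://127.0.0.1:5000
        - name: app                     # downstream service, any HTTP technology
          image: registry.example/orders-app:placeholder
          env:
            - name: LISTEN_ADDR         # hypothetical setting; the loopback bind is the point
              value: 127.0.0.1:5000
          # No ports are declared here, but containerPort is informational only:
          # a process bound to 0.0.0.0 is reachable on the pod IP regardless,
          # which would let in-cluster callers skip the proxy entirely.
---
apiVersion: v1
kind: Service
metadata:
  name: orders
spec:
  selector:
    app: orders
  ports:
    - name: http
      port: 80
      targetPort: http                  # resolves to the auth-proxy container's port
```

Containers in a pod share one network namespace, so the proxy reaches the application over loopback while nothing outside the pod can. Check the bind address of the application itself, since an unauthenticated listener on the pod IP defeats the sidecar.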
A History of Authentication
So, before we look at using sidecars to solve our authentication woes, let’s start by looking at how authentication has evolved.
Cookie authentication
Cookies have been used to authenticate front-end applications for a while, but traditionally they have had some downsides:
- CSRF attacks — A CSRF attack is an attack that forces a user to make…