Authservice Protection
To enable authentication for applications that do not have native OIDC configuration, UDS Core can utilize Authservice as an authentication layer.
Follow these steps to protect your application with Authservice:
- Set `enableAuthserviceSelector` with a matching label selector in the `sso` configuration of the Package.
- Ensure that the pods of the application are labeled with the corresponding selector, or use an empty selector to protect all of them.
```yaml
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: httpbin
  namespace: httpbin
spec:
  sso:
    - name: Demo SSO httpbin
      clientId: uds-core-httpbin
      redirectUris:
        - "https://httpbin.uds.dev/login"
      enableAuthserviceSelector:
        app: httpbin
```
For a complete example, see app-authservice-tenant.yaml
Limitations:
Authservice is intended for simple, basic protection scenarios where an absolute level of protection is acceptable. For more advanced authentication requirements, you should implement authentication directly in your application or via a more comprehensive solution.
Authservice is currently not supported for ambient workloads (Package CR `network.serviceMesh.mode` of `ambient`). Package CRs with ambient configuration will be denied when applying if an Authservice SSO client is present. This restriction will be removed in the future once support is added for this in the UDS Operator.
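The steps and the ambient limitation above can be checked before a Package is applied. The following is an added example, not part of UDS Core: it reports which pods the `enableAuthserviceSelector` values would cover, which pods would be left without the Authservice layer, and whether the Package combines an Authservice client with ambient mode. The function names, the pod names and the `spec.network.serviceMesh.mode` location are assumptions, and the sample data is constructed.

```python
# Added example: pre-flight check of a Package's Authservice settings.
# Helper names and sample data are hypothetical, built for illustration.

def selector_matches(selector, labels):
    """Equality-based label match; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def check_package(package, pods):
    """Return (protected, unprotected, errors).

    package: Package CR as a dict; pods: pod name -> labels for the
    pods running in the Package's namespace.
    """
    spec = package.get("spec", {})
    selectors = [c["enableAuthserviceSelector"] for c in spec.get("sso", [])
                 if "enableAuthserviceSelector" in c]
    errors = []
    # Assumption: the mesh mode is read from spec.network.serviceMesh.mode.
    mode = spec.get("network", {}).get("serviceMesh", {}).get("mode")
    if selectors and mode == "ambient":
        errors.append("Authservice SSO client with ambient mode: "
                      "Package will be denied")
    protected = sorted(name for name, labels in pods.items()
                       if any(selector_matches(s, labels) for s in selectors))
    unprotected = sorted(set(pods) - set(protected))
    return protected, unprotected, errors

# Constructed sample: the Package from this page plus two pods, one of
# which carries a label the selector does not match.
PACKAGE = {
    "apiVersion": "uds.dev/v1alpha1", "kind": "Package",
    "metadata": {"name": "httpbin", "namespace": "httpbin"},
    "spec": {"sso": [{
        "name": "Demo SSO httpbin", "clientId": "uds-core-httpbin",
        "redirectUris": ["https://httpbin.uds.dev/login"],
        "enableAuthserviceSelector": {"app": "httpbin"},
    }]},
}
PODS = {
    "httpbin-7d9c": {"app": "httpbin"},
    "httpbin-admin-5f2a": {"app": "httpbin-admin"},
}

if __name__ == "__main__":
    protected, unprotected, errors = check_package(PACKAGE, PODS)
    print("protected:", protected)
    print("not covered by Authservice:", unprotected)
    print("errors:", errors)
```

A pod listed as not covered is reachable without the Authservice login flow, so either add the matching label to it or switch to an empty selector.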