Authentik SSO Integration Guide
This guide covers the setup and management of Authentik Single Sign-On (SSO) in our Kubernetes cluster.
Architecture Overview
Authentik is deployed with two main components:
-
Authentik Server
- Core authentication service
- User management interface
- Policy configuration
- Accessible at https://sso.pc-tips.se
-
Proxy Outpost
- Authentication proxy (ports 9000/9443)
- Handles SSO for protected applications
- Integrated with Cilium Gateway API
Proxy Architecture
graph LR
A[External User] --> B[Gateway API]
B --> C[Authentik Proxy]
C --> D[Auth Flow]
D --> E[Internal Service]
C -.-> F[Authentik Server]
Configuration Guide
1. Protecting a New Application
Step 1: Authentik Configuration
- Access Authentik admin interface (https://sso.pc-tips.se)
- Create a new Proxy Provider:
name: my-application
external_host: app.pc-tips.se
internal_host: http://my-service.namespace.svc:8080
mode: forward_single - Create an Application:
name: My Application
slug: my-application
provider: my-application-proxy
policy_engine_mode: any
Step 2: Gateway Configuration
Create an HTTPRoute:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: my-application
namespace: my-namespace
spec:
parentRefs:
- name: external # or internal based on access needs
namespace: gateway
hostnames:
- "app.pc-tips.se"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: authentik-proxy
namespace: auth
port: 9000
2. Security Best Practices
Network Policies
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-authentik-proxy
namespace: my-namespace
spec:
endpointSelector:
matchLabels:
app: my-service
ingress:
- fromEndpoints:
- matchLabels:
app: authentik-proxy
io.kubernetes.pod.namespace: auth
TLS Configuration
- Always use HTTPS for external access
- Certificates managed by cert-manager
- Internal communication can use HTTP
Maintenance Guide
1. Regular Tasks
- Monitor Authentik logs for security events
- Review access policies quarterly
- Update Authentik version when available
- Rotate API tokens annually
2. Troubleshooting
Authentication Issues
- Check Proxy Status:
kubectl -n auth logs -l app=authentik-proxy
- Verify Network Policies:
kubectl -n auth get ciliumnetworkpolicies
- Test Authentication Flow:
curl -v https://app.pc-tips.se
# Should redirect to SSO
Common Issues
-
503 Service Unavailable
- Check Proxy deployment status
- Verify backend service health
- Review network policies
-
Authentication Loop
- Clear browser cookies
- Check Provider configuration
- Verify cookie domains
-
Backend Unreachable
- Verify service DNS resolution
- Check network policy rules
- Validate service ports
Integration Examples
Basic Web Application
# HTTPRoute for a basic web app
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: webapp
namespace: apps
spec:
parentRefs:
- name: external
namespace: gateway
hostnames:
- "webapp.pc-tips.se"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: authentik-proxy
namespace: auth
port: 9000
API Service
# HTTPRoute for an API service
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: api
namespace: services
spec:
parentRefs:
- name: internal
namespace: gateway
hostnames:
- "api.internal.pc-tips.se"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: authentik-proxy
namespace: auth
port: 9000
Performance Optimization
-
Caching Configuration
- Enable Redis caching
- Configure appropriate TTLs
- Monitor cache hit rates
-
Resource Allocation
resources:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
Monitoring
Key Metrics
- Authentication success/failure rates
- Response times
- Session counts
- Token validity
Alert Rules
alerts:
- auth_failure_rate > 10%
- response_time_95th > 2s
- proxy_5xx_rate > 1%