This feature is supported in Ambassador Pro. Ambassador Pro helps developers and operators accelerate their adoption of Kubernetes.
Ambassador Pro authentication is managed with the Policy custom resource definition (CRD). This resource lets you specify which routes should and should not be authenticated by the authentication service. By default, all routes require authentication from the IDP, either with a JWT or via a login service.
A rule for the Policy CRD is a set of hosts, paths, and permission settings that indicate which routes require authentication from Ambassador Pro, as well as the access rights that the particular API needs. The default rule is to require authentication for all paths on all hosts.
Rule Configuration Values

| Value | Example | Description |
|---|---|---|
| host | "*", "foo.com" | the host that a given rule should match |
| path | "/foo/url/" | the URL path that a given rule should match |
| public | true | a boolean that indicates whether or not authentication is required; default false |
| scope | openid | the rights that need to be granted in a given API; not all APIs will need a scope defined |
The following policy is shown in the OAuth/OIDC Authentication guide and is used to secure the example
```yaml
apiVersion: stable.datawire.io/v1beta1
kind: Policy
metadata:
  name: httpbin-policy
spec:
  rules:
  - host: "*"
    path: /httpbin/ip
    public: true
    scope: openid
  - host: "*"
    path: /httpbin/user-agent/*
    public: false
    scope: openid
  - host: "*"
    path: /httpbin/headers/*
    scope: openid
```
A Policy defines rules by matching the host and path of a request, and uses the public attribute to decide whether or not the request needs to be authenticated. Since both host and path support wildcards, it is easy to configure an entire mapping to require authentication or not.
```yaml
apiVersion: stable.datawire.io/v1beta1
kind: Policy
metadata:
  name: mappings-policy
spec:
  rules:
  - host: "*"
    path: /httpbin/*
    public: true
  - host: "*"   # the host value is empty in the source; "*" assumed, matching the sibling rules
    path: /qotm/*
    public: false
  - host: "*"
    path: /*
    public: false
```
This policy configures Ambassador Pro authentication to:
- not require authentication for the /httpbin/* mapping;
- require authentication for the /qotm/* mapping;
- explicitly express the default of requiring authentication for all routes.
```yaml
apiVersion: stable.datawire.io/v1beta1
kind: Policy
metadata:
  name: multi-domain-policy
spec:
  rules:
  - host: foo.bar.com
    path: /qotm/
    public: true
  - host: example.com
    path: /qotm/
    public: false
```
Imagine you have multiple domains behind Ambassador Pro, such as foo.bar.com and example.com, and a service named qotm sits behind both of them. You want foo.bar.com to have public access to qotm without authenticating, but requests from example.com to require authentication. The above policy accomplishes this.
Pass-Through by Default
```yaml
---
apiVersion: stable.datawire.io/v1beta1
kind: Policy
metadata:
  name: default-policy
spec:
  rules:
  - host: "*"
    path: /*
    public: true
```
This policy changes the default so that no route requires authentication. Note: rules applied to higher-level paths, e.g. /qotm/, take precedence over ones applied to lower-level paths, e.g.
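The following script is an added example, not part of the Ambassador Pro docs or code base. It models how the rule fields from the table above (host, path, public, scope) decide whether a request must be authenticated, using the policies shown on this page as constructed inputs, and it adds a small lint that flags a `public: true` rule on `/*`, since that is the one-line change that turns authentication off for everything. Two points are assumptions, not documented Ambassador behaviour: `*` is treated as a glob that matches any run of characters (including `/`), and when several rules match, the one with the most literal path characters wins, which is how the precedence note above is read here. Requests that no rule matches fall back to the page's stated default of requiring authentication.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One entry of a Policy's spec.rules (field names as on the page)."""
    host: str
    path: str
    public: bool = False        # page: default false, i.e. authentication required
    scope: Optional[str] = None


def matches(rule: Rule, host: str, path: str) -> bool:
    # Assumption: host and path are glob patterns where "*" matches any run of
    # characters (fnmatch's "*" also crosses "/"); a pattern without "*" must
    # match exactly.
    return fnmatchcase(host, rule.host) and fnmatchcase(path, rule.path)


def specificity(rule: Rule) -> Tuple[int, int]:
    # Assumption: the rule with the most literal (non-wildcard) path characters
    # wins, so "/qotm/*" beats "/*"; host specificity breaks ties.
    return (len(rule.path.replace("*", "")), len(rule.host.replace("*", "")))


def decide(rules: List[Rule], host: str, path: str) -> Tuple[bool, Optional[str], Optional[Rule]]:
    """Return (requires_auth, scope, winning_rule) for one request.

    A request matched by no rule falls back to the page's default: it requires
    authentication. The order of rules in the list does not matter.
    """
    candidates = [r for r in rules if matches(r, host, path)]
    if not candidates:
        return True, None, None
    winner = max(candidates, key=specificity)
    return (not winner.public), winner.scope, winner


def lint(rules: List[Rule]) -> List[str]:
    """Flag rules that turn authentication off for every route of a host (or of all hosts)."""
    findings = []
    for r in rules:
        if r.public and r.path == "/*":
            where = "every route" if r.host == "*" else f"every route on {r.host}"
            findings.append(f"host={r.host!r} path={r.path!r}: public: true disables authentication for {where}")
    return findings


# Policies constructed from the examples on this page.
HTTPBIN_POLICY = [
    Rule("*", "/httpbin/ip", public=True, scope="openid"),
    Rule("*", "/httpbin/user-agent/*", public=False, scope="openid"),
    Rule("*", "/httpbin/headers/*", scope="openid"),   # public omitted -> default false
]
MAPPINGS_POLICY = [
    Rule("*", "/httpbin/*", public=True),
    Rule("*", "/qotm/*", public=False),
    Rule("*", "/*", public=False),
]
MULTI_DOMAIN_POLICY = [
    Rule("foo.bar.com", "/qotm/", public=True),
    Rule("example.com", "/qotm/", public=False),
]
DEFAULT_POLICY = [Rule("*", "/*", public=True)]
# Pass-through default plus one protected path: the more specific path wins
# regardless of the order the rules are listed in.
MIXED_POLICY = [Rule("*", "/*", public=True), Rule("*", "/qotm/*", public=False)]

if __name__ == "__main__":
    for name, rules, host, path in [
        ("httpbin", HTTPBIN_POLICY, "api.example.com", "/httpbin/headers/x"),
        ("mappings", MAPPINGS_POLICY, "api.example.com", "/httpbin/ip"),
        ("mappings", MAPPINGS_POLICY, "api.example.com", "/qotm/quote"),
        ("multi-domain", MULTI_DOMAIN_POLICY, "foo.bar.com", "/qotm/"),
        ("multi-domain", MULTI_DOMAIN_POLICY, "example.com", "/qotm/"),
        ("mixed", MIXED_POLICY, "api.example.com", "/qotm/quote"),
    ]:
        requires_auth, scope, rule = decide(rules, host, path)
        print(f"{name:12} {host} {path}: requires_auth={requires_auth} scope={scope}")
    for finding in lint(DEFAULT_POLICY):
        print("lint:", finding)
```

Running the lint over a Policy before applying it is the cheap check: a `public: true` rule on `/*` is legitimate only when, as in the pass-through section above, it is paired with more specific rules that re-enable authentication where it is needed.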