Exploring Different Pod Authentication methods..

OAuth, JWT, API Gateways and Service Meshes

1. Why Authentication Inside a Pod?

Before we dive in, let’s quickly review why you’d bother doing authentication inside a pod at all, instead of relying only on the API gateway at the edge.

  • 🔐 Zero Trust Security (Wikipedia) - Every service authenticates every request, even one arriving from inside the cluster; a gateway check is of no use against a caller that is already on the pod network.
  • 🎭 Identity Propagation - The caller’s identity (an OAuth/OIDC token, or a workload certificate under mTLS) travels with the request, so each service can make identity-aware access decisions rather than trusting “it came from inside”.
  • 🚪 Fine-grained access control - Different pods get different access levels based on who is calling, instead of relying on network policies alone, which only say which pod may talk to which.

Now, let’s implement it!


2. Using OAuth2 Proxy Inside a Pod

One of the easiest ways to add authentication inside a pod is by using OAuth2 Proxy (GitHub).

What is OAuth2 Proxy?

  • It acts as a reverse proxy in front of your app: unauthenticated requests are redirected to the login flow, never to the app.
  • It requires users to authenticate via an OAuth/OIDC provider (e.g., Google, GitHub, Okta).
  • It forwards authenticated requests to your backend, attaching the signed-in identity in headers such as X-Forwarded-Email and X-Forwarded-User, so the backend itself never handles the OAuth flow.

Step 1: Deploy OAuth2 Proxy

We’ll assume you’re using Google OAuth. First, create an OAuth client in Google:

  1. Go to Google Cloud Console.
  2. Create OAuth 2.0 credentials.
  3. Set the redirect URI to https://your-app/oauth2/callback.

Now, deploy OAuth2 Proxy as a sidecar in the application’s pod, so the app only ever receives traffic that has already passed through the proxy.

oauth2-proxy Deployment (Kubernetes)

# Add your application container to this same pod, listening on 127.0.0.1:8080,
# so that the proxy reaches it over the pod's loopback interface and nothing else can.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
        args:
        - "--provider=google"
        # "*" lets any Google account sign in; restrict this to your own domain(s).
        - "--email-domain=*"
        # Upstream over loopback: the app container must run in this pod (sidecar).
        - "--upstream=http://127.0.0.1:8080"
        # The default listen address is 127.0.0.1:4180, unreachable from a Service;
        # listen on all interfaces so the pod's Service can send traffic to the proxy.
        - "--http-address=0.0.0.0:4180"
        # Must match the redirect URI registered with Google in Step 1.
        - "--redirect-url=https://your-app/oauth2/callback"
        # The cookie secret must be 16, 24 or 32 random bytes, base64-encoded.
        - "--cookie-secret=$(COOKIE_SECRET)"
        - "--client-id=$(OAUTH_CLIENT_ID)"
        - "--client-secret=$(OAUTH_CLIENT_SECRET)"
        ports:
        - containerPort: 4180
        # Kubernetes expands $(VAR) in args from the env entries below, so the
        # secrets never appear in the manifest itself.
        env:
        - name: OAUTH_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth-secret
              key: client-id
        - name: OAUTH_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth-secret
              key: client-secret
        - name: COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth-secret
              key: cookie-secret
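What does the application behind the proxy have to do with the identity it receives? Here is an added example of the upstream, written in Go for this page; it is my own illustration, not code from the oauth2-proxy project or from the original post. oauth2-proxy forwards the signed-in user in the X-Forwarded-Email and X-Forwarded-User headers, and the upstream must believe those headers only on requests that really came through the proxy: otherwise any pod that can reach port 8080 could claim to be anyone just by setting a header. The app below binds to 127.0.0.1:8080 (the address in the --upstream flag above), so only the sidecar in the same pod can reach it, and as defence in depth it also refuses non-loopback callers and requests without an identity header. The handler name, the greeting and the port are assumptions; the header names are the ones oauth2-proxy sets by default.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Headers that oauth2-proxy adds to requests it forwards to the upstream (its default
// behaviour in v7). The upstream may only trust them on requests that came through the proxy.
const (
	forwardedEmailHeader = "X-Forwarded-Email"
	forwardedUserHeader  = "X-Forwarded-User"
)

// fromLoopback reports whether the request came over the pod's loopback interface, i.e. from a
// container in the same pod (the oauth2-proxy sidecar) rather than from the cluster network.
func fromLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// IdentityFromProxy returns the authenticated e-mail the sidecar attached, or an error when the
// request bypassed the proxy or carries no identity, so a caller on the pod network cannot forge it.
func IdentityFromProxy(r *http.Request) (string, error) {
	if !fromLoopback(r.RemoteAddr) {
		return "", fmt.Errorf("request from %s did not come through the local proxy", r.RemoteAddr)
	}
	email := r.Header.Get(forwardedEmailHeader)
	if email == "" {
		return "", fmt.Errorf("missing %s: request was not authenticated by the proxy", forwardedEmailHeader)
	}
	return email, nil
}

// Handler is the (assumed) application endpoint behind the proxy: 401 unless the proxy
// authenticated the caller, otherwise a greeting that echoes the propagated identity.
func Handler(w http.ResponseWriter, r *http.Request) {
	email, err := IdentityFromProxy(r)
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s (user %s)\n", email, r.Header.Get(forwardedUserHeader))
}

func main() {
	// Bind to loopback only. Containers in a pod share one network namespace, so the sidecar
	// reaches 127.0.0.1:8080 while nothing outside the pod can: the app port is not on the pod IP.
	http.HandleFunc("/", Handler)
	fmt.Println("listening on 127.0.0.1:8080")
	if err := http.ListenAndServe("127.0.0.1:8080", nil); err != nil {
		panic(err)
	}
}
```

The loopback check is deliberately redundant with the bind address: if someone later changes the listen address to 0.0.0.0 for debugging, the handler still refuses to trust identity headers from off-pod callers instead of silently accepting forged ones.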

3. Using JWT-Based Authentication

If you need stateless authentication, where a service can verify a caller without consulting a shared session store, JWTs (JSON Web Tokens) (Wikipedia) are the usual choice: the token carries the identity claims and a signature, and the receiving pod checks that signature against the issuer’s published public keys, then checks the issuer, audience and expiry claims. Skipping any of those checks makes the token worthless as a credential.

Step 1: Issue JWTs with Keycloak

Keycloak (Official Site) is a great open-source identity provider. It issues signed JWTs (OpenID Connect ID and access tokens) to authenticated users and clients, and publishes the signing keys as a JWKS document that verifiers fetch. You can deploy it in Kubernetes:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        # Pin a specific release in production; ":latest" makes upgrades unpredictable.
        image: quay.io/keycloak/keycloak:latest
        # start-dev is development mode (plain HTTP, embedded database). Production uses
        # "start" with TLS, a configured hostname and an external database.
        args: ["start-dev"]
        ports:
        - containerPort: 8080
        env:
        - name: KEYCLOAK_ADMIN
          value: "admin"
        # Never ship the admin password as a literal in the manifest; read it from a
        # Secret (the Secret name "keycloak-admin" is a placeholder).
        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-admin
              key: password

4. Enforcing Authentication with Istio

If you’re using Istio (Wikipedia), you can enforce JWT authentication at the sidecar proxy (Envoy) level: the token is validated before the request ever reaches your application container, so the application code does not need its own verifier.

Step 1: Create a JWT Policy in Istio

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-app
  jwtRules:
  # Both values must match the realm exactly: Keycloak's "iss" claim is
  # https://<host>/realms/<realm>, and its JWKS lives under that same path.
  # Replace "myrealm" with your realm name.
  - issuer: "https://keycloak.example.com/realms/myrealm"
    jwksUri: "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/certs"
    # Reject tokens minted for some other client ("my-app" is a placeholder audience).
    audiences:
    - "my-app"

Apply this and the sidecars of my-app will reject any request that carries a token failing these checks (bad signature, unknown key, wrong issuer or audience, expired). Note what it does not do: a RequestAuthentication on its own still lets through a request with no token at all; it simply arrives without an authenticated principal. To require a valid JWT, add an AuthorizationPolicy with the same selector whose only ALLOW rule has from.source.requestPrincipals: ["*"]. With both in place, requests with a missing or invalid token are blocked at the sidecar before they reach the application container. 🚫
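The verification that Istio’s sidecar performs for a jwtRule, and that a pod has to perform itself when there is no mesh (for instance on tokens issued by the Keycloak deployment in section 3), written out in Go as an added example. This is my illustration, not Istio, Envoy or Keycloak code. It mints an RS256 token with a locally generated key standing in for Keycloak, publishes the public key as a JWKS document the way Keycloak’s certs endpoint does, and then verifies: key lookup by kid, RS256 signature over header.payload, and exact issuer, audience and expiry checks, refusing anything else. The issuer URL, the audience my-app and the key id k1 are assumed values. A production verifier additionally caches the JWKS fetched from jwksUri, honours nbf, and accepts an array-valued aud; those are left out to keep the check readable.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url
// jwk is the subset of an RFC 7517 JSON Web Key that RS256 verification needs.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// Claims is the subset of the payload the check relies on ("aud" kept a string; Keycloak may emit an array).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// MintToken signs an RS256 JWT the way an IdP would (a constructed stand-in for Keycloak, not its code).
func MintToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// JWKSFor publishes the public half of key as a JWKS document, as the IdP's certs endpoint does.
func JWKSFor(key *rsa.PrivateKey, kid string) []byte {
	doc, _ := json.Marshal(map[string][]jwk{"keys": {{Kid: kid, Kty: "RSA",
		N: b64.EncodeToString(key.PublicKey.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes())}}})
	return doc
}

// VerifyToken does what an Istio jwtRule does: select the JWKS key by kid, verify the RS256
// signature over header.payload, then check issuer, audience and expiry. Anything else fails closed.
func VerifyToken(token string, jwksDoc []byte, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// The token never gets to choose its algorithm: "none" and HS256 (public key as HMAC secret) are refused.
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed header or unsupported alg")
	}
	var set map[string][]jwk
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set["keys"] {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key with a matching kid in JWKS")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != audience:
		return nil, errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

The order of checks matters: the algorithm is pinned before anything is trusted from the header, the key is chosen from the verifier’s own JWKS rather than from anything the token supplies beyond the kid, and claims are only read after the signature has been verified, so an attacker-controlled payload is never parsed as if it were authenticated.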


5. Using Cloud IAM for Workload Identity

Instead of mounting API keys or service-account key files into pods, map the pod’s Kubernetes identity to a cloud IAM identity and let the platform hand out short-lived credentials.

Example: If you’re running in GCP, you can enable Workload Identity so that pods running as a given Kubernetes ServiceAccount automatically act as a Google service account, with its IAM permissions.

Step 1: Enable Workload Identity on a GKE Cluster

gcloud container clusters update my-cluster --workload-pool=my-project.svc.id.goog

Existing node pools also need to be updated with --workload-metadata=GKE_METADATA before pods on them can use Workload Identity; node pools created afterwards get it by default.

Step 2: Map a Kubernetes ServiceAccount to a Google service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa
  annotations:
    iam.gke.io/gcp-service-account: "my-gcp-sa@my-project.iam.gserviceaccount.com"

The annotation alone is not enough, and that is by design: the Google service account must also grant the role roles/iam.workloadIdentityUser to the member serviceAccount:my-project.svc.id.goog[NAMESPACE/my-app-sa] (NAMESPACE being the namespace of my-app-sa), otherwise any cluster user who can create ServiceAccounts could annotate their way into the Google identity. Finally, run the pod with serviceAccountName: my-app-sa. The pod then obtains short-lived tokens for my-gcp-sa from the GKE metadata server, so no key file or API key is ever stored in the cluster. 🎉


Key Takeaways

✅ OAuth2 Proxy enforces SSO authentication in front of an app, and the app must trust its identity headers only when the request came through the proxy.
✅ JWT authentication enables stateless security, provided the receiver verifies the signature, issuer, audience and expiry.
✅ Istio enforces zero-trust security with JWT policies: a RequestAuthentication to validate tokens plus an AuthorizationPolicy to require them.
✅ Cloud IAM (Workload Identity) replaces hardcoded credentials with short-lived tokens tied to the pod’s ServiceAccount.