Kubernetes Deployment
This guide shows the minimum viable Kubernetes manifests to deploy the Envoy Authorization Service with MaxMind GeoIP and ASN analysis capabilities.
Manifests
Create a single envoy-authorization-service.yaml file containing the three manifests below, separated by `---` lines so that `kubectl apply` reads them as one multi-document file:
ConfigMap
Create a ConfigMap for service configuration:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: envoy-authorization-config
data:
  config.yaml: |
    server:
      address: ":9001"
    analysisControllers:
      - name: geoip
        type: maxmind-geoip
        settings:
          databasePath: /maxmind/GeoLite2-City.mmdb
      - name: asn
        type: maxmind-asn
        settings:
          databasePath: /maxmind/GeoLite2-ASN.mmdb
```
Deployment
Create a Deployment with an init container that downloads the MaxMind databases into a volume shared with the main container. The download step uses `set -e` and `curl -f` so that a failed download aborts the init container instead of leaving an HTTP error page on disk under the `.mmdb` name:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: envoy-authorization-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: envoy-authorization-service
  template:
    metadata:
      labels:
        app: envoy-authorization-service
    spec:
      initContainers:
        - name: maxmind-db-downloader
          image: curlimages/curl:latest  # pin to a fixed tag or digest in production
          command:
            - sh
            - -c
            - |
              # -e: abort on the first failed command so the pod does not start with missing files
              # -f: treat HTTP 4xx/5xx as an error instead of saving the error body as the database
              set -e
              curl -fsSL -o /maxmind/GeoLite2-ASN.mmdb https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-ASN.mmdb
              curl -fsSL -o /maxmind/GeoLite2-City.mmdb https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-City.mmdb
          volumeMounts:
            - name: maxmind-dbs
              mountPath: /maxmind
      containers:
        - name: envoy-authorization-service
          image: gtriggiano/envoy-authorization-service:1.4.0
          args:
            - start
            - --config=/config/config.yaml
          ports:
            - name: grpc
              containerPort: 9001
            - name: metrics
              containerPort: 9090
          volumeMounts:
            - name: config
              mountPath: /config
            - name: maxmind-dbs
              mountPath: /maxmind
          livenessProbe:
            httpGet:
              path: /healthz
              port: 9090
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /readyz
              port: 9090
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 2
          resources:
            requests:
              cpu: 50m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 1Gi
      volumes:
        - name: config
          configMap:
            name: envoy-authorization-config
        - name: maxmind-dbs
          emptyDir: {}
```
Service
Expose the service within the cluster:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: envoy-authorization-service
spec:
  selector:
    app: envoy-authorization-service
  ports:
    - name: grpc
      port: 9001
      targetPort: 9001
    - name: metrics
      port: 9090
      targetPort: 9090
```
Apply
```bash
kubectl apply -f envoy-authorization-service.yaml
```
Verify the deployment:
```bash
kubectl get pods -l app=envoy-authorization-service
kubectl logs -l app=envoy-authorization-service
```
How It Works
- Init Container: downloads the MaxMind GeoLite2 databases (ASN and City) before the main container starts. The URLs point at a third-party GitHub mirror rather than at MaxMind, and the manifest does not verify a checksum of what it downloaded; pin checksums or host the files yourself before relying on the analysis results.
- Shared Volume: an `emptyDir` volume shares the downloaded databases between the init and main containers. The volume lives only as long as the pod, so every pod start repeats the download.
- Analysis Controllers: the service analyzes requests and adds GeoIP and ASN metadata to request headers.
- No Authorization: this configuration performs analysis only and enforces no authorization policy; requests are annotated, not denied.
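The init container in the Deployment above and the "Init Container" bullet both rely on `curl` to produce a usable database file. On its own, `curl -L -o` writes whatever the server returned, including an HTML error page, under the `.mmdb` name and exits 0, and nothing in the manifest inspects the file afterwards. The script below is an added example (not part of the project's manifests or of the mirror it downloads from) of the check a practitioner would put in the init container: it rejects empty files and files that lack the MaxMind DB metadata marker, and optionally pins a SHA-256 for each database. The function names `check_mmdb` and `fetch_mmdb`, the `/maxmind` paths and the `ASN_SHA256`/`CITY_SHA256` variables are assumptions for this example; the marker test relies on the MaxMind DB file format, whose metadata section starts with the bytes `\xAB\xCD\xEFMaxMind.com` and lies within the last 128 KiB of the file.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes a busybox or coreutils
# userland (sh, curl, sha256sum, tail, grep, cut, mv) such as the
# curlimages/curl image provides. Paths, function names and checksum
# variables are hypothetical and chosen for this example.
set -eu

# The MaxMind DB metadata section begins with \xAB\xCD\xEF followed by
# "MaxMind.com" and is at most 128 KiB long, so the ASCII part of the
# marker must appear in the last 128 KiB of a genuine .mmdb file.
MMDB_MARKER='MaxMind.com'
MMDB_TAIL_BYTES=131072

# check_mmdb FILE [SHA256]
# Returns 0 only if FILE is non-empty, carries the metadata marker and,
# when a pin is given, has the expected SHA-256. A saved HTML error page,
# an empty file or a truncated download all fail here.
check_mmdb() {
  f=$1
  pin=${2:-}
  [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
  if ! tail -c "$MMDB_TAIL_BYTES" "$f" | LC_ALL=C grep -q "$MMDB_MARKER"; then
    echo "$f: no MaxMind metadata marker, not a .mmdb file" >&2
    return 1
  fi
  if [ -n "$pin" ]; then
    actual=$(sha256sum "$f" | cut -d' ' -f1)
    if [ "$actual" != "$pin" ]; then
      echo "$f: SHA-256 mismatch (got $actual, want $pin)" >&2
      return 1
    fi
  fi
  return 0
}

# fetch_mmdb URL DEST [SHA256]
# -f makes curl fail on HTTP 4xx/5xx instead of saving the error body;
# downloading to a temporary name and renaming only after the check keeps
# a half-written or rejected file out of the path the service will open.
fetch_mmdb() {
  url=$1
  dest=$2
  pin=${3:-}
  tmp="$dest.part"
  curl -fsSL --retry 3 -o "$tmp" "$url"
  check_mmdb "$tmp" "$pin"
  mv "$tmp" "$dest"
}

# Usage inside the init container: `sh download.sh run`. The URLs are the
# ones from the manifest; ASN_SHA256 and CITY_SHA256 are hypothetical
# environment variables holding checksums you have verified yourself.
if [ "${1:-}" = "run" ]; then
  fetch_mmdb https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-ASN.mmdb \
    /maxmind/GeoLite2-ASN.mmdb "${ASN_SHA256:-}"
  fetch_mmdb https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-City.mmdb \
    /maxmind/GeoLite2-City.mmdb "${CITY_SHA256:-}"
fi
```

Because the check runs in the init container, a bad download fails the pod before the readiness probe ever reports it as ready, which is the behaviour you want when the analysis headers feed policy decisions downstream.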