Fork me on GitHub Link Search Menu Expand Document Survey contribution
Help the team improve Authelia by taking this 10-second survey.

Deployment on Kubernetes


The following areas are actively being worked on for Kubernetes:

  1. Detailed Documentaiton
  2. Helm Chart (v3)
  3. Kustomize Deployment
  4. Manifest Examples

Users are welcome to reach out directly by using any of our various contact options.

Important Notes

The following section has special notes regarding utilizing Authelia with Kubernetes.

  1. Authelia (and all of your other applications) may receive an invalid remote IP if the service handling traffic to the Kubernetes Ingress of your choice doesn’t have the externalTrafficPolicy setting configured to local as per the Kubernetes preserving the client source ip documentation.
  2. Authelia’s configuration management system conflicts with the enableServiceLinks option when it’s set to true which is the default. This shoudld be changed to false.

NGINX Ingress Controller

If you use NGINX Ingress Controller you can protect an ingress with the following annotations. The assumptions are that your public domain where authelia is running would be and there would be a service called authelia with port 80 in the default namespace.

annotations: Remote-User,Remote-Name,Remote-Groups,Remote-Email |
    proxy_set_header X-Forwarded-Method $request_method; http://authelia.default.svc.cluster.local/api/verify |
    proxy_set_header X-Forwarded-Method $request_method;


RAM usage

If using file-based authentication, the argon2id provider will by default use 1GB of RAM for password generation. This means you should allow for at least this amount in your deployment/daemonset spec and have this much available on your node, alternatively you can tweak the providers settings. Otherwise, your Authelia may OOM during login. See here for more info.