Blank white background with no objects or features visible.

TrueFoundry announces the acquisition of Seldon AI, expanding its Control Plane for Enterprise AI. Full press release β†’

Authenticated gRPC service on Kubernetes

By Abhishek Choudhary

Published: August 6, 2024

In our blog series on Kubernetes, we talked about buildings scalable MLOps on Kubernetes, architecture for MLOps, and solving application development. In this blog, we will talk about hosting a GRPC service on AWS EKS cluster. The process is roughly going to be the same for every Kubernetes clusterβ€Šβ€”β€Šhowever, we had to do some specific settings on the AWS Load balancer for this to work.

What is gRPC & our usecase

gRPC is an open-source RPC framework that can run in any environment. It is capable of efficiently connecting services within and between data centers, with the ability to plug in support for load balancing, tracing, health checking, and authentication.

Our usecase: Β Hosting Tensorflow models as APIs that accepted a payload of around 100MB in size. GRPC performs much better for larger payloadsβ€Šβ€”β€Šso we exposed the GRPC port on port 5000.

Hosting the service

We hosted the service on Kubernetes using the Deployment YAML below:

apiVersion: apps/v1
kind: Deployment
metadata:
Β name: ml-api
Β namespace: ml-services
spec:
Β replicas: 1
Β selector:
Β  Β matchLabels:
Β  Β  Β truefoundry.com/component: ml-api
Β template:
Β  Β metadata:
Β  Β  Β labels:
Β  Β  Β  Β truefoundry.com/application: ml-api
Β  Β spec:
Β  Β  Β containers:
Β  Β  Β  Β - name: ml-api
Β  Β  Β  Β  Β image: >-
Β  Β  Β  Β  Β  Β XXXX.dkr.ecr.us-east-1.amazonaws.com/ml-services-ml-api:latest
Β  Β  Β  Β  Β ports:
Β  Β  Β  Β  Β  Β - name: port-8500
Β  Β  Β  Β  Β  Β  Β containerPort: 8500
Β  Β  Β  Β  Β  Β  Β protocol: TCP
Β  Β  Β  Β  Β resources:
Β  Β  Β  Β  Β  Β limits:
Β  Β  Β  Β  Β  Β  Β cpu: '4'
Β  Β  Β  Β  Β  Β  Β ephemeral-storage: 2G
Β  Β  Β  Β  Β  Β  Β memory: 4G
Β  Β  Β  Β  Β  Β requests:
Β  Β  Β  Β  Β  Β  Β cpu: '1'
Β  Β  Β  Β  Β  Β  Β ephemeral-storage: 1G
Β  Β  Β  Β  Β  Β  Β memory: 500M
Β  Β  Β  Β  Β imagePullPolicy: IfNotPresent
Β  Β  Β restartPolicy: Always
Β  Β  Β terminationGracePeriodSeconds: 30
Β  Β  Β dnsPolicy: ClusterFirst
Β  Β  Β securityContext: {}
Β  Β  Β imagePullSecrets:
Β  Β  Β  Β - name: ml-api-image-pull-secret
Β  Β  Β schedulerName: default-scheduler
Β strategy:
Β  Β type: RollingUpdate
Β  Β rollingUpdate:
Β  Β  Β maxUnavailable: 25%
Β  Β  Β maxSurge: 0

This will bring up the pod. We need to create the Service object using the YAML below:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
Β labels:
Β  Β argocd.argoproj.io/instance: tfy-istio-ingress
Β name: tfy-wildcard
Β namespace: istio-system
spec:
Β selector:
Β  Β istio: tfy-istio-ingress
Β servers:
Β  Β - hosts:
Β  Β  Β  Β - 'ml.example.com'
Β  Β  Β port:
Β  Β  Β  Β name: http-tfy-wildcard
Β  Β  Β  Β number: 80
Β  Β  Β  Β protocol: HTTP
Β  Β  Β tls:
Β  Β  Β  Β httpsRedirect: true
Β  Β - hosts:
Β  Β  Β  Β - 'ml.example.com'
Β  Β  Β port:
Β  Β  Β  Β name: https-tfy-wildcard
Β  Β  Β  Β number: 443
Β  Β  Β  Β protocol: HTTP

Exposing the service

We are using Istio as the ingress layer in Kubernetes. Istio provisions a Load Balancer when the istio-ingress is installed. The load balancer configuration can be customized using annotations on the istio gateway. The spec for creating the Istio Gateway is as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
Β labels:
Β  Β argocd.argoproj.io/instance: tfy-istio-ingress
Β name: tfy-wildcard
Β namespace: istio-system
spec:
Β selector:
Β  Β istio: tfy-istio-ingress
Β servers:
Β  Β - hosts:
Β  Β  Β  Β - 'ml.example.com'
Β  Β  Β port:
Β  Β  Β  Β name: http-tfy-wildcard
Β  Β  Β  Β number: 80
Β  Β  Β  Β protocol: HTTP
Β  Β  Β tls:
Β  Β  Β  Β httpsRedirect: true
Β  Β - hosts:
Β  Β  Β  Β - 'ml.example.com'
Β  Β  Β port:
Β  Β  Β  Β name: https-tfy-wildcard
Β  Β  Β  Β number: 443
Β  Β  Β  Β protocol: HTTP

We are doing the SSL termination on the AWS Load Balancer. For this we have to attach the certificate to the Load Balancer. This can be achieved using the annotations below to the istio gateway chart (https://istio-release.storage.googleapis.com/charts).

"service.beta.kubernetes.io/aws-load-balancer-type": "nlb"
"service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp"
"service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "<certificate-arn>"
"service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https"
"service.beta.kubernetes.io/aws-load-balancer-alpn-policy": "HTTP2Preferred"

The alpn-policy is important to specify to allow GRPC traffic. Our service ml-api can be exposed by creating a VirtualService pointing to the Kubernetes service. The YAML for the Virtual Service is as follows:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
Β labels:
Β  Β argocd.argoproj.io/instance: ml-services_ml-api
Β name: ml-apiport-8500-vs
Β namespace: ml-services
spec:
Β gateways:
Β  Β - istio-system/tfy-wildcard
Β hosts:
Β  Β - ml.example.com
Β http:
Β  Β - route:
Β  Β  Β  Β - destination:
Β  Β  Β  Β  Β  Β host: ml-api
Β  Β  Β  Β  Β  Β port:
Β  Β  Β  Β  Β  Β  Β number: 8500

Once the virtual service is exposed, we can make requests to our service at ml.example.com. We then wanted to add an authentication to the API so that everybody cannot call the API. We could have added the authentication in the code, but we decided to add it at the istio layer so that it can be a unified layer across all services.

To add authentication at the istio-ingress layer, we decided to go ahead with a IstioWasm Plugin. The yaml for the plugin looks something like:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
Β name: ml-services-ml-api-0
Β namespace: istio-system
spec:
Β phase: AUTHN
Β pluginConfig:
Β  Β basic_auth_rules:
Β  Β  Β - credentials:
Β  Β  Β  Β  Β - username:password
Β  Β  Β  Β hosts:
Β  Β  Β  Β  Β - ml.example.com
Β  Β  Β  Β prefix: /
Β  Β  Β  Β request_methods:
Β  Β  Β  Β  Β - GET
Β  Β  Β  Β  Β - PUT
Β  Β  Β  Β  Β - POST
Β  Β  Β  Β  Β - PATCH
Β  Β  Β  Β  Β - DELETE
Β selector:
Β  Β matchLabels:
Β  Β  Β istio: tfy-istio-ingress
Β url: oci://ghcr.io/istio-ecosystem/wasm-extensions/basic_auth:1.12.0

Once you have applied the above spec to the cluster, the app will ask for the username and password once you open it in the browser.

We have made it super easy on TrueFoundry

To make the above process much easier, we decide to make it really easy on the Truefoundry platform.

GRPC service on Kubernetes

The fastest way to build, govern and scale your AI

Sign Up
Table of Contents

One Gateway for Every LLM, Agent and MCP Server

Book a 30-min with our AI expert

Book a Demo

The fastest way to build, govern and scale your AI

Book Demo
Summarize with
ChatGPT logo by OpenAI
Perplexity AI logo
Blurry red snowflake on white background, symmetrical frosty design with soft edges and abstract shape.

Discover More

November 5, 2025
|
5 min read

Data Residency in the Age of Agentic AI: How AI Gateways Enable Sovereign Scale and Compliance

August 27, 2025
|
5 min read

Mapping the On-Prem AI Market: From Chips to Control Planes

August 27, 2025
|
5 min read

AI Gateways: From Outage Panic to Enterprise Backbone

Secure AI Gateway with MCP: Enterprise-Ready Protection
July 4, 2025
|
5 min read

Secure AI Gateway with Centralized MCP for Enterprises

July 6, 2026
|
5 min read

LLM model comparison: MiniMax M3 matched Claude Opus 4.8 on every task. It cost 16x less.

LLMs & GenAI
July 6, 2026
|
5 min read

Microsoft Agent 365 and TrueFoundry: comparing two approaches to the agent control plane.

No items found.
July 6, 2026
|
5 min read

5 Lessons on Running Agentic AI in Production - From the Fireside chat

No items found.
TrueFoundry AI gateway is an enterprise alternative to Helicone and LiteLLM
July 6, 2026
|
5 min read

Helicone vs LiteLLM: A Practical Comparison for Engineering Teams in 2026

No items found.
No items found.

Recent Blogs

Black left pointing arrow symbol on white background, directional indicator.
Black left pointing arrow symbol on white background, directional indicator.
Take a quick product tour
Start Product Tour
Product Tour