Learnings from CNCF’s Envoy and OPA Creators Matt Klein and Tim Hinrichs
Applications architected as microservices are becoming more prevalent every day, but just like their monolithic ancestors, microservice applications must adhere to organization-wide constraints around compliance, security, performance, etc. Authorization — controlling which people and machines can perform which actions — is a foundational security problem that requires new solutions in a microservice world because of changes in requirements around performance, availability and even where authorization gets enforced architecturally.
This talk discusses these new requirements, the architectural choices for satisfying them and the modern technologies for rolling them out. We describe taking a policy-as-code approach, where authorization policies are decoupled from the underlying microservices yet employ a shared-fate evaluation model, so that policies are consistent and consistently enforced, meet high-availability and performance demands, and enable relatively rapid security reviews and hot-patching. Specifically, we describe how to employ the Open Policy Agent for a unified approach to policy-as-code, where policies are enforced through the Kuma service mesh.
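The following Rego policy is an added illustration of the policy-as-code approach described above; it is not code from the talk, from the OPA project or from Kuma. It assumes the policy is evaluated by an OPA instance running beside the Envoy sidecar and receiving Envoy's external-authorization input (the `input.attributes.request.http` and `input.attributes.source`/`destination.principal` fields), with the mesh's mTLS identities presented as SPIFFE-style principals. The service names and the allow-list are constructed for the example; every call is denied unless the calling service is explicitly permitted to reach the callee with a read-only method, so a policy change can be reviewed and rolled out without touching the services themselves.

```rego
package envoy.authz

import future.keywords.if
import future.keywords.in

# Deny by default: a service that is not listed cannot call anything.
default allow := false

# Constructed allow-list: which services may call which (callee -> set of callers).
allowed_callers := {
    "orders":    {"checkout", "inventory"},
    "inventory": {"orders"},
}

# Only idempotent, read-only requests are granted by this rule; anything
# that mutates state would need its own, narrower rule.
read_only_methods := {"GET", "HEAD"}

allow if {
    input.attributes.request.http.method in read_only_methods
    caller := service_name(input.attributes.source.principal)
    callee := service_name(input.attributes.destination.principal)
    caller in allowed_callers[callee]
}

# Extracts the workload name from a SPIFFE-style principal such as
# "spiffe://mesh.local/ns/default/sa/checkout" (assumed identity format;
# the last path segment is taken as the service name).
service_name(principal) := name if {
    parts := split(principal, "/")
    name := parts[count(parts) - 1]
}
```

With this layout the same policy bundle is distributed to every sidecar, so each data-plane decision is made locally (no network round trip on the request path) while the policy text stays in one reviewable place; a fix can be pushed to all services at once without redeploying them.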