Microservice Authorization with Open Policy Agent and Kuma
Applications architected as microservices are becoming more prevalent every day, but just like their monolithic ancestors, microservice applications must adhere to organization-wide constraints around compliance, zero-trust security, performance, and more. Authorization, controlling which people and machines can perform which actions, is a foundational security problem that requires new solutions in a containerized world because of changes in requirements around performance, availability, and even where authorization gets enforced architecturally.
This talk will discuss these new requirements, architectural choices for how to satisfy them, and modern technologies for rolling them out. We describe taking a policy-as-code approach where authorization policies are decoupled from the underlying microservices yet employ a shared-fate evaluation model so that policies are created and enforced consistently, meet high-availability and performance demands, and enable relatively rapid security reviews and hot-patching. Specifically, we will describe how to achieve zero trust security by design by demoing how to enforce policies through the Kuma service mesh by employing Open Policy Agent.
Co-founder and CTO