Envoy
    • 01 Sep 2024

    PlainID offers an API Access Authorization Pattern for this third-party vendor. For more information, see API Access Authorization Pattern.

    The PlainID Envoy Authorizer is a ready-to-use integration for specific service-mesh technologies, delivered as a sidecar, that controls authorization of service-to-service traffic. The Authorizer integrates with Envoy Proxy's External Authorization (ext_authz) filter, which lets Envoy delegate authentication and authorization decisions to the Authorizer.

    The Authorizer supports the Istio Service Mesh and Open Service Mesh (OSM) solutions, because both control their traffic management through Envoy Proxy.

    Use Example


    Explanation

    1. The end user accesses the app.
    2. The user is redirected to complete the authentication process on the IDP.
    3. The API call is intercepted by the Envoy API GW.
    4. The API proxy calls the PlainID sidecar container with an access decision request.
    5. The PlainID sidecar container requests an access decision from the PlainID PDP, which responds with a dynamically calculated access decision based on the policies configured within the Platform.
    6. The access decision is enforced at the API GW. The request can be denied, permitted as-is, or permitted with PlainID enriching the access token with further authorization instructions.
    7. The client can access API resources and services.
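    The following is an added example, not PlainID's code, of the contract that steps 3 to 6 rely on: Envoy's ext_authz filter forwards the intercepted request to an authorization service over HTTP, a 2xx reply means the request may proceed (headers returned by the service can be appended to the upstream request if the filter lists them in allowed_upstream_headers), and any other status denies it and is returned to the client. The PDP lookup is a constructed stub, and the header names X-PlainID-Decision and X-PlainID-Scopes, the port, and the sample paths are assumptions for illustration, not the Authorizer's real API.

```python
"""Stand-in ext_authz HTTP authorization service (added example, not PlainID code).

Models the decision flow: Envoy hands us the intercepted request, we ask a
(stubbed) PDP, and answer 200 to permit (optionally enriched) or 403 to deny.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy table standing in for the PlainID PDP; in a real
# deployment the sidecar asks the PDP and the decision is computed from policy.
_STUB_POLICY = {
    ("GET", "/api/public"): {"allow": True, "scopes": None},
    ("GET", "/api/orders"): {"allow": True, "scopes": "orders:read"},
    ("DELETE", "/api/orders"): {"allow": False, "scopes": None},
}


class PdpUnavailable(Exception):
    """Raised by the stub when the decision point cannot be reached."""


def ask_pdp(method, path, subject, available=True):
    """Stub PDP call: returns a decision dict or raises PdpUnavailable."""
    if not available:
        raise PdpUnavailable("PDP unreachable")
    if subject is None:  # no authenticated identity: nothing to authorize
        return {"allow": False, "scopes": None}
    return _STUB_POLICY.get((method, path), {"allow": False, "scopes": None})


def subject_from_headers(headers):
    """Take the bearer token from the Authorization header as the subject.

    Step 2 of the flow already authenticated the user at the IDP, so the
    request carries a token. Validating it is out of scope for this stub;
    the opaque token value is used as the subject identifier.
    """
    value = headers.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def authorize(method, path, headers, pdp_available=True):
    """Decide one request. Returns (status_code, headers_for_upstream).

    200 -> Envoy lets the request through, carrying the returned headers
    403 -> Envoy returns this response to the client; upstream never sees it
    A PDP outage fails closed, matching ext_authz's default
    failure_mode_allow: false, instead of silently permitting traffic.
    """
    subject = subject_from_headers(headers)
    try:
        decision = ask_pdp(method, path, subject, available=pdp_available)
    except PdpUnavailable:
        return 403, {"X-PlainID-Decision": "deny-pdp-unavailable"}
    if not decision["allow"]:
        return 403, {"X-PlainID-Decision": "deny"}
    enriched = {"X-PlainID-Decision": "permit"}
    if decision["scopes"]:  # "permitted with enrichment" (step 6)
        enriched["X-PlainID-Scopes"] = decision["scopes"]
    return 200, enriched


class ExtAuthzHandler(BaseHTTPRequestHandler):
    """HTTP surface Envoy talks to; every verb maps to the same decision."""

    def _handle(self):
        # Envoy mirrors the original method and path onto the check request;
        # the caller's headers arrive as ordinary request headers.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        status, out_headers = authorize(self.command, self.path, lowered)
        self.send_response(status)
        for name, value in out_headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _handle


if __name__ == "__main__":
    # Listen where the ext_authz http_service cluster would point (assumed port).
    HTTPServer(("127.0.0.1", 9002), ExtAuthzHandler).serve_forever()
```

    Two points matter when wiring a service like this behind the filter: only headers named in the filter's allowed_upstream_headers reach the upstream, so enrichment headers must be listed there explicitly, and failure_mode_allow should stay at its default of false so a PDP or sidecar outage denies rather than permits.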

    Prerequisites

    The following applications are required to install and configure the Authorizer for use with the Platform:

    • Kubernetes 1.16+
    • Istio 1.15+ (for Istio Service Mesh Integration) or OSM 1.2+ (for Open Service Mesh Integration)
    • Helm 3.8.0+

    In addition to running the authorizer itself, the Helm Chart is responsible for installing and configuring the Authorizer to integrate with other components. Helm v3.8.0 is required to properly install and configure the authorizer solution with your Kubernetes cluster.
    For more information on using Helm Chart, see Helm.

    The Policy Authorizer Package Content

    File | Description | Should be updated?
    /authz-envoy/templates/crds.yaml | K8s Custom Resource Definitions | No
    /authz-envoy/templates/manager.yaml | Deployment configuration for authz-operator (plainid-controller-manager) | No
    /authz-envoy/templates/namespace.yaml | Deployment configuration for authz-operator (plainid-controller-manager) | Optional
    /authz-envoy/templates/rbac.yaml | K8s Namespace configuration for authz-operator (plainid-controller-manager) | Optional
    /authz-envoy/templates/serviceAccount.yaml | K8s Service Account configuration | Optional
    /authz-envoy/templates/webhook.yaml | PlainID Mutating Webhook configuration | No
    /authz-envoy/Chart.yaml | Contains information about the Helm Chart | Yes
    /authz-envoy/filter.yaml | Envoy configuration example (EnvoyFilter kind) | Yes
    /authz-envoy/values.yaml | The default configuration values for this chart (AuthZ Operator and Sidecar settings) | Yes
    /samples/authz_v1_plainidinjector.yaml | AuthZ Sidecar Pod-Injection configuration | No
    /samples/sidecar-echo.yaml | AuthZ Sidecar configuration example with settings | Yes
    /images.txt | List of PlainID AuthZ Operator and Sidecar images with tags (versions) | No