Policy Based Auth with Open Policy Agent with Envoy Proxy
This blog series “5 Minutes with Gloo” will dig into a single feature, what it is used for and how to use it. In this post, we’ll cover our recently released integration of Gloo with a popular new cloud native policy engine, Open Policy Agent (OPA). This is in addition to the various Auth methods already supported in Gloo.
Open Policy Agent, Microservices and API Gateways
Open Policy Agent (OPA) is a general-purpose policy engine that co-exists with your application service to offload all policy decisions from your services. OPA abstracts policies from your services into a sidecar, host-level daemon or library card making it more flexible to the user by removing language dependencies or hard-coding the policy logic to the service.
Gloo Adds Open Policy Agent Support for Auth
Gloo is a next generation API Gateway and Kubernetes native Ingress Controller with a powerful routing engine that can handle a range of use cases from simple API-to-API routing to complex HTTP to gRPC with transformations for your application services.
Let’s start by defining a few core concepts in Gloo:
- Virtual Services define a set of routing rules by specifying the APIs you want to expose on the gateway and which upstreams to route to.
- Upstreams tell Gloo what to route to and define the destinations for routes
- Gateways tell Gloo on what protocols and ports to listen for traffic
As part of the architecture, Gloo stores its configuration as Custom Resource Definitions (CRDs) in Kubernetes. These configurations can be who is allowed to access which Upstream services.
The Gloo integration with OPA provides more options for end users on which Auth approach they would like to use for their cluster and services. Every organization is different and you may have existing Auth systems in place or looking to implement a new Auth methodology with your new microservices applications. OPA is gaining popularity in cloud native designs and we wanted to provide that option for Gloo users.
Authentication is a feature available in Gloo Enterprise and with the addition of the Auth plugin, we can meet a wide range of Auth use cases in the Gloo API Gateway to secure the access to your microservices. If you need help or run into issues, hop into our community slack and join the #Gloo channel.