Envoy is a L7 proxy and communication bus designed for large modern service oriented architectures. Envoy (v1.7.0+) supports an External Authorization filter which calls an authorization service to check if the incoming request is authorized or not.
This feature makes it possible to delegate authorization decisions to an external service and also makes the request context available to the service. The request context contains information such as the source of a network activity, destination of a network activity, the network request (eg. http request). All this information can be used by the external service to make an informed decision about the fate of the incoming request received by Envoy.
What is OPA-Envoy Plugin?
OPA-Envoy plugin extends OPA with a gRPC server that implements the Envoy External Authorization API. You can use this version of OPA to enforce fine-grained, context-aware access control policies with Envoy without modifying your microservice.
How does it work?
In addition to the Envoy sidecar, your application pods will include an OPA-Envoy sidecar. When Envoy receives API requests destined for your microservice, it checks with OPA to decide if the request should be allowed.
Evaluating policies locally with Envoy is preferable because it avoids introducing a network hop (which has implications on performance and availability) in order to perform the authorization check.
💡 The OPA-Envoy plugin is frequently deployed in Kubernetes environments as a sidecar container however it can also be used in other environments as a standalone process running next to Envoy.
The OPA-Envoy plugin supports the following configuration fields:
|No||Set listening address of Envoy External Authorization gRPC server. This must match the value configured in the Envoy config. Default: |
|No||Specifies the hierarchical policy decision path. The policy decision can either be a |
|No||Configures the Envoy External Authorization gRPC server to unconditionally return an |
|No||Enables gRPC server reflection on the Envoy External Authorization gRPC server. Default: |
|No||Set the path to a pb that enables the capability to decode the raw body to the parsed body. Default: turns this capability off.|
|No||Set the max message size in bytes the gRPC server can receive. Defaults to 4MB.|
|No||Set the max message size in bytes the gRPC server can send. Defaults to 2048MB.|
|No||Specifies if the plugin should skip parsing the input request body. Default: |
If the configuration does not specify the
envoy/authz/allow will be considered as the default policy
data.envoy.authz.allow will be the name of the policy decision to query in the default case.
dry-run parameter is provided to enable you to test out new policies. You can set
dry-run: true which will
unconditionally allow requests. Decision logs can be monitored to see what “would” have happened. This is especially
useful for initial integration of OPA or when policies undergo large refactoring.
enable-reflection parameter registers the Envoy External Authorization gRPC server with reflection. After enabling
server reflection, a command line tool such as grpcurl can be used to invoke
RPC methods on the gRPC server. See Interacting with the gRPC server
section for more details.
Providing a file containing a protobuf descriptor set allows the plugin to decode gRPC message payloads.
So far, only unary methods using uncompressed protobuf-encoded payloads are supported.
The protoset can be generated using
protoc --descriptor_set_out=protoset.pb --include_imports.
See the following pages on envoyproxy.io for more information on external authorization: