Fine-grained authorisation solution for Istio

10/24/2018

Background

So, on the journey from a monolith(s) mess to microservices, we've decided to go down the k8s route (already a WIN), on Google Cloud (likewise), and we're looking for an authentication and authorization solution.

So we're considering using Istio, whose RBAC element again looks like a WIN and will allow us to keep authorization outside of the applications, as well as other niceties.

And, Cloud IAP. Sweet, we don't need to care about authentication, just grant users (all of which already have G Suite accounts) access via Cloud IAM.

Question

How do we manage & inject auth data for users? IAP lets us grant access to projects, and presents data via JWT (perfect so far), but we can't add custom application permissions.

We would like to be able to use fine-grained permissions for endpoints, and groups/roles to grant these.

After much searching, I can't find any solution, and this seems like a super common requirement. Have I missed something (am I looking at this wrong)?

-- Dan
google-cloud-platform
istio
kubernetes
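The mechanism the question is circling, as an added example that is not part of the original post or of any Istio or Google documentation: Istio validates the IAP-signed JWT on the workload, and AuthorizationPolicy objects grant endpoint-level (method and path) permissions to identities read from the token's claims. Because the IAP token carries identity but no application roles, the "roles" here are lists of principals kept on the policy side rather than in the JWT. Assumptions: the namespace (shop), workload label (app=orders), e-mail addresses, paths and the audience string are constructed placeholders; the IAP issuer, JWKS URL and header name follow Google's IAP documentation and should be checked against the current docs; the manifests use the current security.istio.io API rather than the 2018-era ServiceRole/ServiceRoleBinding objects.

```yaml
# Added example, not from the original post. Namespace, labels, e-mail
# addresses, paths and the audience value are constructed placeholders.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: iap-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://cloud.google.com/iap"
    jwksUri: "https://www.gstatic.com/iap/verify/public_key-jwk"
    # Pin the audience to this backend so a token minted for another
    # IAP-protected backend is not accepted here (placeholder value).
    audiences:
    - "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID"
    fromHeaders:
    - name: x-goog-iap-jwt-assertion
---
# Explicit deny for requests that carry no validated IAP principal.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-require-iap-principal
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
---
# "orders-readers" role: members may only read orders.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-readers
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/orders", "/orders/*"]
    when:
    - key: request.auth.claims[email]
      values: ["reader@example.com", "analyst@example.com"]
---
# "orders-admins" role: members may read, create and cancel orders.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-admins
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["GET", "POST", "DELETE"]
        paths: ["/orders", "/orders/*"]
    when:
    - key: request.auth.claims[email]
      values: ["admin@example.com"]
```

Once any ALLOW policy selects the workload, Istio denies every request that matches none of them, so an identity absent from both role lists gets no access even without the explicit DENY; the DENY is kept so that the "no principal" case is visible in the policy set. The trade-off is that role membership now lives in policy manifests, which must be updated when people change roles, rather than in the identity provider.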

1 Answer

10/25/2018

There are a couple of solutions I can think of:

-- Rico
Source: StackOverflow