Background
So, on the journey from monolith(s) mess to microservices, we've decided to go down the k8s route (already a WIN), on Google Cloud (likewise), and we're looking for an authentication and authorization solution.
So we're considering using Istio, which again, the RBAC element looks like a WIN, and will allow us to keep authorization outside of the applications, as well as other niceties.
And, Cloud IAP. Sweet, we don't need to care about authentication, just grant users (all of whom already have G Suite accounts) access via Cloud IAM.
Question
How do we manage & inject auth data for users? IAP lets us grant access to projects, and presents data via JWT (perfect so far), but we can't add custom application permissions.
We would like to be able to use fine-grained permissions for endpoints, and groups/roles to grant these.
After much searching, I can't find any solution, and this seems like a super common requirement. Have I missed something (am I looking at this wrong)?
There are a couple of solutions I can think of:
Istio (like you mentioned), which supports:
Consul with Kubernetes and use ACLs with ACL tokens. The tokens could also be managed by Vault. As of this writing, it doesn't integrate with OpenID or OAuth2 providers. Consul will help you provide that fine-grained authorization with ACLs.
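As an added illustration of the Istio route (not part of the question or answer above), this is what validating the IAP-issued JWT inside the mesh and gating endpoints on its claims looks like: IAP forwards the signed token in the `x-goog-iap-jwt-assertion` header, and Istio can then allow or deny per path and method using the `email` and `hd` (hosted domain) claims that IAP does provide. The audience string, the `example.com` domain, the e-mail addresses and the `app: reports` label are placeholders, and the example uses the current RequestAuthentication/AuthorizationPolicy API rather than the older ServiceRole/ServiceRoleBinding objects.

```yaml
# Validate the JWT that Cloud IAP attaches to every proxied request.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: iap-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: reports          # placeholder workload label
  jwtRules:
  - issuer: "https://cloud.google.com/iap"
    jwksUri: "https://www.gstatic.com/iap/verify/public_key-jwk"
    audiences:
    # placeholder: the backend-service audience IAP signs for
    - "/projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID"
    fromHeaders:
    - name: x-goog-iap-jwt-assertion
---
# ALLOW policy: only requests matching a rule get through; everything
# else (including requests with no valid IAP token) is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reports-rbac
  namespace: default
spec:
  selector:
    matchLabels:
      app: reports
  action: ALLOW
  rules:
  # Any authenticated user from the organisation's domain may read.
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/reports/*"]
    when:
    - key: request.auth.claims[hd]
      values: ["example.com"]       # placeholder G Suite domain
  # Writes are limited to named principals until a group claim exists.
  - to:
    - operation:
        methods: ["POST", "PUT", "DELETE"]
        paths: ["/api/reports/*"]
    when:
    - key: request.auth.claims[email]
      values: ["alice@example.com", "bob@example.com"]   # placeholders
```

Because IAP's token carries no application-level group or role claim, the write rule has to enumerate users; a group-to-role mapping would have to come from a separate claim source or a lookup the application performs itself.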