
Module 7: Authorization and Policy Enforcement Slides

Slide walkthrough for Module 7 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: Identity answers who; policy answers what they can do.

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Authorization and Policy Enforcement - Identity answers who — policy answers what they can do
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Authentication tells you WHO is making a request. Without authorization, authenticated services can access anything. OPA with SPIFFE IDs supplies the missing layer between "identified" and "permitted"
  4. Authentication vs Authorization - Lesson section from the full module
  5. Open Policy Agent (OPA) - Lesson section from the full module
  6. Envoy External Authorization - Lesson section from the full module
  7. Context-Aware Authorization - Lesson section from the full module
  8. Policy Testing - Lesson section from the full module
  9. Real-World Use Cases - API endpoint authorization — which services can call which endpoints, Data access control — limiting which services can read sensitive data
  10. Common Mistakes to Avoid - 4 mistakes covered
  11. Production Notes - 3 practical notes
  12. Hands-On Labs - 2 hands-on labs
  13. Key Takeaways - 5 points to remember

Learning Objectives

  • Understand authentication vs authorization in zero trust
  • Write Rego policies with Open Policy Agent (OPA)
  • Implement identity-aware authorization with SPIFFE IDs
  • Integrate OPA with Envoy for runtime policy enforcement

Why This Module Matters

Authentication tells you WHO is making a request. Without authorization, authenticated services can access anything. OPA with SPIFFE IDs gives you fine-grained, testable, version-controlled authorization — the critical layer between "identified" and "permitted."

Production Notes

  • Always test Rego policies with opa test before deploying. Include both positive and negative cases: a permitted caller, a caller with no grant, a SPIFFE ID from a foreign trust domain, and a request that carries no peer identity at all.
  • A deny-all policy switched on with no grants causes outages, but a broad allow that is never tightened is no authorization at all. Roll a new policy out in log-only mode first (OPA records its decision while every request is still allowed), review the would-be denials against real traffic, then enforce and tighten grant by grant.
  • Version your Rego policies in Git and deploy them through CI/CD, just like application code.
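As an added worked example of the policy the module summary describes and of the testing notes above (this is editor-supplied code, not the course's own lab files), the following Rego file keys authorization on the caller's SPIFFE ID and carries its own positive and negative tests. It is also what the first hands-on lab asks you to write. The input shape is the one the OPA-Envoy plugin hands over from Envoy ext_authz: input.attributes.source.principal holds the URI SAN of the client certificate Envoy verified (the X509-SVID's SPIFFE ID), and input.parsed_path holds the request path split into segments. The trust domain example.org, the service names, the endpoints and the grants table are assumptions made for illustration.

```rego
# authz.rego: policy and tests in one file so it runs stand-alone with
# `opa test authz.rego -v`. In a real repo the test_* rules live in
# authz_test.rego and `opa test .` picks up both.
package envoy.authz

import rego.v1

default allow := false

# Trust domain served by our SPIRE server (assumption for this example).
trust_domain := "example.org"

# Which SPIFFE ID may call which method on which path prefix. In production
# this table belongs in data (shipped as a bundle), not in the policy file;
# it is inlined here so the example runs alone.
grants := {
	"spiffe://example.org/ns/default/sa/frontend": [
		{"method": "GET", "path": ["api", "orders"]},
		{"method": "POST", "path": ["api", "orders"]},
	],
	"spiffe://example.org/ns/default/sa/reporting": [
		{"method": "GET", "path": ["api", "orders"]},
		{"method": "GET", "path": ["api", "reports"]},
		{"method": "GET", "path": ["api", "customers"]},
	],
	"spiffe://example.org/ns/default/sa/billing": [
		{"method": "GET", "path": ["api", "customers"]},
	],
}

# Caller identity as Envoy presents it: the URI SAN of the verified client
# certificate. Undefined when the connection carried no verified peer cert.
caller := input.attributes.source.principal

caller_in_trust_domain if startswith(caller, sprintf("spiffe://%s/", [trust_domain]))

# A PII read: GET /api/customers/{id}/pii (assumed endpoint layout).
pii_request if {
	input.attributes.request.http.method == "GET"
	input.parsed_path[0] == "api"
	input.parsed_path[1] == "customers"
	input.parsed_path[3] == "pii"
}

# Deny reasons are collected in a set so decision logs say why a call failed.
# Any deny wins over any grant.
deny contains "caller is not from our trust domain" if not caller_in_trust_domain

deny contains "customer PII is restricted to billing" if {
	pii_request
	caller != "spiffe://example.org/ns/default/sa/billing"
}

# Allow only when nothing denies and some grant covers the method and path.
allow if {
	count(deny) == 0
	some grant in grants[caller]
	grant.method == input.attributes.request.http.method
	path_matches(grant.path, input.parsed_path)
}

# A grant's segments must be a prefix of the request path.
path_matches(prefix, path) if {
	count(path) >= count(prefix)
	every i, seg in prefix {
		path[i] == seg
	}
}

# ---- tests: constructed Envoy-shaped inputs, not captured traffic ----

frontend := "spiffe://example.org/ns/default/sa/frontend"

reporting := "spiffe://example.org/ns/default/sa/reporting"

# Build a minimal ext_authz input for a caller, method and path segments.
req(principal, method, path) := {
	"attributes": {
		"source": {"principal": principal},
		"request": {"http": {"method": method, "path": concat("/", array.concat([""], path))}},
	},
	"parsed_path": path,
}

test_frontend_reads_orders if allow with input as req(frontend, "GET", ["api", "orders", "123"])

test_frontend_cannot_delete_orders if not allow with input as req(frontend, "DELETE", ["api", "orders", "123"])

test_frontend_cannot_read_reports if not allow with input as req(frontend, "GET", ["api", "reports"])

test_reporting_reads_customer_summary if allow with input as req(reporting, "GET", ["api", "customers", "42"])

test_reporting_blocked_from_pii if {
	not allow with input as req(reporting, "GET", ["api", "customers", "42", "pii"])
	deny["customer PII is restricted to billing"] with input as req(reporting, "GET", ["api", "customers", "42", "pii"])
}

test_billing_reads_pii if allow with input as req("spiffe://example.org/ns/default/sa/billing", "GET", ["api", "customers", "42", "pii"])

test_foreign_trust_domain_rejected if not allow with input as req("spiffe://attacker.example/ns/default/sa/frontend", "GET", ["api", "orders"])

# No verified client certificate: Envoy sends no source.principal at all.
test_missing_identity_rejected if not allow with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/api/orders"}}}, "parsed_path": ["api", "orders"]}
```

Two design points worth carrying into your own policies: the trust-domain check means a certificate from any other SPIFFE trust domain is rejected even if its path happens to match a grant, and the deny set takes precedence over grants, so the data-access restriction on PII cannot be undone by adding a broader path prefix to some service later. The last test is the case teams forget: a plaintext or one-way-TLS listener yields no principal, and the policy must fail closed rather than crash or fall through.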

Common Mistakes

  • Writing overly permissive policies that allow everything initially and never tightening
  • Not testing policies before deploying — broken policies block legitimate traffic
  • Putting authorization logic in application code instead of a policy engine
  • Confusing OPA with a firewall. OPA is the policy decision point and only answers allow or deny; Envoy's ext_authz filter is the enforcement point that actually blocks the request. OPA on its own blocks nothing.

Key Takeaways

  • Authentication (who) and authorization (what) are separate concerns
  • OPA provides policy-as-code with the Rego language
  • Envoy ext_authz integrates OPA into the request path transparently
  • Policies should be tested like code — use opa test
  • SPIFFE IDs in policies enable fine-grained service-to-service authorization

Hands-On Labs

  1. Writing Basic Rego Policies

    Learn Rego syntax by writing and testing authorization policies.

    • Write a Rego policy that allows specific SPIFFE IDs
    • Write test cases for the policy
    • Run opa test and verify all tests pass
    • Experiment with more complex rules

    View lab files on GitHub

  2. Integrating OPA with Envoy

    Deploy OPA as an Envoy external authorization filter.

    • Deploy OPA as a sidecar alongside Envoy
    • Configure Envoy ext_authz filter to call OPA
    • Deploy two services with different SPIFFE IDs
    • Verify that policies correctly allow/deny requests

    View lab files on GitHub
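The wiring the second lab asks for, as an added example rather than the course's lab files: the ext_authz filter in Envoy's HTTP filter chain calls an OPA sidecar over gRPC, and the OPA-Envoy plugin build of OPA serves the allow decision from the policy package envoy.authz. The port 9191, the file names, the package path and the claim that the listener's mTLS setup comes from the earlier SPIRE/Envoy module are assumptions.

```yaml
# --- envoy.yaml (fragment: http_filters inside the HTTP connection manager) ---
# The listener's downstream TLS context (SPIRE-issued X509-SVIDs via SDS,
# require_client_certificate: true) is configured as in the SPIRE/Envoy
# module and omitted here. Without a verified client certificate on this
# listener, Envoy sends no source.principal and the policy denies.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    # Fail closed: if OPA is unreachable or times out, deny the request.
    # (false is the default; it is spelled out so nobody flips it casually.)
    failure_mode_allow: false
    grpc_service:
      google_grpc:
        # OPA runs as a sidecar in the same pod, so loopback is reachable.
        target_uri: 127.0.0.1:9191
        stat_prefix: ext_authz
      timeout: 0.5s
# ext_authz must sit before the router filter, which is always last.
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
---
# --- opa-config.yaml ---
# Start the sidecar with the OPA-Envoy plugin build of OPA, e.g.
#   opa run --server --config-file opa-config.yaml authz.rego
plugins:
  envoy_ext_authz_grpc:
    addr: :9191
    # The decision Envoy acts on: data.envoy.authz.allow from authz.rego.
    path: envoy/authz/allow
    # true = log-only rollout: every decision is logged but every request is
    # allowed. Flip to false once the logged denials match expectations.
    dry-run: false
    enable-reflection: false
decision_logs:
  console: true
```

To verify the lab's last step, deploy two workloads whose SPIRE registration entries give them different SPIFFE IDs, send the same request from each through the Envoy sidecar, and read the OPA decision log: one call should show the allow decision and the other a false result with the reason string from the deny set.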
