September 27-30, 2021
Seattle, Washington, USA + Virtual
Wednesday, September 29 • 4:55pm - 5:45pm
(VIRTUAL) Distributed Authorization for Microservices Powered by Kubernetes, Istio and Open Policy Agent - Gong Mengnan, Ninja Van

Managing user access can be hard. Previously, Ninja Van adopted a typical RBAC (role-based access control) approach and applied it at the application layer. The permissions required for accessing endpoints were only available in the code itself. It is difficult for engineers to get the whole picture of the permissions required for a service or endpoint, and even more difficult for non-technical users to understand the system. What's worse, account managers have to guess the permissions behind a name and often end up granting undesirable permissions, which compromises overall system security. Mengnan introduces a new authorization flow leveraging the power of Kubernetes, Istio and OPA (Open Policy Agent). OPA is deployed as a sidecar, residing side by side with the Envoy proxy. Envoy talks to OPA via the external authorization interface to evaluate all incoming requests. The access policy is defined as a Kubernetes CRD, managed by an in-house Kubernetes operator and then distributed to all the OPA sidecars. The distributed authorization approach eliminates the single point of failure, extracts access control out of the code and integrates it with the CI/CD pipeline. Furthermore, user access can now be shown as an interactive tree ;)
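As an added illustration of the Envoy-to-OPA external authorization step described in the abstract (example code, not from the talk or from Ninja Van): a Rego policy that the OPA sidecar could evaluate against the request attributes Envoy forwards. The `permissions` map stands in for the role-to-endpoint data the CRD would carry, and the `x-user-roles` header is an assumed convention for a header set by a trusted upstream gateway.

```rego
package envoy.authz

import future.keywords.if
import future.keywords.in

default allow := false

# Constructed role -> endpoint permission data. In the design described above this
# would be distributed to every OPA sidecar from a Kubernetes CRD by an operator.
permissions := {
	"driver": [
		{"method": "GET", "path_prefix": "/api/v1/parcels"},
	],
	"ops-admin": [
		{"method": "GET", "path_prefix": "/api/v1/parcels"},
		{"method": "POST", "path_prefix": "/api/v1/parcels"},
		{"method": "DELETE", "path_prefix": "/api/v1/parcels"},
	],
}

# Request attributes as forwarded by Envoy's ext_authz filter.
http_request := input.attributes.request.http

# Path without the query string, so "/api/v1/parcels?limit=10" still matches.
request_path := split(http_request.path, "?")[0]

# Assumed convention: a trusted gateway authenticates the caller and sets a
# comma-separated role list. The mesh must strip this header on external
# ingress so a client cannot assert its own roles.
roles := split(http_request.headers["x-user-roles"], ",")

# Allow when at least one of the caller's roles grants this method on this path.
allow if {
	some role in roles
	some rule in permissions[role]
	rule.method == http_request.method
	startswith(request_path, rule.path_prefix)
}

# Example: with roles "driver", GET /api/v1/parcels/123 -> allow is true,
# DELETE /api/v1/parcels/123 -> allow stays false.
```

Loaded into the sidecar, the decision `data.envoy.authz.allow` is what Envoy's ext_authz filter asks OPA for on every incoming request; denied calls never reach the service code.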

Gong Mengnan

Senior Software Engineer, Ninja Van
Mengnan is a software engineer with 5 years of experience in backend, infrastructure, and cloud. He is also a Certified Kubernetes Administrator / APAC TUG (TiDB User Group) ambassador / Gopher / Open-source enthusiast. He is part of the infra team in Ninja Van, a logistics company...

Wednesday September 29, 2021 4:55pm - 5:45pm PDT
MeetingPlay Platform + Virtual Learning Lab
Cloud Native Development, Security/Authentication