1. 06.27.2022
Enforce policy at Ingress using EnRoute and Open Policy Agent (OPA)
saaras.io // getenroute.io
Creators of EnRoute OneStep Gateway
2. 06.27.2022
Welcome to the workshop!
Follow along and feel free to ask questions on Slack!
Join slack.saaras.io for discussions
Request an enterprise license: getenroute.io/contact
4. 06.27.2022
What is this talk about?
• EnRoute - A lightweight Ingress Controller API Gateway built on Envoy Proxy
• Open Policy Agent - General Purpose Policy Engine
EnRoute Integration with Open Policy Agent (OPA)
7. 06.27.2022
How is EnRoute different?
• Built on Envoy Proxy
• Works for both Kubernetes and non-Kubernetes
• Declarative No-YAML Configuration
• OSS / Community / Enterprise
getenroute.io/features
8. 06.27.2022
What is Open Policy Agent?
• General Purpose Policy Engine
• ABAC vs. RBAC
• RBAC: Restrict access to finance app to CFO org
• ABAC: Restrict access to finance app to the CFO org, while at company headquarters in CA, only when they are using their work laptops during work hours
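The RBAC and ABAC rules from this slide, side by side, as an added example in plain Python (not Rego, and not code from the workshop, EnRoute or OPA). The attribute names, the `HQ-CA` and `work-laptop` values and the 09:00-17:00 weekday window are assumptions, and the sample requests are constructed.

```python
from datetime import datetime, time

# Assumed policy values; the slide names the conditions but not their encoding.
WORK_START, WORK_END = time(9, 0), time(17, 0)
POLICY = {"org": "CFO", "location": "HQ-CA", "device": "work-laptop"}

def rbac_allow(req):
    """RBAC: the decision depends only on who the caller is (their org)."""
    return req.get("org") == POLICY["org"]

def abac_deny_reasons(req):
    """ABAC: every attribute must match; return the names of those that fail.
    A missing attribute counts as a failure, so the check fails closed."""
    reasons = [k for k, want in POLICY.items() if req.get(k) != want]
    ts = req.get("time")  # local time at the office (assumed naive datetime)
    in_hours = (ts is not None and ts.weekday() < 5
                and WORK_START <= ts.time() < WORK_END)
    if not in_hours:
        reasons.append("time")
    return reasons

def abac_allow(req):
    return not abac_deny_reasons(req)

# Constructed sample requests, all from a member of the CFO org.
REQUESTS = {
    "hq_workday": {"org": "CFO", "location": "HQ-CA", "device": "work-laptop",
                   "time": datetime(2022, 6, 27, 10, 30)},   # Monday morning
    "home_night": {"org": "CFO", "location": "home", "device": "personal-phone",
                   "time": datetime(2022, 6, 27, 23, 0)},
    "hq_weekend": {"org": "CFO", "location": "HQ-CA", "device": "work-laptop",
                   "time": datetime(2022, 6, 25, 11, 0)},    # Saturday
    "no_device":  {"org": "CFO", "location": "HQ-CA",
                   "time": datetime(2022, 6, 27, 10, 30)},   # attribute missing
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, "RBAC:", rbac_allow(req), "ABAC:", abac_allow(req),
              "failed:", abac_deny_reasons(req))
```

RBAC admits all four requests because the caller's org is the only input; ABAC admits only the first and names the attribute that failed for the others.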
9. 06.27.2022
Demo: EnRoute-Integration-OPA
• Install EnRoute with OPA Integration
• Install example workload (httpbin), secure it using JWT
• Enforce JWT Claims using OPA
• Program OPA Policy
• Verify OPA Policy is Enforced
• HTTP Return Code, OPA Logs