Policy Based Auth with Open Policy Agent with Envoy Proxy

Solo.io Engineering
Aug 22, 2019


Gloo, a modern API gateway built on Envoy Proxy, integrates with Open Policy Agent

The blog series “5 Minutes with Gloo” digs into a single feature at a time: what it is used for and how to use it. In this post, we’ll cover our recently released integration of Gloo with a popular new cloud native policy engine, Open Policy Agent (OPA). This integration is in addition to the various Auth methods already supported in Gloo.

Open Policy Agent, Microservices and API Gateways

Open Policy Agent (OPA) is a general-purpose policy engine that co-exists with your application service and offloads all policy decisions from your services. OPA abstracts policies from your services into a sidecar, host-level daemon or library, which gives the user more flexibility by removing language dependencies and policy logic hard-coded into the service.

OPA streamlines policy definition, implementation and management for use cases like HTTP API Authorization, Remote Access, Data Filtering with Partial Evaluation, and Kubernetes Admission Control.

Gloo Adds Open Policy Agent Support for Auth

Gloo is a next-generation API Gateway and Kubernetes-native Ingress Controller with a powerful routing engine that can handle a range of use cases, from simple API-to-API routing to complex HTTP-to-gRPC routing with transformations for your application services.

Let’s start by defining a few core concepts in Gloo:

  • Virtual Services define a set of routing rules by specifying the APIs you want to expose on the gateway and which upstreams to route to.
  • Upstreams tell Gloo what to route to and define the destinations for routes.
  • Gateways tell Gloo which protocols and ports to listen on for traffic.

As part of the architecture, Gloo stores its configuration as Custom Resource Definitions (CRDs) in Kubernetes. These configurations can specify who is allowed to access which Upstream services.

The Gloo integration with OPA gives end users more options for which Auth approach to use for their cluster and services. Every organization is different: you may have existing Auth systems in place, or you may be looking to implement a new Auth methodology with your new microservices applications. OPA is gaining popularity in cloud native designs and we wanted to provide that option for Gloo users.

Authentication is a feature available in Gloo Enterprise, and with the addition of the Auth plugin we can meet a wide range of Auth use cases in the Gloo API Gateway to secure access to your microservices. If you need help or run into issues, hop into our community Slack and join the #Gloo channel.

Get Started with Gloo and Open Policy Agent