Dedicated Authorization Pod Deployment

Dedicated Authorization Pod Deployment is the architecture in which an external authorization service, such as the Envoy ext_authz filter implementation, is deployed in a separate Pod from the application workload it protects^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. This pattern serves as an example of integrating a custom authorization system into a service mesh like Istio^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

Deployment

To deploy the authorization service in a dedicated Pod, a specific resource definition, typically named ext-authz.yaml, is applied to the cluster^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. This creates the necessary Service and Deployment resources, isolating the authorization logic from the business logic^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

This dedicated approach contrasts with the local deployment strategy, where the authorization container runs sidecar-style within the same Pod as the application container (e.g., using local-ext-authz.yaml)^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

Operation

Once deployed, the authorization server listens for authorization check requests^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. It typically supports communication via either HTTP (commonly on port 8000) or gRPC v2/v3 (commonly on port 9000)^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

The core logic of the service evaluates incoming requests against criteria such as the presence of a particular header (e.g., x-ext-authz: allow) or the validation of the source workload's service account^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. After evaluating the request, it returns a decision of allowed or denied^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].
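
The header check described above, written as a fail-closed HTTP check endpoint in Go. This is an added example, not code from the cited README or the project it describes; the function names decide and check, the logging, and the rule that a repeated or differently-cased header value is denied are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

const (
	checkHeader  = "x-ext-authz" // header named on this page
	allowedValue = "allow"       // value named on this page
	listenAddr   = ":8000"       // HTTP port the page gives as common
)

// decide maps the values received for checkHeader to an HTTP status.
// Assumption (not from the page): anything other than exactly one
// value equal to "allow" is denied, so a missing, repeated or
// differently-cased value fails closed.
func decide(values []string) (int, string) {
	switch {
	case len(values) == 0:
		return http.StatusForbidden, "header missing"
	case len(values) > 1:
		return http.StatusForbidden, "header repeated"
	case values[0] != allowedValue:
		return http.StatusForbidden, "header value not allowed"
	}
	return http.StatusOK, "allowed"
}

// check answers the proxy's authorization request for any path and method.
func check(w http.ResponseWriter, r *http.Request) {
	// Header.Values canonicalises the name, so X-Ext-Authz matches too.
	status, reason := decide(r.Header.Values(checkHeader))
	// Log every decision (quoted, to keep log lines intact) for auditing.
	log.Printf("ext-authz %q %q -> %d (%s)", r.Method, r.Host+r.URL.Path, status, reason)
	w.WriteHeader(status)
	fmt.Fprintln(w, reason)
}

func main() {
	http.HandleFunc("/", check)
	log.Fatal(http.ListenAndServe(listenAddr, nil))
}
```

A 200 response tells the proxy to forward the request; any other status is treated as a denial, so every path through decide that is not an exact match ends in 403.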

Sources

^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]