
Service account-based authorization

Service account-based authorization is an access-control model used in service mesh architectures, demonstrated in Envoy and Istio integrations, in which the decision to admit a request is based on the identity of the source workload rather than on request content alone.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]

Implementation in External Authorization

In an External Authorization (Ext Authz) deployment, this model allows requests to be permitted if the service account of the source workload matches a specific authorized identity.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md] For example, a default implementation might check if the source workload's service account is a^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].

Because the expected identity is specific to each deployment (the sample's default is intended for testing), the authorization server typically lets the allowed service account name be set at startup through a command-line flag such as -allow_service_account^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].
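The check described above, written out as an added example (this is not the Istio sample's own code). It assumes the source principal arrives in Istio's SPIFFE layout, spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, as Envoy reports it for the mTLS peer; the flag name comes from the page, while its default value and the sample principals are constructed.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"strings"
)

// Counterpart of the -allow_service_account flag; "sleep" is a constructed default, not the sample's.
var allowServiceAccount = flag.String("allow_service_account", "sleep",
	"service account of the source workload that is allowed through")

// ParseSPIFFE splits an Istio principal, spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>,
// into its parts. Anything deviating from that layout is rejected rather than partially parsed.
func ParseSPIFFE(principal string) (trustDomain, namespace, serviceAccount string, err error) {
	const prefix = "spiffe://"
	if !strings.HasPrefix(principal, prefix) {
		return "", "", "", errors.New("not a SPIFFE URI")
	}
	p := strings.Split(strings.TrimPrefix(principal, prefix), "/")
	if len(p) != 5 || p[1] != "ns" || p[3] != "sa" || p[0] == "" || p[2] == "" || p[4] == "" {
		return "", "", "", fmt.Errorf("unexpected SPIFFE layout: %q", principal)
	}
	return p[0], p[2], p[4], nil
}

// Allowed is the decision for one request, given the source principal Envoy reports for the
// mTLS peer (empty when the caller was not authenticated). As on the page, only the service
// account name is compared; that also admits a same-named account in another namespace,
// so a stricter server would pin the namespace (and trust domain) as well.
func Allowed(principal, allowedSA string) bool {
	_, _, sa, err := ParseSPIFFE(principal)
	if err != nil {
		return false // deny by default on a missing or malformed identity
	}
	return sa == allowedSA
}

func main() {
	flag.Parse()
	for _, p := range []string{ // constructed sample principals
		"spiffe://cluster.local/ns/default/sa/sleep",
		"spiffe://cluster.local/ns/default/sa/httpbin",
		"",
	} {
		fmt.Printf("%-46q allowed=%v\n", p, Allowed(p, *allowServiceAccount))
	}
}
```

Run it with `-allow_service_account=httpbin` to see the decision flip without changing code.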

Sources

^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]