CoursesZero-trust & workload identityIdentity-based authorization

Policy as code & rollout

Version, review, audit→enforce the call graph.

Advanced25 min · lesson 12 of 15

Authorization policy is only as good as the discipline around it. A zero-trust cluster can accumulate hundreds of allow rules across dozens of services, so treating policy as reviewed, version-controlled code — and rolling it out safely — is what keeps it correct and prevents self-inflicted outages.

Policy as code

Every AuthorizationPolicy, PeerAuthentication, and RequestAuthentication should live in git alongside the workloads it governs, be reviewed like application code, and deploy through the same pipeline (ideally GitOps, so the cluster state matches the repo). This makes the security posture auditable — you can see who allowed the frontend to call the orders API, and when — and reversible, since a bad change is a revert. Author policies per workload rather than in one sprawling file, so ownership is clear and a change to one service’s rules does not risk another’s. The same principle applies as to admission, network, and IaC policy elsewhere in the curriculum: if it is not in version control and reviewed, it is not a control you can trust.

policy in git, per workload, GitOps-delivered
# Repo layout: authz policy lives with the workload, reviewed in PRs.
# apps/orders/
# deployment.yaml
# authorizationpolicy.yaml ← who may call orders, as reviewed code
#
# GitOps (Argo CD / Flux) reconciles it, so the cluster matches the repo.
# A bad allow rule is a git revert, not a live-cluster scramble.
# Diff shows exactly what access changed, by whom, when — auditable.

Discover the call graph, then enforce

The dangerous moment is flipping default-deny on: any legitimate service-to-service flow you did not anticipate breaks instantly. Avoid it by discovering the real call graph first — run the mesh in a permissive/audit posture and use its observability (Hubble, Kiali) to see which services actually talk to which, then write allow rules for those flows, and only then enforce default-deny. Roll out namespace by namespace, keep an escape hatch to revert a namespace to permissive, and monitor for denied requests that indicate a missed legitimate flow. This audit-then-enforce, waved rollout is the identical safe pattern used for admission, network, mTLS, and runtime enforcement throughout the course.

Authorization policy lifecycle
as code
in git, per workload
reviewed like app code
GitOps-reconciled
cluster matches the repo
safe rollout
discover the call graph
observe before enforcing
audit → enforce in waves
namespace by namespace
escape hatch + monitor denies
revert fast, catch misses
Version and review policy, learn the real flows, then enforce default-deny gradually. The same audit-then-enforce discipline as every policy in the course.
Default-deny without knowing the call graph is an outage
Enabling default-deny authorization before you know which services legitimately talk to which will sever undocumented but necessary flows the moment it is enforced. Observe the real traffic in a permissive posture first, write allows for it, and enforce in waves with a quick revert path — never flip the whole cluster to deny at once.