Skip to main content

Otterize OSS

Otterize OSS implements intent-based access control (IBAC) in a single Kubernetes cluster. It is a fully standalone, free and open-source software implementation of IBAC built for cloud-native teams that use Kubernetes at the core of their infrastructure.

It consists of several components:

  • The Otterize intents operator that translates ClientIntents resources to access controls using plugins, which currently include:
    • A network policies manager to control pod-to-pod access.
    • An ACL configurator for in-Kubernetes Kafka clusters to control client access.
  • The Otterize credentials operator that integrates with SPIFFE/SPIRE or the Otterize Cloud-managed credentials service to handle pod identities and manage certificates.
  • The Otterize network mapper that sniffs pod-to-pod traffic and builds a network map, which is useful on its own and may also be exported as client intents files for bootstrapping IBAC.

The Otterize OSS code base and issues are managed on GitHub.

To get started with Otterize OSS, see the tutorials for network policies, Kafka, network mapping, and mTLS.

The near-term roadmap for Otterize OSS currently includes:

  • [Done] Adding network map visualization capabilities to the Otterize CLI, so you can get network map images from the network mapper.

  • Adding a Kafka clients watcher (name TBD) to supply more detailed information to the network mapper about calls to any Kafka server: which clients are performing which operations against which topics. This complements the current map built up in the network mapper, which only records which clients called which servers, without any more granular information about those calls. With this new capability, users can bootstrap client intents that contain granular Kafka access intent information, and Otterize Cloud can display topic-level shadow mode information and insights also for Kafka servers and their clients.

  • Adding support for Istio service mesh access controls. This includes:

    • Pod-to-pod access controls (akin to the current network policies support).
    • Granular HTTP resource- and method-level access controls (akin to the current Kafka topic-level access control support).
    • Adding HTTP resource- and method-level intent information to the network mapper, and to the information optionally sent to Otterize Cloud to support shadow mode in the access graph.