Otterize OSS

Otterize OSS implements intent-based access control (IBAC) in a single Kubernetes cluster. It is a fully standalone, free and open-source software implementation of IBAC built for cloud-native teams that use Kubernetes at the core of their infrastructure.

Components

Otterize OSS consists of several components, which work together to provide IBAC capabilities.

  • The Otterize intents operator that translates ClientIntents resources to access controls using plugins, which currently include:
    • A network policies manager to control pod-to-pod access.
    • An ACL configurator for in-Kubernetes Kafka clusters to control client access.
  • The Otterize credentials operator that integrates with SPIFFE/SPIRE or the Otterize Cloud-managed credentials service to handle pod identities and manage certificates.
  • The Otterize network mapper that sniffs pod-to-pod traffic and builds a network map, which is useful on its own and may also be exported as client intents files for bootstrapping IBAC.

This list will grow over time, as more capabilities are added, in particular support for more access controls, credentials managers, and integrations with useful tooling.
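To make the first bullet concrete, the following is an added illustration, not Otterize's own code, of what "translating ClientIntents to access controls" amounts to: a client declares which servers (and which Kafka topics) it intends to call, and an operator turns each declaration into a Kubernetes NetworkPolicy attached to the server, plus Kafka ACL entries for the client's identity. The input document follows the shape of the ClientIntents resource as described on this page (a service name and a list of calls, Kafka calls carrying topics and operations); the `app` label key, the `User:CN=<service>.<namespace>` principal format, the mapping from `produce`/`consume` to Kafka operations, and the exact `apiVersion` string are assumptions made for this example.

```python
"""Illustrative translation of a ClientIntents-shaped document into
Kubernetes NetworkPolicy objects and Kafka ACL entries.

Added example, not Otterize code. Assumptions (not from the page):
- workload pods carry the label app=<service name>;
- a client's mTLS certificate CN is "<service>.<namespace>";
- "produce" means Write+Describe on the topic, "consume" means Read+Describe.
"""
from __future__ import annotations

import json

LABEL_KEY = "app"  # assumption: pods are labelled app=<service name>

# Assumption: simplified mapping from intent operations to Kafka ACL operations.
KAFKA_OPERATIONS = {
    "produce": ["Write", "Describe"],
    "consume": ["Read", "Describe"],
    "all": ["All"],
}

# Constructed input: one client ("checkout") calling a plain HTTP server
# ("inventory") and a Kafka cluster ("kafka") with topic-level intents.
CLIENT_INTENTS = {
    "apiVersion": "k8s.otterize.com/v1alpha2",  # assumption: version may differ
    "kind": "ClientIntents",
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {
        "service": {"name": "checkout"},
        "calls": [
            {"name": "inventory"},
            {"name": "kafka", "type": "kafka", "topics": [
                {"name": "orders", "operations": ["produce"]},
                {"name": "payments", "operations": ["consume"]},
            ]},
        ],
    },
}


def to_network_policies(intents: dict) -> list[dict]:
    """One NetworkPolicy per called server, admitting ingress only from the client.

    The policy selects the *server* pods; once any NetworkPolicy selects a pod,
    Kubernetes denies all ingress to it except what the policy lists, so the
    effect is "only the declared client may reach this server".
    """
    ns = intents["metadata"].get("namespace", "default")
    client = intents["spec"]["service"]["name"]
    policies = []
    for call in intents["spec"]["calls"]:
        server = call["name"]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"access-to-{server}-from-{client}", "namespace": ns},
            "spec": {
                "podSelector": {"matchLabels": {LABEL_KEY: server}},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": [
                    {"podSelector": {"matchLabels": {LABEL_KEY: client}}},
                ]}],
            },
        })
    return policies


def to_kafka_acls(intents: dict) -> list[dict]:
    """Allow ACLs for every Kafka topic intent, keyed on the client's identity.

    Duplicate entries (e.g. Describe implied by both produce and consume on
    one topic) are collapsed. Unknown operations are rejected rather than
    silently ignored, so a typo cannot widen or drop access unnoticed.
    """
    ns = intents["metadata"].get("namespace", "default")
    client = intents["spec"]["service"]["name"]
    principal = f"User:CN={client}.{ns}"  # assumption: cert CN = <service>.<namespace>
    seen: set[tuple] = set()
    acls = []
    for call in intents["spec"]["calls"]:
        if call.get("type") != "kafka":
            continue
        for topic in call.get("topics", []):
            for op in topic["operations"]:
                if op not in KAFKA_OPERATIONS:
                    raise ValueError(f"unknown Kafka operation {op!r} on topic {topic['name']!r}")
                for kafka_op in KAFKA_OPERATIONS[op]:
                    key = (topic["name"], kafka_op)
                    if key in seen:
                        continue
                    seen.add(key)
                    acls.append({"principal": principal, "resource_type": "Topic",
                                 "resource_name": topic["name"], "operation": kafka_op,
                                 "permission": "Allow"})
    return acls


if __name__ == "__main__":
    print(json.dumps(to_network_policies(CLIENT_INTENTS), indent=2))
    print(json.dumps(to_kafka_acls(CLIENT_INTENTS), indent=2))
```

The point of the shape is that the client never edits the server's policy by hand: it declares intent, and the operator owns the NetworkPolicy and ACL objects, which is what lets a network map (third bullet) be exported as intents and then enforced.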

The Otterize OSS code base and issues are managed on GitHub.

To get started with Otterize OSS, see the tutorials for network policies, Kafka, network mapping, and Istio service mesh.

Usage metrics

Components in Otterize OSS collect usage information (counts of events such as INTENTS_APPLIED, NETWORK_POLICY_CREATED and KAFKA_ACL_DELETED) and can report those counts back to the Otterize team. This is entirely optional and does not affect the functionality of Otterize OSS, but it does help the team at Otterize understand what the community finds useful and hence how to improve it. (Of course, direct feedback through the Otterize Community Slack is very much appreciated too.) For more information, including what is sent and how to turn it off or on, see the usage telemetry documentation.

Roadmap

The near-term roadmap for Otterize OSS currently includes:

  • [Done] Adding network map visualization capabilities to the Otterize CLI, so you can get network map images from the network mapper.

  • [Done] Adding a Kafka watcher to supply more detailed information to the network mapper about calls to any Kafka server: which clients are performing which operations against which topics. This complements the current map built up in the network mapper, which only records which clients called which servers, without any more granular information about those calls. With this new capability, users can bootstrap client intents that contain granular Kafka access intent information, and Otterize Cloud can display topic-level shadow mode information and insights also for Kafka servers and their clients.

  • [Done] Adding support for Istio service mesh access controls. This includes: