Policy-driven authorization for Contour via Envoy ext_authz
Cerbos enforces fine-grained authorization at the Contour ingress layer, using the same Envoy ext_authz protocol that powers the native Envoy integration.
Built on Envoy ext_authz
Contour uses Envoy as its data plane, so Cerbos integrates via the same native ext_authz protocol
Unified policies
The same Cerbos policies that govern your application layer extend to your Kubernetes ingress
Ingress-level enforcement
Unauthorized requests are rejected at the ingress before reaching your services
How Cerbos works with Contour
Contour provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.
Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Contour, enforced consistently everywhere.
A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.
Contour is a Kubernetes ingress controller built on Envoy, maintained by VMware. Because it uses Envoy as its data plane, Cerbos integrates via the same ext_authz gRPC protocol used in standalone Envoy deployments.
- Create an ExtensionService: define a Contour ExtensionService resource that points to your Cerbos PDP deployment.
- Attach an AuthorizationPolicy: apply an AuthorizationPolicy to your HTTPProxy resources to route authorization checks through the Cerbos ExtensionService.
- Cerbos evaluates your policies: the same YAML policies used across your entire stack are evaluated and an allow or deny decision is returned.
- Contour enforces the decision: authorized requests are routed to your upstream services. Unauthorized requests receive a 403.
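A minimal pair of manifests for the steps above, added here as an illustration rather than taken from the Cerbos or Contour projects. The Cerbos Service name and namespace (`cerbos`), its gRPC port 3593, the CA Secret `cerbos-ca`, the host `echo.example.com`, the TLS Secret `echo-tls` and the upstream `echo` Service are all assumptions.

```yaml
# Added example: Contour ExtensionService pointing at a Cerbos PDP.
# Assumes a Service "cerbos" in namespace "cerbos" exposing the Cerbos
# gRPC port 3593, and a Secret "cerbos-ca" holding the CA that signed it.
apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  name: cerbos
  namespace: cerbos
spec:
  protocol: h2              # gRPC over TLS; h2c only for plaintext lab setups
  services:
    - name: cerbos
      port: 3593
  validation:
    caSecret: cerbos-ca     # assumed Secret name
    subjectName: cerbos.cerbos.svc.cluster.local
---
# HTTPProxy that sends every request through the Cerbos ExtensionService
# before routing. Contour applies authorization only on TLS virtual hosts,
# so the virtualhost must carry a tls block.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
  namespace: default
spec:
  virtualhost:
    fqdn: echo.example.com  # assumed hostname
    tls:
      secretName: echo-tls  # assumed TLS Secret for the virtual host
    authorization:
      extensionRef:
        name: cerbos
        namespace: cerbos
      failOpen: false       # deny when Cerbos is unreachable or times out
      responseTimeout: 500ms
      authPolicy:
        context:
          resource: echo    # passed to Cerbos in the ext_authz check context
  routes:
    - conditions:
        - prefix: /healthz
      services:
        - name: echo
          port: 80
      authPolicy:
        disabled: true      # health endpoint deliberately skips the check
    - services:
        - name: echo
          port: 80
```

Keep `failOpen: false` in production: with it set to true, an outage of the PDP would let traffic through unauthorized, which is the opposite of what ingress-level enforcement is for.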
FAQ
How does Cerbos integrate with Contour?
Contour is built on Envoy, so it inherits Envoy's ext_authz protocol. Cerbos acts as the external authorization service — Contour forwards each request to Cerbos for policy evaluation via its ExtensionService CRD before routing to your upstream services.
Is this the same integration as Envoy?
Yes. Contour uses Envoy as its data plane. The Cerbos integration uses the same ext_authz gRPC protocol, same policy evaluation, and same configuration. You configure it via Contour's ExtensionService and AuthorizationPolicy resources.
Do I need to change my application code?
No. Authorization happens at the ingress layer. Your services receive only pre-authorized traffic.
Cerbos + Contour
- Contour delegates authorization to Cerbos via native integration
- One set of policies enforced across the entire stack
- Unified audit trail for all authorization decisions
- Policies managed without code changes or redeployments