
Policy-driven authorization for Istio service mesh

Enforce fine-grained Cerbos policies across your Istio mesh, every service-to-service call authorized by the same policy engine that governs your application.

Native Istio support

Cerbos speaks Istio's native protocol, no custom glue code required

Unified policies

The same CEL-based policies that govern your application layer extend to your infrastructure

Defense in depth

Authorization at every layer of your stack, managed from a single control plane

How Cerbos works with Istio Service Mesh

Istio Service Mesh provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.

Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Istio Service Mesh, enforced consistently everywhere.

A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.

Fine-grained authorization across your service mesh

Istio provides powerful traffic management and mTLS-based identity for service-to-service communication. But its built-in authorization policies are limited to network-level attributes: source and destination identities, ports, and paths. For real-world authorization, you need to understand the business context: who is the user, what role do they have, and what resource are they accessing.

Cerbos bridges this gap by acting as an external authorizer within your Istio mesh. Every request can be evaluated against rich, attribute-based policies that understand your domain model.

How it works

  1. Define an AuthorizationPolicy in Istio that delegates to Cerbos as an external authorization provider.
  2. Envoy sidecars intercept requests and forward authorization checks to Cerbos, including JWT claims, headers, and request metadata.
  3. Cerbos evaluates your policies, checking user roles, resource attributes, and contextual conditions, and returns an ALLOW or DENY.
  4. The sidecar enforces the decision before the request reaches your service.
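The four steps above, as an added worked example that is not configuration from the original page or from Cerbos itself. It registers an external authorization provider in Istio's mesh config, points an AuthorizationPolicy at that provider for one workload, validates the caller's JWT so its claims are available to the check, and shows the kind of Cerbos resource policy that would then decide the request. The Cerbos service name and port, the workload label `app: orders`, the JWT issuer and JWKS URL, and the `order` resource with its `view` and `cancel` actions are all assumptions for illustration; how the forwarded headers and JWT claims are mapped onto the Cerbos principal and resource is configured on the Cerbos side and is not shown here.

```yaml
# 1. Register Cerbos as an external authorizer in Istio's mesh config.
#    Istio reads this from the "istio" ConfigMap in istio-system.
#    The service name and port are assumptions: point them at your
#    Cerbos ext_authz deployment.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: cerbos-ext-authz
      envoyExtAuthzGrpc:
        service: cerbos-authz.cerbos.svc.cluster.local   # assumed service name
        port: "3593"                                      # assumed gRPC port
        timeout: 1s
        failOpen: false        # fail closed: a Cerbos outage denies, never allows
        statusOnError: "503"   # status returned to the caller when the check fails
---
# 2. Validate the caller's JWT so its claims reach the authorization check.
#    Issuer and JWKS URL are placeholders.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders          # assumed workload label
  jwtRules:
  - issuer: "https://issuer.example.com"          # placeholder
    jwksUri: "https://issuer.example.com/jwks"     # placeholder
---
# 3. Delegate authorization for the orders workload to the provider above.
#    action: CUSTOM hands every matching request to the external authorizer;
#    the sidecar enforces the ALLOW/DENY it returns before the request
#    reaches the service.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-cerbos
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders
  action: CUSTOM
  provider:
    name: cerbos-ext-authz   # must match the extensionProviders entry
  rules:
  - to:
    - operation:
        paths: ["/orders/*"]
---
# 4. A Cerbos resource policy of the kind that would decide the request.
#    Roles and attributes come from the principal and resource that the
#    integration builds from the forwarded JWT claims, headers and metadata.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "order"          # assumed resource kind
  rules:
    # A customer may view only orders they own (ABAC condition).
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["customer"]
      condition:
        match:
          expr: request.resource.attr.ownerId == request.principal.id
    # Support staff may view or cancel any order (plain RBAC).
    - actions: ["view", "cancel"]
      effect: EFFECT_ALLOW
      roles: ["support"]
```

Two settings carry the security weight here. `failOpen: false` keeps the sidecar failing closed, so an unreachable authorizer results in a denial rather than an unauthenticated bypass, and the `rules` block on the AuthorizationPolicy scopes the external check to the paths that need it, keeping the per-request latency cost off health checks and other traffic that Istio's built-in policies already cover.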

From network policies to business policies

Istio tells you which service is calling which. Cerbos tells you whether the user behind that call is allowed to perform the requested action on the target resource. Combining both gives you defense in depth: network-level identity plus fine-grained business authorization.

Get started

Cerbos authorization for Istio is available as part of Cerbos enterprise. Talk to us to learn more about deploying Cerbos in your service mesh.

FAQ

How does Cerbos work with Istio?

Cerbos integrates as an external authorizer via Istio's AuthorizationPolicy custom resource. Envoy sidecars in your mesh forward authorization checks to Cerbos, which evaluates your policies against the request context and returns a decision.

Does this replace Istio's built-in authorization?

Cerbos extends Istio's authorization capabilities. Istio's built-in policies handle network-level controls like mTLS and source identity. Cerbos adds fine-grained, attribute-based authorization that understands your application's domain model, roles, departments, resource ownership, and more.

What about performance in a mesh with many services?

Cerbos is designed for low-latency evaluation. Policy decisions typically complete in under a millisecond. When Cerbos is deployed as a sidecar or as a shared service within the mesh, network overhead is minimal.

Cerbos + Istio Service Mesh

  • Istio Service Mesh delegates authorization to Cerbos via native integration
  • One set of policies enforced across the entire stack
  • Unified audit trail for all authorization decisions
  • Policies managed without code changes or redeployments

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.