Permit.io at KubeCon 2024 - Here’s What We're Excited For
KubeCon in Salt Lake City is tomorrow, and we, along with the rest of the cloud-native community, are super excited about it! Before the event starts, we gathered some top-notch recommendations for booths and talks you definitely shouldn’t miss, as well as a bit of an overview of the latest industry trends and some cool Permit.io / OPAL updates we are going to be showcasing during this event. Whether you're attending KubeCon in person or following along remotely, we hope this guide will help you get the best out of your KubeCon experience!
Let’s go!
The Ecosystem: What Changed Since the Last KubeCon?
The authorization space has been filled with activity over the past year, as we've seen some major shifts and updates in the tools and frameworks shaping the world of cloud-native authorization. Here’s what’s changed:
Authorization - An Afterthought No Longer
Throughout all of the events we had the opportunity to attend this year, no trend was more evident than the prioritization of fine-grained authorization implementation by startups and enterprises alike.
There is an evident shift in companies implementing fine-grained authorization early on in their product journeys. Whether it’s due to increasing security concerns or the need for a better user experience, more teams are prioritizing authorization as a foundational feature.
Authorization is no longer an afterthought, as companies understand that implementing fine-grained authorization that can grow along with their product in a future-proof fashion is a cornerstone of application development.
This shift is evident in the growing adoption of policy engines and authorization frameworks early on in the product development cycle, and we are happy to see this crucial security aspect getting the attention it deserves.
OpenFGA Adds Conditions to Policies
One of the most exciting advancements in the past year has been the addition of conditions to OpenFGA. Now, OpenFGA allows developers to layer specific conditions onto typical policy data, making it possible to handle more nuanced permissions. This addition helps fine-tune policies and makes it easier to enforce permissions based on dynamic criteria—crucial for complex, real-world applications.
Open Policy Agent (OPA) Hits Version 1.0
Since 2015, Open Policy Agent (OPA) has been a go-to framework for many developers building policy-driven applications. This year marks a big milestone for OPA as it finally reaches version 1.0. We’re especially eager to see how developers will utilize its new capabilities and adopt the changes as part of their cloud-native stack.
On the same note, Rego, the language used within OPA, has seen some key enhancements that make it even more capable of handling permission and policy scenarios. These improvements are particularly useful for Permit.io users who rely on Rego for writing authorization rules. With these upgrades, developers can write more efficient and powerful rules, further enhancing the flexibility of their permission models.
AWS Cedar for Kubernetes Admission Policies
AWS has made waves by introducing Cedar, a policy language and evaluation engine that’s now being applied for Kubernetes admission permissions. Cedar’s simplified model for policy handling is making it easier to manage permissions for Kubernetes clusters, which is a big win for teams working with complex Kubernetes environments. This development shows the flexibility of policy engines and their ability to support a range of use cases, from admission control in Kubernetes to detailed user permissions.
What's New with Permit.io and OPAL
Since our last visit to KubeCon, Permit.io has transformed from a product focused solely on fine-grained authorization into a comprehensive platform that allows far more than just querying for an authorization result. Some key enhancements we introduced include:
- Advanced Configuration and Modeling: Permit.io enables complex configuration and modeling of fine-grained permissions, allowing for more nuanced access control tailored to specific application needs.
- Infrastructure as Code Support: We've introduced support for infrastructure as code (IaC) tools like OpenTofu and Terraform’s HCL, empowering developers to define permissions using familiar IaC practices.
- Decentralized Decision Points: Our platform supports decentralized fine-grained decision points, enhancing scalability and performance by distributing authorization logic closer to where decisions are made.
- UI Components for Permission Delegation: We've expanded our suite of user interface components that simplify permission delegation to support access requests and approval flows - making it easier for administrators and end-users to manage application access controls.
- Integration with new Policy Engines: While Permit.io already seamlessly integrates with leading policy engines like Open Policy Agent (OPA) and AWS’ Cedar, we are looking to integrate Permit.io with OpenFGA in the near future, providing flexibility and compatibility with existing authorization frameworks.
Introducing a New Paid Tier
Understanding the needs of startups and smaller organizations, we're also excited to announce the launch of a new paid tier designed to lower the barrier to entry for implementing fine-grained permissions:
- Affordable Access: Organizations can now support up to 10,000 monthly active users for less than $200, making advanced authorization accessible to startups focused on delivering great user experiences with high security.
- Enhanced Feature Availability: We've migrated some enterprise-only features (SSO, Compliance) into the Pro tier, ensuring that smaller teams have access to powerful tools without the need for large-scale enterprise contracts.
- Quota-Based Pricing: Staying true to our philosophy, our pricing model remains quota-based rather than feature-limited. This approach ensures that all users, including those on the free tier, have access to the full suite of functional features.
OPAL Continues to Grow!
Our open-source project, OPAL (Open Policy Administration Layer), has seen significant growth and enhancements:
- Expanded Support: OPAL now offers broader support for policy engines, including the recent addition of AWS Cedar and ongoing developments to integrate OpenFGA.
- Community Contributions: The community has made valuable contributions, helping to expand OPAL's capabilities and improving its integration with various authorization services.
- Enhanced Functionality: The project now supports more advanced features for Open Policy Agent, enabling developers to deploy comprehensive authorization solutions with minimal boilerplate code.
But enough about us - let’s talk about KubeCon, the booths we are excited to visit, and the talks we can’t wait to hear!
Booths You Definitely Shouldn’t Miss
At KubeCon, we're excited to connect with partners and friends (and see everyone’s swag game). Here are the booths we're eager to visit:
With AWS Cedar's recent integration for Kubernetes admission policies, we're keen to explore collaboration opportunities, understand their roadmap for fine-grained permissions, and see how we at Permit.io can leverage Cedar's simplified policy model to streamline permissions management for developers further.
Permit and GraphQL have a longstanding relationship. We’ve supported GraphQL from day one, recognizing its potential as a powerful tool for implementing partial evaluation and advanced authorization queries, especially fine-grained permissions. GraphQL is uniquely suited to enable fine-grained authorization, making it an ideal partner in our mission to bring advanced access control to applications. We’re excited to visit Apollo’s booth, hear about their roadmap, and explore how we can collaborate to make fine-grained permissions even more effective with GraphQL.
Since launching our Terraform provider, connecting with the HashiCorp team has been a top priority for us. We’ll be discussing how to improve policy management with Terraform, so if you’re a Terraform user looking to configure fine-grained permissions with IaC, we’re sure HashiCorp’s booth will be the perfect place to answer your questions.
ngrok’s recent expansion into API gateway capabilities is an exciting development, and we’re eager to explore how Permit.io might collaborate to streamline API access control. For anyone managing API permissions or interested in API gateways, ngrok’s booth is a great place to learn about secure, efficient API management.
Tetrate plays a major role in maintaining Envoy, a core technology in service mesh architectures, as Envoy is increasingly being used as an e2e API gateway. We’re exploring options for Permit.io to contribute as an Envoy plugin. If you’re working in microservices or service mesh, make sure you stop by their booth to learn about enhancing service mesh security and observability.
WSO2 is new to KubeCon sponsorship this year, and with its strength in digital transformation, we see significant potential for collaboration around fine-grained authorization.
Atolio’s focus on enterprise search aligns with our recent work in integrating Permit.io with LLMs using vector search. We’re excited to explore potential integrations, and if you’re interested in search technologies or want to enhance search functionality with secure access, Atolio’s booth is going to be the place for you!
Talks We Are Looking Forward To
KubeCon has a bunch of extremely interesting sessions and talks this year - here are the ones we're particularly excited about:
Policy Engine Showdown Panel
We're a little biased with this one, but this talk, hosted by Gabriel Manor from Permit.io, will feature an in-depth debate on the strengths and applications of various policy engines. Representatives from Cedar, OPA, OpenFGA, and end-users will discuss which engines excel in specific scenarios and offer insights on how each can be best applied within modern authorization strategies.
AuthZEN: The OpenID Connect of Authorization
Omri Gazit from Aserto will present this session on AuthZEN, a new standard for defining application authorization that’s being likened to OpenID Connect’s role in authentication. This talk is a must for anyone interested in standardizing authorization practices or learning how AuthZEN is shaping the future of authorization.
Creating Zanzibar-Based Permissions for Kubernetes
In this session, Jimmy Zelinskie from AuthZed will cover how Zanzibar-inspired permissions models, particularly SpiceDB, can enhance Kubernetes RBAC. Attendees will gain practical knowledge on using relationship-based access control for Kubernetes admission and application-level permissions—perfect for anyone managing complex Kubernetes environments.
Enabling Automatic Authorization in Envoy Through Live Traffic Inspection
Presented by Dom DeLanaco, this talk explores how Envoy and tools like Pixie can be used for automatic authorization by inspecting live traffic. If you’re interested in automating API gateway policies or using real-time data to adjust permissions, this session will offer actionable insights.
Lightning Talks: Open Policy Agent and OpenFGA
These quick, focused talks will cover recent updates, including OPA’s milestone 1.0 release and OpenFGA’s new features. Perfect for developers and decision-makers looking to stay current with cutting-edge policy engine capabilities, these talks promise rapid-fire insights that can inform your next steps in authorization projects.
Open Policy Agent Version 1.0 Deep Dive
Led by Charlie Egan, Developer Advocate at Styra, this talk will delve into what’s new in OPA’s long-awaited 1.0 release. Attendees will get a closer look at the latest features and improvements, making this a can’t-miss session for anyone using or considering OPA in their policy management.
Policies for AI and AI-Driven Policy
Jimmy Ray will discuss the intersection of AI and policy management, especially as it relates to AI-driven Kubernetes policies. This talk will be valuable for those tracking how AI can enhance policy administration and those curious about policy needs for AI workloads.
Extending the Gateway API: Challenges and Opportunities with Policies
Kate Osborne from NGINX will lead this talk on the evolving Gateway API, focusing on the unique policy challenges and opportunities it presents. Attendees interested in extending API functionality and addressing policy challenges in gateways like NGINX will find this session particularly useful.
See You at KubeCon!
With KubeCon in Salt Lake City just around the corner, we’re looking forward to seeing you there! Whether you’re interested in diving into advanced policy engines, exploring Kubernetes innovations, or finding out how fine-grained authorization is transforming cloud-native security, this event promises to be packed with valuable insights and connections.
We hope this guide helps you make the most of KubeCon—whether you’re planning to stop by our booth for a chat, catch some of the recommended talks, or explore our favorite booths. If you’re attending in person, we’d love to meet you at Booth Q60 to talk about fine-grained permissions and hear about your journey in authorization. See you there!
Written by
Gabriel L. Manor
Full-Stack Software Technical Leader | Security, JavaScript, DevRel, OPA | Writer and Public Speaker