Skip to main content

Implement Casbin sidecar pattern

· 5 min read
Serhii Hrekov
Serhii Hrekov
software engineer, creator, artist, programmer, projects founder

1. The Casbin Sidecar Pattern

A sidecar is a helper container that runs alongside your main application container (the Flask app) inside the same Kubernetes Pod [4]. The sidecar, in this case, is the Envoy Proxy, which intercepts all incoming and outgoing traffic for your Flask application.

The authorization logic itself is performed by a dedicated service (often a small Go or Python service) that implements the Envoy ExtAuthz API, which we'll call the Casbin Authorization Service [3].

How it Works (The Authorization Path)

  1. Client $\rightarrow$ Envoy (Sidecar): An incoming HTTP request hits the Envoy sidecar before it can reach the Flask app.
  2. Envoy $\rightarrow$ Casbin Auth Service (ExtAuthz): Envoy halts the request and sends an authorization query (containing the user ID, path, and method) to the dedicated Casbin service.
  3. Casbin Service $\rightarrow$ Decision: The Casbin service runs the enforcer.enforce(sub, obj, act) check against the policy loaded from a store (like Firestore).
  4. Envoy $\rightarrow$ Flask App:
    • If Allowed (200 OK): Envoy forwards the request to your Flask application.
    • If Denied (403 Forbidden): Envoy immediately rejects the request, and the Flask app never sees it.

2. Sidecar vs. Flask Middleware

The sidecar pattern solves the limitations inherent in using internal Flask middleware for authorization.

AspectFlask Middleware (Internal)Envoy Sidecar (External)
Zero TrustFails Zero Trust; authorization is run after the request enters the application environment.Succeeds Zero Trust; authorization is enforced at the network boundary (the Pod), protecting the application.
LanguageTied to Python; only protects Flask endpoints.Language-Agnostic; protects any microservice in the Pod (Flask, Node.js, etc.) with the same logic.
PerformanceAuthorization check consumes Python/Flask CPU time.High Performance; check runs in the highly efficient Envoy proxy and is often written in Go, preserving Flask resources.
DecouplingAuthorization code must be maintained within the Flask codebase.Complete Decoupling; the security team maintains the Casbin service, and the Flask team focuses on business logic.

3. Implementation in a GCP Environment

In your GCP environment (using GKE or Cloud Run), deploying Casbin as an ExtAuthz sidecar is the most robust option:

A. The Envoy Component

You configure your Kubernetes manifest or Istio/Service Mesh configuration (if used) to inject the Envoy sidecar. This configuration includes an ext_authz filter that points to the internal gRPC endpoint of your Casbin service [1].

B. The Casbin Component (The Service)

You create a small microservice (often using Go for performance, but Python/FastAPI works too) that:

  1. Implements the gRPC ExtAuthz API: This is the contract Envoy uses for communication.
  2. Runs the Casbin Enforcer: It loads the policy from Firestore (using an appropriate adapter) upon startup.
  3. Makes the Decision: It performs the enforce check using the headers and path provided by Envoy.

By using the sidecar pattern, you achieve the security benefits of an API Gateway while keeping the authorization logic localized to the specific service pod, maximizing performance and resilience.

Sources

  1. Envoy Documentation - External Authorization
  2. Casbin Documentation - Authorization of Service Mesh through Envoy
  3. GitHub - casbin/envoy-authz
  4. Kubernetes Documentation - Sidecar Containers