
Identity and authorization

Platform Mesh separates authentication, authorization data, and control-plane enforcement across several runtime components.

Use this page to understand the conceptual relationship. Use Reference only for concrete component and resource lookup.

Runtime roles

| Area | Platform Mesh role |
| --- | --- |
| Authentication | Keycloak is the default identity provider used by the local setup. |
| Authorization data | The OpenFGA engine holds one IAM store per organization or account, declared by a Store CR. Each IAM store carries the relationship-based authorization data for that account and its provider-consumer relationships. |
| Enforcement | rebac-authz-webhook participates in kcp authorization decisions. |
| Account lifecycle | Platform Mesh automation wires identity and authorization state as accounts and organizations are created. |

Runtime relationship

Missing or stale authorization data can surface as authorization failures in kcp, the Kubernetes GraphQL gateway, or the portal.

Authorizer chain

Every API request that reaches kcp passes through this chain in order. When a request is denied, the deny comes from one of these stages:

  • Front proxy — terminates TLS and validates the request's identity against the OIDC issuer (Keycloak). A request without a valid token never reaches the authorizers.
  • kcp built-in chain — RBAC, required-groups, workspace-content, and maximal-permission-policy authorizers run in order. Standard Kubernetes RBAC denials happen here.
  • rebac-authz-webhook — the last stage. kcp sends a SubjectAccessReview to the webhook, which translates it into a Check against the consumer account's OpenFGA store and returns allow or deny. This is where Platform Mesh's relationship-based decisions land.

If every stage returns "no opinion", the request is denied by default. The webhook is configured with failurePolicy: NoOpinion, so an unreachable webhook (or OpenFGA) contributes no decision instead of an allow; because it is the last stage and nothing before it allowed the request, the request falls through to the default deny. The chain therefore fails closed.
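The decision flow above, as an added example written for this page (it is not code from kcp, OpenFGA or rebac-authz-webhook). It models the authorizer chain as a list of stages returning Allow, Deny or NoOpinion, an RBAC stand-in that only ever allows or abstains, and a webhook stand-in that translates a trimmed SubjectAccessReview into an OpenFGA-style Check against an in-memory store keyed by account. The verb-to-relation mapping, the `account:<name>` object type, the "owner implies every relation" rewrite and the sample tuples are all assumptions constructed for the example; the project's real translation lives in rebac-authz-webhook and its OpenFGA model.

```go
package main

import (
	"errors"
	"fmt"
)

// Decision is the tri-state answer a kcp authorizer stage can give.
type Decision int

const (
	NoOpinion Decision = iota
	Allow
	Deny
)

func (d Decision) String() string { return [...]string{"NoOpinion", "Allow", "Deny"}[d] }

// SubjectAccessReview keeps only the fields of a Kubernetes SubjectAccessReview
// that the chain below needs (constructed for this example).
type SubjectAccessReview struct {
	User      string
	Groups    []string
	Verb      string
	Resource  string
	Namespace string // treated here as the consumer account the request targets (assumption)
}

// Stage is one authorizer in the chain.
type Stage struct {
	Name string
	Fn   func(SubjectAccessReview) Decision
}

// Chain evaluates stages in order. The first Allow or Deny wins; if every
// stage answers NoOpinion the request is denied by default.
func Chain(sar SubjectAccessReview, stages []Stage) (Decision, string) {
	for _, s := range stages {
		if d := s.Fn(sar); d != NoOpinion {
			return d, s.Name
		}
	}
	return Deny, "default-deny"
}

// rbacRule grants one group a set of verbs on one resource (stand-in for the kcp RBAC stage).
type rbacRule struct {
	Group, Resource string
	Verbs           []string
}

func RBAC(rules []rbacRule) Stage {
	return Stage{Name: "rbac", Fn: func(sar SubjectAccessReview) Decision {
		for _, r := range rules {
			for _, g := range sar.Groups {
				for _, v := range r.Verbs {
					if r.Resource == sar.Resource && g == r.Group && v == sar.Verb {
						return Allow
					}
				}
			}
		}
		return NoOpinion // RBAC never denies; it allows or abstains
	}}
}

// FGAStore is an in-memory stand-in for one account's OpenFGA store: a set of
// (user, relation, object) tuples plus the hypothetical rewrite "owner implies all".
type FGAStore struct{ tuples map[string]bool }

func NewFGAStore(tuples ...[3]string) *FGAStore {
	s := &FGAStore{tuples: map[string]bool{}}
	for _, t := range tuples {
		s.tuples[t[0]+"#"+t[1]+"@"+t[2]] = true
	}
	return s
}

// Check answers an OpenFGA-style Check: does user hold relation on object?
func (s *FGAStore) Check(user, relation, object string) bool {
	return s.tuples[user+"#"+relation+"@"+object] || s.tuples[user+"#owner@"+object]
}

// verbToRelation is the hypothetical Kubernetes verb -> OpenFGA relation mapping used here.
var verbToRelation = map[string]string{
	"get": "get", "list": "get", "watch": "get",
	"create": "create", "update": "update", "patch": "update", "delete": "delete",
}

var ErrWebhookUnreachable = errors.New("rebac-authz-webhook unreachable")

// Webhook is the last stage. A nil stores map simulates an unreachable webhook;
// with failurePolicy NoOpinion that yields NoOpinion, never Allow, so Chain's default deny applies.
func Webhook(stores map[string]*FGAStore) Stage {
	return Stage{Name: "rebac-authz-webhook", Fn: func(sar SubjectAccessReview) Decision {
		d, err := fgaCheck(stores, sar)
		if err != nil {
			return NoOpinion // failurePolicy: NoOpinion
		}
		return d
	}}
}

func fgaCheck(stores map[string]*FGAStore, sar SubjectAccessReview) (Decision, error) {
	if stores == nil {
		return NoOpinion, ErrWebhookUnreachable
	}
	rel, ok := verbToRelation[sar.Verb]
	if !ok {
		return NoOpinion, nil // no relation models this verb
	}
	store, ok := stores[sar.Namespace]
	if !ok {
		return NoOpinion, nil // missing store: ends as an authorization failure via default deny
	}
	if store.Check("user:"+sar.User, rel, "account:"+sar.Namespace) { // object type is an assumption
		return Allow, nil
	}
	return Deny, nil
}

// Evaluate runs a request through the chain with constructed sample data.
// webhookUp=false simulates the webhook being unreachable.
func Evaluate(user string, groups []string, verb, account string, webhookUp bool) (Decision, string) {
	rules := []rbacRule{{Group: "platform-admins", Resource: "accounts", Verbs: []string{"get", "list"}}}
	var stores map[string]*FGAStore
	if webhookUp {
		stores = map[string]*FGAStore{"acme": NewFGAStore(
			[3]string{"user:alice", "owner", "account:acme"}, // sample tuples, constructed
			[3]string{"user:bob", "get", "account:acme"},
		)}
	}
	sar := SubjectAccessReview{User: user, Groups: groups, Verb: verb, Resource: "accounts", Namespace: account}
	return Chain(sar, []Stage{RBAC(rules), Webhook(stores)})
}

func main() {
	for _, c := range []struct {
		user  string
		grp   []string
		verb  string
		up    bool
	}{
		{"carol", []string{"platform-admins"}, "get", true},
		{"bob", nil, "delete", true},
		{"alice", nil, "update", true},
		{"alice", nil, "update", false},
	} {
		d, by := Evaluate(c.user, c.grp, c.verb, "acme", c.up)
		fmt.Printf("%-6s %-6s webhookUp=%-5v -> %-9s by %s\n", c.user, c.verb, c.up, d, by)
	}
}
```

The last case is the one worth checking in a real deployment: take the webhook down and confirm that a request only a relationship tuple would permit is denied at the end of the chain, not allowed. If it is allowed, either the failure policy or the chain order is not what this page describes.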

For the actual AuthorizationConfiguration YAML, the webhook deployment args, and per-workspace OIDC, see Identity and authorization reference.


Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.