Skip to main content

Reference Architectures

These patterns describe how enterprises typically operationalize authorization with EnforceAuth. Each links to deeper guides — use them in architecture reviews and platform standards.

Pattern 1 — Kubernetes microservices (sidecar PDP)

We recommend this for cloud-native application authorization when each service owns its policy slice.

Git (Rego) → EnforceAuth (build, test, promote) → S3/GCS bundle

Pod: App PEP ─localhost─► OPA/EOPA sidecar ─poll/logs─► EnforceAuth
QuestionGuidance
Why choose itLowest PEP→PDP latency; failure isolated per pod
When to avoidHundreds of ephemeral functions without orchestration overhead budget
Who uses itPlatform teams on EKS/GKE/AKS; product microservices
LatencySub-millisecond localhost hop
Blast radiusOne pod; other replicas continue
Ops complexityMedium — manifests, API keys, staggered bundle polling
Failure behaviorStale bundle until next successful poll; sidecar crash affects one pod

Deployment patterns § Sidecar · Kubernetes Control Center

Pattern 2 — Centralized PDP for polyglot fleets

Typically best suited when many languages share one policy revision and a network hop is acceptable.

Many PEPs (Java, Python, Node, …) ─HTTP─► OPA/EOPA cluster (HA) ─► EnforceAuth logs
QuestionGuidance
Why choose itOne upgrade path, one bundle poll cycle, language-agnostic HTTP
When to avoidStrict sub-ms SLOs or air-gapped per-service isolation requirements
Who uses itEnterprises with diverse stacks and platform SRE ownership
LatencyOne network round trip per decision
Blast radiusFleet-wide if the PDP pool is down — plan HA and health checks
Ops complexityHigher — scaling, mTLS, capacity planning
Failure behaviorAll callers denied until recovery unless you cache last-known decisions in PEP

Deployment patterns § Centralized

Pattern 3 — Regulated workloads (EOPA + masking)

Consider this when decision logs must not carry raw PII outside your network.

Same control plane as Patterns 1–2, with EOPA masking at the PDP before decision_logs ship
QuestionGuidance
Why choose itNative decision_logs.mask at evaluation time
When to avoidGreenfield teams with no masking mandate — start with OSS OPA
Who uses itHealthcare, financial services, data-residency-sensitive tenants
LatencySame as chosen deployment pattern
Blast radiusSame as chosen deployment pattern
Ops complexityAdd mask path maintenance and regression tests
Failure behaviorMasking misconfiguration can block log shipping — test in lower environments

OPA vs EOPA · PDP integration § EOPA

Pattern 4 — AI agents and MCP tool governance

Use when autonomous agents call enterprise MCP tools (filesystems, APIs, databases) and you need policy + audit at the tool boundary.

Agent ─MCP─► MCP Authorization Gateway (PEP) ─► OPA ─► EnforceAuth bundle + decision logs

EnforceAuth documents this as the MCP Authorization Gateway pattern. Our reference implementation and baseline starting point is PortcullisMCP from PAC.Labs — Gate, Keep, and Guard components with allow / deny / escalate semantics.

MCP Authorization Gateway · AI workload guardrails

Pattern 5 — Cluster admission (platform governance)

Separate from app authz — gates Kubernetes resource shape at admission time.

Kubernetes Control Center § Cluster admission

Choosing a pattern

Your primary workloadStart here
Kubernetes microservicesPattern 1
VMs / bare metalHost agent
Polyglot HTTP callersPattern 2
HIPAA / PCI decision-log rulesPattern 3
AI agents + MCP toolsPattern 4
Platform security baselinePattern 5

Next