What's a common way to protect admin api?
# talk-kratos
b
What's a common way to protect admin api?
d
Hello. You can protect them using an ingress controller like nginx/istio/envoy. You have two options: 1. Don't expose them. 2. Add an additional level of security (basic auth, open them only to specific IP ranges).
b
I was thinking more about access from within the network. Say it's running in a k8s pod; then technically anyone who can `exec` into this pod has access to it.
Mainly to prevent misuse, since if someone has access to the pod, then that someone has access to the database anyway.
d
I see what you mean. What cloud provider do you use?
I solved almost the same case a year ago. The idea for increasing security lies in using service accounts with AWS IAM policies. You can set up a CI/CD pipeline for yourself, use a service account within the pipeline, and restrict access for the rest of the team.
b
@damp-sunset-69236 I'm working on an on-prem thing 😞 That could be a VM with docker or a k8s cluster, so I don't know where it's going to run. I have a daemon that gets configuration from my other services and starts Kratos & Hydra. I can probably use that to proxy requests to the Kratos private API listening on a UDS.