Session
Zero-Code Service Authorization on Kubernetes: Keycloak Decisions Enforced with Istio Ambient
Modern Kubernetes environments require consistent service-to-service authorization without pushing policy logic into application code. In this session, we demonstrate a zero-code authorization model that centralizes policy decisions in Keycloak and enforces them transparently at the service mesh layer.
Using Istio Ambient Mode and waypoint proxies, we implement a WebAssembly-based Policy Enforcement Point (PEP) that evaluates each HTTP request at L7. Applications remain unchanged while authorization is handled entirely at the platform layer.
We also show how to make authorization observable by combining standard mesh telemetry (L4/L7) with domain-specific authorization signals exported through OpenTelemetry to an in-cluster Collector. The session includes a live demonstration of this architecture running on Kubernetes and discusses practical trade-offs such as decision latency and future optimization paths.