Dapr provides a strong security foundation for building and operating distributed applications by following the principle of "Secure by Default."
1. mTLS Between Dapr Sidecars
Dapr automatically enables mutual TLS (mTLS) to encrypt communication between sidecars. It uses the SPIFFE/SPIRE standard for workload identity, ensuring services are authenticated and authorized before they exchange data.
2. Certificate Management
Dapr manages certificates through a built-in certificate authority (CA) or can integrate with external CAs. It rotates certificates automatically, minimizing operational overhead and security risks.
3. Access Control (ACLs)
Developers can define Access Control Policies to control which apps can call which Dapr APIs. These are defined declaratively via YAML configuration, enabling fine-grained access restrictions.
4. API Authentication
Dapr APIs (including the HTTP/gRPC endpoints) can be secured with API tokens or external authentication providers. This restricts unauthorized access to Dapr’s control plane and sidecar APIs.
5. Component Scoping and Secrets
6. App Identity and Trust
Each Dapr app has a unique identity issued via SPIFFE. This identity is used across the runtime to enforce security boundaries and traceability.
In short, Dapr simplifies secure service-to-service communication, enforces identity-based trust, and integrates well with enterprise-grade secret and policy systems—making secure cloud-native development easier.
More...
1. mTLS Between Dapr Sidecars
Dapr automatically enables mutual TLS (mTLS) to encrypt communication between sidecars. It uses the SPIFFE/SPIRE standard for workload identity, ensuring services are authenticated and authorized before they exchange data.
2. Certificate Management
Dapr manages certificates through a built-in certificate authority (CA) or can integrate with external CAs. It rotates certificates automatically, minimizing operational overhead and security risks.
3. Access Control (ACLs)
Developers can define Access Control Policies to control which apps can call which Dapr APIs. These are defined declaratively via YAML configuration, enabling fine-grained access restrictions.
4. API Authentication
Dapr APIs (including the HTTP/gRPC endpoints) can be secured with API tokens or external authentication providers. This restricts unauthorized access to Dapr’s control plane and sidecar APIs.
5. Component Scoping and Secrets
- Secrets Management: Dapr integrates with secret stores (like Azure Key Vault, HashiCorp Vault) to retrieve secrets securely.
- Component Scoping: Limits visibility of components (e.g., state stores, bindings) to specific apps to avoid unintentional cross-access.
6. App Identity and Trust
Each Dapr app has a unique identity issued via SPIFFE. This identity is used across the runtime to enforce security boundaries and traceability.
In short, Dapr simplifies secure service-to-service communication, enforces identity-based trust, and integrates well with enterprise-grade secret and policy systems—making secure cloud-native development easier.
More...