The DAS Kuma system type helps you manage the ingress and egress network traffic permitted within your OPA-integrated Kuma Service Mesh. For example, permit egress traffic only to a predefined collection of endpoints, to minimize the risk of data exfiltration, and implement microservice API authorization.
Figure 1: Kuma Architecture for Ingress traffic
Figure 2: Kuma Architecture for Egress traffic
For more information on how Envoy’s external authorization filter in Kuma can be used with OPA as an authorization service to enforce security policies over API requests received by Kuma, see the Kuma tutorial