Otterize is an intent-based access control tool for Kubernetes that lets application teams declare which services their workload needs to reach, then automatically compiles those declarations into NetworkPolicies, Istio authorization policies, Linkerd server authorizations, database grants, AWS IAM roles, and Kafka ACLs.
The core abstraction is a ClientIntents custom resource. A developer lists the targets their service talks to — another Kubernetes service, a Postgres database, an S3 bucket, a Kafka topic — and Otterize’s operator translates that into the right low-level policy for each target. A companion Network Mapper watches live traffic in the cluster (via eBPF or Kubernetes service telemetry) and can produce ClientIntents automatically from observed communication, which means you can roll out zero-trust network policies by generating them from reality instead of hand-writing YAML and hoping you covered everything. Otterize can also provision short-lived mTLS credentials via SPIRE for workloads that need identity-based auth rather than network-based.
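The flow from observed traffic to intents to network policy can be sketched as below. This is an added example, a simplified model and not Otterize's code or its actual output; the workload names, the `app` pod label and the assumption that client and server share a namespace are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of observed flows (client, server, namespace); not real mapper output.
OBSERVED_FLOWS = [
    ("checkout", "payments", "shop"),
    ("checkout", "inventory", "shop"),
    ("frontend", "checkout", "shop"),
    ("checkout", "payments", "shop"),  # duplicate observation
]

def intents_from_flows(flows):
    """Collapse observed flows into one intent per client: {(ns, client): sorted targets}."""
    intents = defaultdict(set)
    for client, server, ns in flows:
        intents[(ns, client)].add(server)
    return {k: sorted(v) for k, v in intents.items()}

def network_policies(intents, label_key="app"):
    """Compile intents into one ingress NetworkPolicy per target workload."""
    callers = defaultdict(set)
    for (ns, client), targets in intents.items():
        for target in targets:
            callers[(ns, target)].add(client)
    policies = []
    for (ns, target), clients in sorted(callers.items()):
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-to-{target}", "namespace": ns},
            "spec": {
                # Assumption: workloads carry an `app` label equal to their name.
                "podSelector": {"matchLabels": {label_key: target}},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": [
                    {"podSelector": {"matchLabels": {label_key: c}}}
                    for c in sorted(clients)
                ]}],
            },
        })
    return policies

def undeclared(flows, intents):
    """Flows that no intent covers; these are what enforcement would start dropping."""
    return sorted({(c, s, ns) for c, s, ns in flows if s not in intents.get((ns, c), [])})

if __name__ == "__main__":
    import json
    declared = intents_from_flows(OBSERVED_FLOWS)
    print(json.dumps(network_policies(declared), indent=2))
    print(undeclared(OBSERVED_FLOWS + [("batch", "payments", "shop")], declared))
```

Intents derived this way only cover traffic seen while observing, so the `undeclared` check is worth running against later flow data before switching a namespace to enforcement.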
Otterize is open source under the Apache-2.0 license, with a commercial cloud management plane on top. In the zero-trust Kubernetes space it overlaps with Cilium Network Policies, Calico, Tetragon, Istio AuthorizationPolicy, and Kyverno. Otterize’s niche is the intent-based authoring model and the automatic cross-plane translation, so the same declaration produces network, mesh, database, and IAM policies in one pass.