Cedar for Kubernetes


Micah Hausler

Oct 30, 2024, 4:26:57 PM 10/30/24
to kubernetes-sig-auth
Hey SIG Auth friends,

I mentioned in last week's SIG Auth that I'd been working on similar problems as Mo's demo with RBAC conditions, and signed up to show off a demo for next week.

Today, we open sourced the work in this area, integrating Cedar into Kubernetes. https://github.com/awslabs/cedar-access-control-for-k8s

Cedar is an open source policy language and evaluation engine by AWS for defining permissions as policies, and is also a specification for evaluating those policies. The policy structure is designed to be indexed for quick retrieval and to support fast and scalable real-time evaluation, with bounded latency. Cedar is also designed for analysis using Automated Reasoning, so you can prove that validated policies will not error.

This project essentially converts SubjectAccessReviews and AdmissionRequests into structures Cedar can evaluate policies against.

For an idea of what this can enable, read the blog post https://www.cedarpolicy.com/blog/cedar-for-kubernetes

There are some limitations to be aware of, and some changes I'd love to talk about making in Kubernetes to help solve some of these limitations.

If you have 5 minutes to spin it up and try it out, I'd love any feedback you might have.

Micah Hausler
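As an added illustration of the SubjectAccessReview-to-Cedar mapping the post describes (this is example policy text written for this page, not code from the post or from the awslabs project), here is what authorization policies over a converted SubjectAccessReview might look like. The entity type names `k8s::User`, `k8s::Group` and `k8s::Resource`, the action namespace `k8s::Action`, and the placement of `spec.resourceAttributes` fields as attributes on the resource entity are all assumptions made for this example; the project's published schema may differ. The SubjectAccessReview field names themselves (`user`, `groups`, `verb`, `group`, `resource`, `subresource`, `namespace`, `name`) are the standard Kubernetes ones.

```cedar
// Assumed entity model for this example (not the project's published schema):
//   principal: k8s::User, with each of spec.groups as a parent of type k8s::Group
//   action:    k8s::Action::"<verb>", taken from spec.resourceAttributes.verb
//   resource:  k8s::Resource, with attributes apiGroup, resource, subresource,
//              namespace and name copied from spec.resourceAttributes

// Members of the "viewers" group may read pods in the "web" namespace.
permit (
    principal in k8s::Group::"viewers",
    action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
    resource is k8s::Resource
) when {
    resource.apiGroup == "" &&
    resource.resource == "pods" &&
    resource.namespace == "web"
};

// Nobody outside system:masters may open exec/attach/portforward sessions on pods.
// A forbid always wins over any permit, so this holds even if another policy
// grants "create" on pods broadly.
forbid (
    principal,
    action == k8s::Action::"create",
    resource is k8s::Resource
) when {
    resource.apiGroup == "" &&
    resource.resource == "pods" &&
    resource has subresource &&
    ["exec", "attach", "portforward"].contains(resource.subresource)
} unless {
    principal in k8s::Group::"system:masters"
};
```

Two things worth noting when reading this against a SubjectAccessReview. First, `resource has subresource` guards the attribute access: a review for a plain `create pods` carries no `subresource`, and Cedar's validator will reject a policy that dereferences an attribute the schema marks optional without such a guard, which is the "validated policies will not error" property the post mentions. Second, Cedar's decision rule is that any matching `forbid` overrides every `permit`, so the second policy is a floor that later, broader grants cannot accidentally undo; that is the main expressive gain over RBAC, where every rule is additive.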