All About Cedar, an Open Source Solution for Fine-Tuning Kubernetes Authorization


The New Stack (1 week ago). Updated 1 week ago.


Since 2017, when the feature went into general availability, Kubernetes has employed role-based access control, or RBAC, to determine who gets authorized to use it. But eight years is a long, long time in technology. And RBAC has its limits in Kubernetes, said Micah Hausler, a principal engineer at Amazon Web Services, in this episode of The New Stack Makers.

“While it works very well, it’s very simple. It’s allow only,” Hausler told me, in this On the Road episode of Makers, recorded at KubeCon + CloudNativeCon North America, in Atlanta. “I can’t forbid you from doing something. I cannot do any conditions. I can’t say, ‘you can touch this thing if this thing is true, if this condition is true.’ And it also doesn’t work on attributes.”

Cedar, an authorization engine and policy language initially released by AWS in 2022, and open sourced the following year, wasn’t initially developed for Kubernetes, Hausler said. Instead, he said, it was meant “really to solve problems that both teams at Amazon were having, but also problems that customers were having. Problems around, how do I authorize requests? How do I do that and make sure that it’s fast, that it’s safe, that it’s performant?”

As an engineer on the Kubernetes team at AWS, Hausler was introduced to Cedar through his search for a better authorization language in K8s. Over time, he said, the in-house project maintainers realized that Cedar “works surprisingly well to model all of what we can do in Kubernetes, in a concise and readable policy language.”

When introduced to the project, Hausler said, he “geeked out” over its readability. Everyone working in technology, he said, “has nontechnical, family, friends, whatever. And you might try to explain what you’re working on to your family and friends and say, ‘Oh, this is what I’m doing.’ And a lot of times it might go over their head, their eyes might glaze over.” But “when I can actually show them a Cedar policy and say, here’s the text of this code that I’m working on, what do you think it does? And they can actually, as a nontechnical person, read it and understand it.”

Rust, Go and Beyond

Authorization in Kubernetes, Hausler noted, is “very constrained on purpose. It attempts to be fast, and it is, but it also makes some tradeoffs with that speed in terms of not letting users be as expressive. I can’t deny things. I can’t do attribute-based type access controls.” Cedar, by contrast, “gives us not only those features that Kubernetes is missing, but has some really nice user-facing features on top. All your policies can be validated against a schema.”

Another feature included in Cedar, Hausler said: code autocomplete, when writing a policy. “I can also be assured, because Cedar is formally verified, that my policies are correct, they won’t error out. I can’t have an unsatisfiable policy. It’s going to either produce, allow or deny.”

Cedar, currently onboarding to the Cloud Native Computing Foundation sandbox, is being used by other companies, such as Cloudflare and MongoDB. “If you’re using MongoDB and managing databases, you’re actually writing Cedar policies to govern the access to your MongoDB,” Hausler noted.

The project, written in Rust, is designed to be language-agnostic. StrongDM, a contributor to the project, wrote an implementation in Go that has been donated to Cedar, Hausler said. Cedar, he said, is currently seeking contributors and maintainers, especially those who can build other language bindings.

“To build a whole ecosystem, you kind of need to gain all the benefits of Cedar,” he said. “Not everyone writes everything in Rust or Go. There’s a whole ecosystem out there, and in TypeScript, JavaScript, Python, that I think could benefit from this as well.”

Check out the full episode to learn more about Cedar’s background, how AWS made the decision to make it open source, and the increasing role agentic AI will play in Kubernetes.

The post All About Cedar, an Open Source Solution for Fine-Tuning Kubernetes Authorization appeared first on The New Stack.
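To make concrete the three things Hausler says RBAC cannot express (a forbid, a condition, and a decision based on attributes), here is an added illustration written for this page; it is not taken from the article or from the Cedar project's own examples, and the `k8s::` entity types, action names and the `namespace` attribute are assumed schema names, not necessarily those of any real Kubernetes integration.

```cedar
// Assumed schema: principals are k8s::User / k8s::Group entities,
// actions are k8s::Action entities named after API verbs, and a
// k8s::Resource entity carries a `namespace` string attribute.

// Attribute-based permit with a condition: members of the
// "developers" group may read resources, but only in namespaces
// whose name starts with "dev-". Plain RBAC would need one Role
// plus one RoleBinding per namespace to approximate this.
permit (
  principal in k8s::Group::"developers",
  action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
  resource is k8s::Resource
) when {
  resource has namespace && resource.namespace like "dev-*"
};

// Explicit deny: nobody may delete anything in kube-system, regardless
// of any permit above. Cedar evaluates forbid before permit, so this
// cannot be overridden by adding a broader permit elsewhere.
forbid (
  principal,
  action in [k8s::Action::"delete", k8s::Action::"deletecollection"],
  resource is k8s::Resource
) when {
  resource has namespace && resource.namespace == "kube-system"
};
```

Because every Cedar policy must be either a `permit` or a `forbid` and every evaluation ends in allow or deny, a policy set like this can be checked against its schema before it is deployed, which is the validation and "no unsatisfiable policy" property described above.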

Source: This article was originally published on The New Stack

