All About Cedar, An Open Source Solution For Fine-tuning Kubernetes Authorization


Since 2017, when the feature went into general availability, Kubernetes has employed role-based access control, or RBAC, to determine who gets authorized to use it.

But eight years is a long, long time in technology. And RBAC has its limits in Kubernetes, said Micah Hausler, a principal engineer at Amazon Web Services, in this episode of The New Stack Makers.

“While it works very well, it’s very simple. It’s allow only,” Hausler told me, in this On the Road episode of Makers, recorded at KubeCon + CloudNativeCon North America, in Atlanta.

“I can’t forbid you from doing something. I cannot do any conditions. I can’t say, ‘you can touch this thing if this thing is true, if this condition is true.’ And it also doesn’t work on attributes.”

Cedar, an authorization engine and policy language initially released by AWS in 2022, and open sourced the following year, wasn’t initially developed for Kubernetes, Hausler said. Instead, he said, it was meant “really to solve problems that some teams at Amazon were having, but also problems that customers were having. Problems around, how do I authorize requests? How do I do that and make sure that it’s fast, that it’s safe, that it’s performant?”

As an engineer on the Kubernetes team at AWS, Hausler was introduced to Cedar through his search for a better authorization language in K8s.

Over time, he said, the in-house project maintainers realized that Cedar “works amazingly well to model all of what we can do in Kubernetes, in a concise and readable policy language.”

When introduced to the project, Hausler said, he “geeked out” over its readability.

Everyone working in technology, he said, “has nontechnical family, friends, whatever. And you might try to explain what you’re working on to your family and friends and say, ‘Oh, this is what I’m doing.’ And a lot of times it might go over their head, their eyes might glaze over.”

But “when I can actually show them a Cedar policy and say, here’s the text of this code that I’m working on, what do you think it does? And they can actually, as a nontechnical person, read it and understand it.”

Rust, Go and Beyond

Authorization in Kubernetes, Hausler noted, is “very constrained on purpose. It attempts to be fast, and it is, but it also makes some tradeoffs with that speed in terms of not letting users be as expressive. I can’t deny things. I can’t do attribute-based type access controls.”

Cedar, by contrast, “gives us not only those features that Kubernetes is missing, but has some really nice user-facing features on top. All your policies can be validated against a schema.”

Another feature included in Cedar, Hausler said: code autocomplete, when writing a policy. “I can also be confident, because Cedar is formally verified, that my policies are correct, they won’t error out. I can’t have an unsatisfiable policy. It’s going to either produce allow or deny.”
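To make the contrast concrete, here is an added example (not from the interview, and not a policy taken from the Cedar project or its Kubernetes integration) of what the three things Hausler says RBAC cannot express look like in Cedar policy syntax: a condition on attributes, and an explicit forbid. The `k8s::` entity types, the action names and the `resource.namespace`, `resource.resource` and `principal.team` attributes are assumed names for an illustrative Kubernetes schema; in a real deployment they must match the schema the policies are validated against.

```cedar
// Added example. Entity types, actions and attribute names (k8s::Group,
// k8s::Action, resource.resource, resource.namespace, principal.team) are
// assumed for illustration, not the project's verified schema.

// A condition on attributes. RBAC can only grant "may get pods" as a whole;
// this permit grants read-only access to pods and only in the namespace whose
// name matches the calling user's team attribute.
permit (
    principal in k8s::Group::"developers",
    action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
    resource is k8s::Resource
) when {
    resource.resource == "pods" &&
    resource has namespace &&
    principal has team &&
    resource.namespace == principal.team
};

// An explicit deny, which RBAC has no way to state. Cedar evaluates forbid
// policies ahead of permit policies: if any forbid matches, the decision is
// Deny regardless of how many permits also match. With no matching policy at
// all the default decision is also Deny, so the outcome is always exactly
// Allow or Deny, as the interview describes.
forbid (
    principal,
    action == k8s::Action::"get",
    resource is k8s::Resource
) when {
    resource.resource == "secrets"
} unless {
    principal in k8s::Group::"platform-admins"
};
```

Because the second policy is a forbid, a platform engineer auditing access can read it alone and know that no other permit in the policy set can reopen Secret reads for non-admins; with RBAC the same question requires examining every RoleBinding and ClusterRoleBinding.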

Cedar, currently onboarding to the Cloud Native Computing Foundation sandbox, is being used by other companies, such as Cloudflare and MongoDB. “If you’re using MongoDB and managing databases, you’re really writing Cedar policies to govern access to your MongoDB,” Hausler noted.

The project, written in Rust, is designed to be language-agnostic. StrongDM, a contributor to the project, wrote an implementation in Go that has been donated to Cedar, Hausler said.

Cedar, he said, is currently seeking contributors and maintainers, especially those who can build other language bindings. “To build a whole ecosystem, you kind of need to gain all the benefits of Cedar,” he said. “Not everyone writes everything in Rust or Go. There’s a whole ecosystem out there, and in TypeScript, JavaScript, Python, that I think could benefit from this as well.”

Check out the full episode to learn more about Cedar’s background, how AWS made the decision to make it open source, and the expanding role agentic AI will play in Kubernetes.
