Back to all videos

All About Cedar, an Open Source Solution for Fine-Tuning Kubernetes Authorization

By The New Stack

Cloud Computing SecurityOpen Source SoftwareKubernetes AuthorizationPolicy Languages
Share:

Key Concepts

  • Cedar: An open-source authorization engine and policy language created by AWS.
  • CNCF Sandbox: A program within the Cloud Native Computing Foundation (CNCF) that hosts promising open-source projects in their early stages.
  • Kubernetes: An open-source system for automating deployment, scaling, and management of containerized applications.
  • RBAC (Role-Based Access Control): The existing authorization mechanism in Kubernetes.
  • Policy Language: A specialized language used to define rules and permissions.
  • Formal Methods: Mathematical techniques used to prove the correctness of software.
  • Lean: A theorem prover used to formally verify Cedar.
  • Language Bindings: Implementations of Cedar in different programming languages.
  • Partial Evaluation: A feature that allows for "maybe" authorization decisions.
  • Agentic AI: Artificial intelligence systems that can act autonomously.
  • Admission Control: A phase in Kubernetes where requests can be modified or rejected.

Cedar: An Open-Source Authorization Engine and Policy Language

Introduction to Cedar

Cedar is an open-source authorization engine and policy language developed by Amazon Web Services (AWS). It was initially released by AWS in 2022 to address authorization challenges faced by both internal Amazon teams and external customers. The primary goal of Cedar is to provide a fast, safe, and performant solution for authorizing requests.

Challenges with Kubernetes Authorization and Cedar's Solution

Kubernetes has historically relied on Role-Based Access Control (RBAC) for authorization since its General Availability (GA) in 2017. While RBAC has served Kubernetes well for eight years, its limitations have become apparent as Kubernetes has grown in usage and complexity.

Limitations of RBAC:

  • Simplicity and "Allow Only": RBAC is primarily an "allow only" system, meaning it's difficult to explicitly deny actions.
  • Lack of Conditions: RBAC does not support conditional authorization. It's not possible to specify that an action can only be taken if a certain condition is met (e.g., "you can touch this thing if this condition is true").
  • Attribute-Based Access Control (ABAC) Limitations: RBAC does not work with attributes. For instance, it cannot authorize an action based on the user's name matching an attribute of the resource (e.g., "you can touch this because it has the same name as your username").

Cedar effectively addresses these limitations by providing a more expressive and flexible authorization model. Although not initially designed for Kubernetes, Cedar has proven to be a strong fit for modeling Kubernetes authorization in a concise and readable policy language.

Use Cases and Prominent Adopters

Cedar is being adopted by various organizations for their authorization needs. Notable users and contributors include:

  • Cloudflare: A major player in web infrastructure and security.
  • MongoDB Atlas: Users managing MongoDB databases write Cedar policies to govern access.
  • AWS Kubernetes Team: Micah Howler, a principal engineer at AWS, is a key user and advocate for Cedar within the Kubernetes team, recognizing its potential to improve Kubernetes authorization.

Benefits and Features of Cedar

Cedar offers several advantages over traditional authorization mechanisms:

  • Expressiveness: Cedar allows for more complex authorization rules, including explicit denials and conditional access.
  • Attribute-Based Access Control: It supports ABAC, enabling authorization based on attributes of users, resources, and actions.
  • User-Facing Features:
    • Schema Validation: Policies can be validated against a schema, providing benefits like code autocomplete for engineers writing policies.
    • Formal Verification: Cedar is formally verified, ensuring policies are correct and will not result in errors or unsatisfiable conditions. It guarantees that a policy will always result in either an "allow" or a "deny."
  • Readability: Cedar policies are designed to be highly readable, even for non-technical stakeholders, making it easier to understand and communicate authorization logic.

Open Sourcing and CNCF Donation

Cedar was developed with the long-term vision of being a solution that customers could use independently of AWS managed services. Recognizing the need for broader adoption and community involvement, AWS open-sourced Cedar from its inception. The project was recently accepted into the CNCF Sandbox, signifying its potential and growing importance in the cloud-native ecosystem.

The decision to open-source was driven by the desire to:

  • Serve Customer Needs: Provide a general-purpose authorization solution for customers.
  • Foster Collaboration: Encourage external contributions and development.
  • Leverage Formal Methods Expertise: The Cedar development team includes individuals with backgrounds in formal methods, ensuring the language's correctness and reliability.

Contributing to Cedar

Cedar is actively seeking contributions from the community. Key areas for contributions include:

  • Language Bindings: While the primary implementation is in Rust, there is a Go implementation developed by StrongDM. Contributions are welcomed for other popular languages like TypeScript, JavaScript, and Python to build a comprehensive ecosystem.
  • General Development: Improving the engine, tooling, and documentation.

Interested individuals can find more information and ways to get involved on the Cedar policy organization's GitHub repositories.

Encouraging Industry Participation in Open Source

Micah Howler suggests that to encourage greater participation in open-source projects, engineers need to effectively demonstrate the business value of their contributions. This involves:

  • Binding Contributions to Business Goals: Showing management how working on an open-source project directly benefits the company or the project itself.
  • Moving Beyond "Fun": While enjoyment is a motivator, proving tangible business outcomes is crucial for securing management buy-in.

Future Roadmap for Cedar

The future roadmap for Cedar includes several exciting developments:

  • Additional Language Bindings: Expanding support for more programming languages.
  • Partial Evaluation: This feature allows for "maybe" authorization decisions, which can be crucial in scenarios where further context is needed before a final allow or deny. This is particularly relevant for complex systems.
  • Agentic AI Integration: Cedar's deterministic nature makes it a valuable tool for securing agentic AI systems. It can provide a reliable authorization layer for autonomous agents making decisions and taking actions.

"Maybe" Authorization and Kubernetes Admission Control

The concept of "maybe" authorization is particularly relevant in the context of Kubernetes. Current Kubernetes authorization mechanisms do not have access to the full request body during the authorization phase. This means an authorizer might not know crucial details like resource labels or fields.

Cedar's "maybe" capability can address this by:

  1. Providing Potential Policies: Cedar can return a set of policies that would apply if certain conditions were met.
  2. Leveraging Admission Control: Kubernetes has a later phase called admission control, which does have access to the full request context.
  3. Resolving "Maybe" to "Yes" or "No": The "maybe" answers from Cedar can be applied to the full context available during admission control, allowing for a definitive "yes" or "no" decision.

This enables policies like "Micah can only touch something that they own," where ownership information might be in the request body, which is not available during the initial authorization.

Hidden Superpowers of Cedar

Micah Howler highlights a significant "hidden superpower" of Cedar: its exceptional readability. He notes that even non-technical individuals can often understand the intent of a Cedar policy when presented with it. This high level of clarity is invaluable for:

  • Communication: Explaining authorization logic to non-technical stakeholders within an organization.
  • Transparency: Making it easier for everyone to understand why certain actions are allowed or denied.

This aligns with a broader trend observed at the conference of bringing more non-technical stakeholders into decision-making processes and fostering understanding of technical operations.

Conclusion

Cedar represents a significant advancement in authorization technology, offering a powerful, flexible, and readable policy language. Its adoption by prominent organizations and its recent move to the CNCF Sandbox underscore its potential to become a foundational component for securing cloud-native applications. The project's focus on formal verification, coupled with its user-friendly design and ongoing development, positions it as a key solution for complex authorization challenges, particularly within dynamic environments like Kubernetes and emerging AI systems.

Chat with this Video

AI-Powered

Hi! I can answer questions about this video "All About Cedar, an Open Source Solution for Fine-Tuning Kubernetes Authorization". What would you like to know?

Chat is based on the transcript of this video and may not be 100% accurate.

Related Videos

Ready to summarize another video?

Summarize YouTube Video