
Addressing Kubernetes Authorization with Cedar

Cedar is a human-readable and machine-analyzable policy language designed for modern authorization needs. It addresses the limitations of Kubernetes authorization based on Role-Based Access Control (RBAC) by providing condition operators that allow fine-grained permissions on specific resources.

Recently, Micah Hausler, principal engineer at AWS, elaborated on Cedar’s approach to policy management in a CNCF blog. When scaling Kubernetes deployments in cloud-native environments, organizations face issues managing access control and authorization. In such scenarios, Kubernetes administrators must manage different policy frameworks and tools for the various types of controls. In Q4 2024, Cedar extended its integration with Kubernetes.

Using Cedar, Kubernetes administrators can write authorization and admission policies using the same language and framework. Cedar can be employed at multiple extension points in the Kubernetes API to enforce access controls in Kubernetes.

Source - Cedar: A new approach to policy management for Kubernetes

With label- and attribute-based access controls, Cedar enables fine-grained permissions based on resource labels and attributes, making it possible to express security boundaries that were previously complex to build. Another notable feature is schema generation for Kubernetes built-in types and Custom Resource Definitions, which ensures policies can be validated before creation.

Cedar also provides explicit support for impersonation authorization, which makes it easier for authors to write correct impersonation policies on UIDs, usernames, and groups. As Cedar maintains compatibility with existing RBAC configurations, organizations can gradually adopt Cedar without much disruption to their current security posture.
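As an added illustration of the attribute-based conditions and impersonation support described above (example policies written for this article, not taken from the Cedar for Kubernetes project), the policy set below assumes the project's generated schema exposes a `k8s` namespace with `k8s::User`, `k8s::Group`, `k8s::Resource` and `k8s::Action` entity types, and `apiGroup`, `resource`, `namespace` and `name` attributes; those names, and the `"impersonate"` action, are assumptions to check against the repository's schema.

```cedar
// Added example: assumed k8s schema names, not the project's own policies.

// Members of the "dev-viewers" group may read core-API objects,
// but only inside the "dev" namespace (a condition RBAC cannot express
// without a per-namespace RoleBinding).
permit (
    principal in k8s::Group::"dev-viewers",
    action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
    resource is k8s::Resource
) when {
    resource.apiGroup == "" &&
    resource.namespace == "dev"
};

// A forbid always wins over a permit, so Secrets stay off limits for
// everyone except the "secret-admins" group, even though the permit
// above would otherwise match them.
forbid (
    principal,
    action,
    resource is k8s::Resource
) when {
    resource.apiGroup == "" &&
    resource.resource == "secrets"
} unless {
    principal in k8s::Group::"secret-admins"
};

// Impersonation is authorized explicitly: support engineers may only
// impersonate users whose name ends in "@example.com", never
// arbitrary users, groups or UIDs.
permit (
    principal in k8s::Group::"support-engineers",
    action == k8s::Action::"impersonate",
    resource is k8s::User
) when {
    resource.name like "*@example.com"
};
```

Because the schema is machine-analyzable, a policy that references an attribute not present on `k8s::Resource` (a typo in `namespace`, for instance) is rejected at validation time rather than silently never matching at runtime.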

At KubeCon + CloudNativeCon NA 2024, Gabriel L. Manor, VP of developer relations at Permit.io, moderated a panel discussion - The Policy Engines Showdown. Representing Cedar, Joy Scharmen, senior director of infrastructure engineering at StrongDM, said,

Cedar builds on AWS’s extensive IAM expertise, making it a highly readable and predictable policy language. Its analyzability is a standout feature, ensuring that policies do exactly what they’re supposed to.

The panel also included representatives from other policy engines: OpenFGA, Topaz, and Open Policy Agent (OPA).

There was also an announcement post from Hausler on LinkedIn, which received good engagement from the tech community.

Organizations can start with Cedar using tools in the development environment such as kind. Readers can check out the Cedar for Kubernetes GitHub repository for implementation details or to contribute.
