Episode 151.875 - GluuFederation/identerati-office-hours GitHub Wiki

KubeCon Live: Taming Kubernetes Access Control

Channels

Description

Have you ever struggled writing least-privilege access control policies for Kubernetes? Are you concerned about the wide permissions of installed Helm charts? Do you manage to regularly audit who has access to sensitive resources? We'll discuss how to right-size your RBAC rules semi-automatically, audit who can access sensitive resources, and check whether policy refactors are correct. What is the Kubernetes Conditional Authorization feature? What is Dynamic Resource Allocation?

Join us for a practical, high-signal discussion, live from KubeCon, to follow up on Lukas and Micah's 2025 KubeCon session.

Session

Takeaways

  • ⚡ Partial analysis in Cedar is helpful because it can prevent a denial-of-service attack where the payload is large. It's sort of like database index optimization. For example, before the Rust Cedar engine processes a large entity, it checks the metadata conditions first to make sure they all pass; there is no point parsing the large object until it is clearly necessary.
  • ⚡ Kubernetes first supported RBAC, which is useful, but can be limited. For example, you can't make policies about the content of the request, only its metadata.
  • ⚡ Kubernetes is exposing more features that will make Cedar more useful, like "Conditional Access" and "Dynamic Resource Allocation".
  • ⚡ Platform engineers can use multiple policy engines for Kubernetes, including CEL, OPA, Cedar and probably OpenFGA.
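
To make the RBAC limitation in the second takeaway concrete, here is an added illustration (not from the session or the project): an RBAC Role can only say which verbs a subject may use on which resources in which namespace, while a CEL-based ValidatingAdmissionPolicy (one of the engines listed above) can inspect the content of the request. The namespace `team-a`, the policy name and the "no privileged containers" rule are assumptions chosen for the example.

```yaml
# Added example, not from the original page. RBAC sees only request metadata:
# who, which verb, which resource, which namespace. It cannot express
# "only if the Deployment has no privileged containers".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-editor          # assumed name
  namespace: team-a                # assumed namespace
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch"]
---
# A CEL ValidatingAdmissionPolicy evaluates the request body itself,
# so it can enforce a rule RBAC cannot express. (admissionregistration.k8s.io/v1
# is GA as of Kubernetes 1.30.)
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged-containers   # assumed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    - expression: >-
        object.spec.template.spec.containers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          !c.securityContext.privileged)
      message: "privileged containers are not allowed"
---
# The binding scopes the policy to the same namespace the Role grants access to.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-containers-team-a   # assumed name
spec:
  policyName: deny-privileged-containers
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: team-a
```

Apply with `kubectl apply -f` and a `create deployments` request from a subject bound to the Role still passes RBAC, but is rejected by the admission policy when any container sets `securityContext.privileged: true`. Setting `failurePolicy: Fail` keeps the content check fail-closed if the policy cannot be evaluated.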

Livestream Audio Archive

here