Talk presented at Cloud Native Rejekts in Chicago: https://cloud-native.rejekts.io
Location: TeamWorking by TechNexus, Chicago
Code is available on GitHub: https://github.com/luxas/kube-rebac-authorizer
Youtube: https://www.youtube.com/live/tWWBzsZLrIw?t=396
Abstract as follows:
The Kubernetes API server is a declarative, uniform and extensible REST API server capable of storing a diverse set of APIs for infrastructure control. API objects tend to contain parent-child and sibling relations such as “ReplicaSet owns Pod refers to Node”. However, with this graph-based structure, access control and multi-tenancy become a real challenge. The default RBAC authorizer is best for resource-scoped authorization (“allow listing all Pods”), not fine-grained authorization (“allow listing Pods of these Deployments”).
OpenFGA is a Relationship-Based Access Control (ReBAC) engine inspired by Google Zanzibar and a CNCF sandbox project. ReBAC is a superset of RBAC, and empowers administrators to configure authorization in an object-scoped manner with minimal configuration sprawl.
A Kubernetes contributor and a OpenFGA maintainer will demo an open-source implementation of a Kubernetes authorizer and controller that configures and queries OpenFGA for authorization decisions.
In today’s world, security requirements grow ever-more more demanding and important. Kubernetes Role-Based Access Control (RBAC) is a critical piece of the security in the Kubernetes cluster, e.g. guarding all (unencrypted) Secret API objects from being accessed by unauthorized parties. RBAC is inherently best used for collection-scoped rules, as if object-scoped rules are wanted, all the API object names need to be hard-coded into the rule; which effectively creates a lot of “rule sprawl”.
It is not possible to force a user to list or watch a strict subset of the API objects of a given kind in a namespace; it is all of the objects in the namespace or none. It is thus a pain point, almost impossible, to configure authorization for Kubernetes operator to only list/watch a subset of resources (the resources it manages).
Kubernetes has actually implemented object-scoped authorization as a special case, the Node authorizer, which enforces that a kubelet can only access Secrets, ConfigMaps, etc. that are bound to a workload running on that given node. However, this implementation is hard-coded (written in Go) in the API server, not a generic implementation for which many other controllers and users would benefit.
Thus, we are demonstrating a Proof-of-Concept implementation as a generic alternative for this problem, using the OpenFGA engine.
This talk would highlight improvement suggestions for both Kubernetes and OpenFGA for increased security and increased administrator awareness.