
Usable Access Control in Cloud Management Systems


Master of Science (Technology) thesis presentation at Aalto University

The thesis will be published at https://github.com/luxas/research

Presentation date: May 22, 2025


Lucas Käldström

May 22, 2025


Transcript

  1. Outline
     Project context: find gaps in, and improve the usability of, Kubernetes access control.
     Evaluated tools: relation-based access control with SpiceDB; analyzable access control with Cedar Policy.
     Contributions: Kubernetes access control improvements implemented with Cedar. (@luxas.dev)
  2. Kubernetes: production-grade container orchestrator
     Released as open source by Google in 2014, donated to Kubernetes. (References published 2013 and 2015.)
  3. Kubernetes: control plane framework and control plane for workload orchestration
     Two layers (diagram): a generic control plane framework, whose project target is any software system, and container orchestration, whose targets are container workloads, SDN, etc.
  4. Kubernetes: control plane framework and control plane for workload orchestration
     Same diagram, highlighting only the generic control plane framework and its target: any software system.
  5. Kubernetes: control plane framework and control plane for workload orchestration
     A declarative, uniform, extensible API server backed by a database (diagram): clients write the desired state; each controlled system reads the desired state, acts, and writes back the actual state.
  6. Anatomy of a uniform and extensible API server
     Example object:
       apiVersion: gateway.networking.k8s.io/v1
       kind: Gateway
       metadata:
         name: my-route
         labels:
           owner: lucas
       spec:
         gatewayClassName: test-gateway
         addresses:
         - value: 1.2.3.4
       status:
         conditions:
         - type: Ready
     Type metadata (apiVersion, kind) is always encoded; object metadata is uniform for all objects; the user declares the desired state (spec) and the system updates the actual state (status).
  7. Anatomy of a uniform and extensible API server
     Same type metadata (kind: Gateway*) and object metadata (name: my-route, labels: …). The REST paths are:
       list, watch, create, deletecollection: /apis/<group>/<version>/<resource>**
       get, update, patch, delete: /apis/<group>/<version>/<resource>/<name>**
     * resource != kind, but almost; simplified here.
     ** Plus namespace scoping if namespaced. (@luxas.dev)
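As an added example (not code from the deck, the thesis or Kubernetes itself), the following Go program maps an HTTP method and URL onto the verb and resource coordinates the slide lists. The RequestInfo struct, the treatment of the legacy /api/v1 group, the namespace-scoping rule and the subresource field are this example's own simplifications of what the real k8s.io/apiserver request-info resolver does.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RequestInfo is a cut-down version of the attributes the API server derives
// from the URL and HTTP method before authorization runs. The real type lives
// in k8s.io/apiserver; this struct is defined here for the example.
type RequestInfo struct {
	Verb, APIGroup, Version, Namespace, Resource, Name, Subresource string
}

// ParseRequestInfo maps a method and raw URL to the two path shapes on the slide:
//
//	/apis/<group>/<version>[/namespaces/<ns>]/<resource>        list, watch, create, deletecollection
//	/apis/<group>/<version>[/namespaces/<ns>]/<resource>/<name> get, update, patch, delete
//
// The legacy core group is served under /api/v1 with an empty group name.
// A subresource segment (e.g. .../<name>/status) is recorded but not interpreted.
func ParseRequestInfo(method, rawURL string) (RequestInfo, error) {
	var ri RequestInfo
	u, err := url.Parse(rawURL)
	if err != nil {
		return ri, err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	switch {
	case len(parts) >= 2 && parts[0] == "api":
		ri.Version, parts = parts[1], parts[2:]
	case len(parts) >= 3 && parts[0] == "apis":
		ri.APIGroup, ri.Version, parts = parts[1], parts[2], parts[3:]
	default:
		return ri, fmt.Errorf("not a resource path: %q", u.Path)
	}
	// /namespaces/<ns>/... scopes the request; a bare /namespaces/<ns> names a Namespace object.
	if len(parts) > 2 && parts[0] == "namespaces" {
		ri.Namespace, parts = parts[1], parts[2:]
	}
	if len(parts) == 0 || parts[0] == "" {
		return ri, fmt.Errorf("missing resource in %q", u.Path)
	}
	ri.Resource = parts[0]
	if len(parts) > 1 {
		ri.Name = parts[1]
	}
	if len(parts) > 2 {
		ri.Subresource = parts[2]
	}
	named := ri.Name != ""
	switch method {
	case "GET":
		switch {
		case named:
			ri.Verb = "get"
		case u.Query().Get("watch") == "true":
			ri.Verb = "watch"
		default:
			ri.Verb = "list"
		}
	case "POST":
		if named {
			return ri, fmt.Errorf("create must target a collection, got %q", u.Path)
		}
		ri.Verb = "create"
	case "PUT", "PATCH":
		if !named {
			return ri, fmt.Errorf("%s must target a named object, got %q", method, u.Path)
		}
		ri.Verb = map[string]string{"PUT": "update", "PATCH": "patch"}[method]
	case "DELETE":
		if named {
			ri.Verb = "delete"
		} else {
			ri.Verb = "deletecollection"
		}
	default:
		return ri, fmt.Errorf("unsupported method %q", method)
	}
	return ri, nil
}

func main() {
	for _, c := range [][2]string{
		{"GET", "/apis/gateway.networking.k8s.io/v1/namespaces/default/gateways/my-route"},
		{"GET", "/apis/gateway.networking.k8s.io/v1/gateways?watch=true"},
		{"DELETE", "/api/v1/namespaces/default/pods"},
	} {
		ri, err := ParseRequestInfo(c[0], c[1])
		fmt.Printf("%s %s -> %+v %v\n", c[0], c[1], ri, err)
	}
}
```

The point to notice is that everything the authorizer will later see (verb, group, resource, namespace, name) is fixed by the URL and method alone; nothing in the body contributes, which is what later slides build on.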
  8.–12. Kubernetes RBAC (diagram built up over five slides)
     Subjects are linked to role bindings (RoleBinding admin, RoleBinding deploy-workloads) and role bindings to roles (Role admin, Role deploy-workloads) with the cardinalities shown on the slide (1:1 and *:*); a role binding references exactly one role. A role holds one or more rules (1:*), combined with OR: any matching rule grants access (Rule 1 and Role deploy-workloads omitted for brevity). Within a rule the predicates apiGroup, resource, namespace and name are combined with AND, and each predicate matches a set of objects (Obj 1, Obj 2, Obj 3). The subject-to-role part is labelled "RBAC"; the predicate-over-objects part is labelled "ABAC". (@luxas.dev)
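The evaluation order these slides draw, as an added example written for this page (it is not the deck's code nor the Kubernetes RBAC authorizer): subjects select role bindings, each binding names one role, the role's rules are tried in turn (OR), and inside a rule every predicate list must match (AND) with "*" as a wildcard. The Role/ClusterRole distinction is collapsed into a single name lookup and the sample cluster at the bottom is constructed; both are this example's simplifications.

```go
package main

import "fmt"

// Attributes is what the RBAC authorizer sees: request coordinates and the
// authenticated identity, never the request body.
type Attributes struct {
	User                                     string
	Groups                                   []string
	Verb, APIGroup, Resource, Namespace, Name string
}

// Rule is one entry of a Role's rules: each list holds alternatives (OR inside
// a list), all lists must match (AND across them), and "*" matches anything.
type Rule struct {
	Verbs, APIGroups, Resources []string
	ResourceNames               []string // empty: any name, including unnamed list/create requests
}

// Role carries the rules; Role and ClusterRole are not distinguished here.
type Role struct{ Rules []Rule }

// Subject is a User or Group referenced by a binding.
type Subject struct{ Kind, Name string }

// RoleBinding ties subjects to exactly one role. Namespace "" stands for a
// ClusterRoleBinding, which applies everywhere; a namespaced binding only
// applies to requests in that namespace.
type RoleBinding struct {
	Name, Namespace, RoleRef string
	Subjects                 []Subject
}

func matchAny(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// Matches is the per-rule predicate: every field must match (AND).
func (r Rule) Matches(a Attributes) bool {
	if len(r.ResourceNames) > 0 && !matchAny(r.ResourceNames, a.Name) {
		return false // a rule with resourceNames never matches an unnamed request
	}
	return matchAny(r.Verbs, a.Verb) && matchAny(r.APIGroups, a.APIGroup) && matchAny(r.Resources, a.Resource)
}

// appliesTo checks namespace scoping and subject membership of a binding.
func (b RoleBinding) appliesTo(a Attributes) bool {
	if b.Namespace != "" && b.Namespace != a.Namespace {
		return false
	}
	for _, s := range b.Subjects {
		if s.Kind == "User" && s.Name == a.User {
			return true
		}
		for _, g := range a.Groups {
			if s.Kind == "Group" && s.Name == g {
				return true
			}
		}
	}
	return false
}

// Authorize walks Subjects -> RoleBindings -> Role -> Rules and allows on the
// first matching rule (OR over bindings and rules). RBAC has no deny rules, so
// no match means "no opinion", which the API server turns into a 403.
func Authorize(roles map[string]Role, bindings []RoleBinding, a Attributes) (bool, string) {
	for _, b := range bindings {
		if !b.appliesTo(a) {
			continue
		}
		role, ok := roles[b.RoleRef]
		if !ok {
			continue // dangling roleRef grants nothing
		}
		for i, rule := range role.Rules {
			if rule.Matches(a) {
				return true, fmt.Sprintf("allowed by RoleBinding %q rule %d", b.Name, i)
			}
		}
	}
	return false, "no RoleBinding grants this request"
}

// Constructed sample cluster: lucas may write gateways in "default"; the
// system:masters group may do anything anywhere.
var (
	sampleRoles = map[string]Role{
		"admin":            {Rules: []Rule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
		"deploy-workloads": {Rules: []Rule{{Verbs: []string{"create", "update", "delete"}, APIGroups: []string{"gateway.networking.k8s.io"}, Resources: []string{"gateways"}}}},
	}
	sampleBindings = []RoleBinding{
		{Name: "admin", RoleRef: "admin", Subjects: []Subject{{"Group", "system:masters"}}},
		{Name: "deploy-workloads", Namespace: "default", RoleRef: "deploy-workloads", Subjects: []Subject{{"User", "lucas"}}},
	}
)

func main() {
	a := Attributes{User: "lucas", Verb: "create", APIGroup: "gateway.networking.k8s.io", Resource: "gateways", Namespace: "default"}
	fmt.Println(Authorize(sampleRoles, sampleBindings, a))
}
```

Because Attributes carries no body, nothing in this walk can look at spec.gatewayClassName; the rule either grants all gateways in the namespace or none, which is the over-granting the later slides discuss.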
  13. Kubernetes RBAC mapping into ReBAC
      In recent years it has become increasingly popular to turn the access control problem into a graph reachability problem ("relation-based access control", ReBAC). (References published 2013 and 2019.)
  14. Slide from my talk at Disobey 18: API server with a ReBAC server (diagram)
      Components shown: user, authenticator, flow control, authorizer, admission (privilege escalation prevention, authorization state update), list filter, storage and audit log on the API server side; the ReBAC server (policy engine plus ReBAC database) exposes Check, ListResources and WriteRelations.
  15. Kubernetes RBAC mapping into ReBAC
      However, due to Kubernetes RBAC's (ironically) heavy ABAC use, a graph-based mapping wasn't expressive enough. The lack of expressiveness in the graph meant that the actual access control logic moved into the (Turing-complete) reconciler that translates user intent into the graph representation. In other words, the result was not very analyzable. ⇒ I pivoted from graph-based to logic-based methods. (@luxas.dev)
  16.–18. Kubernetes API server structure (slides from my and Jimmy's talk at KubeCon Salt Lake City; diagram built up over three slides)
      Authenticators (webhook, OIDC, CA) turn the request into RequestInfo and UserInfo, or answer 401. Authorizers (webhook, RBAC) decide on RequestInfo and UserInfo and answer 403 on denial. Mutating/validating admission controllers* (CEL, webhook) additionally see the body and answer 40X on rejection. Storage then answers 200.
      * Admission only runs for CREATE/UPDATE/PATCH/DELETE.
  19. Authorization and admission control are separate
      The request payload is not available in the authorization stage. Thus we need to "over-grant" in authorization and remove the extra permissions in the admission stage. Example (amount of permissions for lucas): authorization grants create, update, delete on gateways with object=* and oldobject=*; admission control denies .class != test-gateway, so that only .class == test-gateway (the desired permissions) remains.
  20. Authorization and admission control are separate
      There is a ValidatingAdmissionPolicy API in Kubernetes, which allows specifying the deny rule using Common Expression Language (CEL). In the example, Kubernetes RBAC grants create, update, delete on gateways (object=*, oldobject=*) and a CEL rule denies .class != test-gateway, leaving .class == test-gateway as the desired permissions for lucas. (@luxas.dev)
  21. Authorization and admission control are separate
      Three objects are needed for the example: an RBAC Role (allow in authorization), an RBAC RoleBinding (allow in authorization) and a CEL policy (deny in admission).
  22. Admission control is not available for reads
      ❌ Admission only applies to writes, so reads are still unconstrained to all gateway classes.
      ✅ There is an experimental feature to include label and field selectors.
      🟡 Selectors won't become accessible in Kubernetes RBAC, however.
  23.–25. Cedar: open source authorization engine (built up over three slides)
      Maintains a decidable encoding into Satisfiability Modulo Theories*. Aims to be expressive, fast, safe and analyzable. Supports the RBAC, ReBAC and ABAC paradigms. AWS is donating Cedar to the CNCF. (@luxas.dev)
      * In practice this means that the language has no loops or ordered lists.
  26. MSc thesis project: integrate Kubernetes and Cedar
      1. Improve policy authoring usability with a typed schema and autocompletion.
      2. Unify policy authoring for both authorization and admission.
      3. Unify policy authoring targeting label/field selectors for reads and writes.
      4. Find an expression language that allows policy querying and comparisons.
      5. Solve hard authorization problems once, re-use for various user experiences. (@luxas.dev)
  27. 1. Improve policy authoring usability with a typed schema
      Dev loop (diagram): the Kubernetes API server serves /openapi/v3/<group> and the API discovery document at /apis/<group>/<version>; the project derives a schema from them, which the IDE uses for authoring. (@luxas.dev)
  28. 2. Unify policy authoring for both authorization and admission
      The previous example, shown in the project's proposed syntax. Only one policy object is needed, not three as before. (@luxas.dev)
  29.–30. 2. Unify policy authoring for both authorization and admission (Kubernetes path for a write request; diagram built up over two slides)
      Authentication yields RequestInfo and UserInfo. In authorization, the project's webhook partially evaluates the policies against RequestInfo and UserInfo and answers Yes, No or Maybe (No ⇒ 403). In admission control, the webhook has RequestInfo, UserInfo and the body (new and old object) and fully evaluates the same policies to Yes or No (No ⇒ 403) before the object reaches storage. (@luxas.dev)
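The write path of slides 19–22 and 28–30, as an added example written for this page; it is a hypothetical Go encoding of the "lucas may write test-gateway gateways" rule, not the thesis's policy syntax nor any Kubernetes code. The single Policy function is run twice: at the authorization stage it has no body and can only answer Maybe for lucas's writes, at the admission stage it sees the body and settles the answer. How a read that evaluates to Maybe is treated is this example's own choice (fail closed).

```go
package main

import "fmt"

// Decision is the three-valued outcome of evaluating a policy against the
// inputs known so far: Yes or No when those inputs settle it, Maybe when the
// answer still depends on the request body (the residual of partial evaluation).
type Decision int

const (
	No Decision = iota
	Yes
	Maybe
)

func (d Decision) String() string { return [...]string{"No", "Yes", "Maybe"}[d] }

// Stage tells the policy which inputs exist at the point of evaluation.
type Stage int

const (
	Authorization Stage = iota // RequestInfo + UserInfo only
	Admission                  // body available; writes only
)

// Gateway is the only object kind in this toy; Class mirrors spec.gatewayClassName.
type Gateway struct{ Class string }

// Request is what the API server knows at the current stage. Object is the
// incoming object (create/update), OldObject the stored one (update/delete).
type Request struct {
	Stage                Stage
	User, Verb, Resource string
	Object, OldObject    *Gateway
}

func isWrite(verb string) bool {
	return verb == "create" || verb == "update" || verb == "patch" || verb == "delete"
}

// Policy is a hypothetical encoding of the deck's example as one statement:
// permit lucas to create/update/delete gateways when every object involved
// has class test-gateway. It shows how one rule yields Yes, No or Maybe
// depending on the stage at which it is evaluated.
func Policy(r Request) Decision {
	if r.User != "lucas" || r.Resource != "gateways" {
		return No // settled by UserInfo and RequestInfo alone
	}
	if r.Verb != "create" && r.Verb != "update" && r.Verb != "delete" {
		return No
	}
	if r.Stage == Authorization {
		return Maybe // residual: the class predicates need the body
	}
	for _, obj := range []*Gateway{r.Object, r.OldObject} {
		if obj != nil && obj.Class != "test-gateway" {
			return No
		}
	}
	return Yes
}

// Handle runs the two stages from the slides and returns the HTTP status.
// Authorization evaluates the policy without the body; Maybe lets a write
// continue to admission, where the same policy runs with the body. A read
// that evaluates to Maybe has no admission stage to settle it, so this
// example fails it closed (the deck's selector-based evaluation is the
// alternative for reads).
func Handle(r Request) int {
	r.Stage = Authorization
	switch Policy(r) {
	case No:
		return 403
	case Maybe:
		if !isWrite(r.Verb) {
			return 403
		}
	}
	if isWrite(r.Verb) {
		r.Stage = Admission
		if Policy(r) != Yes {
			return 403
		}
	}
	return 200
}

func main() {
	ok := Request{User: "lucas", Verb: "create", Resource: "gateways", Object: &Gateway{Class: "test-gateway"}}
	bad := Request{User: "lucas", Verb: "delete", Resource: "gateways", OldObject: &Gateway{Class: "production"}}
	fmt.Println(Handle(ok), Handle(bad)) // 200 403
}
```

The same Policy function replaces the Role, RoleBinding and CEL policy of slide 21; the over-grant of slide 19 is what the Maybe answer represents, and admission is where it is narrowed to the desired permissions.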
  31. 3. Unify policy authoring targeting selectors for reads and writes
      The last example, but for any action, including reads. Predicates targeting resource.stored determine whether a concrete object may be read from storage. (@luxas.dev)
  32. 3. Unify policy authoring targeting selectors for reads and writes (Kubernetes path for a read request)
      Authentication yields RequestInfo, UserInfo and the request's selectors; the project fully evaluates the policies to Yes or No (No ⇒ 403) before storage is queried. Example selectors: "Label owner value in ('alice', 'bob')"; "Field .spec.gatewayClassName != 'production'". (@luxas.dev)
  33. 3. Unify policy authoring targeting selectors for reads and writes (Kubernetes path for a read request)
      1. Partial evaluation ⇒ Yes, No, Maybe.
      2. If Maybe, turn the selectors and the residual into SMT ⇒ yields Yes or No (No ⇒ 403).
      Authorize IFF: ∀o : objectSelected(o) ⇒ isAuthorized(o), which is equivalent to: ∃o : objectSelected(o) ∧ ¬isAuthorized(o) is UNSAT. (@luxas.dev)
  34.–35. 4. Find an expression language that allows policy analysis (built up over two slides)
      Ask "what resources can principal P perform what actions on?" Ask "what principals can perform what actions on resource R?" Check for logical inconsistencies in a policy set. Check for equality. Prevent privilege escalation. Cases where an allow policy or a deny policy has no effect: allow shadows allow; deny shadows allow.
  36.–37. 4. Find an expression language that allows policy analysis (built up over two slides)
      Queries are achievable through partial evaluation. If the policies are compiled into equivalent SMT formulas, then:
        Equality if: policy1 ⊨ policy2 ∧ policy2 ⊨ policy1
        Policy 2 > Policy 1 if: policy1 ⊨ policy2 ∧ ¬(policy2 ⊨ policy1)
        Policy change not an escalation if: current_privileges ⊨ new_privileges (@luxas.dev)
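One added example for slides 33 and 34–37 together (written for this page; not the deck's code, not Cedar and not an SMT encoding): it runs the slide's entailment checks and the selector-read refutation over a small, fully enumerated universe of requests, so brute-force enumeration stands in for the SMT solver while the questions stay the same. Policies are Cedar-like permit/forbid statements (allowed iff some permit matches and no forbid matches). The escalation check is implemented as "the new privileges are covered by the current ones", the property the slide's current_privileges ⊨ new_privileges line stands for. All principals, classes, owners and policy sets are constructed.

```go
package main

import "fmt"

// Req is one fully specified authorization question: who does what to which
// object. Class and Owner stand for the object's spec.gatewayClassName and
// its "owner" label. Every name and value in this file is constructed.
type Req struct{ Principal, Action, Class, Owner string }

// A small finite universe of requests. Enumerating it is a stand-in for the
// SMT solver on the slide: same questions, brute-force decision procedure.
var (
	principals = []string{"lucas", "alice"}
	actions    = []string{"get", "create", "delete"}
	classes    = []string{"test-gateway", "production"}
	owners     = []string{"lucas", "alice", "bob"}
)

func universe() []Req {
	var out []Req
	for _, p := range principals {
		for _, a := range actions {
			for _, c := range classes {
				for _, o := range owners {
					out = append(out, Req{p, a, c, o})
				}
			}
		}
	}
	return out
}

// Statement is one Cedar-like policy: permit or forbid when the condition holds.
type Statement struct {
	Forbid bool
	When   func(Req) bool
}

func permitWhen(f func(Req) bool) Statement { return Statement{When: f} }
func forbidWhen(f func(Req) bool) Statement { return Statement{Forbid: true, When: f} }

// PolicySet decides as Cedar does: allowed iff some permit matches and no forbid matches.
type PolicySet []Statement

func (ps PolicySet) Allows(r Req) bool {
	permitted := false
	for _, s := range ps {
		if !s.When(r) {
			continue
		}
		if s.Forbid {
			return false
		}
		permitted = true
	}
	return permitted
}

// Entails reports p1 ⊨ p2: every request p1 allows, p2 allows as well.
func Entails(p1, p2 PolicySet) bool {
	for _, r := range universe() {
		if p1.Allows(r) && !p2.Allows(r) {
			return false
		}
	}
	return true
}

// Equal is the slide's "policy1 ⊨ policy2 ∧ policy2 ⊨ policy1".
func Equal(p1, p2 PolicySet) bool { return Entails(p1, p2) && Entails(p2, p1) }

// StrictlyBroader is the slide's "Policy 2 > Policy 1": p1 ⊨ p2 ∧ ¬(p2 ⊨ p1).
func StrictlyBroader(p1, p2 PolicySet) bool { return Entails(p1, p2) && !Entails(p2, p1) }

// HasNoEffect detects a shadowed statement (allow shadows allow, deny shadows
// allow): statement i has no effect if dropping it changes no decision.
func HasNoEffect(ps PolicySet, i int) bool {
	without := append(append(PolicySet{}, ps[:i]...), ps[i+1:]...)
	return Equal(ps, without)
}

// NotEscalation accepts a policy change when the new set grants nothing the
// current set does not, i.e. the new privileges are covered by the current ones.
func NotEscalation(current, next PolicySet) bool { return Entails(next, current) }

// AuthorizeSelectorRead decides a read carrying a selector: allow iff
// ∀o: objectSelected(o) ⇒ isAuthorized(o), checked by searching for a
// counterexample ∃o: objectSelected(o) ∧ ¬isAuthorized(o); none (UNSAT) ⇒ allow.
func AuthorizeSelectorRead(ps PolicySet, principal string, selected func(Req) bool) (bool, *Req) {
	for _, r := range universe() {
		if r.Principal == principal && r.Action == "get" && selected(r) && !ps.Allows(r) {
			cex := r
			return false, &cex
		}
	}
	return true, nil
}

// Constructed sample policy sets.
var (
	lucasTestOnly = PolicySet{permitWhen(func(r Req) bool { return r.Principal == "lucas" && r.Class == "test-gateway" })}
	lucasAll      = PolicySet{permitWhen(func(r Req) bool { return r.Principal == "lucas" })}
	lucasNoProd   = PolicySet{ // equals lucasTestOnly in a two-class universe; the last permit is shadowed by the forbid
		permitWhen(func(r Req) bool { return r.Principal == "lucas" }),
		forbidWhen(func(r Req) bool { return r.Class == "production" }),
		permitWhen(func(r Req) bool { return r.Principal == "lucas" && r.Class == "production" }),
	}
)

func main() {
	fmt.Println("equal:", Equal(lucasTestOnly, lucasNoProd), "shadowed:", HasNoEffect(lucasNoProd, 2))
	ok, cex := AuthorizeSelectorRead(lucasTestOnly, "lucas", func(r Req) bool { return r.Owner == "alice" || r.Owner == "bob" })
	fmt.Println("selector read allowed:", ok, "counterexample:", cex)
}
```

The selector "owner in (alice, bob)" is refused for lucas because a production-class object owned by alice is both selected and unauthorized, which is exactly the witness an SMT solver would return for the satisfiable formula; the selector ".spec.gatewayClassName != production" has no such witness and the read is allowed.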
  38. 5. Write the backend once, use it for multiple "frontends"
      Frontends feeding the project's policy engine (diagram): Kubernetes CEL (the portion without loops), Kubernetes RBAC, a new selector-based authorization paradigm?, new multi-cluster policies? The engine in turn targets SMT solvers. (@luxas.dev)
  39.–45. Results (built up over seven slides)
      ✅ There seems to be a path forward for all five goals and both research questions.
      ✅ I already made two contributions to Cedar.
      ✅ Potential interest to contribute some of these features to Kubernetes.
      🟡 More work to be done in Cedar to get production-ready partial evaluation and SMT compilation.
      🟡 Need to keep getting Kubernetes user feedback.
      🟡 Time will tell how useful the analysis properties are in practice.
      ❌ There will always be cases where analyzable access control isn't expressive enough.