Cedar is a policy language designed for modern authorization needs: it is both human-readable and machine-analyzable. It expresses role-based access control (RBAC) directly and adds conditional operators, so permissions can be narrowed to specific resources and request attributes in ways that address long-standing gaps in Kubernetes authorization.
Recently, Micah Hausler, Principal Engineer at AWS, described Cedar's approach to Kubernetes policy management in a CNCF blog post. As organizations scale their Kubernetes deployments in cloud-native environments, they run into difficulties managing access control and authorization, and administrators often end up juggling separate policy frameworks and tools for the different kinds of controls they need. In the fourth quarter of 2024, Cedar expanded its integration with Kubernetes.
With Cedar, Kubernetes administrators can use the same language and framework to write both authorization and admission policies. Cedar hooks into the Kubernetes API server at multiple extension points, as an authorization webhook that decides whether a request may proceed and as a validating admission webhook that inspects the full object being created or updated, and enforces access control at each.
Beyond RBAC, Cedar supports attribute- and tag-based access control: policy conditions can reference request attributes such as the namespace, the resource name, and the requesting user's groups, and, at admission time, the labels (tags) on the object itself, creating security boundaries that were previously complex to define. One caveat follows from how the Kubernetes API server works: an authorization webhook sees only the request's subject and target attributes, not the object's labels, so label-based decisions belong in admission policies. Another significant feature is the generation of Cedar schemas for Kubernetes built-in types and custom resource definitions, so policies can be validated against the API's actual types before they are applied.
Cedar also models Kubernetes impersonation explicitly, so policy authors can permit or deny impersonation of specific usernames, groups, and UIDs rather than expressing it only through RBAC's generic "impersonate" verb on the users, groups, and uids resources. Because Cedar runs alongside existing RBAC configurations rather than replacing them, organizations can adopt it incrementally without significantly disrupting their current security posture.
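The following policy set is an added illustration written for this article; it is not code from the project or from Hausler's post. It puts the ideas above into one Cedar file: an RBAC-style group grant, a condition that ties a developer to a namespace, a forbid that acts as a hard boundary, and explicit impersonation rules. The entity type and attribute names (k8s::User, k8s::Group, k8s::ServiceAccount, k8s::Action, and k8s::Resource with resource, namespace, and name attributes) are assumptions modeled on the project's schema and should be checked against the schema the project generates for the cluster before the policies are applied.

```cedar
// Added example policies; not the project's own. Entity and attribute names
// (k8s::User, k8s::Group, k8s::ServiceAccount, k8s::Action, k8s::Resource with
// .resource, .namespace, .name) are assumptions: validate against the generated schema.

// 1. RBAC-style grant: members of "viewers" may read any resource,
//    like a read-only ClusterRole bound to the group.
permit (
  principal in k8s::Group::"viewers",
  action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
  resource is k8s::Resource
);

// 2. Attribute-based condition: a developer may only work inside the namespace
//    that carries their own username. RBAC needs one RoleBinding per namespace;
//    a single Cedar policy covers every user/namespace pair.
permit (
  principal is k8s::User in k8s::Group::"developers",
  action in [
    k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch",
    k8s::Action::"create", k8s::Action::"update", k8s::Action::"patch",
    k8s::Action::"delete"
  ],
  resource is k8s::Resource
) when {
  resource has namespace && resource.namespace == principal.name
};

// 3. Hard boundary: Secrets in kube-system are off limits to everyone except
//    platform-admins, regardless of what any permit policy or RBAC rule grants.
//    A forbid always wins over a permit, which additive RBAC cannot express.
forbid (
  principal,
  action,
  resource is k8s::Resource
) when {
  resource.resource == "secrets" &&
  resource has namespace && resource.namespace == "kube-system"
} unless {
  principal in k8s::Group::"platform-admins"
};

// 4. Impersonation, modeled as its own action with users, groups and UIDs as
//    resources (assumed): service accounts in the "ci" namespace may impersonate
//    users, but nobody may ever impersonate the system:masters group.
permit (
  principal is k8s::ServiceAccount,
  action == k8s::Action::"impersonate",
  resource is k8s::User
) when {
  principal.namespace == "ci"
};

forbid (
  principal,
  action == k8s::Action::"impersonate",
  resource == k8s::Group::"system:masters"
);
```

Policies 3 and 4 show the pattern that matters during incremental adoption: Cedar allows a request only when at least one permit matches and no forbid does, so forbid statements can be layered over a permissive existing RBAC setup as guardrails before any RBAC rule is removed. Validating the file against the generated schema catches a misspelled entity type or attribute at authoring time, where the same mistake in a runtime condition would simply never match.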
At KubeCon + CloudNativeCon NA 2024, Gabriel L. Manor, Vice President of Developer Relations at Permit.io, hosted a panel discussion titled "Policy Engine Showdown." Representing Cedar, Joy Scharmen, Senior Director of Infrastructure Engineering at StrongDM, stated:
Cedar builds on AWS's extensive IAM expertise, making it a highly readable and predictable policy language. Its analyzability stands out as a key feature, ensuring that policies execute precisely as intended.
The panel also included representatives from other policy engines: OpenFGA, Topaz, and Open Policy Agent (OPA).
Hausler's announcement post on LinkedIn received positive engagement from the tech community.
Organizations can try Cedar for Kubernetes in a development environment by using kind (Kubernetes in Docker) to stand up a local cluster. Readers can explore the Cedar for Kubernetes GitHub repository for implementation details or to contribute.