Yelp recently migrated their container-orchestration system from Mesos to Kubernetes. However, existing Kubernetes authorization mechanisms were insufficient to implement least-privilege access control rules. Yelp needed to authorize its users to hundreds of services owned by hundreds of different teams. By leveraging the Open Policy Agent (OPA), Yelp has implemented an authorization system that allows defining fine-grained authorization rules: These can rely on service ownerships, resources’ or actions’ sensitivity levels. This talk covers Yelp’s journey to a fine-grained Kubernetes authorization using OPA and LDAP. It will discuss: - Shortcomings of existing Kubernetes authorization mechanisms - Design details of the new OPA-based system - Strategies for provisioning authorization rules at scale - Migration to the new system with zero downtime - Issues encountered along the way and lessons learned

The Cloud Native Computing Foundation’s flagship conference gathers adopters and technologists from leading open source and cloud native communities from October 11-15, 2021. Join containerd, CoreDNS, Envoy, etcd, Fluentd, Harbor, Helm, Jaeger, Kubernetes, Open Policy Agent, Prometheus, Rook, TiKV, TUF, Vitess, Argo, Buildpacks, CloudEvents, CNI, Contour, Cortex, CRI-O, Dragonfly, Falco, Flux, gRPC, KubeEdge, Linkerd, NATS, Notary, OpenTelemetry, Operator Framework, SPIFFE, SPIRE, and Thanos as the community gathers for four days to further the education and advancement of cloud native computing.

Fine-Grained User Authorization for Kubernetes with OPA and LDAP

Conference: KubeCon + CloudNativeCon North America 2021

Authors: Cagri Cetin, Quentin Long

Abstract

Post a comment

Related work

Sponsored Session: Datadog - Policy-as