AuthN and AuthZ at Cruise: Crawl, Walk, Run

Improving security and scalability in authentication and authorization for services

• Providing libraries and side cars for authentication and authorization is not scalable and difficult to maintain
• Enforcement of authentication and authorization needs to be mandatory
• JWT tokens become too large as permissions increase
• Policies for user access are buried deep within applications, making auditing difficult
• Lack of control over code that validates tokens limits ability to improve authentication and authorization

The security team provided libraries and side cars for authentication and authorization, but found it difficult to maintain and enforce. JWT tokens became too large as permissions increased, and policies for user access were buried deep within applications, making auditing difficult. The team also lacked control over the code that validated tokens, limiting their ability to improve authentication and authorization.

Authentication and authorization are crucial to achieving a zero trust security model. But how do you apply them to your organization in a simple and digestible way? Do you prescribe each engineering team what to do and give them the tools to do it? Do you enforce it globally? Our approach to handling authentication and authorization within our Kubernetes clusters at Cruise has matured over the years, and we’d like to take you through the history, challenges, and (what we think are) unique solutions to these problems at our scale.