Authors: Andres Aguiar, Anders Eknert
2023-04-21

tldr - powered by Generative AI

The presentation discusses the use of service policies and Argo workflows for Cloud native open source authorization application architecture.
  • The use of service policies and Argo workflows enables Cloud native open source authorization application architecture.
  • Service policies allow for dynamic resolution of authorization checks based on service instances.
  • Argo workflows are used for end-to-end workflows for compiling, testing, and validating authorization changes.
  • The presentation provides an example of using Argo to submit a job to pull down policies and run tests to validate changes.
  • The presentation emphasizes the importance of testing and evolving policies over time.
Authors: Mike Danese, Rita Zhang, David Eads, Jordan Liggitt
2023-04-21

SIG Auth is responsible for Kubernetes features that control and protect access to the API and other core components. This includes authentication, authorization, auditing, and some security policy. In this talk, we'll deep dive into projects SIG Auth is currently working on, answer your questions about the SIG and this area of Kubernetes, and share ways you can get involved.
Authors: Christophe Tafani-Dereeper, Diego Comas
2023-04-20

tldr - powered by Generative AI

The talk discusses common pitfalls and traps in managed Kubernetes environments and how to bridge the gaps between what runs inside a managed Kubernetes cluster and what is deployed in other services of the cloud provider.
  • Admins in AWS do not necessarily have permissions on their Kubernetes cluster
  • External secrets can be brought into the cluster using different techniques
  • Architecting cloud-native applications can benefit from the full power of cloud services while avoiding complete vendor lock-in
  • Attackers can abuse mechanisms to pivot from exploiting a single containerized workload to compromising full cloud environments
  • A tool is being released to help mitigate and handle some of the pitfalls and problems
Authors: Asaf Cohen
2022-10-25

tldr - powered by Generative AI

The presentation discusses best practices for managing policy in DevOps and cybersecurity, including decoupling policy from code, using GitOps for policy, and planning ahead for future demands.
  • Decoupling policy from code is important for flexibility and scalability
  • GitOps for policy allows for auditable and testable policy management
  • Planning ahead for future demands ensures that the system can grow without needing to be rewritten from scratch
Conference: CloudOpen 2022
Authors: Tim Hinrichs
2022-06-23

tldr - powered by Generative AI

Introduction to Open Policy Agent (OPA) and its flexibility in policy language and deployment options
  • OPA is a decision point for authorization decisions made by any service
  • Policy queries can be any arbitrary JSON value and the policy language is purpose-built to handle deeply nested JSON data
  • Context-aware policies can be created by injecting arbitrary data into OPA
  • Policy decisions can also be arbitrary JSON objects
  • OPA is flexible in deployment options, including running as a CLI, embedded library, or centralized authorization service
  • The policy language is expressive but not as complex as a programming language
Authors: Mike Danese, Margo Crawford
2022-05-19

tldr - powered by Generative AI

The presentation discusses authentication and authorization in the context of a test server, covering how to indicate a path that requires authentication, setting up credentials at different levels of specificity, and the hierarchy of authentication attempts.
  • Authentication can be indicated on a path by locking a padlock icon
  • Credentials can be set at different levels of specificity, including the global organizational level, the warehouse server level, the client level, and the path level
  • The program will attempt to authenticate using the most specific credentials first, following a hierarchy from path to client to warehouse to global
  • An anecdote is provided where the presenter intentionally sets incorrect credentials at the path level to demonstrate the hierarchy of authentication attempts
Authors: Stefan Prodan
2022-05-18

tldr - powered by Generative AI

Flux is a secure and flexible continuous delivery tool for Kubernetes that can be easily integrated into various platforms.
  • Flux has focused on security hardening and undergone internal audits to address vulnerabilities in its multi-tenancy model and improve secrets management and decryption.
  • Flux can be easily kept up to date through its self-upgrading feature and integration with renovatebot.
  • Flux works with OpenPGP to restrict access to sensitive data and prevent unauthorized modifications.
  • Flux execution is predictable and can be extended through building new Kubernetes controllers using the GitHub toolkit.
  • Flux has been adopted by various platforms and organizations, including the U.S. Department of Defense and Deutsche Telekom.
  • Flux has a security RFC process in place to ensure that any changes that affect its security posture undergo thorough review and approval.
Authors: James Barclay, Roman Porter
2021-10-15

tldr - powered by Generative AI

Improving security and scalability in authentication and authorization for services
  • Providing libraries and sidecars for authentication and authorization is not scalable and is difficult to maintain
  • Enforcement of authentication and authorization needs to be mandatory
  • JWT tokens become too large as permissions increase
  • Policies for user access are buried deep within applications, making auditing difficult
  • Lack of control over code that validates tokens limits ability to improve authentication and authorization
Authors: Cagri Cetin, Quentin Long
2021-10-14

Yelp recently migrated their container-orchestration system from Mesos to Kubernetes. However, existing Kubernetes authorization mechanisms were insufficient to implement least-privilege access control rules. Yelp needed to authorize its users to hundreds of services owned by hundreds of different teams. By leveraging the Open Policy Agent (OPA), Yelp has implemented an authorization system that allows defining fine-grained authorization rules: these can rely on service ownerships, or on resources’ or actions’ sensitivity levels. This talk covers Yelp’s journey to fine-grained Kubernetes authorization using OPA and LDAP. It will discuss:
  • Shortcomings of existing Kubernetes authorization mechanisms
  • Design details of the new OPA-based system
  • Strategies for provisioning authorization rules at scale
  • Migration to the new system with zero downtime
  • Issues encountered along the way and lessons learned