Understanding Kubernetes cluster authorization is very important in determining the actions a user, group, or service account can perform within the cluster. This authorization is managed by Kubernetes using Role-Based Access Control (RBAC).

In RBAC, roles are assigned permissions and then assigned to users, groups, or service accounts. RBAC allows administrators to create access control policies that grant users the permissions they need to finish their tasks.

💡 To learn more about Role-Based Access Control (RBAC) and its levels, roles, and role bindings, check out this Civo Academy lesson from Saiyam Pathak.

Cerbos is an open-source authorization engine that provides access control for modern cloud-native applications and microservices architectures. It is designed to address complex authorization requirements of distributed systems, especially in Kubernetes and other cloud-native environments.

This tutorial will demonstrate how to apply custom access control policies on Civo Kubernetes using Cerbos, leveraging RBAC rules and custom policies to manage Kubernetes resources effectively.

Prerequisites

This post assumes some familiarity with Kubernetes and YAML configuration files. In addition, you will need the following installed to follow along:

Installing Cerbos on Civo

To install Cerbos using the Civo Marketplace UI, log in to your account, and on your dashboard, go to Kubernetes > Kubernetes Cluster > Marketplace. You will have a screen as shown below:

Installing Cerbos on Civo

After you see this screen, click on the Security tab under the Marketplace section and click on Cerbos.

Installing Cerbos on Civo

Once you have clicked Cerbos, scroll down and click on Install Apps to install the application inside your launched Kubernetes cluster. You can check the details of Cerbos and its requirements. To do this, click on Installed Applications and choose Cerbos.

Introduction to Cerbos Policy Language

Cerbos is a tool that helps define access control policies using declarative language. These policies are designed in such a way that they are readable by humans and can express very complex authorization requirements. This helps assure you that your system's security is in safe hands.

Configuring Cerbos Policies for Civo Kubernetes

To configure Cerbos policies for Civo Kubernetes, follow these steps:

Step 1: Identify Resources and Access Control Rules

Identify the resources within your Kubernetes cluster that need protection and define the access control rules to be enforced.

Step 2: Ensure Cerbos is Installed and Deployed

Ensure that Cerbos is installed and deployed within your Civo Kubernetes cluster.

Step 3: Write Policy Rules

Create a policy file named policy.yaml to define who can perform what actions on which resources and under what conditions. Here's an example policy:

allow:
 - actions: ["read"]
   resources: ["namespace:default"]
   subjects: ["user:tam"]

In the example above, the policy grants the user tam read access to the resources within the default namespace.

Step 4: Confirm the Policy

Confirm the policy is working as expected by having the user (tam) try accessing the resources within the namespace in the cluster.

Troubleshooting

If you are having issues configuring your Cerbos policy, confirm that your policy file has the correct syntax because YAML files are sensitive to indentation and formatting.

Integrating Cerbos With Civo Kubernetes

The Civo Kubernetes RBAC provides access control within the Kubernetes clusters, utilizing roles and role bindings in defining permissions for the users. It also allows customization of specific namespace and cluster-wide configurations to meet access control requirements. The default roles, role bindings, and customization tools like kubectl and the Civo dashboard make managing and enforcing access control policies for Kubernetes environments accessible.

Cerbos is a policy engine that complements Kubernetes RBAC, it enhances access control with policies. It considers factors like the user's identity and the resource attributes when making authorization decisions.

To enable authorization for Kubernetes resources when integrating Cerbos with Civo Kubernetes, annotate the resources with information related to Cerbos.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  annotations:
    cerbos.authorization.cerbos.dev/enabled: "true"
    cerbos.authorization.cerbos.dev/policy: "allow_read_pod_logs."

This configuration enables Kubernetes to use Cerbos for authorization and applies the allowreadpod_logs policy to the nginx-deployment.

Troubleshooting

If you are encountering issues with enabling Cerbos authorization for Kubernetes resources in your Civo Kubernetes cluster, here are some troubleshooting steps to take:

  1. Check Syntax: Ensure that the syntax is correct in your Kubernetes resource definition.
  2. Verify Annotation Keys: Make sure there are no errors in the annotation keys.
  3. Policy Existence: Confirm the policy referenced (allow_read_pod_logs) exists in your Cerbos policies.
  4. Restart Cerbos: Consider restarting Cerbos to ensure any configuration changes or updates take effect. This resolves issues related to configuration changes that need to be applied correctly.

Applying Cerbos Policy

Apply the policy to Cerbos by using the following command:

kubectl apply -f policy.yaml -n cerbos

This command applies the policy to Cerbos within the cerbos namespace.

Example Access Control Rules

Denying access outside of business hours:

- resource: *
  actions: [read, write]
  subjects:
    - group: employees
  condition: 'hour(now()) >= 9 && hour(now()) < 17'
  effect: allow
- resource: *
  actions: [read, write]
  subjects:
    - group: employees
  effect: deny

Allowing users to read their profile:

- resource: user
  actions: [read]
  subjects:
    - user: '{{ .Subject }}'
  condition: 'resource.id == subject.id'
  effect: allow

Allowing API service accounts to call specific APIs:

- resource: API
  actions: [call]
  subjects:
    - serviceAccount: API-service-account
  effect: allow

Testing Cerbos Policies Locally

To test Cerbos policies locally, set up a development environment to simulate requests and to evaluate how Cerbos enforces access control based on the defined policies.

Set Up a Local Development Environment

Install Cerbos locally or use a development environment like Minikube or Kind (Kubernetes in Docker). With Minikube or Kind, you can simulate a Kubernetes cluster locally, allowing you to run Cerbos alongside your applications for testing. To set this up, you will need to do the following:

Install Docker and make sure it's running.

  • Install either Minikube or Kind, depending on your preference.
  • Install kubectl to interact with your Kubernetes cluster.
  • You will need the Cerbos Docker image or installation package. The direct link to the GitHub container registry where the Cerbos Docker image can be found is http://ghcr.io/cerbos/cerbos

Here are the steps for integration:

Step 1: Start by setting up the Kubernetes cluster.

If you are using Kind, run:

kind create cluster --name cerbos-cluster

To load the Cerbos image into the Kind cluster. You can do that using the following command:

docker pull ghcr.io/cerbos/cerbos:latest
kind load docker-image ghcr.io/cerbos/cerbos:latest --name cerbos-cluster

If you are using Minikube, run:

minikube start --kubernetes-version=v1.23.0

To load the Cerbos image into Minikube use the following command:

docker pull ghcr.io/cerbos/cerbos:latest
minikube image load ghcr.io/cerbos/cerbos:latest

Deploy Cerbos in Kubernetes: Cerbos can be deployed using a simple Kubernetes manifest. Create a file named cerbos-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cerbos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cerbos
  template:
    metadata:
      labels:
        app: cerbos
    spec:
      containers:
      - name: cerbos
        image: ghcr.io/cerbos/cerbos:latest
        ports:
        - containerPort: 3592
        volumeMounts:
        - name: policy-volume
          mountPath: /policies
      volumes:
      - name: policy-volume
        configMap:
          name: cerbos-policy
---
apiVersion: v1
kind: Service
metadata:
  name: cerbos
spec:
  ports:
  - port: 3592
    targetPort: 3592
  selector:
    app: cerbos

To apply the above manifest, run:

kubectl apply -f cerbos-deployment.yaml

Step 2: Create a policy.yaml file with all your policies:

allow:
  - actions: ["read"]
    resources: ["namespace:default"]
    subjects: ["user:tam"]

Step 3: Create a ConfigMap with the policy above:

kubectl create configmap cerbos-policy --from-file=policy.yaml

To verify Cerbos deployment, check if the cerbos pod is running:

kubectl get pods

The Cerbos pods should be listed if it is working correctly. If it is, you can start testing.

Step 4: To test your policies, you have to send a request to the Cerbos service. To do this using curl:

kubectl port-forward svc/cerbos 3592:3592

Then, in a different terminal:

curl -X POST http://localhost:3592/api/check -d '{
  "requestId": "test-request",
  "actions": ["read"],
  "resource": {
    "kind": "namespace",
    "policyVersion": "default",
    "attributes": {"id": "default"}
  },
  "principal": {
    "id": "tam",
    "roles": ["user"]
  }
}'

Set Up Sample Resources

Create sample resources and subjects that mimic your production environment. These may include Kubernetes namespaces, services, deployments, and users.

Evaluate Policy Decisions

Simulate several requests to Cerbos for evaluation. Simulate requests that represent different access scenarios based on your defined policies.

Monitor Policy Enforcement

Monitor Cerbos logs or use debugging tools to inspect how Cerbos enforces access control based on your policies.

Iterate and Refine Policies

Based on the results of testing, iterate and refine the tested policies as needed. If certain access scenarios are not working as expected, adjust them accordingly.

Deploy a Sample Application for Testing

To test authorization, deploy a sample application to the Kubernetes cluster. For example, deploy an Nginx web server:

kubectl create deployment nginx --image=nginx

Confirm Cerbos enforces access control policies defined in the policy file by attempting to access the deployed application using different user identities and namespaces.

Cleaning Up

After completing the testing, clean up the resources to prevent unnecessary costs. Remove the Kubernetes cluster using the following command:

civo k3s remove my-cluster

This command will remove the cluster and associated resources from your Civo account.

Summary

This tutorial offers a guide on integrating Cerbos with Civo Kubernetes to enforce access control policies effectively. Users can establish a secure Kubernetes environment by following the steps. Cerbos integrates cluster-wide authorization management, allowing users to define and enforce access control policies customized to their needs. Through proper testing, documentation, and troubleshooting, users can verify the integration and address any issues.

Integrating Cerbos with Civo Kubernetes has several advantages, including heightened security, simplified authorization management, compliance assurance, and optimized resource utilization. This integration contributes to a more resilient, efficient, and well-managed Kubernetes ecosystem for applications and users.

Further Resources

If you want to learn more about the topics discussed in this tutorial, here are some additional resources to check out: