Understanding Kubernetes cluster authorization is very important in determining the actions a user, group, or service account can perform within the cluster. This authorization is managed by Kubernetes using Role-Based Access Control (RBAC).
In RBAC, roles are assigned permissions and then assigned to users, groups, or service accounts. RBAC allows administrators to create access control policies that grant users the permissions they need to finish their tasks.
Cerbos is an open-source authorization engine that provides access control for modern cloud-native applications and microservices architectures. It is designed to address complex authorization requirements of distributed systems, especially in Kubernetes and other cloud-native environments.
This tutorial will demonstrate how to apply custom access control policies on Civo Kubernetes using Cerbos, leveraging RBAC rules and custom policies to manage Kubernetes resources effectively.
Prerequisites
This post assumes some familiarity with Kubernetes and YAML configuration files. In addition, you will need the following installed to follow along:
Installing Cerbos on Civo
To install Cerbos using the Civo Marketplace UI, log in to your account, and on your dashboard, go to Kubernetes > Kubernetes Cluster > Marketplace. You will have a screen as shown below:
After you see this screen, click on the Security tab under the Marketplace section and click on Cerbos.
Once you have clicked Cerbos, scroll down and click on Install Apps to install the application inside your launched Kubernetes cluster. You can check the details of Cerbos and its requirements. To do this, click on Installed Applications and choose Cerbos.
Introduction to Cerbos Policy Language
Cerbos is a tool that helps define access control policies using declarative language. These policies are designed in such a way that they are readable by humans and can express very complex authorization requirements. This helps assure you that your system's security is in safe hands.
Configuring Cerbos Policies for Civo Kubernetes
To configure Cerbos policies for Civo Kubernetes, follow these steps:
Step 1: Identify Resources and Access Control Rules
Identify the resources within your Kubernetes cluster that need protection and define the access control rules to be enforced.
Step 2: Ensure Cerbos is Installed and Deployed
Ensure that Cerbos is installed and deployed within your Civo Kubernetes cluster.
Step 3: Write Policy Rules
Create a policy file named policy.yaml
to define who can perform what actions on which resources and under what conditions. Here's an example policy:
allow:
- actions: ["read"]
resources: ["namespace:default"]
subjects: ["user:tam"]
In the example above, the policy grants the user tam
read access to the resources within the default
namespace.
Step 4: Confirm the Policy
Confirm the policy is working as expected by having the user (tam
) try accessing the resources within the namespace in the cluster.
Troubleshooting
If you are having issues configuring your Cerbos policy, confirm that your policy file has the correct syntax because YAML files are sensitive to indentation and formatting.
Integrating Cerbos With Civo Kubernetes
The Civo Kubernetes RBAC provides access control within the Kubernetes clusters, utilizing roles and role bindings in defining permissions for the users. It also allows customization of specific namespace and cluster-wide configurations to meet access control requirements. The default roles, role bindings, and customization tools like kubectl and the Civo dashboard make managing and enforcing access control policies for Kubernetes environments accessible.
Cerbos is a policy engine that complements Kubernetes RBAC, it enhances access control with policies. It considers factors like the user's identity and the resource attributes when making authorization decisions.
To enable authorization for Kubernetes resources when integrating Cerbos with Civo Kubernetes, annotate the resources with information related to Cerbos.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
annotations:
cerbos.authorization.cerbos.dev/enabled: "true"
cerbos.authorization.cerbos.dev/policy: "allow_read_pod_logs."
This configuration enables Kubernetes to use Cerbos for authorization and applies the allowreadpod_logs
policy to the nginx-deployment
.
Troubleshooting
If you are encountering issues with enabling Cerbos authorization for Kubernetes resources in your Civo Kubernetes cluster, here are some troubleshooting steps to take:
- Check Syntax: Ensure that the syntax is correct in your Kubernetes resource definition.
- Verify Annotation Keys: Make sure there are no errors in the annotation keys.
- Policy Existence: Confirm the policy referenced (
allow_read_pod_logs
) exists in your Cerbos policies. - Restart Cerbos: Consider restarting Cerbos to ensure any configuration changes or updates take effect. This resolves issues related to configuration changes that need to be applied correctly.
Applying Cerbos Policy
Apply the policy to Cerbos by using the following command:
kubectl apply -f policy.yaml -n cerbos
This command applies the policy to Cerbos within the cerbos
namespace.
Example Access Control Rules
Denying access outside of business hours:
- resource: *
actions: [read, write]
subjects:
- group: employees
condition: 'hour(now()) >= 9 && hour(now()) < 17'
effect: allow
- resource: *
actions: [read, write]
subjects:
- group: employees
effect: deny
Allowing users to read their profile:
- resource: user
actions: [read]
subjects:
- user: '{{ .Subject }}'
condition: 'resource.id == subject.id'
effect: allow
Allowing API service accounts to call specific APIs:
- resource: API
actions: [call]
subjects:
- serviceAccount: API-service-account
effect: allow
Testing Cerbos Policies Locally
To test Cerbos policies locally, set up a development environment to simulate requests and to evaluate how Cerbos enforces access control based on the defined policies.
Set Up a Local Development Environment
Install Cerbos locally or use a development environment like Minikube or Kind (Kubernetes in Docker). With Minikube or Kind, you can simulate a Kubernetes cluster locally, allowing you to run Cerbos alongside your applications for testing. To set this up, you will need to do the following:
Install Docker and make sure it's running.
- Install either Minikube or Kind, depending on your preference.
- Install kubectl to interact with your Kubernetes cluster.
- You will need the Cerbos Docker image or installation package. The direct link to the GitHub container registry where the Cerbos Docker image can be found is http://ghcr.io/cerbos/cerbos
Here are the steps for integration:
Step 1: Start by setting up the Kubernetes cluster.
If you are using Kind, run:
kind create cluster --name cerbos-cluster
To load the Cerbos image into the Kind cluster. You can do that using the following command:
docker pull ghcr.io/cerbos/cerbos:latest
kind load docker-image ghcr.io/cerbos/cerbos:latest --name cerbos-cluster
If you are using Minikube, run:
minikube start --kubernetes-version=v1.23.0
To load the Cerbos image into Minikube use the following command:
docker pull ghcr.io/cerbos/cerbos:latest
minikube image load ghcr.io/cerbos/cerbos:latest
Deploy Cerbos in Kubernetes: Cerbos can be deployed using a simple Kubernetes manifest. Create a file named cerbos-deployment.yaml
:
apiVersion: apps/v1
kind: Deployment
metadata:
name: cerbos
spec:
replicas: 1
selector:
matchLabels:
app: cerbos
template:
metadata:
labels:
app: cerbos
spec:
containers:
- name: cerbos
image: ghcr.io/cerbos/cerbos:latest
ports:
- containerPort: 3592
volumeMounts:
- name: policy-volume
mountPath: /policies
volumes:
- name: policy-volume
configMap:
name: cerbos-policy
---
apiVersion: v1
kind: Service
metadata:
name: cerbos
spec:
ports:
- port: 3592
targetPort: 3592
selector:
app: cerbos
To apply the above manifest, run:
kubectl apply -f cerbos-deployment.yaml
Step 2: Create a policy.yaml
file with all your policies:
allow:
- actions: ["read"]
resources: ["namespace:default"]
subjects: ["user:tam"]
Step 3: Create a ConfigMap with the policy above:
kubectl create configmap cerbos-policy --from-file=policy.yaml
To verify Cerbos deployment, check if the cerbos pod is running:
kubectl get pods
The Cerbos pods should be listed if it is working correctly. If it is, you can start testing.
Step 4: To test your policies, you have to send a request to the Cerbos service. To do this using curl
:
kubectl port-forward svc/cerbos 3592:3592
Then, in a different terminal:
curl -X POST http://localhost:3592/api/check -d '{
"requestId": "test-request",
"actions": ["read"],
"resource": {
"kind": "namespace",
"policyVersion": "default",
"attributes": {"id": "default"}
},
"principal": {
"id": "tam",
"roles": ["user"]
}
}'
Set Up Sample Resources
Create sample resources and subjects that mimic your production environment. These may include Kubernetes namespaces, services, deployments, and users.
Evaluate Policy Decisions
Simulate several requests to Cerbos for evaluation. Simulate requests that represent different access scenarios based on your defined policies.
Monitor Policy Enforcement
Monitor Cerbos logs or use debugging tools to inspect how Cerbos enforces access control based on your policies.
Iterate and Refine Policies
Based on the results of testing, iterate and refine the tested policies as needed. If certain access scenarios are not working as expected, adjust them accordingly.
Deploy a Sample Application for Testing
To test authorization, deploy a sample application to the Kubernetes cluster. For example, deploy an Nginx web server:
kubectl create deployment nginx --image=nginx
Confirm Cerbos enforces access control policies defined in the policy file by attempting to access the deployed application using different user identities and namespaces.
Cleaning Up
After completing the testing, clean up the resources to prevent unnecessary costs. Remove the Kubernetes cluster using the following command:
civo k3s remove my-cluster
This command will remove the cluster and associated resources from your Civo account.
Summary
This tutorial offers a guide on integrating Cerbos with Civo Kubernetes to enforce access control policies effectively. Users can establish a secure Kubernetes environment by following the steps. Cerbos integrates cluster-wide authorization management, allowing users to define and enforce access control policies customized to their needs. Through proper testing, documentation, and troubleshooting, users can verify the integration and address any issues.
Integrating Cerbos with Civo Kubernetes has several advantages, including heightened security, simplified authorization management, compliance assurance, and optimized resource utilization. This integration contributes to a more resilient, efficient, and well-managed Kubernetes ecosystem for applications and users.
Further Resources
If you want to learn more about the topics discussed in this tutorial, here are some additional resources to check out: