
Cedar for Kubernetes: Authorization That Speaks Your Language

Kubernetes authorization has always been a tale of two systems. RBAC defines what your users can do in crisp YAML declarations ("permits" in Cedar parlance). Admission controllers - whether OPA, Kyverno, or custom webhooks - maintain a separate set of rules that further restrict what those same users may actually do with the resources they are authorized to touch (Cedar "forbids").

Different languages, different files, different mental models - all trying to articulate the same security intent.

Micah Hausler, Principal Engineer at AWS, recognized that Cedar could potentially unify these fragmented approaches. In his blog post, Cedar Access Controls for Kubernetes, Micah introduces a comprehensive authorization model based entirely on Cedar, eliminating the separation between RBAC and admission control:

[Figure: kubernetes-request-phases. Image from the Cedar blog.]

Cedar combines authorization and admission controls in a single language, making it easier to define and manage policies that ensure only the right actions are performed on the right resources.

StrongDM’s Commitment: Cedar for Go and Open Source Investment

Micah’s implementation leverages the open-source Go implementation of Cedar, a project which StrongDM developed and contributed back to the open-source community. We originally developed Cedar for Go because our entire system is written in Go and we wanted a Go-native version as we built our Cedar-powered policy engine. It’s exciting to see it now play a role in strengthening Kubernetes access controls. Cedar’s growth within the Kubernetes ecosystem reflects the open-source community’s ongoing commitment to creating unified, straightforward access control across complex environments.

For administrators, the ability to define both authorizations and restrictions in one place is game-changing. It allows them to manage Kubernetes access with greater ease and accuracy. By consolidating access rules within a single Cedar-based policy, security teams can ensure that only the right actions are taken on specific resources without navigating multiple, fragmented systems.
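To make the "permits for RBAC, forbids for admission" idea from the opening paragraphs and the "authorizations and restrictions in one place" point above concrete, here is an added illustrative Cedar policy set. It is not taken from Micah’s project or from the Cedar blog post, and the entity and action names (`k8s::User`, `k8s::Group`, `k8s::Action`, `k8s::Resource`, `k8s::admission::Action`, `core::v1::Pod`) are assumptions standing in for whatever schema the real Cedar-for-Kubernetes integration defines; the attribute names on `resource` are likewise assumed to mirror the Kubernetes request and Pod object fields.

```cedar
// Authorization phase (what a Role/RoleBinding would express today):
// members of the "platform-team" group may read Pods and Deployments
// in the "prod" namespace. Entity type names are assumed, not from the page.
permit (
    principal in k8s::Group::"platform-team",
    action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
    resource is k8s::Resource
) when {
    resource.namespace == "prod" &&
    ["pods", "deployments"].contains(resource.resource)
};

// The same group may also create and update Pods in "prod".
permit (
    principal in k8s::Group::"platform-team",
    action in [k8s::Action::"create", k8s::Action::"update"],
    resource is k8s::Resource
) when {
    resource.namespace == "prod" && resource.resource == "pods"
};

// Admission phase (what an OPA or Kyverno rule would express today):
// even when the request is authorized above, a Pod that asks for the
// host network namespace is rejected unless the caller is a cluster admin.
// Cedar evaluates forbid before permit, so this overrides the permits above.
forbid (
    principal,
    action in [k8s::admission::Action::"create", k8s::admission::Action::"update"],
    resource is core::v1::Pod
) when {
    resource.spec has hostNetwork && resource.spec.hostNetwork == true
} unless {
    principal in k8s::Group::"cluster-admins"
};
```

The point of reading the three policies together is that the decision for "platform-team member creates a hostNetwork Pod in prod" comes out as Deny from a single policy set: the permit matches, the forbid also matches, and Cedar’s fixed rule that any matching forbid wins means there is no second system, in a second language, whose ordering or precedence an administrator has to reason about.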

Why This Matters: Protecting One of the Most Critical Yet Complex Resources

Kubernetes is powerful, but it’s also one of the more misunderstood and complex resources to secure. With the Cedar team’s latest enhancements, we’re moving closer to a reality where securing Kubernetes is as straightforward as securing other critical resources in the tech stack. Cedar’s unified policies mean fewer weak points and more manageable configurations, allowing companies to apply Zero Trust principles without getting lost in the weeds of Kubernetes’ extensive permission structures.

The Cedar team’s direction is exactly what the Kubernetes ecosystem needs: reducing cognitive overhead, minimizing misconfigurations, and enabling policy-driven security at a highly granular level. This approach doesn’t just make access management easier—it directly impacts security by shrinking the Kubernetes attack surface.

While the new Cedar for Kubernetes project tackles authorization within Kubernetes clusters—granting or restricting specific actions on resources inside the cluster—StrongDM’s focus is on securing access to the cluster itself. Our platform controls who can reach the Kubernetes API server and engage with the control plane, defining who is allowed into the environment before they even interact with cluster resources. Together, Cedar’s new internal authorization capabilities and StrongDM’s access controls create a comprehensive security model: Cedar enforces rules within the cluster, while StrongDM ensures only the right people gain entry.

Celebrating Cedar’s Progress in Kubernetes Access Control

At StrongDM, we’re dedicated to helping organizations achieve secure, seamless access to every critical resource, and Kubernetes has become essential for many of our customers. It’s by far the top resource our platform supports across our customer base. The Cedar team’s advancements align perfectly with our vision of Zero Trust access, where permissions are controlled with precision and access is granted only when and where it’s truly needed.

By simplifying the ability to enforce granular policies, Cedar has set a new benchmark for access control in Kubernetes, and we’re thrilled to be part of this journey. This evolution is a milestone for anyone dedicated to securing cloud infrastructure. Congratulations to the Cedar team for this significant leap forward. Keep up the great work! And we can hardly wait to see what gets built next with Cedar for Go!


About the Author

, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of StrongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.
