Kubernetes authorization has always been a tale of two systems. RBAC defines what your users can do in crisp YAML declarations (“permits” in Cedar parlance). Admission controllers - whether OPA, Kyverno, or custom webhooks - maintain a separate set of rules restricting which of those actions the same users may actually carry out (Cedar “forbids”).
Different languages, different files, different mental models – all trying to articulate the same security intent.
Micah Hausler, Principal Engineer at AWS, recognized that Cedar could potentially unify these fragmented approaches. In his blog post, Cedar Access Controls for Kubernetes, Micah introduces a comprehensive authorization model based entirely on Cedar, eliminating the separation between RBAC and admission control:
Image from the Cedar blog
Cedar combines authorization and admission controls in a single language, making it easier to define and manage policies that ensure only the right actions are performed on the right resources.
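To make the permit/forbid split concrete, here is an added illustrative Cedar policy set (not code from Micah’s post or the Cedar for Kubernetes project, and not its real schema). The entity types k8s::Group and k8s::Action and the resource attributes apiGroup, resource, namespace and imageRegistries are assumed for this example; the RBAC-style grant is expressed as a permit and the admission-style restriction as a forbid, and because Cedar evaluates forbids ahead of permits the restriction wins even for a principal the first policy would otherwise allow.

```cedar
// RBAC-style grant (assumed entity types and attributes):
// members of the "deployers" group may create or update Deployments,
// but only in the "payments" namespace. Anything not covered by a
// permit is denied by default, exactly as with RBAC.
permit (
    principal in k8s::Group::"deployers",
    action in [k8s::Action::"create", k8s::Action::"update"],
    resource
) when {
    resource.apiGroup == "apps" &&
    resource.resource == "deployments" &&
    resource.namespace == "payments"
};

// Admission-style restriction, in the same language and file:
// no principal may create or update a Deployment that pulls images
// from a registry outside the approved list. The "has" check avoids
// an evaluation error (and a skipped policy) on resources without the
// hypothetical imageRegistries attribute. Forbids always override permits.
forbid (
    principal,
    action in [k8s::Action::"create", k8s::Action::"update"],
    resource
) when {
    resource.resource == "deployments" &&
    resource has imageRegistries
} unless {
    ["registry.internal"].containsAll(resource.imageRegistries)
};
```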
StrongDM’s Commitment: Cedar for Go and Open Source Investment
Micah’s implementation leverages the open-source Go implementation of Cedar—a project which StrongDM proudly developed and contributed back to the Open Source community. We originally developed Cedar for Go because our entire system is written in Go and we wanted a Go-native version as we built our Cedar-powered policy engine. It’s exciting to see it now play a role in strengthening Kubernetes access controls. Cedar’s growth within the Kubernetes ecosystem reflects the open-source community’s ongoing commitment to creating unified, straightforward access control across complex environments.
For administrators, the ability to define both authorizations and restrictions in one place is game-changing. It allows them to manage Kubernetes access with greater ease and accuracy. By consolidating access rules within a single Cedar-based policy, security teams can ensure that only the right actions are taken on specific resources without navigating multiple, fragmented systems.
Why This Matters: Protecting One of the Most Critical Yet Complex Resources
Kubernetes is powerful, but it’s also one of the more misunderstood and complex resources to secure. With the Cedar team’s latest enhancements, we’re moving closer to a reality where securing Kubernetes is as straightforward as securing other critical resources in the tech stack. Cedar’s unified policies mean fewer weak points and more manageable configurations, allowing companies to apply Zero Trust principles without getting lost in the weeds of Kubernetes’ extensive permission structures.
The Cedar team’s direction is exactly what the Kubernetes ecosystem needs: reducing cognitive overhead, minimizing misconfigurations, and enabling policy-driven security at a highly granular level. This approach doesn’t just make access management easier—it directly impacts security by shrinking the Kubernetes attack surface.
While the new Cedar for Kubernetes project tackles authorization within Kubernetes clusters—granting or restricting specific actions on resources inside the cluster—StrongDM’s focus is on securing access to the cluster itself. Our platform controls who can reach the Kubernetes API server and engage with the control plane, defining who is allowed into the environment before they even interact with cluster resources. Together, Cedar’s new internal authorization capabilities and StrongDM’s access controls create a comprehensive security model: Cedar enforces rules within the cluster, while StrongDM ensures only the right people gain entry.
Celebrating Cedar’s Progress in Kubernetes Access Control
At StrongDM, we’re dedicated to helping organizations achieve secure, seamless access to every critical resource, and Kubernetes has become essential for many of our customers. It’s by far the top resource our platform supports across our customer base. The Cedar team’s advancements align perfectly with our vision of Zero Trust access, where permissions are controlled with precision and access is granted only when and where it’s truly needed.
By simplifying the ability to enforce granular policies, Cedar has set a new benchmark for access control in Kubernetes, and we’re thrilled to be part of this journey. This evolution is a milestone for anyone dedicated to securing cloud infrastructure. Congratulations to the Cedar team for this significant leap forward. Keep up the great work! We can hardly wait to see what gets built next with Cedar for Go!
About the Author
Justin McCarthy, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of StrongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.