Fine-Grained User Authorization for Kubernetes with OPA and LDAP
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore a comprehensive conference talk on implementing fine-grained user authorization for Kubernetes using Open Policy Agent (OPA) and LDAP. Dive into Yelp's journey of migrating from Mesos to Kubernetes and their innovative approach to overcoming authorization challenges. Learn about the shortcomings of existing Kubernetes authorization mechanisms and discover the design details of Yelp's new OPA-based system. Gain insights into strategies for provisioning authorization rules at scale, achieving zero-downtime migration, and addressing issues encountered along the way. Examine the authorization architecture, including OPA capabilities, user groups, and service metadata. Follow along with practical examples of basic and team-based authorization runs. Understand the rollout strategy, system reliability considerations, and potential future improvements for this advanced authorization solution.
Syllabus
Intro
Mesos Migration to Kubernetes
Motivation: Initial K8s access-controls
Authorization Architecture Overview
Authorization Component: OPA Capabilities, User Groups, Service Metadata
Capability Example
Authorization Component: The Policy Manager
Authorization Component: Client side enforcement
Example run: Basic
Example run: team-based
Rollout Strategy
Challenges and Special Cases
System Reliability
Shortcomings and Future Improvements: Not every resource has meaningful metadata labels
Conclusions
Taught by
CNCF [Cloud Native Computing Foundation]