Use Partial Evaluation

[luxas]

Category

Internal refactors/changes

Describe the feature you'd like to request

See cedar-policy/cedar#1465

The example there shows how one could use partial evaluation in a two-pass way:

• first authorizing without concrete objects (keeping object and oldObject unknown; this would correspond to k8s SubjectAccessReview) => yields yes, no, or a residual
• then reauthorizing the residual (this corresponds to k8s AdmissionReview), with the object(s) populated => yields yes or no

This has a couple of benefits:

• it allows folding the now different k8s::Action::"create" and k8s::admission::Action::"create" into just one unified action
• => it allows writing just one policy that covers both authorization and admission 🎉
• policies considered are atomic, so when the residual is considered in the second phase (admission), exactly the same policies are taken into account as in the authorization stage (avoiding consistency issues if the underlying policy store changed between the two apiserver webhooks)

One can also partition the actions into operating on specialized resource types (e.g. ResourceUpdate, ResourceGet, or typed PodUpdate), to not have to use the resource has object type of checks all the time.

There's lots of more details probably, but this flow is validated to work locally with patch cedar-policy/cedar#1466.

What we'd need from the kube API server is some context, e.g. Audit-Id header, so the webhook handlers can match the same request between authorization and admission.

Describe alternatives you've considered

Additional context

No response

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change