Version: 0.7

Control Role Assumption

Assumption Policies provide the mechanism that controls how users are permitted to assume roles. Robots/service accounts cannot assume roles.

By default, Kore does not statically assign permissions to users. Instead, users begin with least privilege and can request escalation to specific roles to carry out a task for a period of time. After a set period, these permissions expire and the user's access rolls back to least privilege once more. To understand how to use kore assume to request elevation, see Assume a Role.

Kore's assumption policies provide a number of constraints for controlling role assumption:

  • Subject-based: who can assume the role
  • Time-based: time of day or day of week
  • Expiration: how long the user is permitted to assume the role for
  • Source network: the network the user is coming from
  • Authentication method: which method the user authenticated with (SSO, two-factor, etc.)
  • Parameters for the assumption: for example, cluster name, label, namespace, etc.

This allows the construction of policies such as:

  • Developers work 8am - 7pm, Monday to Friday from the office, but on-call staff need access outside office hours or from outside the office network.
  • Assumptions requested from the office expire after seven hours, but external users can only have one hour.
  • There's an extra layer of authentication enforced, such as two-factor, in certain scenarios or always.
  • All of the above are allowed for non-production, but are not allowed for access to production.

If Kore doesn't support the policy constraint you require out of the box, you can create your own constraints with some knowledge of OPA.
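To make the constraint kinds above concrete, here is an added example (not Kore's own code, and not the OPA policy Kore evaluates) that models an assumption policy as data and evaluates an assume request against it with default denial. The class and function names (AssumptionPolicy, AssumeRequest, evaluate, run_samples) are assumptions made for this illustration. The user, role, cluster, namespace and office network range are taken from this page; the external address 203.0.113.9, the dates and the authentication method names are constructed sample values.

```python
"""Illustrative role-assumption constraint evaluator (added example, not Kore code).

Models the constraint kinds from the list above: subject, day of week, time of
day, source network, authentication method, expiration (max TTL) and plan
parameters.  Two constructed policies express "office hours from the office
for up to seven hours; on-call from anywhere with two-factor for one hour".
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class AssumptionPolicy:
    role: str                    # assumable policy plan, e.g. "namespace.admin"
    subjects: set                # users permitted to request the role
    days: set                    # permitted weekdays, datetime.weekday() numbering (Mon=0)
    hours: tuple                 # permitted (start_hour, end_hour), end exclusive
    networks: list               # source CIDRs the policy applies to
    max_ttl: timedelta           # longest elevation a request may ask for
    auth_methods: set            # authentication methods accepted
    parameters: dict = field(default_factory=dict)  # required plan values (cluster, namespace)


@dataclass
class AssumeRequest:
    user: str
    role: str
    ttl: timedelta               # how long the user asks to hold the role
    source_ip: str
    auth_method: str
    at: datetime                 # time of the request
    parameters: dict


def evaluate(policies, req):
    """Return (allowed, reason).  The first policy whose constraints all hold
    grants the request; otherwise the request is denied (least privilege by
    default) and the reason names the failing constraint of the last policy
    that matched the role and subject."""
    reason = "no policy for role %s and user %s" % (req.role, req.user)
    for p in policies:
        if p.role != req.role or req.user not in p.subjects:
            continue  # subject-based constraint: policy does not cover this user/role
        checks = [
            (req.at.weekday() in p.days, "outside permitted days"),
            (p.hours[0] <= req.at.hour < p.hours[1], "outside permitted hours"),
            (any(ip_address(req.source_ip) in ip_network(n) for n in p.networks),
             "source network not permitted"),
            (req.auth_method in p.auth_methods, "authentication method not accepted"),
            (req.ttl <= p.max_ttl, "requested expiry exceeds %s" % p.max_ttl),
            (all(req.parameters.get(k) == v for k, v in p.parameters.items()),
             "plan parameters do not match policy"),
        ]
        failed = [msg for ok, msg in checks if not ok]
        if not failed:
            return True, "granted by policy for %s until %s" % (
                p.role, (req.at + req.ttl).isoformat())
        reason = failed[0]
    return False, reason


# Constructed policies: values below mirror the example on this page.
PLAN_PARAMS = {"cluster": "eks-dev2", "namespace": "katieapp"}
OFFICE = AssumptionPolicy(
    role="namespace.admin", subjects={"katie@yourorg.io"},
    days={0, 1, 2, 3, 4}, hours=(8, 19), networks=["10.120.0.0/22"],
    max_ttl=timedelta(hours=7), auth_methods={"sso", "two-factor"},
    parameters=PLAN_PARAMS)
ONCALL = AssumptionPolicy(
    role="namespace.admin", subjects={"katie@yourorg.io"},
    days=set(range(7)), hours=(0, 24), networks=["0.0.0.0/0"],
    max_ttl=timedelta(hours=1), auth_methods={"two-factor"},
    parameters=PLAN_PARAMS)
POLICIES = [OFFICE, ONCALL]


def sample_requests():
    """Constructed requests: a weekday office request, and two weekend requests
    from an external address (2024-03-12 is a Tuesday, 2024-03-16 a Saturday)."""
    base = dict(user="katie@yourorg.io", role="namespace.admin", parameters=PLAN_PARAMS)
    return {
        "office_tuesday": AssumeRequest(ttl=timedelta(hours=3), source_ip="10.120.1.7",
                                        auth_method="sso", at=datetime(2024, 3, 12, 10, 30), **base),
        "weekend_vpn_3h": AssumeRequest(ttl=timedelta(hours=3), source_ip="203.0.113.9",
                                        auth_method="two-factor", at=datetime(2024, 3, 16, 22, 0), **base),
        "weekend_vpn_45m": AssumeRequest(ttl=timedelta(minutes=45), source_ip="203.0.113.9",
                                         auth_method="two-factor", at=datetime(2024, 3, 16, 22, 0), **base),
    }


def run_samples():
    """Evaluate every sample request and return {name: (allowed, reason)}."""
    return {name: evaluate(POLICIES, req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print("%-16s %-6s %s" % (name, "ALLOW" if allowed else "DENY", reason))
```

The weekend request for three hours is denied because the only policy that matches outside office hours caps the elevation at one hour; the same request for 45 minutes is granted. Keeping the reason string per failing constraint is what makes such denials explainable to the user and auditable in logs.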

Which roles can be assumed?

A role (also known as a policy plan) can be permitted for assumption only if it has the Assumable flag set to true. A set of policy plans is available by default, and as a team administrator, you can create your own assumable policy plans if needed.

To understand the possible roles run kore get policyplan.

Create an assumption policy

To create an assumption policy:

  1. Run the command kore create policy assume.

    Tip: If you want to see the implementation before applying, run the command with the --dry-run option. This outputs the YAML of the generated policy without applying it.

  2. Respond to the question prompts to form the policy:

    • Which users are you permitting to assume the role: members of a specific team, members in a role, all team members, etc.
    • Which role (assumable policy plan) are you permitting these users to assume?
    • You are then asked a series of questions allowing you to place constraints on the time, location, authentication method, and other parameters to the role.

Example: Allow assumption of namespace admin role

Example use case: A developer named katie@yourorg.io needs to correct an issue in a deployed application. You want to allow her to assume the namespace admin role on a cluster.

To create this assumption policy:

  1. Run the following, and select the namespace.admin role:

    $ kore create policy assume
    ? Which role would you like to allow use of?
    cluster.admin
    kore.admin
    kore.viewer
    ▸ namespace.admin
    Name:namespace.admin
    Owner:teamname
    Provides administrative permissions within a specific namespace
    for a period of time. Note this role is intended to be used by users
    not robot accounts; please use kore.deployment for deployments.
  2. Select the constraints:

    ✔ Creating role assumption policy for plan: "namespace.admin"
    ✔ You have choosen to add an time to live for assuming y
    ✔ The policy will disappear in 1h
    ✔ Policy will apply to member: katie@yourorg.io
    ✔ This plan has 2 parameters associated
    ◉ The plan has a required value: "cluster" (single)
    ✔ You have selected eks-dev2 as the cluster:
    ◉ The plan has a required value: "namespace" (single)
    ✔ You have selected katieapp as the namespace:
    ✔ Choosen to constrain the assume by source network y
    ✔ Select the network range 10.120.0.0/22
    ✔ Choosen to constrain the assume by expiration y
    ✔ What the max time a user can assume e.g. 1h, 30m, 3d: 3h
    ? Would you like to enforce the time of day they can assume? [y/N] y
    ✔ You have selected Mon-Fri as week days
    ✔ You have selected Mon,Tue,Wed,Thu,Fri as the choosen days
    ? Are you sure you want to apply this policy? [y/N] y
    ✔ Policy allowing role assumption created

The developer katie@yourorg.io can now use:

kore assume namespace.admin --cluster eks-dev --namespace katieapp

This applies for the next hour.