Assumption Policies provide the mechanism that controls how users are permitted to assume roles. Robots/service accounts cannot assume roles.
By default, Kore does not statically assign permissions to users. Instead, users begin with least privilege and can request escalation to specific roles to carry out a task for a period of time. After a set period, these permissions expire and the user's access rolls back to least privilege. To understand how to use `kore assume` to request elevation, see Assume a Role.
Kore's assumption policies provide a number of constraints for controlling role assumption:
- Subject-based—who can assume the role
- Time-based—time of day or day of week
- Expiration—how long the user is permitted to assume the role for
- Source network—the network the user is coming from
- Authentication method—which method the user authenticated with (SSO, two-factor, etc.)
- Parameters for the assumption—for example, cluster name, label, namespace, etc.
This allows the construction of policies such as:
- Developers work 8am - 7pm, Monday to Friday, from the office, but on-call engineers need access outside of office hours or from outside the office network.
- Assumptions from the office expire after seven hours, but external users can only have one hour.
- An extra layer of authentication, such as two-factor, is enforced in certain scenarios or always.
- All of the above are allowed for non-production, but are not allowed for access to production.
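To make the constraint model concrete, the following is an added example (not Kore's own code or types): a deny-by-default evaluator over the six constraint kinds listed above, with a sample policy for the "office hours, office network, seven-hour expiry" case. The type names, the `OfficePolicy` and `Evaluate` functions, and the user, cluster and network values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

type AssumePolicy struct { // the constraint kinds listed above (constructed, not Kore's own types)
	Members            map[string]bool   // subject-based: who may assume the role
	FirstDay, LastDay  time.Weekday      // permitted days of the week, inclusive
	StartHour, EndHour int               // permitted hours are [StartHour, EndHour)
	Network            *net.IPNet        // permitted source network; nil means any
	AuthMethod         string            // required authentication method; "" means any
	MaxExpiry          time.Duration     // longest assumption a user may request
	Params             map[string]string // required plan parameter values, e.g. cluster
}

// OfficePolicy encodes the first two bullets above for one developer (constructed values).
func OfficePolicy() AssumePolicy {
	_, office, _ := net.ParseCIDR("10.120.0.0/22") // the page's example office range
	return AssumePolicy{
		Members:  map[string]bool{"email@example.com": true},
		FirstDay: time.Monday, LastDay: time.Friday, StartHour: 8, EndHour: 19,
		Network:  office, MaxExpiry: 7 * time.Hour,
		Params:   map[string]string{"cluster": "eks-dev", "namespace": "katieapp"},
	}
}

// Evaluate is deny-by-default: it returns nil only when every constraint holds.
func (p AssumePolicy) Evaluate(user, auth, src string, at time.Time, expiry time.Duration, params map[string]string) error {
	switch {
	case !p.Members[user]:
		return fmt.Errorf("subject %q not permitted", user)
	case at.Weekday() < p.FirstDay || at.Weekday() > p.LastDay || at.Hour() < p.StartHour || at.Hour() >= p.EndHour:
		return fmt.Errorf("outside permitted days or hours")
	case p.Network != nil && !p.Network.Contains(net.ParseIP(src)): // unparseable source is denied too
		return fmt.Errorf("source %q outside %s", src, p.Network)
	case p.AuthMethod != "" && auth != p.AuthMethod:
		return fmt.Errorf("auth method %q required", p.AuthMethod)
	case expiry <= 0 || expiry > p.MaxExpiry:
		return fmt.Errorf("expiry %s not within (0, %s]", expiry, p.MaxExpiry)
	}
	for k, v := range p.Params { // every required plan parameter must match
		if params[k] != v {
			return fmt.Errorf("parameter %s must be %q", k, v)
		}
	}
	return nil
}
```

The one-hour-for-external-users and production-only-denied cases from the list are expressed as further AssumePolicy values with a different Network or Params, evaluated the same way.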
If Kore doesn't support the policy constraint you require out of the box, you can create your own constraints with some knowledge of OPA.
A role (also known as a policy plan) that you can permit to be assumed is a policy plan with the `Assumable` flag set to true. A set of policy plans is available by default, and as a team administrator, you can create your own assumable policy plans if needed. To list the available roles, run `kore get policyplan`.
To create an assumption policy:
Run the command `kore create policy assume`. If you want to see the generated policy before applying it, run the command with the `--dry-run` option. This outputs the YAML of the generated policy without applying it.
Respond to the question prompts to form the policy:
- Which users are you permitting to assume the role: members of a specific team, members in a role, all team members, etc.?
- Which role (assumable policy plan) are you permitting these users to assume?
- You are then asked a series of questions allowing you to place constraints on the time, location, authentication method, and other parameters to the role.
Example use case: a developer named email@example.com needs to correct an issue in a deployed application. You want to allow her to assume the namespace admin role on a cluster.
To create this assumption policy:
Run the following, and select the `namespace.admin` role:

```
$ kore create policy assume
? Which role would you like to allow use of?
  cluster.admin
  kore.admin
  kore.viewer
▸ namespace.admin

Name:  namespace.admin
Owner: teamname
Provides administrative permissions within a specific namespace
for a period of time. Note this role is intended to be used by users
not robot accounts; please use kore.deployment for deployments.
```

Select the constraints:

```
✔ Creating role assumption policy for plan: "namespace.admin"
✔ You have choosen to add an time to live for assuming y
✔ The policy will disappear in 1h
✔ Policy will apply to member: firstname.lastname@example.org
✔ This plan has 2 parameters associated
◉ The plan has a required value: "cluster" (single)
✔ You have selected eks-dev2 as the cluster:
◉ The plan has a required value: "namespace" (single)
✔ You have selected katieapp as the namespace:
✔ Choosen to constrain the assume by source network y
✔ Select the network range 10.120.0.0/22
✔ Choosen to constrain the assume by expiration y
✔ What the max time a user can assume e.g. 1h, 30m, 3d: 3h
? Would you like to enforce the time of day they can assume? [y/N] y
✔ You have selected Mon-Fri as week days
✔ You have selected Mon,Tue,Wed,Thu,Fri as the choosen days
? Are you sure you want to apply this policy? [y/N] y
✔ Policy allowing role assumption created
```
email@example.com can now run:

```
kore assume namespace.admin --cluster eks-dev --namespace katieapp
```

This applies for the next hour.