Security

CedarPolicy

Defines authorization rules using the Cedar policy language. Policies control three authorization domains: cluster access, secret access, and security overrides.

group: lattice.dev
version: v1alpha1
scope: namespaced

Cedar Entity Types

Cedar policies reference six entity types that map to Lattice authorization concepts. See the Cedar Authorization guide for detailed patterns and examples.

Lattice::User

Individual users (principals). Referenced by email or username, e.g. "alice@example.com".

Lattice::Group

User groups (principals). Referenced by group name, e.g. "sre-team".

Lattice::Service

Pod/service identity (principal). Referenced as "namespace/name". Attributes: namespace, name.

Lattice::Cluster

Kubernetes clusters (resources). Referenced by cluster name, e.g. "prod-frontend".

Lattice::SecretPath

Secret identity (resource). Referenced as "provider:path". Attributes: path, provider.

Lattice::SecurityOverride

Security feature (resource). Referenced as "category:id". Attributes: category, override_id.

Actions

AccessCluster Cluster proxy access. Principal: User/Group. Resource: Cluster.
AccessSecret Secret retrieval during service compilation. Principal: Service. Resource: SecretPath.
OverrideSecurity PSS relaxation (capabilities, privileged, etc.). Principal: Service. Resource: SecurityOverride.

Examples

admin-access.yaml
apiVersion: lattice.dev/v1alpha1
kind: CedarPolicy
metadata:
  name: admin-access
spec:
  description: "Grant admin group full access to all clusters"
  policies: |
    permit (
      principal in Lattice::Group::"admin",
      action,
      resource
    );
  priority: 0
  enabled: true
  propagate: true

deny-production.yaml
apiVersion: lattice.dev/v1alpha1
kind: CedarPolicy
metadata:
  name: deny-production
spec:
  description: "Deny all access to production clusters except sre-team"
  policies: |
    // SRE team retains full production access
    permit (
      principal in Lattice::Group::"sre-team",
      action,
      resource in Lattice::Cluster::"prod-frontend"
    );

    permit (
      principal in Lattice::Group::"sre-team",
      action,
      resource in Lattice::Cluster::"prod-backend"
    );

    // Deny everyone else from production. In Cedar a matching forbid overrides
    // any permit, so sre-team is carved out of the forbid with `unless`; otherwise
    // the forbid would also override the permits granted above.
    forbid (
      principal,
      action,
      resource in Lattice::Cluster::"prod-frontend"
    ) unless {
      principal in Lattice::Group::"sre-team"
    };

    forbid (
      principal,
      action,
      resource in Lattice::Cluster::"prod-backend"
    ) unless {
      principal in Lattice::Group::"sre-team"
    };
  priority: 100              # evaluated first
  enabled: true
  propagate: true
team-access.yaml
apiVersion: lattice.dev/v1alpha1
kind: CedarPolicy
metadata:
  name: team-access
spec:
  description: "Grant teams scoped access to their clusters"
  policies: |
    // Frontend team: read-only on staging
    permit (
      principal in Lattice::Group::"frontend-team",
      action in [Lattice::Action::"get", Lattice::Action::"list"],
      resource in Lattice::Cluster::"staging-frontend"
    );

    // Backend team: full access on staging
    permit (
      principal in Lattice::Group::"backend-team",
      action,
      resource in Lattice::Cluster::"staging-backend"
    );

    // Individual user: create/update on dev cluster
    permit (
      principal == Lattice::User::"alice@example.com",
      action in [Lattice::Action::"create", Lattice::Action::"update"],
      resource in Lattice::Cluster::"dev-sandbox"
    );
  priority: 10
  enabled: true
  propagate: false            # local to this cluster only

media-security-overrides.yaml
apiVersion: lattice.dev/v1alpha1
kind: CedarPolicy
metadata:
  name: media-security-overrides
spec:
  description: "Secret access and security overrides for media namespace"
  policies: |
    // Media services can access their namespace secrets
    permit (
      principal,
      action == Lattice::Action::"AccessSecret",
      resource
    ) when {
      principal is Lattice::Service &&
      principal.namespace == "media" &&
      resource.path like "secret/data/media/*"
    };

    // nzbget needs NET_ADMIN and SYS_MODULE for VPN sidecar
    permit (
      principal == Lattice::Service::"media/nzbget",
      action == Lattice::Action::"OverrideSecurity",
      resource == Lattice::SecurityOverride::"capability:NET_ADMIN"
    );

    permit (
      principal == Lattice::Service::"media/nzbget",
      action == Lattice::Action::"OverrideSecurity",
      resource == Lattice::SecurityOverride::"capability:SYS_MODULE"
    );
  priority: 10
  enabled: true
  propagate: false

For more patterns including namespace-scoped secrets, provider isolation, and category-based security overrides, see the Cedar Authorization guide.
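
A static check for the policies field, as an added example that is not Lattice's own code. It takes the entity types from the Cedar Entity Types section and the three documented actions, and assumes the ID formats given there for Lattice::Service ("namespace/name"), Lattice::SecretPath ("provider:path") and Lattice::SecurityOverride ("category:id"). It counts permit and forbid statements the way the status fields permitCount and forbidCount do, flags a permit whose principal, action and resource are all unconstrained with no when/unless clause, flags actions not in the Actions section, and flags entity IDs that do not match the documented shape. The two policy texts at the bottom are constructed for the example.

```python
"""Lint the Cedar policy text of a Lattice CedarPolicy (example, not project code).

Assumptions: entity types, actions and ID formats are exactly those documented
on this page. Parsing is deliberately minimal: statements are split on ';',
which Cedar conditions and string literals are not expected to contain.
"""
import re
from dataclasses import dataclass

ENTITY_TYPES = {
    "Lattice::User", "Lattice::Group", "Lattice::Service",
    "Lattice::Cluster", "Lattice::SecretPath", "Lattice::SecurityOverride",
}
DOCUMENTED_ACTIONS = {"AccessCluster", "AccessSecret", "OverrideSecurity"}

# Expected entity ID shapes, taken from the entity type descriptions.
ID_FORMATS = {
    "Lattice::Service": re.compile(r"^[a-z0-9-]+/[a-z0-9-]+$"),   # namespace/name
    "Lattice::SecretPath": re.compile(r"^[^:]+:.+$"),             # provider:path
    "Lattice::SecurityOverride": re.compile(r"^[^:]+:.+$"),       # category:id
}

# Matches Type::"id", e.g. Lattice::Group::"admin" -> ("Lattice::Group", "admin")
ENTITY_REF = re.compile(r'((?:[A-Za-z_]\w*::)+[A-Za-z_]\w*)::"([^"]*)"')
HEAD_KEYWORDS = ("principal", "action", "resource")


@dataclass
class Statement:
    effect: str        # "permit" or "forbid"
    head: list         # the three head clauses, whitespace-stripped
    conditioned: bool  # has a when/unless block
    text: str


def _head_and_rest(s: str):
    """Split the text after 'permit (' into top-level comma-separated clauses.

    Tracks bracket depth and string literals so the commas inside an action
    list such as [Lattice::Action::"a", Lattice::Action::"b"] are not split on.
    """
    clauses, cur, depth, in_str = [], [], 0, False
    for i, ch in enumerate(s):
        if in_str:
            cur.append(ch)
            in_str = ch != '"'
            continue
        if ch == '"':
            in_str = True
        elif ch in "([{":
            depth += 1
        elif ch == ")" and depth == 0:
            clauses.append("".join(cur).strip())
            return clauses, s[i + 1:]
        elif ch in ")]}":
            depth -= 1
        elif ch == "," and depth == 0:
            clauses.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    raise ValueError("unterminated policy head")


def split_statements(policy: str) -> list:
    src = re.sub(r"//[^\n]*", "", policy)  # drop // comments
    stmts = []
    for raw in src.split(";"):
        body = re.sub(r'^(?:@\w+\("[^"]*"\)\s*)+', "", raw.strip())  # drop annotations
        if not body:
            continue
        m = re.match(r"(permit|forbid)\s*\(", body)
        if not m:
            raise ValueError(f"not a permit/forbid statement: {body[:40]!r}")
        head, rest = _head_and_rest(body[m.end():])
        stmts.append(Statement(m.group(1), head, bool(re.search(r"\b(when|unless)\b", rest)), body))
    return stmts


def lint(policy: str) -> dict:
    stmts = split_statements(policy)
    findings = []
    for n, st in enumerate(stmts, 1):
        if len(st.head) != 3 or any(c.split()[0] != k for c, k in zip(st.head, HEAD_KEYWORDS)):
            findings.append(f"#{n}: head must be (principal, action, resource)")
            continue
        if st.effect == "permit" and all(c in HEAD_KEYWORDS for c in st.head) and not st.conditioned:
            findings.append(f"#{n}: permit with no principal/action/resource constraint")
        for etype, eid in ENTITY_REF.findall(st.text):
            if etype == "Lattice::Action":
                if eid not in DOCUMENTED_ACTIONS:
                    findings.append(f"#{n}: action {eid!r} is not a documented Lattice action")
            elif etype not in ENTITY_TYPES:
                findings.append(f"#{n}: unknown entity type {etype}")
            elif etype in ID_FORMATS and not ID_FORMATS[etype].match(eid):
                findings.append(f"#{n}: {etype} id {eid!r} does not match the documented format")
    return {
        "permitCount": sum(s.effect == "permit" for s in stmts),
        "forbidCount": sum(s.effect == "forbid" for s in stmts),
        "findings": findings,
    }


# Constructed sample: the media policy from this page (expected to lint clean).
MEDIA_POLICY = """
// Media services can access their namespace secrets
permit (principal, action == Lattice::Action::"AccessSecret", resource)
when { principal is Lattice::Service && principal.namespace == "media"
       && resource.path like "secret/data/media/*" };
permit (principal == Lattice::Service::"media/nzbget",
        action == Lattice::Action::"OverrideSecurity",
        resource == Lattice::SecurityOverride::"capability:NET_ADMIN");
permit (principal == Lattice::Service::"media/nzbget",
        action == Lattice::Action::"OverrideSecurity",
        resource == Lattice::SecurityOverride::"capability:SYS_MODULE");
"""

# Constructed sample with three defects: a blanket permit, a Service ID
# without its namespace, and actions absent from the Actions section.
BAD_POLICY = """
permit (principal, action, resource);
forbid (principal == Lattice::Service::"nzbget",
        action == Lattice::Action::"OverrideSecurity",
        resource == Lattice::SecurityOverride::"capability:SYS_MODULE");
permit (principal in Lattice::Group::"frontend-team",
        action in [Lattice::Action::"get", Lattice::Action::"list"],
        resource in Lattice::Cluster::"staging-frontend");
"""

if __name__ == "__main__":
    for name, text in (("media", MEDIA_POLICY), ("bad", BAD_POLICY)):
        print(name, lint(text))
```

Run it before applying a manifest; a non-empty findings list is a reason to stop, and the permit/forbid counts should match the permitCount and forbidCount the controller reports once the policy reaches the Valid phase. The blanket-permit check is intentionally strict: a permit with no constraints at all is almost never what an operator wants, whereas admin-access above is constrained on the principal and passes.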

Spec

CedarPolicy spec fields
Field Type Description
description string? Human-readable description of what this policy does.
policies string Cedar policy text. May contain multiple permit and forbid statements. Entity types: Lattice::User, Lattice::Group, Lattice::Service, Lattice::Cluster, Lattice::SecretPath, Lattice::SecurityOverride.
priority i32 Evaluation order. Higher values are evaluated first. Default: 0. In Cedar's own semantics a matching forbid overrides any permit regardless of order, so do not rely on priority to let a permit win over a forbid.
enabled bool Whether this policy is active. Disabled policies are skipped during evaluation. Default: true.
propagate bool Whether to propagate this policy to child clusters. Default: true.

Status

CedarPolicy status fields
Field Type Description
phase CedarPolicyPhase Current validation phase of the policy.
message string? Human-readable status message.
permitCount u32 Number of permit statements in the policy.
forbidCount u32 Number of forbid statements in the policy.
lastValidated string? ISO 8601 timestamp of the last successful validation.
validationErrors []string List of validation errors found in the Cedar policy text.

CedarPolicyPhase

Pending Policy has not yet been validated.
Valid Policy has been parsed and validated successfully.
Invalid Policy contains errors. See validationErrors for details.