Jonathan Whitaker

My name is Jonathan Whitaker. I’ve spent the last 7+ years of my career in the authentication, authorization, and Identity and Access Management (IAM) domain. The emphasis of my work has been on building authorization integrations and frameworks for small, medium, and large application platforms. I have helped build IAM platforms for companies as big as Adobe and for small startups. Since I started working in this domain I have been fixated on trying to bring better solutions to developers for these common, yet challenging, problems. I am currently working on the OpenFGA and Auth0 FGA project at Okta/Auth0 to bring global scale, fine-grained authorization to a broader audience of developers. In my spare time I love to get outdoors and camp, hike, fly fish, and mountain bike.

The speaker's profile picture


Beyond RBAC: Implementing Relation-based Access Control for Kubernetes with OpenFGA
Lucas Käldström, Jonathan Whitaker

The Kubernetes API server is a declarative, uniform and extensible REST API server capable of storing a diverse set of APIs for infrastructure control. API objects tend to contain parent-child and sibling relations such as “ReplicaSet owns Pod refers to Node”. However, with this graph-based structure, access control and multi-tenancy become a real challenge. The default RBAC authorizer is best for resource-scoped authorization (“allow listing all Pods”), not fine-grained authorization (“allow listing Pods of these Deployments”).

OpenFGA is a Relationship-Based Access Control (ReBAC) engine inspired by Google Zanzibar and a CNCF sandbox project. ReBAC is a superset of RBAC, and empowers administrators to configure authorization in an object-scoped manner with minimal configuration sprawl.

A Kubernetes contributor and a OpenFGA maintainer will demo an open-source implementation of a Kubernetes authorizer and controller that configures and queries OpenFGA for authorization decisions.