Embracing WebAssembly in authorization | Cerbos, KubeCon + CloudNativeCon Paris

Transcript

Milo Oudenaller: Congrats on the launch of Cerbos Hub this past year. How have the first few months been?

Alex Olivier: Thanks! We actually launched Cerbos Hub at KubeCon last year, and the growth has been great to see. We've onboarded a number of users from our open source project to our fully managed control plane and getting all the benefits of a much more streamlined, managed CI deployment pipeline, as well as really leveraging our new embedded Policy Decision Point powered by WebAssembly.

Milo Oudenaller: How does Cerbos anticipate WASM influencing Kubernetes and cloud-native technologies?

Alex Olivier: I think it's fair to say WebAssembly and WASM has taken the world by storm probably in the last year or so. Particularly now with this unification around the WASM component model. Where we see Kubernetes and particularly the cloud native space going is much more of this encapsulation of common functionality. 

These really nice WASM components, which define a very clean interface of exactly how you interact and join and compile applications together is really this new model of how we foresee application architectures going. And Kubernetes is really well placed to leverage this with the idea of a Kubernetes component it's now just another type of pod inside of your cluster. You can very easily start combining and mixing and basically architecting components in a way that forms whatever use case you need to deliver upon.  

Milo Oudenaller: What hurdles do organizations typically encounter when adopting WASM-based solutions in Kubernetes, and how does Cerbos tackle these obstacles?

Alex Olivier: So obviously WASM is a new approach to development. Though, if you've been around long enough and used to like the days of Calm and ActiveX and   the old JVM runtime type approaches, there are definitely some echoes of yesteryear of how applications are built.

Kubernetes is well placed to be the orchestration layer, even of these WASM components. But from an organizational perspective, it is a bit of a mind shift in terms of how you build and compartmentalize components. Because if you think of a container, it's primarily, it's just the runtime, it's the binary. It's built for a particular architecture. 

But when you start looking more at the WASM space, not only are you now defining the actual execution, which is the WASM   itself, but also defines the interface and the, basically the architecture that needs to be provided to that component to run. So your WITs, as it's called, basically defines that this service or this component needs to be provided a key value store, or a database, or those   things.

And with Cerbos, we're really leveraging that and making sure Cerbos is the best implementation for how you do authorization in this whole ecosystem. 

Milo Oudenaller: Can you provide some insights into Cerbos’ approach to leveraging WASM in its solutions?

Alex Olivier: Yeah, absolutely. With Cerbos Hub, as well as launching the managed control plane, we also introduced the new embeddable Policy Decision Point.

So classically, Cerbos works as a container or binary that you're running on your back end, either in your Kubernetes cluster or just bare metal on a VM somewhere. But we got more and more use cases coming to us from our users, saying, I want to be able to do authorization at the edge, or even on the client devices, for those more presentational type of use cases.

So when we looked at sort of how to best solve this, in these environments, you can't necessarily run a whole container or a binary. So you needed a much more smaller footprint way and a much more lightweight way of running the Cerbos decision point logic at the edge or even on devices. And WASM really was the natural approach to that. 

As part of Cerbos hub, as well as generating the artifact that gets deployed to your backend Cerbos instances, we also generate the WebAssembly version, which is an embeddable version of our Policy Decision Point, which then can be pulled directly into your edge runtimes, or even into the client devices.

So you get the exact same interface in terms of, can this user do this action on this resource, that the Cerbos system provides, but it's the same set of policies that you're defining and now being deployed both to your backend, to your Kubernetes cluster, for example, also can be pulled down into your edge functions or onto actual client devices.

So it's a fairly unique approach that really allows you to do authorization anywhere in your architecture stack.  

Milo Oudenaller: How does Cerbos ensure WASM-based solutions are compatible and interoperable with Kubernetes environments?

Alex Olivier: The core of the Cerbos embeddable Policy Decision Point is the engine. And then what we're doing now is putting adapters and basically runtimes around the core engine to allow you to spin it up in an environment that exposes a standard component model. If you look at things like Spincube, which got announced last week, wasmCloud being the CNCF project, these implement the WebAssembly component model, or component spec. So we're now updating Cerbos’ embeddable Policy Decision Point to basically implement that spec. So you can very easily spin it up in a wasmCloud infrastructure, or using Spincube to run directly in Kubernetes. And you get, again, that exact same API in terms of how you interact and check authorization permissions.  

Milo Oudenaller: In what ways does Cerbos actively contribute to the broader Kubernetes and cloud-native communities through its WASM initiatives?

Alex Olivier: We are big adopters of cloud-native technologies here at Cerbos. Not just how we build Cerbos, but also how we run Cerbos Hub itself. So Cerbos Hub, unsurprisingly, runs inside of the Kubernetes cluster. We're leveraging a number of the CNCF projects. For example, all our interfaces are GRPC. We're doing the whole open telemetry stack. So your Cerbos decision points, for example, are running inside of your cluster and they expose OTel traces, logging, Prometheus metrics, all the stuff you're used to.

So as well as leveraging those technologies, we're also trying to contribute back. So we're part of some new standards around authorization. With the AuthZEN project and in terms of giving users the easiest way to get up and running with Cerbos in their environments. We've published things like Helm charts to get you up and running without having to necessarily jump through too many hoops and creating too many manifests.

And then the WASM piece, as I mentioned, is designed to adopt this component model. So as our clusters out there start adopting these runtimes that support WASM, you'll be able to drop the embeddable version of the Cerbos Policy Decision Point directly into those environments.

Conclusion

To explore more about how Cerbos leverages WASM and to dive deeper into the possibilities it unfolds, read this piece on WebAssembly, and check out Cerbos Hub.