[EKS] [request]: Cedar for Kubernetes in Amazon EKS

[micahhausler]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Integrate Cedar access controls for Kubernetes into Amazon EKS

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Kubernetes RBAC has well-known limitations in being allow-only (no denials), no conditions, and no attribute-based controls.

Are you currently working around this issue?
Many customers use Open Policy Agent/Gatekeeper, Kyverno, or K8s Validating Admission Policies to restrict permissions

Additional context
AWS open sourced Cedar access controls for Kubernetes (blog post) in October 2024, but as authorization webhooks are not customer configurable in EKS (#1932), AWS would have to integrate Cedar into EKS for customers to use it.