Kubiya LogoKubiya Developer Docs
Deployment/Runners

Enforcer Service

Advanced permission management and security controls for Kubiya runners

Enforcer Service

The Enforcer service provides advanced permission management capabilities for Kubiya runners, enabling just-in-time access, attribute-based controls, and comprehensive audit logging.

Key Features

  • Just-in-Time (JIT) permissions: Grant temporary, scoped access only when needed
  • Attribute-Based Access Control (ABAC): Permission decisions based on user context and request attributes
  • Policy-as-Code: Define, version, and manage permission policies alongside your infrastructure
  • Comprehensive audit trail: Track all access decisions and operations
  • Request approval workflows: Configure approval requirements for sensitive operations

Architecture

The Enforcer service integrates with your runners to provide a security layer between your agents and the systems they interact with:

graph TD
    A[Kubiya Agent] -->|Request| B[Runner]
    B -->|Permission Check| C[Enforcer]
    C -->|Decision| B
    B -->|Approved Action| D[Target System]
    C -->|Log| E[Audit Trail]
    C <-->|Policies| F[Policy Store]
    C <-->|Approval Workflow| G[Approvers]

Deployment Models

The Enforcer service can be deployed in multiple ways:

Sidecar Model

In this model, the Enforcer runs as a sidecar container alongside your runner:

# Example Kubernetes deployment with Enforcer sidecar
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubiya-runner
spec:
  template:
    spec:
      containers:
      - name: runner
        image: kubiya/runner:latest
        # Runner configuration...
      - name: enforcer
        image: kubiya/enforcer:latest
        # Enforcer configuration...

Standalone Model

In this model, the Enforcer runs as a separate service that multiple runners can connect to:

# Example Kubernetes service for standalone Enforcer
apiVersion: v1
kind: Service
metadata:
  name: kubiya-enforcer
spec:
  selector:
    app: kubiya-enforcer
  ports:
  - port: 8080
    targetPort: 8080

Just-in-Time Permissions

The Enforcer service enables temporary, scoped access through just-in-time (JIT) permissions:

  1. Request: The runner requests temporary credentials or permissions for a specific task
  2. Validation: Enforcer validates the request against policies and current context
  3. Issuance: If approved, temporary credentials are issued with appropriate time limits
  4. Revocation: Credentials are automatically revoked after use or expiration

JIT permissions significantly reduce the security risk by minimizing the duration and scope of elevated access.

Example: AWS Permissions

# Example JIT policy for AWS access
policy:
  name: aws-ec2-management
  description: Temporary access to manage EC2 instances
  permissions:
    - service: aws
      actions:
        - ec2:DescribeInstances
        - ec2:StartInstances
        - ec2:StopInstances
  conditions:
    - maxDuration: 30m
    - requireApproval: true
    - approvers:
        - role: platform-admin

Attribute-Based Access Control

ABAC policies allow for dynamic permission decisions based on:

  • User attributes: Who is requesting through the agent
  • Resource attributes: What they're trying to access
  • Environmental attributes: Time of day, network location, etc.
  • Request context: Purpose of the request, related workflow, etc.

Example ABAC Policy

# Example ABAC policy
policy:
  name: production-deployment
  description: Controls deployments to production environments
  effect: allow
  attributes:
    user:
      role: ["developer", "devops"]
      team: ["platform", "infrastructure"]
    resource:
      environment: ["production"]
      service: ["non-critical"]
    context:
      timeOfDay: "businessHours"
      changeRequest: "approved"

Approval Workflows

For sensitive operations, the Enforcer can require explicit approval:

  1. Agent requests permission for sensitive operation
  2. Enforcer initiates approval workflow based on policy
  3. Approvers are notified and can approve/deny the request
  4. On approval, the temporary access is granted

Configuring Approvers

# Example approver configuration
approvers:
  - name: infrastructure-team
    members:
      - user: alice@company.com
        role: admin
      - user: bob@company.com
        role: reviewer
  - name: security-team
    members:
      - user: security@company.com
        role: admin

Audit Logging

The Enforcer provides comprehensive audit logs for all permission requests and decisions:

  • Who initiated the request (user and agent)
  • What was requested
  • When it was requested
  • Decision outcome (approved/denied)
  • Approvers involved (if any)
  • Actions performed with the access

Integrating these logs with your existing SIEM system provides end-to-end visibility of all agent activities.

Terraform Configuration

You can configure the Enforcer service using Terraform:

resource "kubiya_enforcer" "production" {
  name        = "production-enforcer"
  description = "Enforcer for production environment"
  
  deployment_model = "standalone"
  
  jit_policies = [
    {
      name        = "aws-access"
      description = "Temporary AWS access"
      permissions = jsonencode({
        service = "aws"
        actions = [
          "ec2:Describe*",
          "s3:List*",
          "rds:Describe*"
        ]
      })
      conditions = jsonencode({
        maxDuration     = "1h"
        requireApproval = true
        approvers       = ["infrastructure-team"]
      })
    }
  ]
  
  abac_policies = [
    {
      name        = "production-access"
      description = "Controls access to production resources"
      effect      = "allow"
      attributes  = jsonencode({
        user = {
          role = ["admin", "devops"]
        }
        resource = {
          environment = ["production"]
        }
      })
    }
  ]
}

Best Practices

  1. Start restrictive: Begin with strict policies and loosen as needed
  2. Regular review: Audit and update policies regularly
  3. Layered approach: Combine JIT and ABAC for comprehensive protection
  4. Role separation: Define distinct approver roles separate from users
  5. Minimize duration: Keep temporary access windows as short as practical

Next Steps

Create Your First Runner

Step-by-step guide to creating and deploying a Kubiya runner

Hosted Runners

Understand Kubiya-provided hosted runners for simplified deployment

On this page