SlideShare a Scribd company logo

User authentication and authorizarion in Kubernetes

User authentication and authorizarion in Kubernetes

1 of 22
Download to read offline
K8sOM#15
User Authentication and Authorization in
Kubernetes
Neependra Khare, CloudYuga
About the Speaker - Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Author of Docker Cookbook - 2015
● Author of “Introduction to Kubernetes” course on Edx
● Running Docker Meetup Group in Bangalore, India
for more than 4 years now
Kubernetes Architecture
Controller
Scheduler
API Server
key/value
store
Master Node
Node
Kubelet
kube-proxy
Node
Kubelet
kube-proxy
Node
Kubelet
kube-proxy
CLI/API
Kubernetes API Request
Authenticaion
Can a user to login
to the cluster ?
Authorization
Can a user do
requested action ?
Admission
Control
Is it a valid request ?
K8s
objects
Authentication
Kubernetes Users
● Users are not first class citizen of Kubernetes, like Pods
● In most of the cases, it is offloaded to external services like Active
Directory, LDAP
Kubernetes Users
● Users are not first class citizen like Pods
● In most of the cases, it is offloaded to external services like Active
Directory, LDAP
Normal Users Service Accounts
Normal Users
● Basic Authentication
○ Pass a configutation with content like following to API Server
<password>,<username>,<uid>,"<group1,group2>"
<password>,<username>,<uid>,"<group1,group3>”
● X.509 Client Certificate
○ Create a user’s Public/Private key combination
○ Get it certified by a CA (Kubernetes CA)
● Bearer Tokens (JSON Web Tokens)
○ OpenID Connect
■ On Top of OAuth 2.0
○ Webhooks
Service Account
● Think of it as a user, using which a process inside a Pod can access
API Server.
● A Service Account with default name, gets created as we create a
new namesapce.
● User defined Service Accounts can be created as well, which we can
attach to the pod running in same namespace.
Kubeconfig File
apiVersion: v1
clusters:
- cluster:
certificate-authority: /Users/neependra/.minikube/ca.crt
server: https://192.168.99.100:8443
name: minikube
contexts:
- context:
cluster: minikube
user: minikube
name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: /Users/neependra/.minikube/client.crt
client-key: /Users/neependra/.minikube/client.key
User dev Cluster devContext dev
User qa Cluster qaContext qa
User prod Cluster prodContext prod
Authentication Demo Workflow
nkhare.key
(openssl)
nkhare.csr
(openssl)
nkhare-csr
(k8s object)
nkhare.crt
K8s
CA
Authentication
Demo
Authorization
Kubernetes Authorization
Can a User do Requested Action ?
Kubernetes Authorization
Can a User do Requested Action ?
● Kubernetes Autorization Modules
○ AlwaysAllow
○ AlwaysDeny
○ Node
○ Attribute Based Access Control (ABAC)
○ Role Based Access Control (RBAC)
○ Webhook
Operations on Kubernetes Objects
● create
● get
● delete
● list
● update
● edit
● patch
● watch
● ….
Role Based Access Control (RBAC) - Roles
Role
“Applicable to a given namespace
only.”
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: cloudyuga
name: deployment-manager
rules:
- apiGroups: ["", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update"]
ClusterRole
“Applicable Cluster Wide.”
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update"]
Kubernetes - APIs
/
/healthz /metrics /api /apis …..
/api/v1
/api/v1/pods /api/v1/nodes /api/v1/services ……
/apis/apps
/apis/apps/v1
/apis/apps/v1/Deployment /apis/apps/v1/DaemonSet /apis/apps/v1/StatefulSet …….
/apis/apps/v1beta1
/apis/…..
Role Based Access Control (RBAC) - Role Bindings
RoleBinding
“Applicable to a given namespace
only.”
ClusterRoleBinding
“Applicable Cluster Wide.”
Role
Subjects
- Normal Users
- Service Accounts
- Groups
ClusterRole
Subjects
- Normal Users
- Service Accounts
- Groups
Role Based Access Control (RBAC) - Role Bindings
RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: deployment-manager-binding
namespace: cloudyuga
subjects:
- kind: User
name: nkhare
apiGroup: "rbac.authorization.k8s.io"
roleRef:
kind: Role
name: deployment-manager
apiGroup: "rbac.authorization.k8s.io"
ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-manager-binding
subjects:
- kind: User
name: nkhare
apiGroup: "rbac.authorization.k8s.io"
roleRef:
kind: ClusterRole
name: deployment-manager-cluster
apiGroup: "rbac.authorization.k8s.io"
Authorization
Demo
Thanks
@neependra
https://www.linkedin.com/in/neependra/

Recommended

Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Nodeless scaling with Karpenter
Nodeless scaling with KarpenterNodeless scaling with Karpenter
Nodeless scaling with KarpenterMarko Bevc
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform TrainingYevgeniy Brikman
 
Efficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterEfficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterMarko Bevc
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansibleKhizer Naeem
 

More Related Content

What's hot

Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Janakiram MSV
 
Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesMilan Das
 
Kubernetes #1 intro
Kubernetes #1   introKubernetes #1   intro
Kubernetes #1 introTerry Cho
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
Azure kubernetes service (aks)
Azure kubernetes service (aks)Azure kubernetes service (aks)
Azure kubernetes service (aks)Akash Agrawal
 
Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for BeginnersOktay Esgul
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructuredAmi Mahloof
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationJohn Lynch
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Weaveworks
 
Kubernetes
KubernetesKubernetes
Kuberneteserialc_w
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)
Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)
Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)Amazon Web Services Korea
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsSIGHUP
 
Rancher and Kubernetes Best Practices
Rancher and  Kubernetes Best PracticesRancher and  Kubernetes Best Practices
Rancher and Kubernetes Best PracticesAvinash Patil
 

What's hot (20)

Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets
 
Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
 
Kubernetes #1 intro
Kubernetes #1   introKubernetes #1   intro
Kubernetes #1 intro
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Azure kubernetes service (aks)
Azure kubernetes service (aks)Azure kubernetes service (aks)
Azure kubernetes service (aks)
 
Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructured
 
Ansible
AnsibleAnsible
Ansible
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
 
Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)
Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)
Container, Container, Container -유재석 (AWS 솔루션즈 아키텍트)
 
Quick introduction to Kubernetes
Quick introduction to KubernetesQuick introduction to Kubernetes
Quick introduction to Kubernetes
 
Ansible
AnsibleAnsible
Ansible
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
 
Rancher and Kubernetes Best Practices
Rancher and  Kubernetes Best PracticesRancher and  Kubernetes Best Practices
Rancher and Kubernetes Best Practices
 

Similar to User authentication and authorizarion in Kubernetes

Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Agile India
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanCloudYuga
 
Getting started with kubernetes
Getting started with kubernetesGetting started with kubernetes
Getting started with kubernetesBob Killen
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesDocker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesThomas Barlow
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingPiotr Perzyna
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Edureka!
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetesGigi Sayfan
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Inhye Park
 
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components AutomationsFIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components AutomationsFIWARE
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDStfalcon Meetups
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019Kumton Suttiraksiri
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaRudy De Busscher
 
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise KubernetesMongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise KubernetesMongoDB
 

Similar to User authentication and authorizarion in Kubernetes (20)

Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
 
Getting started with kubernetes
Getting started with kubernetesGetting started with kubernetes
Getting started with kubernetes
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesDocker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
RBAC in Kuberetes
RBAC in KuberetesRBAC in Kuberetes
RBAC in Kuberetes
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307
 
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components AutomationsFIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
Kubernetes basics
Kubernetes basicsKubernetes basics
Kubernetes basics
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
 
Kubernetes-Meetup
Kubernetes-MeetupKubernetes-Meetup
Kubernetes-Meetup
 
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise KubernetesMongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
 

More from Neependra Khare

002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-cepostaNeependra Khare
 
Service Discovery with Consul - Arunvel Arunachalam
Service Discovery with Consul  - Arunvel Arunachalam Service Discovery with Consul  - Arunvel Arunachalam
Service Discovery with Consul - Arunvel Arunachalam Neependra Khare
 
Containarized Gluster Storage in Kubernetes
Containarized Gluster Storage in KubernetesContainarized Gluster Storage in Kubernetes
Containarized Gluster Storage in KubernetesNeependra Khare
 
Securing modern infrastructure
Securing modern infrastructureSecuring modern infrastructure
Securing modern infrastructureNeependra Khare
 
DevOps India Days' 17 Keynote
DevOps India Days' 17 KeynoteDevOps India Days' 17 Keynote
DevOps India Days' 17 KeynoteNeependra Khare
 
Docker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman KumarDocker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman KumarNeependra Khare
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMNeependra Khare
 
Kubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai VallirajanKubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai VallirajanNeependra Khare
 
Performance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fsPerformance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fsNeependra Khare
 

More from Neependra Khare (11)

002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta
 
Service Discovery with Consul - Arunvel Arunachalam
Service Discovery with Consul  - Arunvel Arunachalam Service Discovery with Consul  - Arunvel Arunachalam
Service Discovery with Consul - Arunvel Arunachalam
 
Containarized Gluster Storage in Kubernetes
Containarized Gluster Storage in KubernetesContainarized Gluster Storage in Kubernetes
Containarized Gluster Storage in Kubernetes
 
Securing modern infrastructure
Securing modern infrastructureSecuring modern infrastructure
Securing modern infrastructure
 
DevOps India Days' 17 Keynote
DevOps India Days' 17 KeynoteDevOps India Days' 17 Keynote
DevOps India Days' 17 Keynote
 
CNCF Projects Overview
CNCF Projects OverviewCNCF Projects Overview
CNCF Projects Overview
 
Project Moby
Project MobyProject Moby
Project Moby
 
Docker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman KumarDocker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman Kumar
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBM
 
Kubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai VallirajanKubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai Vallirajan
 
Performance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fsPerformance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fs
 

Recently uploaded

New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024ThousandEyes
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIVijayananda Mohire
 
software-quality-assurance question paper 2023
software-quality-assurance question paper 2023software-quality-assurance question paper 2023
software-quality-assurance question paper 2023RohanMistry15
 
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubHow We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubShapeBlue
 
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...ShapeBlue
 
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...BookNet Canada
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriSafe Software
 
Mastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationMastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationAppsthentic Technology
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerSaiLinnThu2
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...SearchNorwich
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...2toLead Limited
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...ShapeBlue
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfRodneyThomas28
 
AI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientAI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientKari Kakkonen
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueShapeBlue
 
Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...Modality Co
 
Python For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emPython For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emNho Vĩnh
 
Achieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfAchieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfIES VE
 
Communities, networking and developer culture
Communities, networking and developer cultureCommunities, networking and developer culture
Communities, networking and developer cultureRavi Sanghani
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...James Anderson
 

Recently uploaded (20)

New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AI
 
software-quality-assurance question paper 2023
software-quality-assurance question paper 2023software-quality-assurance question paper 2023
software-quality-assurance question paper 2023
 
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubHow We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
 
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
 
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & Esri
 
Mastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationMastering Play Store App Listing and Optimization
Mastering Play Store App Listing and Optimization
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdf
 
AI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientAI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficient
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
 
Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...Why Disability Justice should be at the core of your digital accessibility jo...
Why Disability Justice should be at the core of your digital accessibility jo...
 
Python For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emPython For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ em
 
Achieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfAchieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdf
 
Communities, networking and developer culture
Communities, networking and developer cultureCommunities, networking and developer culture
Communities, networking and developer culture
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
 

User authentication and authorizarion in Kubernetes

  • 1. K8sOM#15 User Authentication and Authorization in Kubernetes Neependra Khare, CloudYuga
  • 2. About the Speaker - Neependra Khare ● Founder and Principal Consultant at CloudYuga ● Author of Docker Cookbook - 2015 ● Author of “Introduction to Kubernetes” course on Edx ● Running Docker Meetup Group in Bangalore, India for more than 4 years now
  • 3. Kubernetes Architecture Controller Scheduler API Server key/value store Master Node Node Kubelet kube-proxy Node Kubelet kube-proxy Node Kubelet kube-proxy CLI/API
  • 4. Kubernetes API Request Authenticaion Can a user to login to the cluster ? Authorization Can a user do requested action ? Admission Control Is it a valid request ? K8s objects
  • 6. Kubernetes Users ● Users are not first class citizen of Kubernetes, like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP
  • 7. Kubernetes Users ● Users are not first class citizen like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP Normal Users Service Accounts
  • 8. Normal Users ● Basic Authentication ○ Pass a configutation with content like following to API Server <password>,<username>,<uid>,"<group1,group2>" <password>,<username>,<uid>,"<group1,group3>” ● X.509 Client Certificate ○ Create a user’s Public/Private key combination ○ Get it certified by a CA (Kubernetes CA) ● Bearer Tokens (JSON Web Tokens) ○ OpenID Connect ■ On Top of OAuth 2.0 ○ Webhooks
  • 9. Service Account ● Think of it as a user, using which a process inside a Pod can access API Server. ● A Service Account with default name, gets created as we create a new namesapce. ● User defined Service Accounts can be created as well, which we can attach to the pod running in same namespace.
  • 10. Kubeconfig File apiVersion: v1 clusters: - cluster: certificate-authority: /Users/neependra/.minikube/ca.crt server: https://192.168.99.100:8443 name: minikube contexts: - context: cluster: minikube user: minikube name: minikube current-context: minikube kind: Config preferences: {} users: - name: minikube user: client-certificate: /Users/neependra/.minikube/client.crt client-key: /Users/neependra/.minikube/client.key User dev Cluster devContext dev User qa Cluster qaContext qa User prod Cluster prodContext prod
  • 14. Kubernetes Authorization Can a User do Requested Action ?
  • 15. Kubernetes Authorization Can a User do Requested Action ? ● Kubernetes Autorization Modules ○ AlwaysAllow ○ AlwaysDeny ○ Node ○ Attribute Based Access Control (ABAC) ○ Role Based Access Control (RBAC) ○ Webhook
  • 16. Operations on Kubernetes Objects ● create ● get ● delete ● list ● update ● edit ● patch ● watch ● ….
  • 17. Role Based Access Control (RBAC) - Roles Role “Applicable to a given namespace only.” kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: cloudyuga name: deployment-manager rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"] ClusterRole “Applicable Cluster Wide.” kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-cluster rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"]
  • 18. Kubernetes - APIs / /healthz /metrics /api /apis ….. /api/v1 /api/v1/pods /api/v1/nodes /api/v1/services …… /apis/apps /apis/apps/v1 /apis/apps/v1/Deployment /apis/apps/v1/DaemonSet /apis/apps/v1/StatefulSet ……. /apis/apps/v1beta1 /apis/…..
  • 19. Role Based Access Control (RBAC) - Role Bindings RoleBinding “Applicable to a given namespace only.” ClusterRoleBinding “Applicable Cluster Wide.” Role Subjects - Normal Users - Service Accounts - Groups ClusterRole Subjects - Normal Users - Service Accounts - Groups
  • 20. Role Based Access Control (RBAC) - Role Bindings RoleBinding kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-binding namespace: cloudyuga subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: Role name: deployment-manager apiGroup: "rbac.authorization.k8s.io" ClusterRoleBinding kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cluster-manager-binding subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: ClusterRole name: deployment-manager-cluster apiGroup: "rbac.authorization.k8s.io"