
User authentication and authorization in Kubernetes


  1. K8sOM#15 - User Authentication and Authorization in Kubernetes. Neependra Khare, CloudYuga
  2. About the Speaker - Neependra Khare
     • Founder and Principal Consultant at CloudYuga
     • Author of Docker Cookbook (2015)
     • Author of the "Introduction to Kubernetes" course on edX
     • Running the Docker Meetup Group in Bangalore, India for more than 4 years now
  3. Kubernetes Architecture (diagram)
     • Master: API Server, Controller, Scheduler, key/value store
     • Nodes: each runs a Kubelet and kube-proxy
     • CLI/API clients talk to the API Server
  4. Kubernetes API Request (diagram of the request path)
     • Authentication: can the user log in to the cluster?
     • Authorization: can the user perform the requested action?
     • Admission Control: is the request valid?
     • Only after all three gates is the request applied to K8s objects
  5. Authentication
  6. Kubernetes Users
     • Users are not first-class citizens of Kubernetes, unlike Pods
     • In most cases, user management is offloaded to external services such as Active Directory or LDAP
  7. Kubernetes Users (continued): two kinds of users
     • Normal Users
     • Service Accounts
  8. Normal Users
     • Basic Authentication
       ◦ Pass a configuration file with content like the following to the API Server:
         <password>,<username>,<uid>,"<group1,group2>"
         <password>,<username>,<uid>,"<group1,group3>"
     • X.509 Client Certificate
       ◦ Create a user's public/private key pair
       ◦ Get it certified by a CA (the Kubernetes CA)
     • Bearer Tokens (JSON Web Tokens)
       ◦ OpenID Connect
         ▪ built on top of OAuth 2.0
       ◦ Webhooks
  9. Service Account
     • Think of it as a user through which a process inside a Pod can access the API Server.
     • A Service Account with the default name gets created whenever a new namespace is created.
     • User-defined Service Accounts can be created as well and attached to Pods running in the same namespace.
  10. Kubeconfig File
      apiVersion: v1
      clusters:
      - cluster:
          certificate-authority: /Users/neependra/.minikube/ca.crt
          server: https://192.168.99.100:8443
        name: minikube
      contexts:
      - context:
          cluster: minikube
          user: minikube
        name: minikube
      current-context: minikube
      kind: Config
      preferences: {}
      users:
      - name: minikube
        user:
          client-certificate: /Users/neependra/.minikube/client.crt
          client-key: /Users/neependra/.minikube/client.key
      (diagram) One kubeconfig can hold several contexts, each pairing a user with a cluster: User dev + Cluster dev -> Context dev; User qa + Cluster qa -> Context qa; User prod + Cluster prod -> Context prod
  11. Authentication Demo Workflow (diagram)
      nkhare.key (openssl) -> nkhare.csr (openssl) -> nkhare-csr (k8s object) -> signed by the K8s CA -> nkhare.crt
  12. Authentication Demo
  13. Authorization
  14. Kubernetes Authorization: can a user perform the requested action?
  15. Kubernetes Authorization: can a user perform the requested action?
      • Kubernetes Authorization Modules
        ◦ AlwaysAllow
        ◦ AlwaysDeny
        ◦ Node
        ◦ Attribute Based Access Control (ABAC)
        ◦ Role Based Access Control (RBAC)
        ◦ Webhook
  16. Operations (verbs) on Kubernetes Objects
      • create
      • get
      • delete
      • list
      • update
      • edit
      • patch
      • watch
      • ...
  17. Role Based Access Control (RBAC) - Roles
      Role: "Applicable to a given namespace only."
      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: cloudyuga
        name: deployment-manager
      rules:
      - apiGroups: ["", "apps"]
        resources: ["deployments", "replicasets", "pods"]
        verbs: ["get", "list", "watch", "create", "update"]
      ClusterRole: "Applicable cluster-wide."
      kind: ClusterRole
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: deployment-manager-cluster
      rules:
      - apiGroups: ["", "apps"]
        resources: ["deployments", "replicasets", "pods"]
        verbs: ["get", "list", "watch", "create", "update"]
  18. Kubernetes - APIs (the URL tree that apiGroups and resources map onto)
      /
      /healthz
      /metrics
      /api
      /apis
      ...
      /api/v1
      /api/v1/pods
      /api/v1/nodes
      /api/v1/services
      ...
      /apis/apps
      /apis/apps/v1
      /apis/apps/v1/Deployment
      /apis/apps/v1/DaemonSet
      /apis/apps/v1/StatefulSet
      ...
      /apis/apps/v1beta1
      /apis/...
  19. Role Based Access Control (RBAC) - Role Bindings (diagram)
      • RoleBinding: "Applicable to a given namespace only." Binds a Role to subjects: Normal Users, Service Accounts, Groups
      • ClusterRoleBinding: "Applicable cluster-wide." Binds a ClusterRole to subjects: Normal Users, Service Accounts, Groups
  20. Role Based Access Control (RBAC) - Role Bindings
      RoleBinding
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: deployment-manager-binding
        namespace: cloudyuga
      subjects:
      - kind: User
        name: nkhare
        apiGroup: "rbac.authorization.k8s.io"
      roleRef:
        kind: Role
        name: deployment-manager
        apiGroup: "rbac.authorization.k8s.io"
      ClusterRoleBinding
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: cluster-manager-binding
      subjects:
      - kind: User
        name: nkhare
        apiGroup: "rbac.authorization.k8s.io"
      roleRef:
        kind: ClusterRole
        name: deployment-manager-cluster
        apiGroup: "rbac.authorization.k8s.io"
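The deck shows the two API-server gates on separate slides: the request path (slide 4), the static password file for basic authentication (slide 8) and the Role, ClusterRole and RoleBinding manifests (slides 17 and 20). The following added example, which is code written for this page and not code from the talk or from Kubernetes itself, models both gates together so the scoping rules can be exercised. The password-file rows, the user alice and the ClusterRoleBinding to the group qa are constructed here; the Role, ClusterRole and RoleBinding are the ones on slides 17 and 20. The RBAC evaluation is deliberately simplified (no role aggregation, resourceNames or nonResourceURLs) to isolate what the slides state: a RoleBinding only grants in its own namespace, a ClusterRoleBinding grants everywhere, and a request that no rule matches is refused.

```python
"""Toy model of the two API-server gates from the deck: authentication
(slide 8's static password file) followed by RBAC authorization (slides
17, 19 and 20). Added example, not code from the talk or from Kubernetes."""
import csv
import hmac
import io
from dataclasses import dataclass

# Constructed sample in the slide-8 static password file format:
# <password>,<username>,<uid>,"<group1,group2>"
STATIC_PASSWORD_FILE = """\
s3cret,nkhare,1001,"developers,cloudyuga"
hunter2,alice,1002,"qa"
"""


@dataclass
class UserInfo:
    """What the authenticator hands to the authorizer: name, uid, groups."""
    name: str
    uid: str
    groups: list


def load_static_password_file(text):
    """Parse the CSV file; the quoted 4th column is a comma-separated group list."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        password, username, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[username] = (password, UserInfo(username, uid, groups))
    return users


def authenticate(users, username, password):
    """Gate 1: returns UserInfo on success, None otherwise (constant-time compare)."""
    entry = users.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


# RBAC objects as plain dicts (no YAML library needed). ROLE, CLUSTER_ROLE and
# ROLE_BINDING follow slides 17 and 20; CLUSTER_ROLE_BINDING is constructed here
# to bind the ClusterRole to the "qa" group rather than the slide's single user.
ROLE = {"kind": "Role",
        "metadata": {"namespace": "cloudyuga", "name": "deployment-manager"},
        "rules": [{"apiGroups": ["", "apps"],
                   "resources": ["deployments", "replicasets", "pods"],
                   "verbs": ["get", "list", "watch", "create", "update"]}]}
CLUSTER_ROLE = {"kind": "ClusterRole",
                "metadata": {"name": "deployment-manager-cluster"},
                "rules": ROLE["rules"]}
ROLE_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "deployment-manager-binding", "namespace": "cloudyuga"},
                "subjects": [{"kind": "User", "name": "nkhare"}],
                "roleRef": {"kind": "Role", "name": "deployment-manager"}}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding",
                        "metadata": {"name": "qa-cluster-binding"},
                        "subjects": [{"kind": "Group", "name": "qa"}],
                        "roleRef": {"kind": "ClusterRole", "name": "deployment-manager-cluster"}}
ROLES = [ROLE, CLUSTER_ROLE]
BINDINGS = [ROLE_BINDING, CLUSTER_ROLE_BINDING]


def subject_matches(subject, user):
    """Subjects can be a user name, a group the user carries, or a service account."""
    if subject["kind"] == "User":
        return subject["name"] == user.name
    if subject["kind"] == "Group":
        return subject["name"] in user.groups
    if subject["kind"] == "ServiceAccount":  # SA tokens authenticate as this user name
        return user.name == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def rule_allows(rule, verb, api_group, resource):
    """A rule matches when apiGroup, resource and verb are each listed (or '*')."""
    return (any(g in ("*", api_group) for g in rule["apiGroups"])
            and any(r in ("*", resource) for r in rule["resources"])
            and any(v in ("*", verb) for v in rule["verbs"]))


def authorize(user, verb, api_group, resource, namespace, roles=ROLES, bindings=BINDINGS):
    """Gate 2: RBAC is deny-by-default; any single matching rule allows the request."""
    by_key = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        ns = binding["metadata"].get("namespace")
        if binding["kind"] == "RoleBinding" and ns != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        ref = binding["roleRef"]
        # a RoleBinding may also reference a ClusterRole; its rules then apply in that namespace only
        role = by_key.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


def handle_request(username, password, verb, api_group, resource, namespace):
    """Run both gates in the API server's order: authentication first, then authorization."""
    user = authenticate(load_static_password_file(STATIC_PASSWORD_FILE), username, password)
    if user is None:
        return "401 Unauthorized"
    if not authorize(user, verb, api_group, resource, namespace):
        return "403 Forbidden"
    return "200 OK"


if __name__ == "__main__":
    print(handle_request("nkhare", "s3cret", "create", "apps", "deployments", "cloudyuga"))
    print(handle_request("nkhare", "s3cret", "create", "apps", "deployments", "prod"))
```

The two results worth noticing are the ones the slides describe in words: nkhare can create Deployments in cloudyuga but not in prod, because the RoleBinding lives in cloudyuga, while a member of the qa group can list Pods in any namespace through the ClusterRoleBinding. Also note the ordering: a bad password never reaches the authorizer (401), whereas a valid user without a matching rule is refused by RBAC (403), which is where a cluster's audit log will show the two cases differently.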
  21. 21. Authorization Demo
  22. 22. Thanks @neependra https://www.linkedin.com/in/neependra/
