SlideShare a Scribd company logo
Introduction to Kubernetes RBAC
Oleg Chunikhin | CTO, Kublr
Tuesday September 15, 2020
Thursday March 18, 2021 (alternative date)
@ Red Cross Square in Downtown DC
DC Meetup Slack Channel
Join our meetup-dc channel on the
Kubernetes Slack
Introductions
Oleg Chunikhin
CTO, Kublr
• 20 years in software architecture &
development
• Working w/ Kubernetes since its release in 2015
• Software architect behind Kublr—an enterprise
ready container management platform
• Twitter @olgch
Enterprise Kubernetes Needs
Developers SRE/Ops/DevOps/SecOps
• Self-service
• Compatible
• Conformant
• Configurable
• Open & Flexible
• Governance
• Org multi-tenancy
• Single pane of glass
• Operations
• Monitoring
• Log collection
• Image management
• Identity management
• Security
• Reliability
• Performance
• Portability
@olgch; @kublr
@olgch; @kublr
Automation
Ingress
Custom
Clusters
Infrastructure
Logging Monitoring
Observability
API
Usage
Reporting
RBAC IAM
Air Gap TLS
Certificate
Rotation
Audit
Storage Networking Container
Registry
CI / CD App Mgmt
Infrastructure
Container Runtime Kubernetes
OPERATIONS SECURITY &
GOVERNANCE
Kubernetes Access Control
• Who can do what with which resource
• Authentication
• Authorization
• RBAC
• Use-cases and gotchas
@olgch; @kublr
Who Can Do What in a Cluster
Three groups
Connected through access control
@olgch; @kublr
Subjects
User
Group
Service account
Resources
Pods
Nodes
ConfigMaps
Secrets
Deployments
…
Operations
list
get
create
update
delete
watch
patch
get
post
put
delete
Kubernetes API Request Attributes
• Authentication
• User – the user string
• Group – the list of group names
• Extra – a map of arbitrary keys
• API – non-resource or API resource flag
• API resource request
• API request verb – lowercased resource verb
• Namespace – the namespace
• API group - The API Group being accessed
• Resource – the resource ID
• Subresource – the sub-resource
• Non-resource request
• HTTP request verb – lowercased HTTP method
• Request path – non-resource request path.
Verbs
• Common API resource request :
get, list, watch,
create, update, patch,
delete, deletecollection
• Special API resource request:
use (PodSecurityPolicy),
bind, escalate (Role, ClusterRole),
impersonate (User, Group, SA),
userextras
• HTTP request verbs:
get, head, post, put,
patch, delete
@olgch; @kublr
Kubernetes API Client, Tools
• Any HTTP client
• curl – good for experiments
• kubectl – Kubernetes CLI
• jq – honorable mention – JSON visualization and processing
@olgch; @kublr
Client Kubernetes API
HTTP Request
Kubernetes API Client, Example
• curl
• kubectl
@olgch; @kublr
curl -k -v -XGET -H 'Authorization: Bearer ***' 
'https://52.44.121.181:443/api/v1/nodes?limit=50' | jq .
kubectl --kubeconfig=kc.yaml get nodes
export KUBECONFIG="$(pwd)/config.yaml"
kubectl get nodes
kubectl get nodes –-v=9
apiVersion: v1
kind: Config
clusters:
- name: demo-rbac
cluster:
certificate-authority-data: ***
server: https://52.44.121.181:443
users:
- name: demo-rbac-admin-token
user:
token: ***
contexts:
- name: demo-rbac
context:
cluster: demo-rbac
user: demo-rbac-admin-token
current-context: demo-rbac
Authentication: Mechanisms
Mechanism Secret Source Usage
X509 Client Certs CSR generated externally and
signed with the cluster CA key
Enterprise CA / PKI
Via Kubernetes API
CertificateSigningRequest
Kubernetes cluster admin
Bearer token Bootstrap token Internal use
Node authentication token Internal use
Static token file Insecure
ServiceAccount token Pods, containers, applications, users
OIDC token Users
HTTP Basic auth Static password file Insecure
Auth proxy N/A (trust proxy) Integration
Impersonate N/A (trust account) Integration and administration
Authentication: X509 Client Cert, PKI
Client Kubernetes API
3. HTTPS/TLS handshake with client cert
4. Request
Admin
1. client.csr 2. client.crt
client.key k8s-api-server-client-ca.key
k8s-api-server-client-ca.crt
--client-ca-file=k8s-api-server-client-ca.key
k8s-api-server-client-ca.key
Admin (issuer) must has access to
the server CA private key
@olgch; @kublr
Authentication: X509 Client Cert, PKI Example
• User: generate user private key (if not exist)
• User: generate user CSR
• Admin: sign user client cert
• User: use with kubectl via options or kubeconfig
openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1/O=group2"
openssl x509 -req -in user1.csr -CA cluster-ca.crt -CAkey cluster-ca.key 
-set_serial 101 -extensions client -days 365 -outform PEM -out user1.crt
kubectl --client-key=user1.key --client-certificate=user1.crt get nodes
kubectl config set-credentials user1 --client-key user1.key --client-certificate user1.crt --embed-certs
kubectl config set-context user1 --cluster demo-rbac --user user1
kubectl --context=user1 get nodes
kubectl config use-context user1
kubectl config get-contexts
kubectl get nodes
@olgch; @kublr
Authentication: X509 Client Cert, K8S CSR
Client Kubernetes API
7. HTTPS/TLS handshake with client cert
8. Request
Admin
1. client.csr 6. client.crt
client.key k8s-api-server-client-ca.key
k8s-api-server-client-ca.crt
--client-ca-file=k8s-api-server-client-ca.key
3. kubectl create csr ...
4. kubectl certificate approve csr ...
5. kubectl get csr ...
@olgch; @kublr
Authentication: X509 Client Cert, K8S CSR
• User: generate user CSR
• Admin: use Kubernetes API server to sign the CSR
• User: use with kubectl via options or kubeconfig
openssl req -new -key user2.key -out user2.csr -subj "/CN=user2/O=group1/O=group2"
kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: user2
spec:
request: $(cat user2.csr | base64 | tr -d 'n')
usages: ['digital signature', 'key encipherment',
'client auth']
EOF
kubectl certificate approve user2
kubectl certificate deny user2
kubectl get csr user2 –o jsonpath='{.status.certificate}' | 
base64 --decode > user2.crt
kubectl --client-key=user2.key --client-certificate=user2.crt get nodes
kubectl config set-credentials user2 --client-key user2.key --client-certificate user2.crt --embed-certs
kubectl config set-context user2 --cluster demo-rbac --user user2
@olgch; @kublr
Authentication: Service Account
Client Kubernetes API
1. create service account
2. get service account token
3. Request (token in Authorization header)
@olgch; @kublr
Authentication: Service Account, Example
• Create service account
• Get service account token
• Send request
kubectl create serviceaccount sa1
kubectl "--token=${SA_TOKEN}" get nodes
kubectl config set-credentials sa1 "--token=${SA_TOKEN}"
kubectl config set-context sa1 --cluster demo-rbac --user sa1
kubectl get –o yaml sa sa1
SA_SECRET="$(kubectl get sa sa1 -o jsonpath='{.secrets[0].name}')"
kubectl get -o yaml secret "${SA_SECRET}"
SA_TOKEN="$(kubectl get secret "${SA_SECRET}" -o jsonpath='{.data.token}' | base64 -d)"
@olgch; @kublr
Authentication: OIDC
Client Kubernetes API
3. Request with the token
1. auth / refresh token
2. Tokens
--oidc-client-id=kubernetes
--oidc-groups-claim=user_groups
--oidc-issuer-url=https://idp.example.com
--oidc-username-claim=preferred_username
OIDC IdP
4. Verify token
@olgch; @kublr
Authentication: OIDC, Demo
Kublr uses Keycloak by default
• Multiple “realms”
• OIDC, SAML, LDAP, AD, Kerberos support
• User federation and Identity Broker support
Demo
• “demo-app” realm
• “kubernetes” OIDC client
• “demo-rbac” Kublr cluster with OIDC auth configured for the client
spec:
master:
kublrAgentConfig:
kublr:
kube_api_server_flag:
oidc_client_id: '--oidc-client-id=kubernetes'
oidc_groups_claim: '--oidc-groups-claim=user_groups'
oidc_issuer_url: '--oidc-issuer-url=https://***'
oidc_username_claim: '--oidc-username-claim=preferred_username'
@olgch; @kublr
Authentication: OIDC, Example
Login (visualization)
Login (CLI)
curl 
-d "grant_type=password" 
-d "scope=openid" 
-d "client_id=kubernetes" 
-d "client_secret=${CLIENT_SECRET}" 
-d "username=da-admin" 
-d "password=${USER_PASSWORD}" 
https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq .
eval "$(curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" 
-d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" 
https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | 
jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; 
echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; 
echo "REFRESH_TOKEN=${REFRESH_TOKEN}" ; echo
@olgch; @kublr
Authentication: OIDC, Example
Refresh (visualization)
Refresh (CLI)
curl 
-d "grant_type=refresh_token" 
-d "client_id=kubernetes" 
-d "client_secret=${CLIENT_SECRET}" 
-d "refresh_token=${REFRESH_TOKEN}" 
https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r .
eval "$(curl -d "grant_type=refresh_token" -d "client_id=kubernetes" 
-d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" 
https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | 
jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; 
echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; 
echo "REFRESH_TOKEN=${REFRESH_TOKEN}"
@olgch; @kublr
Authentication: OIDC, Example
Token introspection
kubectl configuration
curl 
--user "kubernetes:${CLIENT_SECRET}" 
-d "token=${TOKEN}" 
https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token/introspect | jq .
kubectl config set-credentials da-admin 
"--auth-provider=oidc" 
"--auth-provider-arg=idp-issuer-url=https://kcp.kublr-demo.com/auth/realms/demo-app" 
"--auth-provider-arg=client-id=kubernetes" 
"--auth-provider-arg=client-secret=${CLIENT_SECRET}" 
"--auth-provider-arg=refresh-token=${REFRESH_TOKEN}" 
"--auth-provider-arg=id-token=${ID_TOKEN}"
kubectl config set-context da-admin --cluster=demo-rbac --user=da-admin
kubectl --context=da-admin get nodes
@olgch; @kublr
Authentication: Authenticating Proxy
Client Kubernetes API
2. Request “X-Remote-*” headers
X-Remote-User: user1
X-Remote-Groups: group1
X-Remote-Extra-Key1: value11. Request
--requestheader-username-headers=X-Remote-User
--requestheader-group-headers=X-Remote-Group
--requestheader-extra-headers-prefix=X-Remote-Extra-
Auth Proxy
@olgch; @kublr
Authentication: Impersonation
Client Kubernetes API
1. Request with “Impersonate-*” headers
Impersonate-User: jane.doe@example.com
Impersonate-Group: developers
Impersonate-Group: admins
Impersonate-Extra-dn: cn=jane,ou=engineers
Impersonate-Extra-scopes: view
kubectl get nodes 
--as "system:serviceaccount:default:sa1" 
--as-group g1 
--as-group g2
@olgch; @kublr
Authorization: Mechanisms
Mechanism Decision source Usage
Node API Server built-in Internal use (kubelets)
ABAC Static file Insecure, deprecated
RBAC API Objects Users and administrators
WebHook External services Integration
AlwaysDeny
AlwaysAllow
API Server built-in Testing
@olgch; @kublr
Authorization, tools
• kubectl auth can-i ...
• kubectl whoami
• kubectl --v=8 ...
@olgch; @kublr
Authorization: WebHook
Client Kubernetes API
1. Request
--authorization-webhook-config-file=auth-cfg.yaml
Authorization
Service
2. Verify
Config file in kubeconfig format
@olgch; @kublr
Authorization: RBAC
Three groups
Connected through RBAC
@olgch; @kublr
Subjects
User
Group
Service Account
Resources
Pods
Nodes
ConfigMaps
Secrets
Deployments
…
Operations
list
get
create
update
delete
watch
patch
get
post
put
delete
Roles and ClusterRoles
• Roles and ClusterRoles define a set of
allowed actions on resources
• Role is namespaced
• Cannot include non-namespaces
resources or non-resource URLs
@olgch; @kublr
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: role1
rules:
- apiGroups: ['*']
resources: ['nodes', 'pods', 'pods/log']
verbs: ['get', 'list']
- apiGroups: ['*']
resources: ['configmaps']
resourceNames: ['my-configmap']
verbs: ['get', 'list']
ClusterRoles
• ClusterRole is not namespaced
• non-namespaced resources access
• non-resource URLs access
@olgch; @kublr
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
namespace: default
name: clusterRole1
rules:
- apiGroups: ['*']
resources: ['nodes', ‘pods']
verbs: ['get', 'list']
- nonResourceURLs: ['/api', '/healthz*']
verbs: ['get', 'head']
Aggregated ClusterRoles
Aggregated ClusterRole combines rules from other cluster roles
@olgch; @kublr
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregatedClusterRole1
aggregationRule:
clusterRoleSelectors:
- matchLabels:
label1: value1
# The control plane automatically fills in the rules
rules: []
Aggregated
ClusterRole
clusterRole1
aggregationRule:
clusterRoleSelectors:
- matchLabels:
label1: value1
metadata:
labels:
label1: value1
clusterRole1
metadata:
labels:
label1: value1
label2: value2
clusterRole1
metadata:
labels:
label2: value2
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: roleBinding1
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role1
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user1
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group1
- kind: ServiceAccount
name: sa1
namespace: default
RoleBinding
@olgch; @kublr
user1 user2
group
RoleBinding
namespace
resources only
ClusterRole
Role
namespace
ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: roleBinding1
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: clusterRole1
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user1
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group1
- kind: ServiceAccount
name: sa1
namespace: default
ClusterRoleBinding
@olgch; @kublr
user1 user2
group
ClusterRole
Role
namespace
ServiceAccount
ClusterRoleBinding
Built-in ClusterRoles
Role Access Can do
cluster-admin Full access to all cluster resources Anything in the cluster
admin Full access to all namespace resources Anything in a namespace
edit Full access to all namespace resources
except Role, RoleBinding,
LocalSubjectAccessReviews
Anything in a namespace except granting and
checking access
view RO access to all namespace resources
except sensitive ones
View and list non-sensitive objects in a
namespace
@olgch; @kublr
Use-cases
• Start with build-in roles
•Cluster admin
•Namespace admin
•Namespace developer
•Namespace read-only user
• Define new roles as needed
• Beware of “gotchas”
@olgch; @kublr
“Gotchas”
• Privilege escalation via pod creation
• Non-namespaced objects
• CRD, PriorityClass, PodSecurityPolicy
• Often needed for development, especially in advanced DevOps / SRE culture
• As a result, developers need self-service dev cluster management capabilities
• Role and role binding conventions
• Name
• Role bindings – one per subject, one per role, or mixed
@olgch; @kublr
Next steps
• PodSecurityPolicy
• NetworkPolicy
• Limits and Quotas
• Admission Controllers
• Dynamic admission control
• Dynamic policies, OPA
@olgch; @kublr
Kubernetes API Groups and Objects
API Group API Obects
rbac.authorization.k8s.io/v1 ClusterRole
Role
ClusterRoleBinding
RoleBinding
authentication.k8s.io/v1 TokenReview
admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
ValidatingWebhookConfiguration
authorization.k8s.io/v1 LocalSubjectAccessReview
SelfSubjectAccessReview
SelfSubjectRulesReview
SubjectAccessReview
certificates.k8s.io/v1beta1 CertificateSigningRequest
policy/v1beta1 PodSecurityPolicy
@olgch; @kublr
References
https://github.com/rajatjindal/kubectl-whoami
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/
@olgch; @kublr
Q&A
@olgch; @kublr
Oleg Chunikhin
CTO
oleg@kublr.com
@olgch
Kublr | kublr.com
@kublr
Signup for our newsletter
at kublr.com
@olgch; @kublr

More Related Content

What's hot

Kubernetes Deployment Strategies
Kubernetes Deployment StrategiesKubernetes Deployment Strategies
Kubernetes Deployment StrategiesAbdennour TM
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)Weaveworks
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesNeependra Khare
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Edureka!
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Service Discovery In Kubernetes
Service Discovery In KubernetesService Discovery In Kubernetes
Service Discovery In KubernetesKnoldus Inc.
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operatorsJ On The Beach
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes VMware Tanzu
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingPiotr Perzyna
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesQAware GmbH
 
Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)DongHyeon Kim
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
 
Rancher and Kubernetes Best Practices
Rancher and  Kubernetes Best PracticesRancher and  Kubernetes Best Practices
Rancher and Kubernetes Best PracticesAvinash Patil
 

What's hot (20)

Argocd up and running
Argocd up and runningArgocd up and running
Argocd up and running
 
Kubernetes Deployment Strategies
Kubernetes Deployment StrategiesKubernetes Deployment Strategies
Kubernetes Deployment Strategies
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)
 
01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in Kubernetes
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Service Discovery In Kubernetes
Service Discovery In KubernetesService Discovery In Kubernetes
Service Discovery In Kubernetes
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operators
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
 
Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
 
Rancher and Kubernetes Best Practices
Rancher and  Kubernetes Best PracticesRancher and  Kubernetes Best Practices
Rancher and Kubernetes Best Practices
 

Similar to Introduction to Kubernetes RBAC

Kubernetes Ingress 101
Kubernetes Ingress 101Kubernetes Ingress 101
Kubernetes Ingress 101Kublr
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...Xiaohui Chen
 
Container orchestration k8s azure kubernetes services
Container orchestration  k8s azure kubernetes servicesContainer orchestration  k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesRajesh Kolla
 
All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...Jimmy Lu
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516   10 things about oracle and k8s.pptx-finalPro2516   10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalMichel Schildmeijer
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarAmrit Sarkar
 
Event driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDAEvent driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDANilesh Gule
 
Event driven autoscaling with KEDA
Event driven autoscaling with KEDAEvent driven autoscaling with KEDA
Event driven autoscaling with KEDANilesh Gule
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanCloudYuga
 
Scaling .net containers with event driven workloads
Scaling .net containers with event driven workloadsScaling .net containers with event driven workloads
Scaling .net containers with event driven workloadsNilesh Gule
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
From Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneyFrom Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneySK Telecom
 
Kubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with SubmarinerKubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with SubmarinerKublr
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv   building highly available services using kubernetes (preso)Openstack days sv   building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Allan Naim
 
Continuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CIContinuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CIalexanderkiel
 

Similar to Introduction to Kubernetes RBAC (20)

Kubernetes Ingress 101
Kubernetes Ingress 101Kubernetes Ingress 101
Kubernetes Ingress 101
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
 
CKA_1st.pptx
CKA_1st.pptxCKA_1st.pptx
CKA_1st.pptx
 
Container orchestration k8s azure kubernetes services
Container orchestration  k8s azure kubernetes servicesContainer orchestration  k8s azure kubernetes services
Container orchestration k8s azure kubernetes services
 
All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516   10 things about oracle and k8s.pptx-finalPro2516   10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation Slides
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
 
Event driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDAEvent driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDA
 
Event driven autoscaling with KEDA
Event driven autoscaling with KEDAEvent driven autoscaling with KEDA
Event driven autoscaling with KEDA
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
 
Scaling .net containers with event driven workloads
Scaling .net containers with event driven workloadsScaling .net containers with event driven workloads
Scaling .net containers with event driven workloads
 
K8s Webhook Admission
K8s Webhook AdmissionK8s Webhook Admission
K8s Webhook Admission
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
From Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneyFrom Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in Sydney
 
Kubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with SubmarinerKubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with Submariner
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv   building highly available services using kubernetes (preso)Openstack days sv   building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
 
Continuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CIContinuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CI
 

More from Kublr

Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2Kublr
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and ToolingKublr
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesKublr
 
Hybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stackHybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stackKublr
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroKublr
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Kublr
 
Kubernetes persistence 101
Kubernetes persistence 101Kubernetes persistence 101
Kubernetes persistence 101Kublr
 
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and JenkinsPortable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and JenkinsKublr
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Kublr
 
Advanced Scheduling in Kubernetes
Advanced Scheduling in KubernetesAdvanced Scheduling in Kubernetes
Advanced Scheduling in KubernetesKublr
 
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepSetting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepKublr
 
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)Kublr
 
How to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive EnvironmentsHow to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive EnvironmentsKublr
 
Building Portable Applications with Kubernetes
Building Portable Applications with KubernetesBuilding Portable Applications with Kubernetes
Building Portable Applications with KubernetesKublr
 
How Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact ReliabilityHow Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact ReliabilityKublr
 
Kubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure AbstractionKubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure AbstractionKublr
 
Centralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive EnvironmentsCentralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive EnvironmentsKublr
 
Kubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive EnvironmentsKubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive EnvironmentsKublr
 
The Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes ClusterThe Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes ClusterKublr
 
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and PrometheusCanary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and PrometheusKublr
 

More from Kublr (20)

Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and Tooling
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on Kubernetes
 
Hybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stackHybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stack
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with Velero
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
 
Kubernetes persistence 101
Kubernetes persistence 101Kubernetes persistence 101
Kubernetes persistence 101
 
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and JenkinsPortable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Advanced Scheduling in Kubernetes
Advanced Scheduling in KubernetesAdvanced Scheduling in Kubernetes
Advanced Scheduling in Kubernetes
 
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepSetting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
 
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
 
How to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive EnvironmentsHow to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive Environments
 
Building Portable Applications with Kubernetes
Building Portable Applications with KubernetesBuilding Portable Applications with Kubernetes
Building Portable Applications with Kubernetes
 
How Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact ReliabilityHow Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact Reliability
 
Kubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure AbstractionKubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure Abstraction
 
Centralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive EnvironmentsCentralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive Environments
 
Kubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive EnvironmentsKubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive Environments
 
The Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes ClusterThe Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes Cluster
 
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and PrometheusCanary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
 

Recently uploaded

Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfOrtus Solutions, Corp
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownloadvrstrong314
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Soroosh Khodami
 
Benefits of Employee Monitoring Software
Benefits of  Employee Monitoring SoftwareBenefits of  Employee Monitoring Software
Benefits of Employee Monitoring SoftwareMera Monitor
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesNeo4j
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdfkalichargn70th171
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Krakówbim.edu.pl
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfDeskTrack
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzisteffenkarlsson2
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfVictor Lopez
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationHelp Desk Migration
 

Recently uploaded (20)

Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
Benefits of Employee Monitoring Software
Benefits of  Employee Monitoring SoftwareBenefits of  Employee Monitoring Software
Benefits of Employee Monitoring Software
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration
 

Introduction to Kubernetes RBAC

  • 1. Introduction to Kubernetes RBAC Oleg Chunikhin | CTO, Kublr
  • 2. Tuesday September 15, 2020 Thursday March 18, 2021 (alternative date) @ Red Cross Square in Downtown DC
  • 3. DC Meetup Slack Channel Join our meetup-dc channel on the Kubernetes Slack
  • 4. Introductions Oleg Chunikhin CTO, Kublr • 20 years in software architecture & development • Working w/ Kubernetes since its release in 2015 • Software architect behind Kublr—an enterprise ready container management platform • Twitter @olgch
  • 5. Enterprise Kubernetes Needs Developers SRE/Ops/DevOps/SecOps • Self-service • Compatible • Conformant • Configurable • Open & Flexible • Governance • Org multi-tenancy • Single pane of glass • Operations • Monitoring • Log collection • Image management • Identity management • Security • Reliability • Performance • Portability @olgch; @kublr
  • 6. @olgch; @kublr Automation Ingress Custom Clusters Infrastructure Logging Monitoring Observability API Usage Reporting RBAC IAM Air Gap TLS Certificate Rotation Audit Storage Networking Container Registry CI / CD App Mgmt Infrastructure Container Runtime Kubernetes OPERATIONS SECURITY & GOVERNANCE
  • 7. Kubernetes Access Control • Who can do what with which resource • Authentication • Authorization • RBAC • Use-cases and gotchas @olgch; @kublr
  • 8. Who Can Do What in a Cluster Three groups Connected through access control @olgch; @kublr Subjects User Group Service account Resources Pods Nodes ConfigMaps Secrets Deployments … Operations list get create update delete watch patch get post put delete
  • 9. Kubernetes API Request Attributes • Authentication • User – the user string • Group – the list of group names • Extra – a map of arbitrary keys • API – non-resource or API resource flag • API resource request • API request verb – lowercased resource verb • Namespace – the namespace • API group - The API Group being accessed • Resource – the resource ID • Subresource – the sub-resource • Non-resource request • HTTP request verb – lowercased HTTP method • Request path – non-resource request path. Verbs • Common API resource request : get, list, watch, create, update, patch, delete, deletecollection • Special API resource request: use (PodSecurityPolicy), bind, escalate (Role, ClusterRole), impersonate (User, Group, SA), userextras • HTTP request verbs: get, head, post, put, patch, delete @olgch; @kublr
  • 10. Kubernetes API Client, Tools • Any HTTP client • curl – good for experiments • kubectl – Kubernetes CLI • jq – honorable mention – JSON visualization and processing @olgch; @kublr Client Kubernetes API HTTP Request
  • 11. Kubernetes API Client, Example • curl • kubectl @olgch; @kublr curl -k -v -XGET -H 'Authorization: Bearer ***' 'https://52.44.121.181:443/api/v1/nodes?limit=50' | jq . kubectl --kubeconfig=kc.yaml get nodes export KUBECONFIG="$(pwd)/config.yaml" kubectl get nodes kubectl get nodes –-v=9 apiVersion: v1 kind: Config clusters: - name: demo-rbac cluster: certificate-authority-data: *** server: https://52.44.121.181:443 users: - name: demo-rbac-admin-token user: token: *** contexts: - name: demo-rbac context: cluster: demo-rbac user: demo-rbac-admin-token current-context: demo-rbac
  • 12. Authentication: Mechanisms Mechanism Secret Source Usage X509 Client Certs CSR generated externally and signed with the cluster CA key Enterprise CA / PKI Via Kubernetes API CertificateSigningRequest Kubernetes cluster admin Bearer token Bootstrap token Internal use Node authentication token Internal use Static token file Insecure ServiceAccount token Pods, containers, applications, users OIDC token Users HTTP Basic auth Static password file Insecure Auth proxy N/A (trust proxy) Integration Impersonate N/A (trust account) Integration and administration
  • 13. Authentication: X509 Client Cert, PKI Client Kubernetes API 3. HTTPS/TLS handshake with client cert 4. Request Admin 1. client.csr 2. client.crt client.key k8s-api-server-client-ca.key k8s-api-server-client-ca.crt --client-ca-file=k8s-api-server-client-ca.key k8s-api-server-client-ca.key Admin (issuer) must has access to the server CA private key @olgch; @kublr
  • 14. Authentication: X509 Client Cert, PKI Example • User: generate user private key (if not exist) • User: generate user CSR • Admin: sign user client cert • User: use with kubectl via options or kubeconfig openssl genrsa -out user1.key 2048 openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1/O=group2" openssl x509 -req -in user1.csr -CA cluster-ca.crt -CAkey cluster-ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out user1.crt kubectl --client-key=user1.key --client-certificate=user1.crt get nodes kubectl config set-credentials user1 --client-key user1.key --client-certificate user1.crt --embed-certs kubectl config set-context user1 --cluster demo-rbac --user user1 kubectl --context=user1 get nodes kubectl config use-context user1 kubectl config get-contexts kubectl get nodes @olgch; @kublr
  • 15. Authentication: X509 Client Cert, K8S CSR Client Kubernetes API 7. HTTPS/TLS handshake with client cert 8. Request Admin 1. client.csr 6. client.crt client.key k8s-api-server-client-ca.key k8s-api-server-client-ca.crt --client-ca-file=k8s-api-server-client-ca.key 3. kubectl create csr ... 4. kubectl certificate approve csr ... 5. kubectl get csr ... @olgch; @kublr
  • 16. Authentication: X509 Client Cert, K8S CSR • User: generate user CSR • Admin: use Kubernetes API server to sign the CSR • User: use with kubectl via options or kubeconfig openssl req -new -key user2.key -out user2.csr -subj "/CN=user2/O=group1/O=group2" kubectl apply -f - <<EOF apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: user2 spec: request: $(cat user2.csr | base64 | tr -d 'n') usages: ['digital signature', 'key encipherment', 'client auth'] EOF kubectl certificate approve user2 kubectl certificate deny user2 kubectl get csr user2 –o jsonpath='{.status.certificate}' | base64 --decode > user2.crt kubectl --client-key=user2.key --client-certificate=user2.crt get nodes kubectl config set-credentials user2 --client-key user2.key --client-certificate user2.crt --embed-certs kubectl config set-context user2 --cluster demo-rbac --user user2 @olgch; @kublr
  • 17. Authentication: Service Account Client Kubernetes API 1. create service account 2. get service account token 3. Request (token in Authorization header) @olgch; @kublr
  • 18. Authentication: Service Account, Example • Create service account • Get service account token • Send request kubectl create serviceaccount sa1 kubectl "--token=${SA_TOKEN}" get nodes kubectl config set-credentials sa1 "--token=${SA_TOKEN}" kubectl config set-context sa1 --cluster demo-rbac --user sa1 kubectl get –o yaml sa sa1 SA_SECRET="$(kubectl get sa sa1 -o jsonpath='{.secrets[0].name}')" kubectl get -o yaml secret "${SA_SECRET}" SA_TOKEN="$(kubectl get secret "${SA_SECRET}" -o jsonpath='{.data.token}' | base64 -d)" @olgch; @kublr
  • 19. Authentication: OIDC Client Kubernetes API 3. Request with the token 1. auth / refresh token 2. Tokens --oidc-client-id=kubernetes --oidc-groups-claim=user_groups --oidc-issuer-url=https://idp.example.com --oidc-username-claim=preferred_username OIDC IdP 4. Verify token @olgch; @kublr
  • 20. Authentication: OIDC, Demo Kublr uses Keycloak by default • Multiple “realms” • OIDC, SAML, LDAP, AD, Kerberos support • User federation and Identity Broker support Demo • “demo-app” realm • “kubernetes” OIDC client • “demo-rbac” Kublr cluster with OIDC auth configured for the client spec: master: kublrAgentConfig: kublr: kube_api_server_flag: oidc_client_id: '--oidc-client-id=kubernetes' oidc_groups_claim: '--oidc-groups-claim=user_groups' oidc_issuer_url: '--oidc-issuer-url=https://***' oidc_username_claim: '--oidc-username-claim=preferred_username' @olgch; @kublr
  • 21. Authentication: OIDC, Example Login (visualization) Login (CLI) curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq . eval "$(curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; echo "REFRESH_TOKEN=${REFRESH_TOKEN}" ; echo @olgch; @kublr
  • 22. Authentication: OIDC, Example Refresh (visualization) Refresh (CLI) curl -d "grant_type=refresh_token" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r . eval "$(curl -d "grant_type=refresh_token" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; echo "REFRESH_TOKEN=${REFRESH_TOKEN}" @olgch; @kublr
  • 23. Authentication: OIDC, Example Token introspection kubectl configuration curl --user "kubernetes:${CLIENT_SECRET}" -d "token=${TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token/introspect | jq . kubectl config set-credentials da-admin "--auth-provider=oidc" "--auth-provider-arg=idp-issuer-url=https://kcp.kublr-demo.com/auth/realms/demo-app" "--auth-provider-arg=client-id=kubernetes" "--auth-provider-arg=client-secret=${CLIENT_SECRET}" "--auth-provider-arg=refresh-token=${REFRESH_TOKEN}" "--auth-provider-arg=id-token=${ID_TOKEN}" kubectl config set-context da-admin --cluster=demo-rbac --user=da-admin kubectl --context=da-admin get nodes @olgch; @kublr
  • 24. Authentication: Authenticating Proxy Client Kubernetes API 2. Request “X-Remote-*” headers X-Remote-User: user1 X-Remote-Groups: group1 X-Remote-Extra-Key1: value11. Request --requestheader-username-headers=X-Remote-User --requestheader-group-headers=X-Remote-Group --requestheader-extra-headers-prefix=X-Remote-Extra- Auth Proxy @olgch; @kublr
  • 25. Authentication: Impersonation Client Kubernetes API 1. Request with “Impersonate-*” headers Impersonate-User: jane.doe@example.com Impersonate-Group: developers Impersonate-Group: admins Impersonate-Extra-dn: cn=jane,ou=engineers Impersonate-Extra-scopes: view kubectl get nodes --as "system:serviceaccount:default:sa1" --as-group g1 --as-group g2 @olgch; @kublr
  • 26. Authorization: Mechanisms Mechanism Decision source Usage Node API Server built-in Internal use (kubelets) ABAC Static file Insecure, deprecated RBAC API Objects Users and administrators WebHook External services Integration AlwaysDeny AlwaysAllow API Server built-in Testing @olgch; @kublr
  • 27. Authorization, tools • kubectl auth can-i ... • kubectl whoami • kubectl --v=8 ... @olgch; @kublr
  • 28. Authorization: WebHook Client Kubernetes API 1. Request --authorization-webhook-config-file=auth-cfg.yaml Authorization Service 2. Verify Config file in kubeconfig format @olgch; @kublr
  • 29. Authorization: RBAC Three groups Connected through RBAC @olgch; @kublr Subjects User Group Service Account Resources Pods Nodes ConfigMaps Secrets Deployments … Operations list get create update delete watch patch get post put delete
  • 30. Roles and ClusterRoles • Roles and ClusterRoles define a set of allowed actions on resources • Role is namespaced • Cannot include non-namespaces resources or non-resource URLs @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: role1 rules: - apiGroups: ['*'] resources: ['nodes', 'pods', 'pods/log'] verbs: ['get', 'list'] - apiGroups: ['*'] resources: ['configmaps'] resourceNames: ['my-configmap'] verbs: ['get', 'list']
  • 31. ClusterRoles • ClusterRole is not namespaced • non-namespaced resources access • non-resource URLs access @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: default name: clusterRole1 rules: - apiGroups: ['*'] resources: ['nodes', ‘pods'] verbs: ['get', 'list'] - nonResourceURLs: ['/api', '/healthz*'] verbs: ['get', 'head']
  • 32. Aggregated ClusterRoles Aggregated ClusterRole combines rules from other cluster roles @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregatedClusterRole1 aggregationRule: clusterRoleSelectors: - matchLabels: label1: value1 # The control plane automatically fills in the rules rules: [] Aggregated ClusterRole clusterRole1 aggregationRule: clusterRoleSelectors: - matchLabels: label1: value1 metadata: labels: label1: value1 clusterRole1 metadata: labels: label1: value1 label2: value2 clusterRole1 metadata: labels: label2: value2
  • 33. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: roleBinding1 namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: role1 subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1 - apiGroup: rbac.authorization.k8s.io kind: Group name: group1 - kind: ServiceAccount name: sa1 namespace: default RoleBinding @olgch; @kublr user1 user2 group RoleBinding namespace resources only ClusterRole Role namespace ServiceAccount
  • 34. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: roleBinding1 namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: clusterRole1 subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1 - apiGroup: rbac.authorization.k8s.io kind: Group name: group1 - kind: ServiceAccount name: sa1 namespace: default ClusterRoleBinding @olgch; @kublr user1 user2 group ClusterRole Role namespace ServiceAccount ClusterRoleBinding
  • 35. Built-in ClusterRoles Role Access Can do cluster-admin Full access to all cluster resources Anything in the cluster admin Full access to all namespace resources Anything in a namespace edit Full access to all namespace resources except Role, RoleBinding, LocalSubjectAccessReviews Anything in a namespace except granting and checking access view RO access to all namespace resources except sensitive ones View and list non-sensitive objects in a namespace @olgch; @kublr
  • 36. Use-cases • Start with build-in roles •Cluster admin •Namespace admin •Namespace developer •Namespace read-only user • Define new roles as needed • Beware of “gotchas” @olgch; @kublr
  • 37. “Gotchas” • Privilege escalation via pod creation • Non-namespaced objects • CRD, PriorityClass, PodSecurityPolicy • Often needed for development, especially in advanced DevOps / SRE culture • As a result, developers need self-service dev cluster management capabilities • Role and role binding conventions • Name • Role bindings – one per subject, one per role, or mixed @olgch; @kublr
  • 38. Next steps • PodSecurityPolicy • NetworkPolicy • Limits and Quotas • Admission Controllers • Dynamic admission control • Dynamic policies, OPA @olgch; @kublr
  • 39. Kubernetes API Groups and Objects API Group API Obects rbac.authorization.k8s.io/v1 ClusterRole Role ClusterRoleBinding RoleBinding authentication.k8s.io/v1 TokenReview admissionregistration.k8s.io/v1 MutatingWebhookConfiguration ValidatingWebhookConfiguration authorization.k8s.io/v1 LocalSubjectAccessReview SelfSubjectAccessReview SelfSubjectRulesReview SubjectAccessReview certificates.k8s.io/v1beta1 CertificateSigningRequest policy/v1beta1 PodSecurityPolicy @olgch; @kublr
  • 42. Oleg Chunikhin CTO oleg@kublr.com @olgch Kublr | kublr.com @kublr Signup for our newsletter at kublr.com @olgch; @kublr