SlideShare a Scribd company logo

Introduction to Kubernetes RBAC

Kublr
Kublr

Incredibly powerful and flexible, Kubernetes role-based access control (RBAC) is an essential tool to effectively manage production clusters. Yet many Ops and DevOps engineers are still facing barriers to efficiently use it at scale. These include a steep learning curve, YAML-based configuration, lack of standardized best practices, and the general complexity of this functionality at large -- it truly can be somewhat overwhelming. During this meetup Oleg, CTO at Kublr, will discuss Kubernetes RBAC concepts and objects. He'll explore different use cases ranging from simple permission management for in-cluster application accounts to integrations with external identity providers for SSO and enterprise user access management. Leveraging the Kublr Platform, Oleg will demonstrate how it simplifies the management of access and RBAC rules in a cloud native environment while staying vendor-independent and compatible with any Kubernetes distribution.

Software
1 of 42
Download to read offline
Introduction to Kubernetes RBAC Oleg Chunikhin | CTO, Kublr
Tuesday September 15, 2020 Thursday March 18, 2021 (alternative date) @ Red Cross Square in Downtown DC
DC Meetup Slack Channel Join our meetup-dc channel on the Kubernetes Slack
Introductions Oleg Chunikhin CTO, Kublr • 20 years in software architecture & development • Working w/ Kubernetes since its release in 2015 • Software architect behind Kublr—an enterprise ready container management platform • Twitter @olgch
Enterprise Kubernetes Needs Developers SRE/Ops/DevOps/SecOps • Self-service • Compatible • Conformant • Configurable • Open & Flexible • Governance • Org multi-tenancy • Single pane of glass • Operations • Monitoring • Log collection • Image management • Identity management • Security • Reliability • Performance • Portability @olgch; @kublr
@olgch; @kublr Automation Ingress Custom Clusters Infrastructure Logging Monitoring Observability API Usage Reporting RBAC IAM Air Gap TLS Certificate Rotation Audit Storage Networking Container Registry CI / CD App Mgmt Infrastructure Container Runtime Kubernetes OPERATIONS SECURITY & GOVERNANCE
Kubernetes Access Control • Who can do what with which resource • Authentication • Authorization • RBAC • Use-cases and gotchas @olgch; @kublr
Who Can Do What in a Cluster Three groups Connected through access control @olgch; @kublr Subjects User Group Service account Resources Pods Nodes ConfigMaps Secrets Deployments … Operations list get create update delete watch patch get post put delete
Kubernetes API Request Attributes • Authentication • User – the user string • Group – the list of group names • Extra – a map of arbitrary keys • API – non-resource or API resource flag • API resource request • API request verb – lowercased resource verb • Namespace – the namespace • API group - The API Group being accessed • Resource – the resource ID • Subresource – the sub-resource • Non-resource request • HTTP request verb – lowercased HTTP method • Request path – non-resource request path. Verbs • Common API resource request : get, list, watch, create, update, patch, delete, deletecollection • Special API resource request: use (PodSecurityPolicy), bind, escalate (Role, ClusterRole), impersonate (User, Group, SA), userextras • HTTP request verbs: get, head, post, put, patch, delete @olgch; @kublr
Kubernetes API Client, Tools • Any HTTP client • curl – good for experiments • kubectl – Kubernetes CLI • jq – honorable mention – JSON visualization and processing @olgch; @kublr Client Kubernetes API HTTP Request
Kubernetes API Client, Example • curl • kubectl @olgch; @kublr curl -k -v -XGET -H 'Authorization: Bearer ***' 'https://52.44.121.181:443/api/v1/nodes?limit=50' | jq . kubectl --kubeconfig=kc.yaml get nodes export KUBECONFIG="$(pwd)/config.yaml" kubectl get nodes kubectl get nodes –-v=9 apiVersion: v1 kind: Config clusters: - name: demo-rbac cluster: certificate-authority-data: *** server: https://52.44.121.181:443 users: - name: demo-rbac-admin-token user: token: *** contexts: - name: demo-rbac context: cluster: demo-rbac user: demo-rbac-admin-token current-context: demo-rbac
Authentication: Mechanisms Mechanism Secret Source Usage X509 Client Certs CSR generated externally and signed with the cluster CA key Enterprise CA / PKI Via Kubernetes API CertificateSigningRequest Kubernetes cluster admin Bearer token Bootstrap token Internal use Node authentication token Internal use Static token file Insecure ServiceAccount token Pods, containers, applications, users OIDC token Users HTTP Basic auth Static password file Insecure Auth proxy N/A (trust proxy) Integration Impersonate N/A (trust account) Integration and administration
Authentication: X509 Client Cert, PKI Client Kubernetes API 3. HTTPS/TLS handshake with client cert 4. Request Admin 1. client.csr 2. client.crt client.key k8s-api-server-client-ca.key k8s-api-server-client-ca.crt --client-ca-file=k8s-api-server-client-ca.key k8s-api-server-client-ca.key Admin (issuer) must has access to the server CA private key @olgch; @kublr
Authentication: X509 Client Cert, PKI Example • User: generate user private key (if not exist) • User: generate user CSR • Admin: sign user client cert • User: use with kubectl via options or kubeconfig openssl genrsa -out user1.key 2048 openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1/O=group2" openssl x509 -req -in user1.csr -CA cluster-ca.crt -CAkey cluster-ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out user1.crt kubectl --client-key=user1.key --client-certificate=user1.crt get nodes kubectl config set-credentials user1 --client-key user1.key --client-certificate user1.crt --embed-certs kubectl config set-context user1 --cluster demo-rbac --user user1 kubectl --context=user1 get nodes kubectl config use-context user1 kubectl config get-contexts kubectl get nodes @olgch; @kublr
Authentication: X509 Client Cert, K8S CSR Client Kubernetes API 7. HTTPS/TLS handshake with client cert 8. Request Admin 1. client.csr 6. client.crt client.key k8s-api-server-client-ca.key k8s-api-server-client-ca.crt --client-ca-file=k8s-api-server-client-ca.key 3. kubectl create csr ... 4. kubectl certificate approve csr ... 5. kubectl get csr ... @olgch; @kublr
Authentication: X509 Client Cert, K8S CSR • User: generate user CSR • Admin: use Kubernetes API server to sign the CSR • User: use with kubectl via options or kubeconfig openssl req -new -key user2.key -out user2.csr -subj "/CN=user2/O=group1/O=group2" kubectl apply -f - <<EOF apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: user2 spec: request: $(cat user2.csr | base64 | tr -d 'n') usages: ['digital signature', 'key encipherment', 'client auth'] EOF kubectl certificate approve user2 kubectl certificate deny user2 kubectl get csr user2 –o jsonpath='{.status.certificate}' | base64 --decode > user2.crt kubectl --client-key=user2.key --client-certificate=user2.crt get nodes kubectl config set-credentials user2 --client-key user2.key --client-certificate user2.crt --embed-certs kubectl config set-context user2 --cluster demo-rbac --user user2 @olgch; @kublr
Authentication: Service Account Client Kubernetes API 1. create service account 2. get service account token 3. Request (token in Authorization header) @olgch; @kublr
Authentication: Service Account, Example • Create service account • Get service account token • Send request kubectl create serviceaccount sa1 kubectl "--token=${SA_TOKEN}" get nodes kubectl config set-credentials sa1 "--token=${SA_TOKEN}" kubectl config set-context sa1 --cluster demo-rbac --user sa1 kubectl get –o yaml sa sa1 SA_SECRET="$(kubectl get sa sa1 -o jsonpath='{.secrets[0].name}')" kubectl get -o yaml secret "${SA_SECRET}" SA_TOKEN="$(kubectl get secret "${SA_SECRET}" -o jsonpath='{.data.token}' | base64 -d)" @olgch; @kublr
Authentication: OIDC Client Kubernetes API 3. Request with the token 1. auth / refresh token 2. Tokens --oidc-client-id=kubernetes --oidc-groups-claim=user_groups --oidc-issuer-url=https://idp.example.com --oidc-username-claim=preferred_username OIDC IdP 4. Verify token @olgch; @kublr
Authentication: OIDC, Demo Kublr uses Keycloak by default • Multiple “realms” • OIDC, SAML, LDAP, AD, Kerberos support • User federation and Identity Broker support Demo • “demo-app” realm • “kubernetes” OIDC client • “demo-rbac” Kublr cluster with OIDC auth configured for the client spec: master: kublrAgentConfig: kublr: kube_api_server_flag: oidc_client_id: '--oidc-client-id=kubernetes' oidc_groups_claim: '--oidc-groups-claim=user_groups' oidc_issuer_url: '--oidc-issuer-url=https://***' oidc_username_claim: '--oidc-username-claim=preferred_username' @olgch; @kublr
Authentication: OIDC, Example Login (visualization) Login (CLI) curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq . eval "$(curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; echo "REFRESH_TOKEN=${REFRESH_TOKEN}" ; echo @olgch; @kublr
Authentication: OIDC, Example Refresh (visualization) Refresh (CLI) curl -d "grant_type=refresh_token" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r . eval "$(curl -d "grant_type=refresh_token" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; echo "REFRESH_TOKEN=${REFRESH_TOKEN}" @olgch; @kublr
Authentication: OIDC, Example Token introspection kubectl configuration curl --user "kubernetes:${CLIENT_SECRET}" -d "token=${TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token/introspect | jq . kubectl config set-credentials da-admin "--auth-provider=oidc" "--auth-provider-arg=idp-issuer-url=https://kcp.kublr-demo.com/auth/realms/demo-app" "--auth-provider-arg=client-id=kubernetes" "--auth-provider-arg=client-secret=${CLIENT_SECRET}" "--auth-provider-arg=refresh-token=${REFRESH_TOKEN}" "--auth-provider-arg=id-token=${ID_TOKEN}" kubectl config set-context da-admin --cluster=demo-rbac --user=da-admin kubectl --context=da-admin get nodes @olgch; @kublr
Authentication: Authenticating Proxy Client Kubernetes API 2. Request “X-Remote-*” headers X-Remote-User: user1 X-Remote-Groups: group1 X-Remote-Extra-Key1: value11. Request --requestheader-username-headers=X-Remote-User --requestheader-group-headers=X-Remote-Group --requestheader-extra-headers-prefix=X-Remote-Extra- Auth Proxy @olgch; @kublr
Authentication: Impersonation Client Kubernetes API 1. Request with “Impersonate-*” headers Impersonate-User: jane.doe@example.com Impersonate-Group: developers Impersonate-Group: admins Impersonate-Extra-dn: cn=jane,ou=engineers Impersonate-Extra-scopes: view kubectl get nodes --as "system:serviceaccount:default:sa1" --as-group g1 --as-group g2 @olgch; @kublr
Authorization: Mechanisms Mechanism Decision source Usage Node API Server built-in Internal use (kubelets) ABAC Static file Insecure, deprecated RBAC API Objects Users and administrators WebHook External services Integration AlwaysDeny AlwaysAllow API Server built-in Testing @olgch; @kublr
Authorization, tools • kubectl auth can-i ... • kubectl whoami • kubectl --v=8 ... @olgch; @kublr
Authorization: WebHook Client Kubernetes API 1. Request --authorization-webhook-config-file=auth-cfg.yaml Authorization Service 2. Verify Config file in kubeconfig format @olgch; @kublr
Authorization: RBAC Three groups Connected through RBAC @olgch; @kublr Subjects User Group Service Account Resources Pods Nodes ConfigMaps Secrets Deployments … Operations list get create update delete watch patch get post put delete
Roles and ClusterRoles • Roles and ClusterRoles define a set of allowed actions on resources • Role is namespaced • Cannot include non-namespaces resources or non-resource URLs @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: role1 rules: - apiGroups: ['*'] resources: ['nodes', 'pods', 'pods/log'] verbs: ['get', 'list'] - apiGroups: ['*'] resources: ['configmaps'] resourceNames: ['my-configmap'] verbs: ['get', 'list']
ClusterRoles • ClusterRole is not namespaced • non-namespaced resources access • non-resource URLs access @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: default name: clusterRole1 rules: - apiGroups: ['*'] resources: ['nodes', ‘pods'] verbs: ['get', 'list'] - nonResourceURLs: ['/api', '/healthz*'] verbs: ['get', 'head']
Aggregated ClusterRoles Aggregated ClusterRole combines rules from other cluster roles @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregatedClusterRole1 aggregationRule: clusterRoleSelectors: - matchLabels: label1: value1 # The control plane automatically fills in the rules rules: [] Aggregated ClusterRole clusterRole1 aggregationRule: clusterRoleSelectors: - matchLabels: label1: value1 metadata: labels: label1: value1 clusterRole1 metadata: labels: label1: value1 label2: value2 clusterRole1 metadata: labels: label2: value2
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: roleBinding1 namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: role1 subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1 - apiGroup: rbac.authorization.k8s.io kind: Group name: group1 - kind: ServiceAccount name: sa1 namespace: default RoleBinding @olgch; @kublr user1 user2 group RoleBinding namespace resources only ClusterRole Role namespace ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: roleBinding1 namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: clusterRole1 subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1 - apiGroup: rbac.authorization.k8s.io kind: Group name: group1 - kind: ServiceAccount name: sa1 namespace: default ClusterRoleBinding @olgch; @kublr user1 user2 group ClusterRole Role namespace ServiceAccount ClusterRoleBinding
Built-in ClusterRoles Role Access Can do cluster-admin Full access to all cluster resources Anything in the cluster admin Full access to all namespace resources Anything in a namespace edit Full access to all namespace resources except Role, RoleBinding, LocalSubjectAccessReviews Anything in a namespace except granting and checking access view RO access to all namespace resources except sensitive ones View and list non-sensitive objects in a namespace @olgch; @kublr
Use-cases • Start with build-in roles •Cluster admin •Namespace admin •Namespace developer •Namespace read-only user • Define new roles as needed • Beware of “gotchas” @olgch; @kublr
“Gotchas” • Privilege escalation via pod creation • Non-namespaced objects • CRD, PriorityClass, PodSecurityPolicy • Often needed for development, especially in advanced DevOps / SRE culture • As a result, developers need self-service dev cluster management capabilities • Role and role binding conventions • Name • Role bindings – one per subject, one per role, or mixed @olgch; @kublr
Next steps • PodSecurityPolicy • NetworkPolicy • Limits and Quotas • Admission Controllers • Dynamic admission control • Dynamic policies, OPA @olgch; @kublr
Kubernetes API Groups and Objects API Group API Obects rbac.authorization.k8s.io/v1 ClusterRole Role ClusterRoleBinding RoleBinding authentication.k8s.io/v1 TokenReview admissionregistration.k8s.io/v1 MutatingWebhookConfiguration ValidatingWebhookConfiguration authorization.k8s.io/v1 LocalSubjectAccessReview SelfSubjectAccessReview SelfSubjectRulesReview SubjectAccessReview certificates.k8s.io/v1beta1 CertificateSigningRequest policy/v1beta1 PodSecurityPolicy @olgch; @kublr
References https://github.com/rajatjindal/kubectl-whoami https://kubernetes.io/docs/reference/access-authn-authz/rbac/ https://kubernetes.io/docs/concepts/cluster-administration/certificates/ https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/ @olgch; @kublr
Q&A @olgch; @kublr
Oleg Chunikhin CTO oleg@kublr.com @olgch Kublr | kublr.com @kublr Signup for our newsletter at kublr.com @olgch; @kublr

Recommended

Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
Milan Das
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetes
craigbox
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Edureka!
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies
 
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
Brian Grant
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
CJ Cullen
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
Stefan Schimanski
 

Recommended

Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
Milan Das
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetes
craigbox
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Edureka!
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies
 
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...
Brian Grant
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
CJ Cullen
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
Stefan Schimanski
 
Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
Oktay Esgul
 
Cluster-as-code. The Many Ways towards Kubernetes
Cluster-as-code. The Many Ways towards KubernetesCluster-as-code. The Many Ways towards Kubernetes
Cluster-as-code. The Many Ways towards Kubernetes
QAware GmbH
 
01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
TamalBanerjee16
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
Amazon Web Services
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
ssuser0cc9131
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in Kubernetes
Neependra Khare
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Kubernetes
KubernetesKubernetes
Kubernetes
Meng-Ze Lee
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
Terry Cho
 
Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성
rockplace
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Henning Jacobs
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operators
J On The Beach
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Introduction to Kubernetes and GKE
Introduction to Kubernetes and GKEIntroduction to Kubernetes and GKE
Introduction to Kubernetes and GKE
Opsta
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
CNCF Meetup - OpenShift Overview
CNCF Meetup - OpenShift OverviewCNCF Meetup - OpenShift Overview
CNCF Meetup - OpenShift Overview
Sumit Shatwara
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
Krishna-Kumar
 
Kubernetes Ingress 101
Kubernetes Ingress 101Kubernetes Ingress 101
Kubernetes Ingress 101
Kublr
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 

More Related Content

What's hot

Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
Oktay Esgul
 
Cluster-as-code. The Many Ways towards Kubernetes
Cluster-as-code. The Many Ways towards KubernetesCluster-as-code. The Many Ways towards Kubernetes
Cluster-as-code. The Many Ways towards Kubernetes
QAware GmbH
 
01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
TamalBanerjee16
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
Amazon Web Services
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
ssuser0cc9131
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in Kubernetes
Neependra Khare
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Kubernetes
KubernetesKubernetes
Kubernetes
Meng-Ze Lee
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
Terry Cho
 
Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성
rockplace
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Henning Jacobs
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operators
J On The Beach
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Introduction to Kubernetes and GKE
Introduction to Kubernetes and GKEIntroduction to Kubernetes and GKE
Introduction to Kubernetes and GKE
Opsta
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
CNCF Meetup - OpenShift Overview
CNCF Meetup - OpenShift OverviewCNCF Meetup - OpenShift Overview
CNCF Meetup - OpenShift Overview
Sumit Shatwara
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
Krishna-Kumar
 

What's hot (20)

Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
 
Cluster-as-code. The Many Ways towards Kubernetes
Cluster-as-code. The Many Ways towards KubernetesCluster-as-code. The Many Ways towards Kubernetes
Cluster-as-code. The Many Ways towards Kubernetes
 
01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in Kubernetes
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
 
Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operators
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
 
Introduction to Kubernetes and GKE
Introduction to Kubernetes and GKEIntroduction to Kubernetes and GKE
Introduction to Kubernetes and GKE
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
CNCF Meetup - OpenShift Overview
CNCF Meetup - OpenShift OverviewCNCF Meetup - OpenShift Overview
CNCF Meetup - OpenShift Overview
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 

Similar to Introduction to Kubernetes RBAC

Kubernetes Ingress 101
Kubernetes Ingress 101Kubernetes Ingress 101
Kubernetes Ingress 101
Kublr
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
Xiaohui Chen
 
CKA_1st.pptx
CKA_1st.pptxCKA_1st.pptx
CKA_1st.pptx
YIJHEHUANG
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes services
Rajesh Kolla
 
All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...
Jimmy Lu
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
Michel Schildmeijer
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Amrit Sarkar
 
Event driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDAEvent driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDA
Nilesh Gule
 
Event driven autoscaling with KEDA
Event driven autoscaling with KEDAEvent driven autoscaling with KEDA
Event driven autoscaling with KEDA
Nilesh Gule
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
OWASP Hacker Thursday
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
CloudYuga
 
Scaling .net containers with event driven workloads
Scaling .net containers with event driven workloadsScaling .net containers with event driven workloads
Scaling .net containers with event driven workloads
Nilesh Gule
 
K8s Webhook Admission
K8s Webhook AdmissionK8s Webhook Admission
K8s Webhook Admission
Huynh Thai Bao
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
From Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneyFrom Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in Sydney
SK Telecom
 
Kubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with SubmarinerKubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with Submariner
Kublr
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
Allan Naim
 
Continuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CIContinuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CI
alexanderkiel
 

Similar to Introduction to Kubernetes RBAC (20)

Kubernetes Ingress 101
Kubernetes Ingress 101Kubernetes Ingress 101
Kubernetes Ingress 101
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
 
CKA_1st.pptx
CKA_1st.pptxCKA_1st.pptx
CKA_1st.pptx
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes services
 
All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation Slides
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
 
Event driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDAEvent driven workloads on Kubernetes with KEDA
Event driven workloads on Kubernetes with KEDA
 
Event driven autoscaling with KEDA
Event driven autoscaling with KEDAEvent driven autoscaling with KEDA
Event driven autoscaling with KEDA
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
 
Scaling .net containers with event driven workloads
Scaling .net containers with event driven workloadsScaling .net containers with event driven workloads
Scaling .net containers with event driven workloads
 
K8s Webhook Admission
K8s Webhook AdmissionK8s Webhook Admission
K8s Webhook Admission
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
From Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneyFrom Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in Sydney
 
Kubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with SubmarinerKubernetes in Hybrid Environments with Submariner
Kubernetes in Hybrid Environments with Submariner
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
 
Continuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CIContinuous Deployment with Kubernetes, Docker and GitLab CI
Continuous Deployment with Kubernetes, Docker and GitLab CI
 

More from Kublr

Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2
Kublr
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and Tooling
Kublr
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on Kubernetes
Kublr
 
Hybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stackHybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stack
Kublr
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with Velero
Kublr
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
Kublr
 
Kubernetes persistence 101
Kubernetes persistence 101Kubernetes persistence 101
Kubernetes persistence 101
Kublr
 
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and JenkinsPortable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Kublr
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Kublr
 
Advanced Scheduling in Kubernetes
Advanced Scheduling in KubernetesAdvanced Scheduling in Kubernetes
Advanced Scheduling in Kubernetes
Kublr
 
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepSetting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Kublr
 
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Kublr
 
How to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive EnvironmentsHow to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive Environments
Kublr
 
Building Portable Applications with Kubernetes
Building Portable Applications with KubernetesBuilding Portable Applications with Kubernetes
Building Portable Applications with Kubernetes
Kublr
 
How Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact ReliabilityHow Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact Reliability
Kublr
 
Kubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure AbstractionKubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure Abstraction
Kublr
 
Centralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive EnvironmentsCentralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive Environments
Kublr
 
Kubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive EnvironmentsKubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive Environments
Kublr
 
The Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes ClusterThe Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes Cluster
Kublr
 
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and PrometheusCanary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Kublr
 

More from Kublr (20)

Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2Container Runtimes and Tooling, v2
Container Runtimes and Tooling, v2
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and Tooling
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on Kubernetes
 
Hybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stackHybrid architecture solutions with kubernetes and the cloud native stack
Hybrid architecture solutions with kubernetes and the cloud native stack
 
Multi-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with VeleroMulti-cloud Kubernetes BCDR with Velero
Multi-cloud Kubernetes BCDR with Velero
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
 
Kubernetes persistence 101
Kubernetes persistence 101Kubernetes persistence 101
Kubernetes persistence 101
 
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and JenkinsPortable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Advanced Scheduling in Kubernetes
Advanced Scheduling in KubernetesAdvanced Scheduling in Kubernetes
Advanced Scheduling in Kubernetes
 
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepSetting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
 
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)
 
How to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive EnvironmentsHow to Run Kubernetes in Restrictive Environments
How to Run Kubernetes in Restrictive Environments
 
Building Portable Applications with Kubernetes
Building Portable Applications with KubernetesBuilding Portable Applications with Kubernetes
Building Portable Applications with Kubernetes
 
How Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact ReliabilityHow Self-Healing Nodes and Infrastructure Management Impact Reliability
How Self-Healing Nodes and Infrastructure Management Impact Reliability
 
Kubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure AbstractionKubernetes as Infrastructure Abstraction
Kubernetes as Infrastructure Abstraction
 
Centralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive EnvironmentsCentralizing Kubernetes Management in Restrictive Environments
Centralizing Kubernetes Management in Restrictive Environments
 
Kubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive EnvironmentsKubernetes in Highly Restrictive Environments
Kubernetes in Highly Restrictive Environments
 
The Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes ClusterThe Evolution of your Kubernetes Cluster
The Evolution of your Kubernetes Cluster
 
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and PrometheusCanary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus
 

Recently uploaded

A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
vrstrong314
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
abdulrafaychaudhry
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 

Recently uploaded (20)

A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 

Introduction to Kubernetes RBAC

  • 1. Introduction to Kubernetes RBAC Oleg Chunikhin | CTO, Kublr
  • 2. Tuesday September 15, 2020 Thursday March 18, 2021 (alternative date) @ Red Cross Square in Downtown DC
  • 3. DC Meetup Slack Channel Join our meetup-dc channel on the Kubernetes Slack
  • 4. Introductions Oleg Chunikhin CTO, Kublr • 20 years in software architecture & development • Working w/ Kubernetes since its release in 2015 • Software architect behind Kublr—an enterprise ready container management platform • Twitter @olgch
  • 5. Enterprise Kubernetes Needs Developers SRE/Ops/DevOps/SecOps • Self-service • Compatible • Conformant • Configurable • Open & Flexible • Governance • Org multi-tenancy • Single pane of glass • Operations • Monitoring • Log collection • Image management • Identity management • Security • Reliability • Performance • Portability @olgch; @kublr
  • 6. @olgch; @kublr Automation Ingress Custom Clusters Infrastructure Logging Monitoring Observability API Usage Reporting RBAC IAM Air Gap TLS Certificate Rotation Audit Storage Networking Container Registry CI / CD App Mgmt Infrastructure Container Runtime Kubernetes OPERATIONS SECURITY & GOVERNANCE
  • 7. Kubernetes Access Control • Who can do what with which resource • Authentication • Authorization • RBAC • Use-cases and gotchas @olgch; @kublr
  • 8. Who Can Do What in a Cluster Three groups Connected through access control @olgch; @kublr Subjects User Group Service account Resources Pods Nodes ConfigMaps Secrets Deployments … Operations list get create update delete watch patch get post put delete
  • 9. Kubernetes API Request Attributes • Authentication • User – the user string • Group – the list of group names • Extra – a map of arbitrary keys • API – non-resource or API resource flag • API resource request • API request verb – lowercased resource verb • Namespace – the namespace • API group - The API Group being accessed • Resource – the resource ID • Subresource – the sub-resource • Non-resource request • HTTP request verb – lowercased HTTP method • Request path – non-resource request path. Verbs • Common API resource request : get, list, watch, create, update, patch, delete, deletecollection • Special API resource request: use (PodSecurityPolicy), bind, escalate (Role, ClusterRole), impersonate (User, Group, SA), userextras • HTTP request verbs: get, head, post, put, patch, delete @olgch; @kublr
  • 10. Kubernetes API Client, Tools • Any HTTP client • curl – good for experiments • kubectl – Kubernetes CLI • jq – honorable mention – JSON visualization and processing @olgch; @kublr Client Kubernetes API HTTP Request
  • 11. Kubernetes API Client, Example • curl • kubectl @olgch; @kublr curl -k -v -XGET -H 'Authorization: Bearer ***' 'https://52.44.121.181:443/api/v1/nodes?limit=50' | jq . kubectl --kubeconfig=kc.yaml get nodes export KUBECONFIG="$(pwd)/config.yaml" kubectl get nodes kubectl get nodes –-v=9 apiVersion: v1 kind: Config clusters: - name: demo-rbac cluster: certificate-authority-data: *** server: https://52.44.121.181:443 users: - name: demo-rbac-admin-token user: token: *** contexts: - name: demo-rbac context: cluster: demo-rbac user: demo-rbac-admin-token current-context: demo-rbac
  • 12. Authentication: Mechanisms Mechanism Secret Source Usage X509 Client Certs CSR generated externally and signed with the cluster CA key Enterprise CA / PKI Via Kubernetes API CertificateSigningRequest Kubernetes cluster admin Bearer token Bootstrap token Internal use Node authentication token Internal use Static token file Insecure ServiceAccount token Pods, containers, applications, users OIDC token Users HTTP Basic auth Static password file Insecure Auth proxy N/A (trust proxy) Integration Impersonate N/A (trust account) Integration and administration
  • 13. Authentication: X509 Client Cert, PKI Client Kubernetes API 3. HTTPS/TLS handshake with client cert 4. Request Admin 1. client.csr 2. client.crt client.key k8s-api-server-client-ca.key k8s-api-server-client-ca.crt --client-ca-file=k8s-api-server-client-ca.key k8s-api-server-client-ca.key Admin (issuer) must has access to the server CA private key @olgch; @kublr
  • 14. Authentication: X509 Client Cert, PKI Example • User: generate user private key (if not exist) • User: generate user CSR • Admin: sign user client cert • User: use with kubectl via options or kubeconfig openssl genrsa -out user1.key 2048 openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1/O=group2" openssl x509 -req -in user1.csr -CA cluster-ca.crt -CAkey cluster-ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out user1.crt kubectl --client-key=user1.key --client-certificate=user1.crt get nodes kubectl config set-credentials user1 --client-key user1.key --client-certificate user1.crt --embed-certs kubectl config set-context user1 --cluster demo-rbac --user user1 kubectl --context=user1 get nodes kubectl config use-context user1 kubectl config get-contexts kubectl get nodes @olgch; @kublr
  • 15. Authentication: X509 Client Cert, K8S CSR Client Kubernetes API 7. HTTPS/TLS handshake with client cert 8. Request Admin 1. client.csr 6. client.crt client.key k8s-api-server-client-ca.key k8s-api-server-client-ca.crt --client-ca-file=k8s-api-server-client-ca.key 3. kubectl create csr ... 4. kubectl certificate approve csr ... 5. kubectl get csr ... @olgch; @kublr
  • 16. Authentication: X509 Client Cert, K8S CSR • User: generate user CSR • Admin: use Kubernetes API server to sign the CSR • User: use with kubectl via options or kubeconfig openssl req -new -key user2.key -out user2.csr -subj "/CN=user2/O=group1/O=group2" kubectl apply -f - <<EOF apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: user2 spec: request: $(cat user2.csr | base64 | tr -d 'n') usages: ['digital signature', 'key encipherment', 'client auth'] EOF kubectl certificate approve user2 kubectl certificate deny user2 kubectl get csr user2 –o jsonpath='{.status.certificate}' | base64 --decode > user2.crt kubectl --client-key=user2.key --client-certificate=user2.crt get nodes kubectl config set-credentials user2 --client-key user2.key --client-certificate user2.crt --embed-certs kubectl config set-context user2 --cluster demo-rbac --user user2 @olgch; @kublr
  • 17. Authentication: Service Account Client Kubernetes API 1. create service account 2. get service account token 3. Request (token in Authorization header) @olgch; @kublr
  • 18. Authentication: Service Account, Example • Create service account • Get service account token • Send request kubectl create serviceaccount sa1 kubectl "--token=${SA_TOKEN}" get nodes kubectl config set-credentials sa1 "--token=${SA_TOKEN}" kubectl config set-context sa1 --cluster demo-rbac --user sa1 kubectl get –o yaml sa sa1 SA_SECRET="$(kubectl get sa sa1 -o jsonpath='{.secrets[0].name}')" kubectl get -o yaml secret "${SA_SECRET}" SA_TOKEN="$(kubectl get secret "${SA_SECRET}" -o jsonpath='{.data.token}' | base64 -d)" @olgch; @kublr
  • 19. Authentication: OIDC Client Kubernetes API 3. Request with the token 1. auth / refresh token 2. Tokens --oidc-client-id=kubernetes --oidc-groups-claim=user_groups --oidc-issuer-url=https://idp.example.com --oidc-username-claim=preferred_username OIDC IdP 4. Verify token @olgch; @kublr
  • 20. Authentication: OIDC, Demo Kublr uses Keycloak by default • Multiple “realms” • OIDC, SAML, LDAP, AD, Kerberos support • User federation and Identity Broker support Demo • “demo-app” realm • “kubernetes” OIDC client • “demo-rbac” Kublr cluster with OIDC auth configured for the client spec: master: kublrAgentConfig: kublr: kube_api_server_flag: oidc_client_id: '--oidc-client-id=kubernetes' oidc_groups_claim: '--oidc-groups-claim=user_groups' oidc_issuer_url: '--oidc-issuer-url=https://***' oidc_username_claim: '--oidc-username-claim=preferred_username' @olgch; @kublr
  • 21. Authentication: OIDC, Example Login (visualization) Login (CLI) curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq . eval "$(curl -d "grant_type=password" -d "scope=openid" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "username=da-admin" -d "password=${USER_PASSWORD}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; echo "REFRESH_TOKEN=${REFRESH_TOKEN}" ; echo @olgch; @kublr
  • 22. Authentication: OIDC, Example Refresh (visualization) Refresh (CLI) curl -d "grant_type=refresh_token" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r . eval "$(curl -d "grant_type=refresh_token" -d "client_id=kubernetes" -d "client_secret=${CLIENT_SECRET}" -d "refresh_token=${REFRESH_TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token | jq -r '"REFRESH_TOKEN="+.refresh_token,"TOKEN="+.access_token,"ID_TOKEN="+.id_token')" ; echo ; echo "TOKEN=${TOKEN}" ; echo ; echo "ID_TOKEN=${ID_TOKEN}" ; echo ; echo "REFRESH_TOKEN=${REFRESH_TOKEN}" @olgch; @kublr
  • 23. Authentication: OIDC, Example Token introspection kubectl configuration curl --user "kubernetes:${CLIENT_SECRET}" -d "token=${TOKEN}" https://kcp.kublr-demo.com/auth/realms/demo-app/protocol/openid-connect/token/introspect | jq . kubectl config set-credentials da-admin "--auth-provider=oidc" "--auth-provider-arg=idp-issuer-url=https://kcp.kublr-demo.com/auth/realms/demo-app" "--auth-provider-arg=client-id=kubernetes" "--auth-provider-arg=client-secret=${CLIENT_SECRET}" "--auth-provider-arg=refresh-token=${REFRESH_TOKEN}" "--auth-provider-arg=id-token=${ID_TOKEN}" kubectl config set-context da-admin --cluster=demo-rbac --user=da-admin kubectl --context=da-admin get nodes @olgch; @kublr
  • 24. Authentication: Authenticating Proxy Client Kubernetes API 2. Request “X-Remote-*” headers X-Remote-User: user1 X-Remote-Groups: group1 X-Remote-Extra-Key1: value11. Request --requestheader-username-headers=X-Remote-User --requestheader-group-headers=X-Remote-Group --requestheader-extra-headers-prefix=X-Remote-Extra- Auth Proxy @olgch; @kublr
  • 25. Authentication: Impersonation Client Kubernetes API 1. Request with “Impersonate-*” headers Impersonate-User: jane.doe@example.com Impersonate-Group: developers Impersonate-Group: admins Impersonate-Extra-dn: cn=jane,ou=engineers Impersonate-Extra-scopes: view kubectl get nodes --as "system:serviceaccount:default:sa1" --as-group g1 --as-group g2 @olgch; @kublr
  • 26. Authorization: Mechanisms Mechanism Decision source Usage Node API Server built-in Internal use (kubelets) ABAC Static file Insecure, deprecated RBAC API Objects Users and administrators WebHook External services Integration AlwaysDeny AlwaysAllow API Server built-in Testing @olgch; @kublr
  • 27. Authorization, tools • kubectl auth can-i ... • kubectl whoami • kubectl --v=8 ... @olgch; @kublr
  • 28. Authorization: WebHook Client Kubernetes API 1. Request --authorization-webhook-config-file=auth-cfg.yaml Authorization Service 2. Verify Config file in kubeconfig format @olgch; @kublr
  • 29. Authorization: RBAC Three groups Connected through RBAC @olgch; @kublr Subjects User Group Service Account Resources Pods Nodes ConfigMaps Secrets Deployments … Operations list get create update delete watch patch get post put delete
  • 30. Roles and ClusterRoles • Roles and ClusterRoles define a set of allowed actions on resources • Role is namespaced • Cannot include non-namespaces resources or non-resource URLs @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: role1 rules: - apiGroups: ['*'] resources: ['nodes', 'pods', 'pods/log'] verbs: ['get', 'list'] - apiGroups: ['*'] resources: ['configmaps'] resourceNames: ['my-configmap'] verbs: ['get', 'list']
  • 31. ClusterRoles • ClusterRole is not namespaced • non-namespaced resources access • non-resource URLs access @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: default name: clusterRole1 rules: - apiGroups: ['*'] resources: ['nodes', ‘pods'] verbs: ['get', 'list'] - nonResourceURLs: ['/api', '/healthz*'] verbs: ['get', 'head']
  • 32. Aggregated ClusterRoles Aggregated ClusterRole combines rules from other cluster roles @olgch; @kublr apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregatedClusterRole1 aggregationRule: clusterRoleSelectors: - matchLabels: label1: value1 # The control plane automatically fills in the rules rules: [] Aggregated ClusterRole clusterRole1 aggregationRule: clusterRoleSelectors: - matchLabels: label1: value1 metadata: labels: label1: value1 clusterRole1 metadata: labels: label1: value1 label2: value2 clusterRole1 metadata: labels: label2: value2
  • 33. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: roleBinding1 namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: role1 subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1 - apiGroup: rbac.authorization.k8s.io kind: Group name: group1 - kind: ServiceAccount name: sa1 namespace: default RoleBinding @olgch; @kublr user1 user2 group RoleBinding namespace resources only ClusterRole Role namespace ServiceAccount
  • 34. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: roleBinding1 namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: clusterRole1 subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1 - apiGroup: rbac.authorization.k8s.io kind: Group name: group1 - kind: ServiceAccount name: sa1 namespace: default ClusterRoleBinding @olgch; @kublr user1 user2 group ClusterRole Role namespace ServiceAccount ClusterRoleBinding
  • 35. Built-in ClusterRoles Role Access Can do cluster-admin Full access to all cluster resources Anything in the cluster admin Full access to all namespace resources Anything in a namespace edit Full access to all namespace resources except Role, RoleBinding, LocalSubjectAccessReviews Anything in a namespace except granting and checking access view RO access to all namespace resources except sensitive ones View and list non-sensitive objects in a namespace @olgch; @kublr
  • 36. Use-cases • Start with build-in roles •Cluster admin •Namespace admin •Namespace developer •Namespace read-only user • Define new roles as needed • Beware of “gotchas” @olgch; @kublr
  • 37. “Gotchas” • Privilege escalation via pod creation • Non-namespaced objects • CRD, PriorityClass, PodSecurityPolicy • Often needed for development, especially in advanced DevOps / SRE culture • As a result, developers need self-service dev cluster management capabilities • Role and role binding conventions • Name • Role bindings – one per subject, one per role, or mixed @olgch; @kublr
  • 38. Next steps • PodSecurityPolicy • NetworkPolicy • Limits and Quotas • Admission Controllers • Dynamic admission control • Dynamic policies, OPA @olgch; @kublr
  • 39. Kubernetes API Groups and Objects API Group API Obects rbac.authorization.k8s.io/v1 ClusterRole Role ClusterRoleBinding RoleBinding authentication.k8s.io/v1 TokenReview admissionregistration.k8s.io/v1 MutatingWebhookConfiguration ValidatingWebhookConfiguration authorization.k8s.io/v1 LocalSubjectAccessReview SelfSubjectAccessReview SelfSubjectRulesReview SubjectAccessReview certificates.k8s.io/v1beta1 CertificateSigningRequest policy/v1beta1 PodSecurityPolicy @olgch; @kublr
  • 42. Oleg Chunikhin CTO oleg@kublr.com @olgch Kublr | kublr.com @kublr Signup for our newsletter at kublr.com @olgch; @kublr