Kubernetes
Role Based Access Control (RBAC)
RBAC
About Me
Milan Das
https://github.com/dmilan77/kubernetes-rbac-presentation
Cloud Solution Architect (Equifax)
&
Photographer (when not working)
https://www.linkedin.com/in/milandas/
Milan Das
● Love to code (Java, Python, Scala, Spark)
● My Journey
○ Started with Java
○ IBM Middleware MQ/ETL
○ Camel ESB
○ BPM
○ Bigdata
○ Reactive Microservices: Akka, Domain Driven Design
○ Cloud & Kubernetes
● My son is 9 years old. He plays cricket
● Equifax: Data is our gold
Real Life Role Based Access (Driving a CDL)
● Who are you? → AuthN (authentication)
● Is the license valid? → AuthZ (authorization)
● Identify restrictions
● Assign car
RBAC in one-slide
RBAC is a set of rules that map allowed operations (verbs) onto sets of resources, scoped either to one namespace (e.g. ns1) or to the whole cluster
Authorization and RBAC
● Default: deny all. RBAC only grants; a request with no matching rule is denied, and there are no deny rules
● Every grant names a Subject (user, group or service account), Verbs, Resources and a scope: one Namespace or the whole cluster
Roles Vs Binding
● A Role contains rules; each rule is a set of permissions (API groups, resources, verbs).
● A Binding grants the permissions defined in a role to a subject: a user, a group, or a service account.
● Two types of roles/bindings:
○ Role/RoleBinding: scope is one namespace
○ ClusterRole/ClusterRoleBinding: scope is the whole cluster (every namespace plus cluster-scoped resources such as nodes)
○ A RoleBinding may also reference a ClusterRole; the grant then applies only inside the binding's namespace
Roles Example (side by side: Roles | Cluster Roles)
Binding Example (side by side: RoleBinding | ClusterRoleBinding)
User Management in Kubernetes ?
Expectation:
kubectl create user john
kubectl create group adminns1
kubectl add john to adminns1
No User Management in Kubernetes
None of those commands exist. Kubernetes has no User or Group API object: normal users come from an external identity source, and RBAC bindings simply name the user and group strings that the authenticator attaches to each request.
How to manage users? Authentication plugins
● Certificate based authentication (x509 client certificates: the CN becomes the username, the O fields the groups)
● Token based authentication (static token file, bootstrap tokens, service account tokens)
● Basic authentication (static password file; deprecated and removed in Kubernetes 1.19)
● OpenID Connect (OIDC, built on OAuth2)
○ Third party providers/brokers: Dex, OpenUnison
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
How OIDC works
JWT Token
Auth0 Authentication
● Auth0 is one OpenID Connect provider; others that fill the same role:
○ GitHub (via a broker such as Dex), Google, Ping, SecureAuth, ADFS, Azure Active Directory
● The authentication flow looks like:
○ The OAuth2 client (kubectl, or a proxy in front of the dashboard) logs the user in through Auth0.
○ The client presents the returned ID Token as a bearer token (Authorization: Bearer <token>) when talking to the Kubernetes API.
○ The apiserver verifies the token's signature, issuer, audience and expiry, then associates the claim designated as the username (and optionally the groups claim) with that request.
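The last step above, as an added example that is not code from the presentation, Auth0 or Kubernetes: a model of how the kube-apiserver's OIDC authenticator turns a bearer ID Token into a Kubernetes username and group list. The apiserver flags named in the comments are real; their values (issuer URL, client id, prefixes) are assumptions. One simplification is labelled in the code: tokens are signed with HS256 and a shared secret so the example runs offline, whereas the real apiserver accepts only asymmetric algorithms (RS256 and friends) and verifies against the provider's published JWKS.

```python
"""Added example (not from the presentation, Auth0 or Kubernetes): how the
kube-apiserver's OIDC authenticator turns a bearer ID Token into a Kubernetes
username and groups. Flag values are assumptions; the flags are real.
Simplification: HS256 with a shared secret so this runs offline; the real
apiserver accepts only asymmetric algorithms (RS256 etc.) and verifies
against the provider's JWKS."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.auth0.com/"   # --oidc-issuer-url (assumed)
CLIENT_ID = "kubernetes"                 # --oidc-client-id (assumed)
USERNAME_CLAIM = "email"                 # --oidc-username-claim
GROUPS_CLAIM = "groups"                  # --oidc-groups-claim
USERNAME_PREFIX = None                   # --oidc-username-prefix (unset)
GROUPS_PREFIX = "oidc:"                  # --oidc-groups-prefix
SECRET = b"constructed-demo-secret"      # stand-in for the provider's key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Constructed stand-in for the provider minting an ID Token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def tamper(token: str, **changes) -> str:
    """Constructed attacker step: rewrite claims, keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"


def authenticate(token, now=None, username_claim=USERNAME_CLAIM,
                 username_prefix=USERNAME_PREFIX):
    """Return (username, groups) for a valid token, else raise ValueError.
    Order matters: the signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick "none"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if username_claim not in claims:
        raise ValueError(f"claim {username_claim!r} missing")
    if username_claim == "email" and claims.get("email_verified", True) is not True:
        raise ValueError("email not verified")
    # Prefix rules from the apiserver docs: an unset prefix defaults to
    # "<issuer>#" unless the claim is "email"; "-" disables prefixing.
    if username_prefix is None:
        username_prefix = "" if username_claim == "email" else ISSUER + "#"
    elif username_prefix == "-":
        username_prefix = ""
    username = username_prefix + str(claims[username_claim])
    groups = claims.get(GROUPS_CLAIM, [])
    groups = [groups] if isinstance(groups, str) else groups
    if not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim must be a string or list of strings")
    return username, [GROUPS_PREFIX + g for g in groups]


def rejection_reason(token, now=None, **kw):
    """Why the apiserver would answer 401, or None if the token is accepted."""
    try:
        authenticate(token, now, **kw)
    except ValueError as err:
        return str(err)
    return None
```

Two details worth noticing: a token whose groups claim was edited after signing is rejected on the signature check before any claim is read, and switching the username claim from `email` to `sub` silently changes the username the RBAC bindings must name, because the default prefix becomes the issuer URL plus `#`.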
Demo time
Create RBAC based minikube cluster
Demo time: Configure Dashboard
● Configure the secrets: kube-dashboard-secrets
● Set up the minikube Kubernetes dashboard behind the openresty-oidc proxy
○ https://hub.docker.com/r/myobplatform/openresty-oidc/
Demo time: Create RBAC role bindings
● Create namespaces: ns1-namespace, ns2-namespace
● Deploy role bindings:
○ ClusterRoleBinding (k8s-admin)
○ RoleBinding (ns1)
○ RoleBinding (ns2)
● Create the user in Auth0
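The Role/ClusterRole and RoleBinding/ClusterRoleBinding semantics from the Roles Vs Binding slides, together with the three bindings this demo deploys (ClusterRoleBinding k8s-admin, RoleBinding ns1, RoleBinding ns2), as an added example. It is neither the presentation repo's manifests nor Kubernetes' own authorizer: the objects are constructed dicts in the real RBAC API shape, and the role names, the `developers` group and the user `john@example.com` are assumptions. The evaluator answers the same question as `kubectl auth can-i`.

```python
"""Added example (not the presentation's or Kubernetes' own code): evaluate
Kubernetes RBAC semantics over Role/ClusterRole and RoleBinding/
ClusterRoleBinding objects in the real API shape. Manifests are constructed;
names and subjects are assumptions. Simplifications: no resourceNames,
nonResourceURLs or subresource wildcards ("pods/*")."""

API = "rbac.authorization.k8s.io/v1"
RBAC = "rbac.authorization.k8s.io"

CLUSTER_ROLES = [
    # Same shape as the built-in cluster-admin: everything, everywhere.
    {"apiVersion": API, "kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Read-only access to pods; "" is the core API group.
    {"apiVersion": API, "kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
]

ROLES = [
    # Namespaced Role: manage Deployments in ns1, read pods there.
    {"apiVersion": API, "kind": "Role",
     "metadata": {"name": "deployer", "namespace": "ns1"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "create", "update", "patch", "delete"]},
               {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

BINDINGS = [
    # ClusterRoleBinding (k8s-admin): the group is cluster-admin everywhere,
    # including cluster-scoped resources such as nodes.
    {"apiVersion": API, "kind": "ClusterRoleBinding", "metadata": {"name": "k8s-admin"},
     "subjects": [{"kind": "Group", "name": "k8s-admin", "apiGroup": RBAC}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC}},
    # RoleBinding (ns1): john gets the namespaced Role "deployer" in ns1 only.
    {"apiVersion": API, "kind": "RoleBinding",
     "metadata": {"name": "ns1-deployer", "namespace": "ns1"},
     "subjects": [{"kind": "User", "name": "john@example.com", "apiGroup": RBAC}],
     "roleRef": {"kind": "Role", "name": "deployer", "apiGroup": RBAC}},
    # RoleBinding (ns2) that references a ClusterRole: its rules apply inside
    # ns2 only, not cluster-wide.
    {"apiVersion": API, "kind": "RoleBinding",
     "metadata": {"name": "ns2-pod-reader", "namespace": "ns2"},
     "subjects": [{"kind": "Group", "name": "developers", "apiGroup": RBAC}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader", "apiGroup": RBAC}},
]


def _hit(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """A single PolicyRule matches when group, resource and verb all match."""
    return (_hit(rule.get("apiGroups", []), api_group)
            and _hit(rule.get("resources", []), resource)
            and _hit(rule.get("verbs", []), verb))


def subject_matches(subjects, user, groups):
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in subjects)


def resolve_rules(role_ref, namespace):
    """roleRef points at a ClusterRole, or at a Role in the binding's own
    namespace. A dangling roleRef (or a Role named from a ClusterRoleBinding,
    which the API rejects anyway) yields no rules."""
    if role_ref["kind"] == "ClusterRole":
        return next((r["rules"] for r in CLUSTER_ROLES
                     if r["metadata"]["name"] == role_ref["name"]), [])
    return next((r["rules"] for r in ROLES
                 if r["metadata"]["name"] == role_ref["name"]
                 and r["metadata"]["namespace"] == namespace), [])


def can_i(user, groups, verb, resource, namespace=None, api_group=""):
    """Mirror `kubectl auth can-i VERB RESOURCE [-n NS] --as USER --as-group G`.
    RBAC has no deny rules: True only when some binding grants the access,
    otherwise the authorizer's default of deny applies."""
    for binding in BINDINGS:
        if not subject_matches(binding["subjects"], user, groups):
            continue
        if binding["kind"] == "ClusterRoleBinding":
            rules = resolve_rules(binding["roleRef"], None)
        else:
            # A RoleBinding never reaches outside its namespace and never
            # covers cluster-scoped requests (namespace=None).
            if namespace is None or binding["metadata"]["namespace"] != namespace:
                continue
            rules = resolve_rules(binding["roleRef"], namespace)
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

Each dict is a valid manifest: `json.dumps` it and feed it to `kubectl apply -f`, then put the same questions to the live cluster with `kubectl auth can-i create deployments -n ns1 --as john@example.com` or `kubectl auth can-i delete nodes --as alice --as-group k8s-admin`. The ns2 binding is the case people get wrong: referencing a ClusterRole from a RoleBinding does not make the grant cluster-wide.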
Auth0 Extension
RBAC based Kubernetes dashboard
Useful Links
https://aaronparecki.com/oauth-2-simplified/
https://github.com/dmilan77/kubernetes-rbac-presentation
https://jwt.io/
https://github.com/pvdvreede/kubernetes-auth-presentation/blob/master/PITCHME.md
https://www.youtube.com/watch?v=CnHTCTP8d48&t=1200s
Role based access control - RBAC - Kubernetes
