Altoros, profile picture
Uploaded byAltoros
3,577 views

UAA for Kubernetes

The document discusses emergency exit procedures and provides an outline for a talk on authentication and authorization in Kubernetes. It covers various authentication strategies, including the use of OpenID Connect and JWTs, and compares RBAC and ABAC for authorization management. It also highlights the importance of using a unified solution across platforms like Cloud Foundry and Kubernetes, with resources for further involvement.

Embed presentation

@altoros
@altoros@altoros Fire Exit Announcement • Please note the locations of the surrounding emergency exits & located the nearest lit EXIT sign to you • In the event of a fire alarm or other emergency, please calmly exit to the public concourse area • Emergency exit stairwells leading to the outside of thisfacility are located along the public concourse • For your safety in an emergency, please follow the directions of the Public Safety Staff
UAA Authentication for Kubernetes Andrei Krasnitski Software Engineer,Altoros @altoros
@altoros@altoros Talk Outline • Authentication in Kubernetes • Authorization in Kubernetes • Demo • Benefits • Resources
@altoros@altoros Kubernetes • Open-source container orchestration platform • Multi-cloud support • Containers based • Extensible API
@altoros@altoros What isAuthentication and Authorization • Authentication (AuthN) - determining the identity of auser, server, or client. • Authorization (AuthZ) - determining whether that user, server, or client as permission to do something.
@altoros@altoros AuthN and AuthZ consumers in Kubernetes • Operators (using kubectl command-line tool) • Internal communication: • Pods • Control Plane (apiserver, controller, scheduler etc.)
@altoros@altoros Access Control Diagram Authentication User Pod Authorization Admission Control Kubernetes API Server
@altoros@altoros Authentication Strategies in Kubernetes • X509 Client Certificates • Static Password File • Tokens: • Static Token File • Bootstrap Tokens • Service Account Tokens • OpenID Connect Tokens • Webhook Tokens
@altoros@altoros AuthN Plugins: X509 Client Certificates
@altoros@altoros AuthN Plugins: Static Password/Token
@altoros@altoros AuthN Plugins: Service Accounts
@altoros@altoros AuthN Plugins: Webhook Token End User Auth Service Bearer Token Review Status
@altoros@altoros OpenID Connect AuthN Plugin • Delegate authentication of users to a trusted IdP. • Extension for OAuth 2.0. • “OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.”
@altoros@altoros JSON Web Token eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0.eyJzdWIiOiJmNDJlNjAxYi1mO DBlLTQwMGMtOTU4Yy0xYWI0YThhZGNhNDQiLCJwcmV2aW91c19sb2dvbl90aW1lIjoxNTIz NTQ5NDY5NDk1LCJ1c2VyX25hbWUiOiJhZG1pbiIsIm9yaWdpbiI6InVhYSIsImFtciI6WyJwd2 QiXSwiaXNzIjoiaHR0cHM6Ly91YWEuc3lzLnBjZi0xLTEyLmluZnJhLXJlZC54eXovb2F1dGgvdG 9rZW4iLCJjbGllbnRfaWQiOiJwb3J0YWwiLCJhdWQiOlsicG9ydGFsIl0sInppZCI6InVhYSIsImd yYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiJmNDJlNjAxYi1mODBlLTQwMGMtOT U4Yy0xYWI0YThhZGNhNDQiLCJhenAiOiJwb3J0YWwiLCJzY29wZSI6WyJvcGVuaWQiXSwiY XV0aF90aW1lIjoxNTIzNjU4NjA4LCJleHAiOjE1MjQ4NjgyMDgsImlhdCI6MTUyMzY1ODYwO CwianRpIjoiMTRjMDBmNjk2ZWE5NGMzNmEzOTIxZDkxNTA2MDkyNjciLCJlbWFpbCI6ImFk bWluIiwicmV2X3NpZyI6IjQ1N2U4Y2QwIiwiY2lkIjoicG9ydGFsIn0.rUK2FdC6ha1HAmNH_YC6 z6JzpJfTBuTqejIWfak37cApO1ij8_VCXaI51g3IXJrEvx3tcvxGRQdXr 88L1_iz7NjWYwqWVK_ VSmf6njR-k5S9UJkIx5WV6B-I_VCnHZsJCvGdYcll6Jkhf- CTMWqL8mdpoRR6GQV_6iFUDLJtJq2c8LoXH2njm6-gi5iEu_lFxsh_IJUdjHP98mWwrRpf- nZHpllJ12npkorhyY2g4hftgGNTm3o8GYtsn8IUPHPCfTFhtukEmjXB- A1nODF2QHNO5tGlyBnryvo3TjUPy7NR96zzTnbAakSjh3iJkE_6Cy6Wll3GRXXYIsykXd5A
@altoros@altoros Payload component of the JWT
@altoros@altoros OpenID Connect Identity Providers • Public: • Google • Microsoft • Yahoo • PayPal • Amazon • Self-hosted: • dex • UAA
@altoros@altoros What is UAA • User Account and Authorization server • OAuth2 server • SAML, LDAP and OpenID Connect integration • Supports APIs for user account management • APIs defined by the specs for OAuth2 and OpenID Connect
@altoros@altoros How Does it Work with Kubernetes? User kubectl Identity Provider API Server Login to IdP IdP provide access_token and id_token Call kubectl using provided id_token Send token in Authorization header to the API server Validate JWT signature Check id_token expiration date UserAuthorized? Send response to kubectl Send result to the user
@altoros@altoros Authorization Modules in Kubernetes • Node (kubelets only) • ABAC (Attribute-based access control) • RBAC (Role-based access control) • Webhook
@altoros@altoros ABAC Overview
@altoros@altoros ABAC Overview
@altoros@altoros RBAC Overview • Role an ClusterRole • RoleBinding and ClusterRoleBinding • User and Group
@altoros@altoros RBAC and ABAC comparison RBAC ABAC Authorization policy changes can be made using kubectl command-line tool. Requires SSHand file system access on Kubernetes Master to make changes in authorization policy file. Changes are applied on the fly. Operator must restart API server to pickup new policy. Authorization is managed by Kubernetes API. Authorization is managed by user-configured local file.
Demo @altoros
@altoros@altoros Configure OpenID Connect in Kubernetes Just configure additional flags on the API server: • --oidc-issuer-url=URL • --oidc-client-id=ID • --oidc-username-claim=email • --oidc-ca-file=/k8s-ca.em
@altoros@altoros OpenID Connect in kubo-release It’s already there:
@altoros@altoros Lessons Learned • Use one solution for Cloud Foundry and Kubernetes • OpenID Connect includes discovery • Easy to configure • Minimize password security risks
@altoros@altoros Get Involved! • Repos: • https://github.com/cloudfoundry-incubator/kubo-release • https://github.com/cloudfoundry-incubator/kubo-deployment • https://github.com/frodenas/uaa-k8s-oidc-helper • Slack: • Cloud Foundry #cfcr • Kubernetes #sig-auth
Questions? Andrei Krasnitski Software Engineer,Altoros @altoros

More Related Content

PDF
Impala: A Modern, Open-Source SQL Engine for Hadoop
byAll Things Open
 
PDF
LogStash - Yes, logging can be awesome
byJames Turnbull
 
PDF
Application Logging With Logstash
bybenwaine
 
ODP
Using Logstash, elasticsearch & kibana
byAlejandro E Brito Monedero
 
PPTX
Troubleshooting .NET Applications on Cloud Foundry
byAltoros
 
PDF
Connecting to the network
byMu Chun Wang
 
TXT
File handling complete programs in c++
byzain ul hassan
 
PDF
Fail Fast. Into User's Face.
byYegor Bugayenko
 
Impala: A Modern, Open-Source SQL Engine for Hadoop
byAll Things Open
 
LogStash - Yes, logging can be awesome
byJames Turnbull
 
Application Logging With Logstash
bybenwaine
 
Using Logstash, elasticsearch & kibana
byAlejandro E Brito Monedero
 
Troubleshooting .NET Applications on Cloud Foundry
byAltoros
 
Connecting to the network
byMu Chun Wang
 
File handling complete programs in c++
byzain ul hassan
 
Fail Fast. Into User's Face.
byYegor Bugayenko
 

What's hot

PDF
Relayd: a load balancer for OpenBSD
byGiovanni Bechis
 
PPTX
Hack ASP.NET website
byPositive Hack Days
 
PDF
swift-nio のアーキテクチャーと RxHttpClient
byShinya Mochida
 
PPTX
13 networking, mobile services, and authentication
byWindowsPhoneRocks
 
PDF
Vert.X: Microservices Were Never So Easy (Clement Escoffier)
byRed Hat Developers
 
PDF
#win8acad : Building Metro Style Apps with XAML for .NET Developers
byFrederik De Bruyne
 
PDF
Web Services and Android - OSSPAC 2009
bysullis
 
PPTX
ATS Internals
byChao Xu
 
PPTX
Ajax basics
byHernán Garzón de la Roza
 
PDF
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
byGeeksLab Odessa
 
PDF
Connecting to Web Services on Android June 2 2010
bysullis
 
PDF
Debugging and Testing ES Systems
byChris Birchall
 
PDF
LibreSSL, one year later
byGiovanni Bechis
 
PDF
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
byPuppet
 
PDF
Elk stack @inbot
byJilles van Gurp
 
PDF
OWASP Proxy
bySecurity B-Sides
 
PDF
Ajax и будущее Java Script
byConstantin Kichinsky
 
PDF
Modern Networking with Swish
byjakecraige
 
PPTX
Building real-time apps with WebSockets
byMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
PDF
Need It Robust? Make It Fragile!
byYegor Bugayenko
 
Relayd: a load balancer for OpenBSD
byGiovanni Bechis
 
Hack ASP.NET website
byPositive Hack Days
 
swift-nio のアーキテクチャーと RxHttpClient
byShinya Mochida
 
13 networking, mobile services, and authentication
byWindowsPhoneRocks
 
Vert.X: Microservices Were Never So Easy (Clement Escoffier)
byRed Hat Developers
 
#win8acad : Building Metro Style Apps with XAML for .NET Developers
byFrederik De Bruyne
 
Web Services and Android - OSSPAC 2009
bysullis
 
ATS Internals
byChao Xu
 
Ajax basics
byHernán Garzón de la Roza
 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
byGeeksLab Odessa
 
Connecting to Web Services on Android June 2 2010
bysullis
 
Debugging and Testing ES Systems
byChris Birchall
 
LibreSSL, one year later
byGiovanni Bechis
 
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
byPuppet
 
Elk stack @inbot
byJilles van Gurp
 
OWASP Proxy
bySecurity B-Sides
 
Ajax и будущее Java Script
byConstantin Kichinsky
 
Modern Networking with Swish
byjakecraige
 
Building real-time apps with WebSockets
byMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Need It Robust? Make It Fragile!
byYegor Bugayenko
 

Similar to UAA for Kubernetes

PDF
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PDF
Distributed Identities with OpenID
byBastian Hofmann
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
PPTX
Esquema de pasos de ejecución IdM
byFernando Lopez Aguilar
 
PDF
APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta
byapidays
 
PDF
OAuth2
bySPARK MEDIA
 
PDF
Are You Properly Using JWTs?
by42Crunch
 
PDF
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
byijtsrd
 
PDF
Draft Hammer Oauth 10
byVishal Shah
 
PDF
RFC6749 et alia 20130504
byMattias Jidhage
 
PDF
Rest api titouan benoit
byTitouan BENOIT
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
PDF
Draft Ietf Oauth V2 12
byVishal Shah
 
PDF
Bufferauthentication
byVishal Shah
 
PDF
Oauth2.0
byiratao
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
OAuth and why you should use it
bySergey Podgornyy
 
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
Distributed Identities with OpenID
byBastian Hofmann
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
Esquema de pasos de ejecución IdM
byFernando Lopez Aguilar
 
APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta
byapidays
 
OAuth2
bySPARK MEDIA
 
Are You Properly Using JWTs?
by42Crunch
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
byijtsrd
 
Draft Hammer Oauth 10
byVishal Shah
 
RFC6749 et alia 20130504
byMattias Jidhage
 
Rest api titouan benoit
byTitouan BENOIT
 
When and Why Would I use Oauth2?
byDave Syer
 
Draft Ietf Oauth V2 12
byVishal Shah
 
Bufferauthentication
byVishal Shah
 
Oauth2.0
byiratao
 

More from Altoros

PPTX
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
byAltoros
 
PPTX
Cloud Foundry Monitoring How-To: Collecting Metrics and Logs
byAltoros
 
PPTX
SGX: Improving Privacy, Security, and Trust Across Blockchain Networks
byAltoros
 
PPTX
AI as a Catalyst for IoT
byAltoros
 
PPTX
Over-Engineering: Causes, Symptoms, and Treatment
byAltoros
 
PPTX
Navigating the Ecosystem of Pivotal Cloud Foundry Tiles
byAltoros
 
PPTX
5-Step Deployment of Hyperledger Fabric on Multiple Nodes
byAltoros
 
PPTX
Continuous Integration and Deployment with Jenkins for PCF
byAltoros
 
PPTX
Distributed Ledger Technology for Over-the-Counter Trading
byAltoros
 
PDF
Smart Baggage Tracking: End-to-End Sensor-Based Solution
byAltoros
 
PDF
Containers and Kubernetes
byAltoros
 
PPTX
Deploying Kubernetes on GCP with Kubespray
byAltoros
 
PDF
Kubernetes Platform Readiness and Maturity Assessment
byAltoros
 
PPTX
How to Never Leave Your Deployment Unattended
byAltoros
 
PPTX
Using the Cloud Foundry and Kubernetes Stack as a Part of a Blockchain CI/CD ...
byAltoros
 
PPTX
Crap. Your Big Data Kitchen Is Broken.
byAltoros
 
PPTX
What's New in the Cloud Foundry Ecosystem?
byAltoros
 
PDF
Journey Through Four Stages of Kubernetes Deployment Maturity
byAltoros
 
PPTX
Bluemix Live Sync: Speed Up Maintenance and Delivery for Node.js
byAltoros
 
PDF
Maturing with Kubernetes
byAltoros
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
byAltoros
 
Cloud Foundry Monitoring How-To: Collecting Metrics and Logs
byAltoros
 
SGX: Improving Privacy, Security, and Trust Across Blockchain Networks
byAltoros
 
AI as a Catalyst for IoT
byAltoros
 
Over-Engineering: Causes, Symptoms, and Treatment
byAltoros
 
Navigating the Ecosystem of Pivotal Cloud Foundry Tiles
byAltoros
 
5-Step Deployment of Hyperledger Fabric on Multiple Nodes
byAltoros
 
Continuous Integration and Deployment with Jenkins for PCF
byAltoros
 
Distributed Ledger Technology for Over-the-Counter Trading
byAltoros
 
Smart Baggage Tracking: End-to-End Sensor-Based Solution
byAltoros
 
Containers and Kubernetes
byAltoros
 
Deploying Kubernetes on GCP with Kubespray
byAltoros
 
Kubernetes Platform Readiness and Maturity Assessment
byAltoros
 
How to Never Leave Your Deployment Unattended
byAltoros
 
Using the Cloud Foundry and Kubernetes Stack as a Part of a Blockchain CI/CD ...
byAltoros
 
Crap. Your Big Data Kitchen Is Broken.
byAltoros
 
What's New in the Cloud Foundry Ecosystem?
byAltoros
 
Journey Through Four Stages of Kubernetes Deployment Maturity
byAltoros
 
Bluemix Live Sync: Speed Up Maintenance and Delivery for Node.js
byAltoros
 
Maturing with Kubernetes
byAltoros
 

Recently uploaded

PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
How to Evaluate a High Performance Database
byScyllaDB
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
API-First Architecture in Financial Systems
bycyy111112
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 

UAA for Kubernetes