K8sOM#15
User Authentication and Authorization in
Kubernetes
Neependra Khare, CloudYuga
About the Speaker - Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Author of Docker Cookbook - 2015
● Author of “Introduction to Kubernetes” course on Edx
● Running Docker Meetup Group in Bangalore, India for more than 4 years now
Kubernetes Architecture (diagram)
Master Node: API Server, Controller, Scheduler, key/value store
Node (x3): Kubelet, kube-proxy
CLI/API: clients of the API Server
Kubernetes API Request (diagram)
Every request passes through three stages before it reaches the K8s objects:
● Authentication: can the user log in to the cluster?
● Authorization: can the user do the requested action?
● Admission Control: is it a valid request?
Authentication
Kubernetes Users
● Users are not first-class citizens of Kubernetes, the way Pods are
● In most cases, user management is offloaded to external services like Active Directory or LDAP
● Two kinds of users: Normal Users and Service Accounts
Normal Users
● Basic Authentication
○ Pass a configuration file to the API Server with one user per line, in this format:
<password>,<username>,<uid>,"<group1,group2>"
<password>,<username>,<uid>,"<group1,group3>"
● X.509 Client Certificate
○ Create the user's public/private key pair
○ Get it certified by a CA (the Kubernetes CA)
● Bearer Tokens (JSON Web Tokens)
○ OpenID Connect
■ Built on top of OAuth 2.0
○ Webhooks
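To make the basic-authentication file format concrete, here is an added example (my code, not the speaker's and not kube-apiserver's): a parser for lines in that format plus a lookup that turns an HTTP Basic header into the username, uid and groups that the authorizer later sees. The sample file content is constructed; the names `parse_password_file`, `basic_header`, `authenticate_basic` and `UserInfo` are mine. Kubernetes read such a file through the `--basic-auth-file` flag, which was deprecated in 1.16 and removed in 1.19, so on current clusters this method is of historical interest only and certificates, OIDC or webhook tokens are what remain.

```python
"""Parser and lookup for the API server's static password file format from
the slide: one user per line, <password>,<username>,<uid>,"<group1,group2>".
Added example, not kube-apiserver code: Kubernetes read this file through the
--basic-auth-file flag (deprecated in 1.16, removed in 1.19); this re-implements
the parsing and matching so the identity it produces can be inspected."""
import base64
import csv
import hmac
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class UserInfo:
    """What the authenticator hands to the authorizer: name, uid and groups."""
    username: str
    uid: str
    groups: tuple


def parse_password_file(text):
    """Return {username: (password, UserInfo)}. The csv module handles the quoted
    group column, so a group list containing commas stays one field; the fourth
    column may be empty. Lines starting with '#' are skipped (this parser's own
    convenience, not a feature of the original file format)."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError(f"malformed line: {row!r}")
        password, username, uid = row[0], row[1], row[2]
        group_field = row[3] if len(row) > 3 else ""
        groups = tuple(g.strip() for g in group_field.split(",") if g.strip())
        if username in users:
            raise ValueError(f"duplicate user: {username!r}")
        users[username] = (password, UserInfo(username, uid, groups))
    return users


def basic_header(username, password):
    """Build the 'Authorization: Basic ...' value a client would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def authenticate_basic(users, authorization_header):
    """Map an Authorization header to a UserInfo, or None when it does not
    authenticate. Only the Basic scheme is handled here."""
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        username, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = users.get(username)
    if entry is None:
        return None
    stored_password, info = entry
    # compare_digest rather than == so the comparison does not leak how long a prefix matched
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return info


# Constructed sample file in the slide's format (made-up credentials).
SAMPLE_PASSWORD_FILE = """\
# constructed sample, not real credentials
s3cret-dev,nkhare,1001,"developers,cloudyuga"
s3cret-qa,qa-bot,1002,"qa,cloudyuga"
s3cret-ops,ops,1003,
"""
```

The point worth noticing is the shape of the output: whatever the authenticator (this file, a client certificate, an OIDC token) is, what reaches the authorizer is just a username, a uid and a list of groups, and the RBAC bindings later in the deck are written against exactly those three things.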
Service Account
● Think of it as a user identity that a process inside a Pod uses to access the API Server.
● A Service Account named default is created automatically whenever a new namespace is created.
● User-defined Service Accounts can be created as well and attached to Pods running in the same namespace.
Kubeconfig File
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/neependra/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/neependra/.minikube/client.crt
    client-key: /Users/neependra/.minikube/client.key
A context pairs a user with a cluster (diagram):
User dev + Cluster dev = Context dev
User qa + Cluster qa = Context qa
User prod + Cluster prod = Context prod
Authentication Demo Workflow (diagram)
nkhare.key (openssl) -> nkhare.csr (openssl) -> nkhare-csr (k8s object) -> signed by the K8s CA -> nkhare.crt
Authentication Demo
Authorization
Kubernetes Authorization
Can a User do the Requested Action?
● Kubernetes Authorization Modules
○ AlwaysAllow
○ AlwaysDeny
○ Node
○ Attribute Based Access Control (ABAC)
○ Role Based Access Control (RBAC)
○ Webhook
Operations on Kubernetes Objects
● create
● get
● delete
● list
● update
● edit
● patch
● watch
● ….
Role Based Access Control (RBAC) - Roles
Role
"Applicable to a given namespace only."
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cloudyuga
  name: deployment-manager
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]
ClusterRole
"Applicable Cluster Wide."
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]
Kubernetes - APIs (diagram of the API path tree)
/
  /healthz   /metrics   /api   /apis   …
/api/v1
  /api/v1/pods   /api/v1/nodes   /api/v1/services   …
/apis/apps
  /apis/apps/v1
    /apis/apps/v1/Deployment   /apis/apps/v1/DaemonSet   /apis/apps/v1/StatefulSet   …
  /apis/apps/v1beta1
/apis/…
Role Based Access Control (RBAC) - Role Bindings (diagram)
RoleBinding: "Applicable to a given namespace only." Binds a Role to Subjects: Normal Users, Service Accounts, Groups
ClusterRoleBinding: "Applicable Cluster Wide." Binds a ClusterRole to Subjects: Normal Users, Service Accounts, Groups
Role Based Access Control (RBAC) - Role Bindings
RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: cloudyuga
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: "rbac.authorization.k8s.io"
ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-manager-binding
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: ClusterRole
  name: deployment-manager-cluster
  apiGroup: "rbac.authorization.k8s.io"
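To show how the Role, the ClusterRole and the two bindings above combine into an allow/deny decision, and how the API paths from the earlier slide map onto the apiGroups and resources a rule names, here is an added example (my code, not the speaker's and not the kube-apiserver RBAC authorizer). The manifests are the ones from the slides, written as plain dicts so the block needs no YAML library; `parse_api_path`, `RBACAuthorizer`, `Request` and `check` are my names. It goes a little beyond the slides: it also handles Group and ServiceAccount subjects and the pattern of a RoleBinding referencing a ClusterRole, and it uses the lowercase plural resource names (`deployments`) that appear in real request paths.

```python
"""RBAC decision logic for the Role/ClusterRole/RoleBinding/ClusterRoleBinding
objects on the slides, plus the mapping from an API path to the (apiGroup,
resource, namespace) triple that rules match on. Added example: a stand-alone
re-implementation of the documented semantics on plain dicts (what
yaml.safe_load returns for the manifests), not kube-apiserver's authorizer."""
from collections import namedtuple

SA_PREFIX = "system:serviceaccount:"   # user-name form of a service account
# api_group is "" for the core group (/api/v1); namespace is "" for cluster-scoped resources
Request = namedtuple("Request", "user groups verb api_group resource namespace")


def parse_api_path(path):
    """/api/v1/namespaces/<ns>/pods -> ("", "pods", ns);
    /apis/apps/v1/namespaces/<ns>/deployments -> ("apps", "deployments", ns);
    paths without a namespaces/<ns>/ segment are cluster-scoped."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "api":        # core group: /api/<version>/...
        group, rest = "", parts[2:]
    elif len(parts) >= 3 and parts[0] == "apis":     # named group: /apis/<group>/<version>/...
        group, rest = parts[1], parts[3:]
    else:
        raise ValueError(f"not a resource path: {path}")
    namespace = ""
    if len(rest) >= 3 and rest[0] == "namespaces":   # /namespaces/<ns>/<resource>[/<name>]
        namespace, rest = rest[1], rest[2:]
    if not rest:
        raise ValueError(f"no resource in path: {path}")
    return group, rest[0], namespace


def _rule_matches(rule, req):
    hit = lambda values, want: "*" in values or want in values
    return (hit(rule.get("apiGroups", []), req.api_group) and
            hit(rule.get("resources", []), req.resource) and
            hit(rule.get("verbs", []), req.verb))


def _subject_matches(subject, req, default_namespace):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":   # namespace defaults to the binding's namespace
        return req.user == f"{SA_PREFIX}{subject.get('namespace') or default_namespace}:{name}"
    return False


class RBACAuthorizer:
    def __init__(self, objects):
        self.roles, self.cluster_roles, self.bindings = {}, {}, []
        for obj in objects:
            kind, meta = obj["kind"], obj["metadata"]
            if kind == "Role":
                self.roles[(meta["namespace"], meta["name"])] = obj.get("rules", [])
            elif kind == "ClusterRole":
                self.cluster_roles[meta["name"]] = obj.get("rules", [])
            elif kind in ("RoleBinding", "ClusterRoleBinding"):
                # a RoleBinding is scoped to its namespace; a ClusterRoleBinding ("") applies everywhere
                self.bindings.append((meta["namespace"] if kind == "RoleBinding" else "", obj))
            else:
                raise ValueError(f"not an RBAC object: {kind}")

    def _rules_for(self, role_ref, binding_namespace):
        # A RoleBinding may reference a Role in its own namespace or a ClusterRole (whose
        # rules then apply only inside that namespace); a ClusterRoleBinding only a ClusterRole.
        if role_ref["kind"] == "ClusterRole":
            return self.cluster_roles.get(role_ref["name"], [])
        if role_ref["kind"] == "Role" and binding_namespace:
            return self.roles.get((binding_namespace, role_ref["name"]), [])
        return []

    def allowed(self, req):
        """True only if a binding naming the requester references a matching rule;
        RBAC has no deny rules, so anything not granted is denied."""
        for ns, binding in self.bindings:
            if ns and ns != req.namespace:        # RoleBinding from another namespace
                continue
            if not any(_subject_matches(s, req, ns) for s in binding.get("subjects", [])):
                continue
            if any(_rule_matches(r, req) for r in self._rules_for(binding["roleRef"], ns)):
                return True
        return False


# The four manifests from the slides, as dicts (apiVersion fields omitted).
RULES = [{"apiGroups": ["", "apps"],
          "resources": ["deployments", "replicasets", "pods"],
          "verbs": ["get", "list", "watch", "create", "update"]}]
ROLE = {"kind": "Role", "metadata": {"namespace": "cloudyuga", "name": "deployment-manager"}, "rules": RULES}
CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "deployment-manager-cluster"}, "rules": RULES}
ROLE_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "deployment-manager-binding", "namespace": "cloudyuga"},
                "subjects": [{"kind": "User", "name": "nkhare"}],
                "roleRef": {"kind": "Role", "name": "deployment-manager"}}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding",
                        "metadata": {"name": "cluster-manager-binding"},
                        "subjects": [{"kind": "User", "name": "nkhare"}],
                        "roleRef": {"kind": "ClusterRole", "name": "deployment-manager-cluster"}}


def check(objects, user, groups, verb, path):
    """Would `user` (a member of `groups`) be allowed to `verb` the resource at `path`?"""
    api_group, resource, namespace = parse_api_path(path)
    req = Request(user, frozenset(groups), verb, api_group, resource, namespace)
    return RBACAuthorizer(objects).allowed(req)
```

Running `check` with the two sets of objects shows the practical difference between the bindings: with only the RoleBinding, nkhare can get pods in cloudyuga but not in default, and can never delete them because the rule does not list that verb; the ClusterRoleBinding grants the same verbs in every namespace. Read a rule as the cross product of its lists: the one on the slide matches every combination of the two groups, three resources and five verbs, which is the right way to review an RBAC manifest for what it actually grants.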
Authorization Demo
Thanks
@neependra
https://www.linkedin.com/in/neependra/

More Related Content

What's hot

stupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdfstupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdf
DaniloQueirozMota
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operators
J On The Beach
 
Istio : Service Mesh
Istio : Service MeshIstio : Service Mesh
Istio : Service Mesh
Knoldus Inc.
 
Kubernetes Architecture
 Kubernetes Architecture Kubernetes Architecture
Kubernetes Architecture
Knoldus Inc.
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)
Megan O'Keefe
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
SIGHUP
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
Vietnam Open Infrastructure User Group
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
VMware Tanzu
 
Tìm hiểu và triển khai ứng dụng Web với Kubernetes
Tìm hiểu và triển khai ứng dụng Web với KubernetesTìm hiểu và triển khai ứng dụng Web với Kubernetes
Tìm hiểu và triển khai ứng dụng Web với Kubernetes
GMO-Z.com Vietnam Lab Center
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
Sharon Vendrov
 
Kubernetes Probes (Liveness, Readyness, Startup) Introduction
Kubernetes Probes (Liveness, Readyness, Startup) IntroductionKubernetes Probes (Liveness, Readyness, Startup) Introduction
Kubernetes Probes (Liveness, Readyness, Startup) Introduction
AkhmadZakiAlsafi
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
VPC Implementation In OpenStack Heat
VPC Implementation In OpenStack HeatVPC Implementation In OpenStack Heat
VPC Implementation In OpenStack Heat
Saju Madhavan
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Raffaele Di Fazio
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Edureka!
 
Introduction to Tekton
Introduction to TektonIntroduction to Tekton
Introduction to Tekton
Victor Iglesias
 

What's hot (20)

stupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdfstupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdf
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 
An intro to Kubernetes operators
An intro to Kubernetes operatorsAn intro to Kubernetes operators
An intro to Kubernetes operators
 
Istio : Service Mesh
Istio : Service MeshIstio : Service Mesh
Istio : Service Mesh
 
Kubernetes Architecture
 Kubernetes Architecture Kubernetes Architecture
Kubernetes Architecture
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
 
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
 
Tìm hiểu và triển khai ứng dụng Web với Kubernetes
Tìm hiểu và triển khai ứng dụng Web với KubernetesTìm hiểu và triển khai ứng dụng Web với Kubernetes
Tìm hiểu và triển khai ứng dụng Web với Kubernetes
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
Kubernetes Probes (Liveness, Readyness, Startup) Introduction
Kubernetes Probes (Liveness, Readyness, Startup) IntroductionKubernetes Probes (Liveness, Readyness, Startup) Introduction
Kubernetes Probes (Liveness, Readyness, Startup) Introduction
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
VPC Implementation In OpenStack Heat
VPC Implementation In OpenStack HeatVPC Implementation In OpenStack Heat
VPC Implementation In OpenStack Heat
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
 
Introduction to Tekton
Introduction to TektonIntroduction to Tekton
Introduction to Tekton
 

Similar to User authentication and authorizarion in Kubernetes

Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...
Agile India
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
CloudYuga
 
Getting started with kubernetes
Getting started with kubernetesGetting started with kubernetes
Getting started with kubernetes
Bob Killen
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesDocker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Thomas Barlow
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Rishabh Indoria
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
Piotr Perzyna
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Edureka!
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
Gigi Sayfan
 
RBAC in Kuberetes
RBAC in KuberetesRBAC in Kuberetes
RBAC in Kuberetes
Knoldus Inc.
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307
Inhye Park
 
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components AutomationsFIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
Stfalcon Meetups
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
Kumton Suttiraksiri
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
Docker, Inc.
 
Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
Milan Das
 
Kubernetes basics
Kubernetes basicsKubernetes basics
Kubernetes basics
Robert te Kaat
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
Rudy De Busscher
 

Similar to User authentication and authorizarion in Kubernetes (20)

Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
 
Getting started with kubernetes
Getting started with kubernetesGetting started with kubernetes
Getting started with kubernetes
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesDocker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
RBAC in Kuberetes
RBAC in KuberetesRBAC in Kuberetes
RBAC in Kuberetes
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307
 
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components AutomationsFIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
 
Kubernetes basics
Kubernetes basicsKubernetes basics
Kubernetes basics
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
 
Kubernetes-Meetup
Kubernetes-MeetupKubernetes-Meetup
Kubernetes-Meetup
 

More from Neependra Khare

002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta
Neependra Khare
 
Service Discovery with Consul - Arunvel Arunachalam
Service Discovery with Consul  - Arunvel Arunachalam Service Discovery with Consul  - Arunvel Arunachalam
Service Discovery with Consul - Arunvel Arunachalam
Neependra Khare
 
Containarized Gluster Storage in Kubernetes
Containarized Gluster Storage in KubernetesContainarized Gluster Storage in Kubernetes
Containarized Gluster Storage in Kubernetes
Neependra Khare
 
Securing modern infrastructure
Securing modern infrastructureSecuring modern infrastructure
Securing modern infrastructure
Neependra Khare
 
DevOps India Days' 17 Keynote
DevOps India Days' 17 KeynoteDevOps India Days' 17 Keynote
DevOps India Days' 17 Keynote
Neependra Khare
 
CNCF Projects Overview
CNCF Projects OverviewCNCF Projects Overview
CNCF Projects Overview
Neependra Khare
 
Project Moby
Project MobyProject Moby
Project Moby
Neependra Khare
 
Docker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman KumarDocker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman Kumar
Neependra Khare
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBM
Neependra Khare
 
Kubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai VallirajanKubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai Vallirajan
Neependra Khare
 
Performance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fsPerformance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fs
Neependra Khare
 

More from Neependra Khare (11)

002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta
 
Service Discovery with Consul - Arunvel Arunachalam
Service Discovery with Consul  - Arunvel Arunachalam Service Discovery with Consul  - Arunvel Arunachalam
Service Discovery with Consul - Arunvel Arunachalam
 
Containarized Gluster Storage in Kubernetes
Containarized Gluster Storage in KubernetesContainarized Gluster Storage in Kubernetes
Containarized Gluster Storage in Kubernetes
 
Securing modern infrastructure
Securing modern infrastructureSecuring modern infrastructure
Securing modern infrastructure
 
DevOps India Days' 17 Keynote
DevOps India Days' 17 KeynoteDevOps India Days' 17 Keynote
DevOps India Days' 17 Keynote
 
CNCF Projects Overview
CNCF Projects OverviewCNCF Projects Overview
CNCF Projects Overview
 
Project Moby
Project MobyProject Moby
Project Moby
 
Docker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman KumarDocker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman Kumar
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBM
 
Kubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai VallirajanKubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai Vallirajan
 
Performance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fsPerformance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fs
 

Recently uploaded

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

User authentication and authorization in Kubernetes

1. K8sOM#15
User Authentication and Authorization in Kubernetes
Neependra Khare, CloudYuga

2. About the Speaker - Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Author of Docker Cookbook - 2015
● Author of “Introduction to Kubernetes” course on Edx
● Running Docker Meetup Group in Bangalore, India for more than 4 years now

3. Kubernetes Architecture
(diagram) Master Node: Controller, Scheduler, API Server, key/value store. Nodes (three shown): Kubelet, kube-proxy. Clients reach the API Server through the CLI/API.

4. Kubernetes API Request
(diagram) A request passes through three stages before it reaches the K8s objects:
● Authentication: can the user log in to the cluster?
● Authorization: can the user do the requested action?
● Admission Control: is it a valid request?

6. Kubernetes Users
● Users are not first-class objects in Kubernetes the way Pods are
● In most cases, user management is offloaded to external services like Active Directory or LDAP

7. Kubernetes Users
● Users are not first-class objects like Pods
● In most cases, user management is offloaded to external services like Active Directory or LDAP
Two kinds: Normal Users and Service Accounts

8. Normal Users
● Basic Authentication
  ○ Pass a configuration file with content like the following to the API Server:
    <password>,<username>,<uid>,"<group1,group2>"
    <password>,<username>,<uid>,"<group1,group3>"
● X.509 Client Certificate
  ○ Create a user’s public/private key pair
  ○ Get it certified by a CA (the Kubernetes CA)
● Bearer Tokens (JSON Web Tokens)
  ○ OpenID Connect
    ■ On top of OAuth 2.0
  ○ Webhooks
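The basic-authentication file format on slide 8 is worth seeing end to end, because it is the simplest illustration of what every Kubernetes authenticator produces: a user name, a uid and a list of groups that authorization then works on. The following is an added example written for this page, not code from the slides or from Kubernetes. The sample file content, user names and passwords are constructed; the only thing taken from the slide is the column layout (note the quoted fourth column, which is itself a comma-separated group list). One caveat a practitioner needs: the static password file (`--basic-auth-file`) was removed in Kubernetes 1.19, so this is for understanding the identity model, not for configuring a current cluster.

```python
"""Parser and authenticator for the static password file format on slide 8.
Added example, not code from the slides or from Kubernetes.

File format, one user per line:  <password>,<username>,<uid>,"<group1,group2>"
The API server read it via --basic-auth-file and checked the request's
"Authorization: Basic base64(username:password)" header against it. Basic
auth was removed in Kubernetes 1.19; the example shows the identity model
(user name, uid, group list) that every authenticator hands to authorization.
"""
import base64
import csv
import hmac
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample file (only the column layout comes from the slide).
SAMPLE_PASSWORD_FILE = """\
s3cr3t-dev,nkhare,1001,"developers,cloudyuga"
qa-pass,qa-user,1002,"qa,cloudyuga"
no-groups,auditor,1003,
"""


@dataclass
class UserInfo:
    username: str
    uid: str
    groups: List[str] = field(default_factory=list)


@dataclass
class Entry:
    password: str
    info: UserInfo


def parse_password_file(text: str) -> Dict[str, Entry]:
    """Return a map username -> Entry.

    The fourth column is one quoted CSV field whose content is itself a
    comma-separated group list; that is why it must be quoted in the file.
    """
    entries: Dict[str, Entry] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected password,username,uid[,groups]")
        password, username, uid = row[0], row[1], row[2]
        groups: List[str] = []
        if len(row) > 3 and row[3]:
            groups = [g.strip() for g in row[3].split(",") if g.strip()]
        if username in entries:
            raise ValueError(f"line {lineno}: duplicate user {username!r}")
        entries[username] = Entry(password, UserInfo(username, uid, groups))
    return entries


def basic_header(username: str, password: str) -> str:
    """Build the header value a client sends for HTTP basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate_basic(entries: Dict[str, Entry], header: str) -> Optional[UserInfo]:
    """Check an Authorization header value; return UserInfo or None.

    Rejects non-Basic schemes, malformed base64, a missing ':' separator,
    unknown users and wrong passwords. The password comparison is
    constant-time. On success the user is also placed in the
    system:authenticated group, which the API server adds to every
    authenticated identity.
    """
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    entry = entries.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry.password.encode("utf-8"), password.encode("utf-8")):
        return None
    info = entry.info
    return UserInfo(info.username, info.uid, info.groups + ["system:authenticated"])
```

The returned UserInfo (name, uid, groups) is exactly the triple a RoleBinding subject is matched against later in the deck; the X.509 and OIDC authenticators produce the same triple from the certificate CN/O fields or from token claims, so the rest of the pipeline is independent of how the user logged in.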
9. Service Account
● Think of it as the identity a process inside a Pod uses to access the API Server.
● A Service Account named default is created whenever a new namespace is created.
● User-defined Service Accounts can be created as well and attached to Pods running in the same namespace.

10. Kubeconfig File
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/neependra/.minikube/ca.crt
    server: https://192.168.99.100:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/neependra/.minikube/client.crt
    client-key: /Users/neependra/.minikube/client.key
(diagram) A context pairs a user with a cluster:
● User dev + Cluster dev = Context dev
● User qa + Cluster qa = Context qa
● User prod + Cluster prod = Context prod
14. Kubernetes Authorization
Can a User do the Requested Action?

15. Kubernetes Authorization
Can a User do the Requested Action?
● Kubernetes Authorization Modules
  ○ AlwaysAllow
  ○ AlwaysDeny
  ○ Node
  ○ Attribute Based Access Control (ABAC)
  ○ Role Based Access Control (RBAC)
  ○ Webhook

16. Operations on Kubernetes Objects
● create
● get
● delete
● list
● update
● edit
● patch
● watch
● ….

17. Role Based Access Control (RBAC) - Roles
Role: “Applicable to a given namespace only.”
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cloudyuga
  name: deployment-manager
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]

ClusterRole: “Applicable Cluster Wide.”
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]

18. Kubernetes - APIs
/
/healthz
/metrics
/api
/apis
…..
/api/v1
/api/v1/pods
/api/v1/nodes
/api/v1/services
……
/apis/apps
/apis/apps/v1
/apis/apps/v1/Deployment
/apis/apps/v1/DaemonSet
/apis/apps/v1/StatefulSet
…….
/apis/apps/v1beta1
/apis/…..

19. Role Based Access Control (RBAC) - Role Bindings
(diagram)
RoleBinding: “Applicable to a given namespace only.” Binds a Role to Subjects: Normal Users, Service Accounts, Groups.
ClusterRoleBinding: “Applicable Cluster Wide.” Binds a ClusterRole to Subjects: Normal Users, Service Accounts, Groups.

20. Role Based Access Control (RBAC) - Role Bindings
RoleBinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: cloudyuga
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: "rbac.authorization.k8s.io"

ClusterRoleBinding:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-manager-binding
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: ClusterRole
  name: deployment-manager-cluster
  apiGroup: "rbac.authorization.k8s.io"
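Slides 15 to 20 describe the RBAC decision but never walk a request through it. The added example below does that; it is written for this page and is a model of the decision, not the API server's authorizer. It takes the Role, ClusterRole, RoleBinding and ClusterRoleBinding objects exactly as they appear on slides 17 and 20 (as Python dicts), maps the REST paths from slide 18 and an HTTP method onto the apiGroup / resource / verb / namespace attributes RBAC rules are written in, and then answers three questions the slides imply: a Role bound in cloudyuga grants nothing in default; the ClusterRoleBinding grants in every namespace; and a RoleBinding that references a ClusterRole (the constructed QA_BINDING, not from the slides) still grants only inside its own namespace. The subject kinds User, Group and ServiceAccount, and the system:serviceaccount:<ns>:<name> user name a service account authenticates under, are standard Kubernetes behaviour; everything else in the data is constructed.

```python
"""RBAC decision walk-through for the objects on slides 17-20. Added example
for this page: a model of the decision, not the API server's authorizer.
Objects are dicts shaped like the slides' YAML; parse_request() maps the API
paths of slide 18 onto the (apiGroup, resource, namespace) attributes of RBAC."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: Tuple[str, ...]
    verb: str
    api_group: str            # "" = core group (/api/v1); "apps" = /apis/apps
    resource: str
    namespace: Optional[str]  # None for cluster-scoped resources such as nodes


HTTP_TO_VERB = {"GET": "get", "POST": "create", "PUT": "update",
                "PATCH": "patch", "DELETE": "delete"}


def parse_request(user: str, groups, method: str, path: str) -> Request:
    """/api/v1/... is the core group ""; /apis/<group>/<version>/... is <group>.
    GET on a collection (no object name) is 'list', or 'watch' with ?watch=true."""
    path, _, query = path.partition("?")
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] not in ("api", "apis"):
        raise ValueError(f"not a resource path: {path}")
    group = "" if parts[0] == "api" else parts[1]
    rest = parts[2:] if parts[0] == "api" else parts[3:]
    namespace = None
    if len(rest) >= 3 and rest[0] == "namespaces":   # /namespaces/<ns>/<resource>[/<name>]
        namespace, rest = rest[1], rest[2:]
    resource, name = rest[0], (rest[1] if len(rest) > 1 else None)
    verb = HTTP_TO_VERB[method]
    if method == "GET" and name is None:
        verb = "watch" if "watch=true" in query else "list"
    return Request(user, tuple(groups), verb, group, resource, namespace)


def rule_allows(rule: dict, req: Request) -> bool:
    hit = lambda values, want: "*" in values or want in values
    return (hit(rule["apiGroups"], req.api_group) and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))


def subject_matches(subject: dict, req: Request) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":   # slide 9: a SA authenticates under this user name
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def authorize(req, roles, cluster_roles, role_bindings, cluster_role_bindings) -> bool:
    """RBAC is allow-only: permitted if any binding naming the subject references
    a role with a rule matching the request; there are no deny rules."""
    # ClusterRoleBindings apply in every namespace and to cluster-scoped resources.
    for crb in cluster_role_bindings:
        if any(subject_matches(s, req) for s in crb["subjects"]):
            role = cluster_roles.get(crb["roleRef"]["name"], {"rules": []})
            if any(rule_allows(r, req) for r in role["rules"]):
                return True
    # RoleBindings only grant inside their own namespace, whether they reference
    # a Role or a ClusterRole, so they never grant cluster-scoped resources.
    if req.namespace is None:
        return False
    for rb in role_bindings:
        ns = rb["metadata"]["namespace"]
        if ns != req.namespace or not any(subject_matches(s, req) for s in rb["subjects"]):
            continue
        ref = rb["roleRef"]
        role = (roles.get((ns, ref["name"])) if ref["kind"] == "Role"
                else cluster_roles.get(ref["name"])) or {"rules": []}
        if any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False


# The objects from slides 17 and 20, as dicts.
RULE = {"apiGroups": ["", "apps"], "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update"]}
ROLES = {("cloudyuga", "deployment-manager"): {"rules": [RULE]}}
CLUSTER_ROLES = {"deployment-manager-cluster": {"rules": [RULE]}}
ROLE_BINDINGS = [{"metadata": {"name": "deployment-manager-binding", "namespace": "cloudyuga"},
                  "subjects": [{"kind": "User", "name": "nkhare"}],
                  "roleRef": {"kind": "Role", "name": "deployment-manager"}}]
CLUSTER_ROLE_BINDINGS = [{"metadata": {"name": "cluster-manager-binding"},
                          "subjects": [{"kind": "User", "name": "nkhare"}],
                          "roleRef": {"kind": "ClusterRole", "name": "deployment-manager-cluster"}}]
# Constructed (not on the slides): a RoleBinding in namespace qa that reuses the
# ClusterRole. It grants in qa only, not cluster-wide.
QA_BINDING = {"metadata": {"name": "qa-deployers", "namespace": "qa"},
              "subjects": [{"kind": "User", "name": "nkhare"}],
              "roleRef": {"kind": "ClusterRole", "name": "deployment-manager-cluster"}}


def decide(method, path, user, groups=(), role_bindings=ROLE_BINDINGS,
           cluster_role_bindings=CLUSTER_ROLE_BINDINGS) -> bool:
    """Authorize one REST call against the slide's roles and the given bindings."""
    req = parse_request(user, groups, method, path)
    return authorize(req, ROLES, CLUSTER_ROLES, role_bindings, cluster_role_bindings)
```

Calling `decide("GET", "/api/v1/namespaces/default/pods", "nkhare", cluster_role_bindings=[])` shows the namespace boundary of slide 17: with only the RoleBinding in place the answer is False, and it becomes True once the ClusterRoleBinding from slide 20 is present. The same model also shows the two ways a request fails even for nkhare: a verb the rule does not list (DELETE on a deployment) and a resource it does not list (nodes, which no RoleBinding can ever grant because nodes are cluster-scoped).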