
CoreOS Fest 2016: Kubernetes Access Control with dex

Eric Chiang

May 10, 2016

Transcript

  1. What wants to talk to the API Server?
     • Users through kubectl
     • Containers inside Kubernetes
     • Control plane components
     • Basically everything
  2. API Server: Auth flow
     • How do things get to talk to the API Server?
     • Authn
       ◦ Identifying the user
       ◦ Please show me your ID.
     • Authz
       ◦ Admission rules
       ◦ You’re not old enough to drink!
  3. API Server: Auth flow plugins (diagram): HTTP(S) Request → Authenticator Plugin (gets user name, user ID, groups) → Authorizer Plugin (allow/deny) → Admission Plugin (additional request modification or specialized field level rules)
  4. API Server: Auth flow
     • Everything must go through this flow.
     • Doesn’t matter if you’re an app or a human sitting at a workstation
  5. Authn Plugins
     • Who’s making the request?
       ◦ x509 Client Certs
       ◦ Password/token files
       ◦ Keystone
       ◦ Service Accounts
       ◦ OpenID Connect
       ◦ Webhook (v1.3)
  6. Authn Plugins: x509 Client Cert

     $ cat /etc/kubernetes/worker.conf
     apiVersion: v1
     kind: Config
     clusters:
     - name: local
       cluster:
         certificate-authority: /etc/kubernetes/ssl/ca.pem
     users:
     - name: kubelet
       user:
         client-certificate: /etc/kubernetes/ssl/worker.pem
         client-key: /etc/kubernetes/ssl/worker-key.pem
  7. Authn Plugins: x509 Client Cert

     $ openssl x509 -in admin.pem -text -noout
     Certificate:
         Data:
             Version: 3 (0x2)
             Serial Number: 15171329550234977082
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: CN=kube-ca
             Validity
                 Not Before: Dec 29 20:02:40 2015 GMT
                 Not After : Dec 28 20:02:40 2016 GMT
             Subject: CN=kube-admin
  8. Authn Plugins: Password/Token File

     $ cat /etc/k8s/passwords.csv
     password1,eric,1000
     password2,bobby,1001
     $ /hyperkube apiserver \
         --basic-auth-file=/etc/k8s/passwords.csv

     $ cat /etc/k8s/tokens.csv
     secrettoken1,eric,1000
     secrettoken2,bobby,1001
     $ /hyperkube apiserver \
         --token-auth-file=/etc/k8s/tokens.csv
  9. Authn Plugins: Keystone

     $ /hyperkube apiserver \
         --experimental-keystone-url=https://ks.example.com

     GET /apis HTTP/1.1
     Host: https://apiserver.example.com
     Authorization: Basic {{ Keystone username/password }}
  10. Authn Plugins: Service accounts

     $ kubectl create serviceaccount bob-the-bot
     $ kubectl get serviceaccount bob-the-bot -o yaml
     apiVersion: v1
     kind: ServiceAccount
     secrets:
     - name: bob-the-bot-token-308g1

     $ kubectl get secret bob-the-bot-token-308g1 -o yaml
     apiVersion: v1
     data:
       namespace: ZGVmYXVsdA==
       ca.crt: {{ CA CERT OF API SERVER }}
       token: {{ TOKEN }}
  11. Authn Plugins: Token Webhook (1.3)
     • Query an outside provider
     • Roll your own authenticator
     (diagram: Authenticator Plugin → Remote Service)
  12. Authn Plugins: OpenID Connect
     • Contributed by CoreOS
     • OpenID Connect
       ◦ Basically OAuth2
       ◦ Returns signed token with access token for offline third party authentication
       ◦ Implemented by Google and SalesForce
     • Tectonic uses this plugin with dex
  13. Authn Plugins: OpenID Connect
     Work for 1.3:
     • Better kubectl support
       ◦ kubectl login
       ◦ Refresh token support
  14. Kubernetes Authz (diagram): HTTP(S) Request → Authenticator Plugin (gets user name, user ID, groups) → Authorizer Plugin (allow/deny) → Admission Plugin (additional request modification or specialized field level rules)
  15. Authz Plugins: ABAC

     $ /hyperkube apiserver \
         --authorization-policy-file=/etc/k8s/policy.jsonl

     { "user": "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch/v1" }
  16. Authz Plugins: ABAC

     { "group": "developer", "namespace": "dev", "resource": "*", "apiGroup": "*" }
     { "group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true }
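As an added example (not part of the deck), a minimal Python evaluator for the three ABAC policy lines on slides 15 and 16. The matching rules it applies (a field missing from a policy or set to "*" matches anything, a user policy matches only that user, a group policy matches any member of the group, and readonly restricts the policy to get/list/watch) are a simplified model of the upstream ABAC plugin and are an assumption of this example.

```python
import json

# Constructed policy file: the three one-line JSON policies shown on the slides.
POLICY_JSONL = """\
{"user": "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch/v1"}
{"group": "developer", "namespace": "dev", "resource": "*", "apiGroup": "*"}
{"group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true}
"""

# Verbs a readonly policy is allowed to authorize (assumption: read-only means get/list/watch).
READ_VERBS = {"get", "list", "watch"}


def load_policies(text):
    """Parse one JSON policy object per non-empty line (the .jsonl layout used on slide 15)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _match(policy_value, actual):
    # A field absent from the policy, or set to "*", matches any request value.
    return policy_value in (None, "*") or policy_value == actual


def policy_allows(policy, user, groups, verb, namespace, resource, api_group):
    """True when a single policy line authorizes the given request."""
    # Subject: a "user" policy names one user; a "group" policy matches any member.
    if "user" in policy and policy["user"] != user:
        return False
    if "group" in policy and policy["group"] not in groups:
        return False
    # Object: namespace, resource and apiGroup must all match (or be wildcards).
    if not (_match(policy.get("namespace"), namespace)
            and _match(policy.get("resource"), resource)
            and _match(policy.get("apiGroup"), api_group)):
        return False
    # A readonly policy never authorizes a mutating verb.
    if policy.get("readonly") and verb not in READ_VERBS:
        return False
    return True


def authorize(policies, user, groups, verb, namespace, resource, api_group):
    """Allow only if some policy line matches; there are no deny lines, so order is irrelevant."""
    return any(policy_allows(p, user, groups, verb, namespace, resource, api_group)
               for p in policies)
```

Note that the first policy on slide 15 carries no "readonly" field, so under these rules eric may create and delete jobs in the tectonic namespace, not just read them.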
  17. Authz Plugins: Webhook
     • Query an outside provider
     • Roll your own authorizer
     (diagram: Authorizer Plugin → Remote Service)
  18. Authz Plugins: Webhook
     • What happens if the remote service dies?
       ◦ Deny all
     (diagram: Authorizer Plugin → Remote Service)
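As an added example (not from the deck or from Kubernetes itself), a fail-closed webhook authorizer client in Python illustrating the "deny all" behaviour from slides 17 and 18: the remote service is the only thing that can grant access, and any failure to reach it, or any answer that is not an explicit allow, is a deny. The request body follows the SubjectAccessReview shape; the transport is injected so the example runs offline, and the three simulated remote services are constructed for the example.

```python
import json


def subject_access_review(user, groups, verb, namespace, resource):
    """Build the SubjectAccessReview-style body sent to the remote authorizer."""
    return {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "group": list(groups),
            "resourceAttributes": {"verb": verb, "namespace": namespace, "resource": resource},
        },
    }


class WebhookAuthorizer:
    """Fail-closed client: only an explicit status.allowed == true from the remote grants access."""

    def __init__(self, send):
        # send(body: str) -> str; raises on transport failure. Injected so the example runs offline.
        self.send = send

    def authorize(self, user, groups, verb, namespace, resource):
        body = json.dumps(subject_access_review(user, groups, verb, namespace, resource))
        try:
            reply = json.loads(self.send(body))
        except Exception:
            # Remote service down, timed out, or answered with something unparsable: deny all.
            return False
        status = reply.get("status") if isinstance(reply, dict) else None
        # Anything other than a literal boolean true is treated as a denial.
        return isinstance(status, dict) and status.get("allowed") is True


# Simulated remote services (constructed for the example).
def healthy_remote(body):
    # Allows eric in the tectonic namespace and nobody else.
    spec = json.loads(body)["spec"]
    ok = spec["user"] == "eric" and spec["resourceAttributes"]["namespace"] == "tectonic"
    return json.dumps({"status": {"allowed": ok}})


def dead_remote(body):
    raise ConnectionError("connection refused")


def garbage_remote(body):
    return "<html>502 Bad Gateway</html>"
```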
  19. Authz Plugins: RBAC (1.3)
     • Upstreamed from Openshift
     • Define roles
       ◦ Roles contain a group of policies (like ABAC)
     • Bind users, groups or service accounts to roles
       ◦ Cluster level or namespace
  20. Authz Plugins: RBAC (1.3)

     $ cat role.yml
     apiVersion: rbac.authorization/v1alpha1
     kind: ClusterRole
     metadata:
       name: namespace-user
     rules:
     - verbs: ["*"]
       apiGroups: ["v1", "batch/v1"]
       resources: ["*"]
     - verbs: ["get", "watch"]
       apiGroups: ["authorization.rbac/v1alpha1"]
       resources: ["*"]
     $ kubectl create -f role.yml
  21. Authz Plugins: RBAC (1.3)
     Cluster level
       Role: namespace-user
       Policies:
       - Can read/write core resources
       - Can read RBAC
     Namespace: Tectonic
       Role Binding:
       - User Eric can login as namespace-user
       - User Ed can login as namespace-user
  22. Kubernetes: Admission control (diagram): HTTP(S) Request → Authenticator Plugin (gets user name, user ID, groups) → Authorizer Plugin (allow/deny) → Admission Plugin (additional request modification or specialized field level rules)
  23. Admission Control: Resource quotas

     $ cat quota.yml
     apiVersion: v1
     kind: ResourceQuota
     metadata:
       name: quota
     spec:
       hard:
         memory: 1Gi
         cpu: 20
         pods: 10
         services: 5
         replicationcontrollers: 20
         resourcequotas: 1
     $ kubectl create --namespace=development -f quota.yml
  24. Admission Control: Limit ranges
     • Like resource quotas, but on a per pod basis
     • E.g.: Pods can’t request more than 1/4th of a CPU
  25. Admission Control: Limit ranges

     $ cat limits.yml
     apiVersion: v1
     kind: LimitRange
     metadata:
       name: limits
       namespace: default
     spec:
       limits:
       - type: Container
         defaultRequest:
           cpu: 250m
     $ kubectl create --namespace=development -f limits.yml
  26. Admission Control: Other stuff
     • DenyEscalatingExec
     • InitialResources
     • SecurityContextDeny
     • ServiceAccount (not the authn stuff)
     • Future: field level auth
  27. Conclusion
     • Lots of tools for cluster admins
     • Extensible through webhooks and projects like dex
     • Continuing to add more