CoreOS Fest 2016: Kubernetes Access Control with dex

Transcript

1. Eric Chiang @erchiang | [email protected] Kubernetes Access Control with dex

2. 1. Kubernetes authn/authz for admins 2. How dex fits into

   this Today’s agenda!

3. Kubernetes

4. Kubernetes • Distributed application management system • Container based •

   Powerful API

5. kubelet proxy Internet Kubernetes Worker 1/n

6. kubelet proxy Internet Kubernetes Worker 1/n Control Plane API Server

   Scheduler Controller kubeclt

7. kubelet proxy Internet Kubernetes Worker 1/n Control Plane API Server

   Scheduler Controller kubeclt

8. What wants to talk to the API Server? • Users

   through kubectl • Containers inside Kubernetes • Control plane components • Basically everything

9. API Server: Auth flow • How do things get to

   talk to the API Server? • Authn ◦ Identifying the user ◦ Please show me your ID. • Authz ◦ Admission rules ◦ You’re not old enough to drink!

10. API Server: Auth flow plugins Authenticator Plugin Authorizer Plugin Admission

    Plugin

11. Authorizer Plugin Admission Plugin HTTP(S) Request Allow/Deny Additional request modification

    or specialized field level rules. API Server: Auth flow plugins Get • User name • User ID • Groups Authenticator Plugin

12. API Server: Auth flow • Everything must go through this

    flow. • Doesn’t matter if you’re an app or a human sitting at a workstation

13. Authn Plugins • Who’s making the request? ◦ x509 Client

    Certs ◦ Password/token files ◦ Keystone ◦ Service Accounts ◦ OpenID Connect ◦ Webhook (v1.3)

14. Authn Plugins: x509 Client Cert

15. Authn Plugins: x509 Client Cert $ cat /etc/kubernetes/worker.conf apiVersion: v1

    kind: Config clusters: - name: local cluster: certificate-authority: /etc/kubernetes/ssl/ca.pem users: - name: kubelet user: client-certificate: /etc/kubernetes/ssl/worker.pem client-key: /etc/kubernetes/ssl/worker-key.pem

16. Authn Plugins: x509 Client Cert $ openssl x509 -in admin.pem

    -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 15171329550234977082 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=kube-ca Validity Not Before: Dec 29 20:02:40 2015 GMT Not After : Dec 28 20:02:40 2016 GMT Subject: CN=kube-admin

17. Authn Plugins: Password/Token File

18. Authn Plugins: Password/Token File $ cat /etc/k8s/passwords.csv password1,eric,1000 password2,bobby,1001 $

    /hyperkube apiserver \ --basic-auth-file=/etc/k8s/passwords.csv $ cat /etc/k8s/tokens.csv secrettoken1,eric,1000 secrettoken2,bobby,1001 $ /hyperkube apiserver \ --token-auth-file=/etc/k8s/tokens.csv

19. Authn Plugins: Keystone

20. Authn Plugins: Keystone $ /hyperkube apiserver \ --experimental-keystone-url=https://ks.example.com GET /apis

    HTTP/1.1 Host: https://apiserver.example.com Authorization: Basic {{ Keystone username/password }}

21. Authn Plugins: Service accounts

22. Authn Plugins: Service accounts • Automatically enabled • Can be

    assigned to pods • Useful for automation

23. Authn Plugins: Service accounts $ kubectl create serviceaccount bob-the-bot

24. Authn Plugins: Service accounts $ kubectl create serviceaccount bob-the-bot $

    kubectl get serviceaccount bob-the-bot -o yaml apiVersion: v1 kind: ServiceAccount secrets: - name: bob-the-bot-token-308g1 $ kubectl get secret bob-the-bot-token-308g1 -o yaml apiVersion: v1 data: namespace: ZGVmYXVsdA== ca.crt: {{ CA CERT OF API SERVER }} token: {{ TOKEN }}

25. Authn Plugins: Token Webhook (1.3)

26. Authn Plugins: Token Webhook (1.3) • Query an outside provider

    • Roll your own authenticator Authenticato r Plugin Remove Service

27. Authn Plugins: OpenID Connect

28. Authn Plugins: OpenID Connect • Contributed by CoreOS • OpenID

    Connect ◦ Basically OAuth2 ◦ Returns signed token with access token for offline third party authentication ◦ Implemented by Google and SalesForce • Tectonic uses this plugin with dex

29. • Open-source https://github.com/coreos/dex • Identity service ◦ Tired of rewriting

    authn • Implements OpenID Connect Dex

30. Dex: account.tectonic.com

31. Dex: account.tectonic.com account.tectonic.com End user auth.tectonic.com dex 1 2 3

    4 5

32. Dex: Tectonic Tectonic Console End user Tectonic Identity dex 1

    2 3 4 5

33. Dex: Tectonic Tectonic Console End user Tectonic Identity dex 1

    2 3 4 5

34. Dex: Federation dex

35. Dex: Federation dex

36. Authn Plugins: OpenID Connect Work for 1.3: • Better kubectl

    support ◦ kubectl login ◦ Refresh token support

37. Kubernetes Authz

38. Authenticato r Plugin Authorizer Plugin Admission Plugin Get • User

    name • User ID • Groups HTTP(S) Request Allow/Deny Additional request modification or specialized field level rules. Kubernetes Authz

39. Authz Plugins • ABAC • Webhook • RBAC (1.3)

40. Authz Plugins: ABAC $ /hyperkube apiserver \ --authorization-policy-file=/etc/k8s/policy.jsonl { "user":

    "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch/v1" }

41. Authz Plugins: ABAC { "group": "developer", "namespace": "dev", "resource": "*",

    "apiGroup": "*" } { "group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true }

42. Authz Plugins: Webhook

43. Authz Plugins: Webhook • Query an outside provider • Roll

    your own authorizer Authorizer Plugin Remove Service

44. Authz Plugins: Webhook • What happens if the remote service

    dies? ◦ Deny all Authorizer Plugin Remove Service

45. Authz Plugins: RBAC (1.3)

46. Authz Plugins: RBAC (1.3)

47. Authz Plugins: RBAC (1.3) • Upstreamed from Openshift • Define

    roles ◦ Roles contain a group of policies (like ABAC) • Bind users groups or service accounts to roles ◦ Cluster level or namespace

48. Authz Plugins: RBAC (1.3) $ cat role.yml apiVersion: rbac.authorization/v1alpha1 kind:

    ClusterRole metadata: name: namespace-user rules: - verbs: [*] apiGroups: ["v1", "batch/v1"] resources: [*] - verbs: ["get", "watch"] apiGroups: ["authorization.rbac/v1alpha1"] resources: [*] $ kubectl create -f role.yml

49. Authz Plugins: RBAC (1.3) Cluster level Role: namespace-user Policies: -

    Can read/write core resources - Can read RBAC Namespace: Tectonic Role Binding: - User Eric can login as namespace-user - User Ed can login as namespace-user

50. Kubernetes: Admission control

51. Authorizer Plugin Admission Plugin HTTP(S) Request Allow/Deny Additional request modification

    or specialized field level rules. Kubernetes: Admission control Get • User name • User ID • Groups Authenticator Plugin

52. Admission Control Plugins • Resource quotas • Limit ranges •

    Lots of others

53. Admission Control: Resource quotas

54. Admission Control: Resource quotas • If an action would exceed

    a quota, reject it

55. Admission Control: Resource quotas $ cat quota.yml apiVersion: v1 kind:

    ResourceQuota metadata: name: quota spec: hard: memory: 1Gi cpu: 20 pods: 10 services: 5 replicationcontrollers:20 resourcequotas:1 $ kubectl create --namespace=development quota.yml

56. Admission Control: Limit ranges

57. Admission Control: Limit ranges • Like resource quotas, but on

    a per pod basis • E.g: Pods can’t request more than 1/4th of a CPU

58. Admission Control: Limit ranges $ cat limits.yml apiVersion: v1 kind:

    LimitRange metadata: name: limits namespace: default spec: limits: - type: Container defaultRequests: cpu: 250m $ kubectl create --namespace=development limits.yml

59. Admission Control: Other stuff

60. Admission Control: Other stuff • DenyEscalatingExec • InitialResources • SecurityContextDeny

    • ServiceAccount (non the authn stuff) • Future: field level auth

61. API Server: Auth flow plugins Authorizer Plugin Admission Plugin Authenticator

    Plugin

62. Conclusion • Lots of tools for cluster admins • Extensible

    through webhooks and projects like dex • Continuing to add more

63. Thank you! Eric Chiang @erchiang | [email protected] We’re hiring in

    all departments! Email: [email protected] Positions: coreos.com/careers