Upgrade to Pro — share decks privately, control downloads, hide ads and more …

KubeCon 2016: Kubernetes Auth and Access Control

Eric Chiang
November 09, 2016
3
860

KubeCon 2016: Kubernetes Auth and Access Control

Eric Chiang

November 09, 2016
Tweet

More Decks by Eric Chiang

See All by Eric Chiang
Securing a Kubernetes Distribution - Container Security Summit
ericchiang
0
270
KubeCon 2017: SIG auth update
ericchiang
0
230
CoreOS Fest 2017 - Containers from Scratch
ericchiang
3
1k
Containers from Scratch
ericchiang
1
270
CoreOS Fest 2016: Kubernetes Access Control with dex
ericchiang
2
770
Kubernetes Access Control with dex
ericchiang
1
8.4k

Featured

See All Featured
RailsConf 2023
tenderlove
29
900
What's new in Ruby 2.0
geeforr
343
31k
Faster Mobile Websites
deanohume
305
30k
Writing Fast Ruby
sferik
627
61k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Ruby is Unlike a Banana
tanoku
97
11k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k

Transcript

  1. Kubernetes Auth and Access Control Eric Chiang Software Engineer, CoreOS

    @erchiang | github.com/ericchiang

  2. Why a talk about auth? • Assumption: ◦ You’re all

    going to try to set up clusters and have to deal with this. • “Dealing with this” can range from: ◦ Whitelisting some set of nodes. ◦ Multi-tenant environments.

  3. Agenda 1. Overview of API server auth 2. Understanding users

    in Kubernetes 3. Authorization and RBAC 4. Fun stuff: dex demo

  4. kubelet proxy Internet Kubernetes Worker 1/n Control Plane API Server

    Scheduler Controller kubeclt

  5. kubelet proxy Internet Kubernetes Worker 1/n Control Plane API Server

    Scheduler Controller kubeclt

  6. API server auth: request flow Request comes in: • Authentication

    ◦ Credentials determine who’s talking to the API server. • Authorization ◦ API server then determines if that user can perform that action.

  7. Users in Kubernetes

  8. Users in Kubernetes • Kubernetes doesn’t have users* ◦ Not

    really true, but I find it easier to think this way.

  9. Users in Kubernetes • Kubernetes doesn’t have users* ◦ Not

    really true, but I find it easier to think this way. • “Users” are just strings associated with a request through credentials. ◦ Username=eric ◦ Groups=[“developer”, “gopher”]

  10. Users in Kubernetes: plugins Admins choose which credential strategies they

    support: • x509 client auth • Password files • Bearer token webhooks • etc

  11. /usr/bin/kube-apiserver \ --client-ca-file=/etc/kubernetes/ca.pem \ ... Users in Kubernetes: x509 certs

  12. $ openssl x509 -in hi.crt -text -noout Certificate: Data: Version:

    3 (0x2) Serial Number: 7920032060917626532 (0x6de99b3280b336a4) Signature Algorithm: sha256WithRSAEncryption Issuer: O=kube-cluster, CN=kube-ca Validity Not Before: Nov 1 19:50:23 2016 GMT Not After : Nov 1 19:50:24 2017 GMT Subject: O=kubelet, CN=kubelet-1 Users in Kubernetes: x509 certs

  13. $ openssl x509 -in hi.crt -text -noout Certificate: Data: Version:

    3 (0x2) Serial Number: 7920032060917626532 (0x6de99b3280b336a4) Signature Algorithm: sha256WithRSAEncryption Issuer: O=kube-cluster, CN=kube-ca Validity Not Before: Nov 1 19:50:23 2016 GMT Not After : Nov 1 19:50:24 2017 GMT Subject: O=kubelet, CN=kubelet-1 Users in Kubernetes: x509 certs

  14. Users in Kubernetes: x509 certs • Does this client have

    a valid client cert? ◦ No: reject request. ◦ Yes: determine username and groups based on certificate attributes.

  15. 99403c9f-8bf1,eric,3,"developer,gophers" a56ee84a-f41c,andrew,5,"human" Users in Kubernetes: token files

  16. Users in Kubernetes: Webhook API Server kubeclt User management system

    Authorization: Bearer (token) (token)

  17. What do these all have in common? • No objects

    in the API to interact with these plugins. • Complete managed outside Kubernetes.

  18. Users in Kubernetes: service accounts • Service accounts are credentials

    managed by k8s. • Only users that can be accessed through the k8s API.

  19. $ kubectl create serviceaccount do-the-robot Users in Kubernetes: service accounts

  20. $ kubectl create serviceaccount do-the-robot $ kubectl get serviceaccount do-the-robot

    -o yaml apiVersion: v1 kind: ServiceAccount metadata: name: do-the-robot # ... secrets: - name: do-the-robot-token-hlfte Users in Kubernetes: service accounts

  21. $ kubectl get secrets -o yaml do-the-robot-token-hlfte apiVersion: v1 data:

    ca.crt: ( LOT OF DATA ) namespace: ZGVmYXVsdA== token: ( JSON web token signed by API server) kind: Secret type: kubernetes.io/service-account-token metadata: # ... Users in Kubernetes: service accounts

  22. apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 1

    template: spec: containers: - name: nginx image: nginx:1.7.9 serviceAccountName: do-the-robot Users in Kubernetes: service accounts

  23. spec: containers: # ... - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: do-the-robot-token-hlfte readOnly:

    true # ... volumes: - name: do-the-robot-token-hlfte secret: defaultMode: 420 secretName: do-the-robot-token-hlfte Users in Kubernetes: service accounts
  24. None

  25. Users in Kubernetes: service accounts • Have weird usernames: ◦

    system:serviceaccount:kube-system:default • Just JWTs (signed JSON payloads)

  26. • Automatically mounted into pods. ◦ Gives each pod credentials

    (and an associated user) for talking to the API server. • Only way to create users through the API. ◦ Credentials stored in secrets, be careful! • Can be used from outside the cluster. Users in Kubernetes: service accounts

  27. Users in Kubernetes: other options

  28. Users in Kubernetes: other options • Bearer token webhook ◦

    Used by GKE • OpenID Connect (will talk about later) • Static files (for bootstrapping)

  29. Authorization

  30. Authorization and RBAC • Authorization uses usernames and group names

    to create policy. • Ported from RedHat’s OpenShift.

  31. Authorization and RBAC • Default: deny all • Contain a

    subject, verb, resource, and namespace. ◦ User A can create pods in namespace B. • Cannot: ◦ Refer to a single object in a namespace. ◦ Refer to arbitrary fields in a resource. • Can: ◦ Refer to subresources (e.g. nodes/status)

  32. Authorization and RBAC • Role • RoleBinding • ClusterRole •

    ClusterRoleBinding

  33. Roles vs Bindings • Roles declare a set of powers.

    • Bindings allow users or groups to have those powers.

  34. kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1alpha1 metadata: name: secret-reader rules: - apiGroups:

    [""] # v1 namespace resources: ["secrets"] verbs: ["get", "watch", "list"] RBAC: Roles

  35. kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1alpha1 metadata: name: read-secrets subjects: - kind:

    Group # May be "User", "Group" or "ServiceAccount" name: manager roleRef: kind: ClusterRole name: secret-reader apiVersion: rbac.authorization.k8s.io/v1alpha1 RBAC: Role Bindings

  36. ClusterRoles vs. Roles • Roles can either exist in a

    cluster level or a namespace level. • Cluster role: ◦ Manage one set of roles for your entire cluster. • Role: ◦ Allow “namespace admins” to admin roles just for a namespace.

  37. ClusterRoleBindings vs. RoleBindings • ClusterRoleBindings grant a user power throughout

    the entire cluster. ◦ Can’t refer to a role, only a cluster role. • RoleBindings grant a user power within a namespace.

  38. RBAC: ClusterRoles vs Roles Namespace Namespace ClusterRole “Read Only” ClusterRole

    “Admin” Role “Pod Deleter” ClusterRole w/ ClusterRoleBinding ClusterRole w/ RoleBinding Role w/ RoleBinding

  39. Authorization and RBAC • BIGGEST GOT YA: you must have

    the power of a role to bind a user to that role. ◦ If you don’t have the ability to create secrets, you can’t give someone else that power. • Currently get around this with a bootstrapping flag that lets a user sidestep this.

  40. Authorization and RBAC: 1.6 • Lots of work done by

    @deads2k (RedHat). • Biggest highlight: default roles and role bindings! ◦ Extremely helpful for bootstrapping. ◦ Can mint x509 cert for “cluster-admin” to bootstrap cluster.

  41. Authorization: other plugins • Webhook! • ABAC policy file. ◦

    Another one extremely useful for bootstrapping.

  42. Dex

  43. Dex • Open source: https://github.com/coreos/dex • OpenID Connect server ◦

    Protocol is supported as a Kubernetes authentication plugin. • Federated logins ◦ Can login to dex through other identity providers.

  44. Dex v2

  45. Dex: OpenID Connect app

  46. Dex: OpenID Connect app

  47. Dex: OpenID Connect app

  48. Dex: OpenID Connect app

  49. Dex: OpenID Connect - ID Token app User:eric

  50. { "access_token": "HK6E_P6Dh8Y93mRNtsDB1Q", "token_type": "Bearer", "expires_in": 86400, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhiNWI2ZjdmNmQ2YWRiODdkMjRmYWViYzFmZjNmMWEwODk4M jU1MjgifQ.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjU1NTYvZGV4Iiwic3ViIjoiMDhhODY4NGIt

    ZGI4OC00YjczLTkwYTktM2NkMTY2MWY1NDY2IiwiYXVkIjoiZXhhbXBsZS1hcHAiLCJleHAiOjE0Nz gzMjA0NTEsImlhdCI6MTQ3ODIzNDA1MSwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsImVtYWls X3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiYWRtaW4ifQ.GQaNO0BAB6PGptumTZAwzHs_JiwLMT_AUkV wRXZhXI0rfj9kn0qC4Z9elXik074kho61FIFiqFRmj-ipP037a1WyGjoNZvZuzlhGqtFNBuOmg0qe5 tYDwAcBQ5UvHMLyiQvBDicEw-SblwBCE67Tl6yPTTMMvXzcw87NbxVSGmAL1njDJ94b1LniwazncAy tdMDTwQSdo3fZi-9mNcFf4UTFvKuhbMxTcjKgMlFx8TnFEFP8qFg5MZoGnclHMlEAjAp5S56xJhYUB D44Ui7H5T6UkiYM8mEtm62mIszQ6FT3ZBoSdyxZTtdJNaHaAmWe8WzQ3eaLrH1ytHDwjzLU4Q" } OpenID Connect Token Response

  51. { "access_token": "HK6E_P6Dh8Y93mRNtsDB1Q", "token_type": "Bearer", "expires_in": 86400, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhiNWI2ZjdmNmQ2YWRiODdkMjRmYWViYzFmZjNmMWEwODk4M jU1MjgifQ.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjU1NTYvZGV4Iiwic3ViIjoiMDhhODY4NGIt

    ZGI4OC00YjczLTkwYTktM2NkMTY2MWY1NDY2IiwiYXVkIjoiZXhhbXBsZS1hcHAiLCJleHAiOjE0Nz gzMjA0NTEsImlhdCI6MTQ3ODIzNDA1MSwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsImVtYWls X3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiYWRtaW4ifQ.GQaNO0BAB6PGptumTZAwzHs_JiwLMT_AUkV wRXZhXI0rfj9kn0qC4Z9elXik074kho61FIFiqFRmj-ipP037a1WyGjoNZvZuzlhGqtFNBuOmg0qe5 tYDwAcBQ5UvHMLyiQvBDicEw-SblwBCE67Tl6yPTTMMvXzcw87NbxVSGmAL1njDJ94b1LniwazncAy tdMDTwQSdo3fZi-9mNcFf4UTFvKuhbMxTcjKgMlFx8TnFEFP8qFg5MZoGnclHMlEAjAp5S56xJhYUB D44Ui7H5T6UkiYM8mEtm62mIszQ6FT3ZBoSdyxZTtdJNaHaAmWe8WzQ3eaLrH1ytHDwjzLU4Q" } OpenID Connect Token Response

  52. { "iss": "https://auth.example.com/dex", "sub": "08a8684b-db88-4b73-90a9-3cd1661f5466", "aud": "example-app", "exp": 1478320451, "iat":

    1478234051, "email": "[email protected]", "email_verified": true, "groups": ["developers", "developers"], "name": "admin" } OpenID Connect Token Response

  53. Dex: OpenID Connect - ID Token app User:eric

  54. Dex: OpenID Connect app User:eric

  55. Dex: OpenID Connect app User:eric

  56. Dex • Automatic signing key rotation. • Revocation through refresh

    tokens. • Lots of login options!

  57. Dex v2

  58. Dex v2 • Complete rewrite. • Dramatically simpler deployments. ◦

    Single scalable binary. • Reworked storage layer. ◦ Can now store state in the Kubernetes API through Third Party Resources.

  59. Dex v2 • Runs natively on your cluster. • Can

    authenticate through backends like Google, GitHub, LDAP, etc with the API server.

  60. Dex v2 Open source github.com/coreos/dex

  61. Dex v2 Demo time

  62. [email protected] @erchiang QUESTIONS? Thanks! We’re hiring: coreos.com/careers Let’s talk! IRC

    More events: coreos.com/community LONGER CHAT?