KubeCon 2017: SIG auth update

Eric Chiang
December 08, 2017

Eric Chiang (CoreOS), Jordan Liggitt (Red Hat)


Transcript

  1. Overview: this session
     • Overview of recent Kubernetes SIG-auth features
       ◦ See this for up-to-date recommendations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
     • Future roadmap
     • Questions

  2. Kubelet client cert bootstrapping and rotation (1.7+)
     • https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/
     • Kubelets request credentials via the CSR API for initial bootstrap and renewal
     • Approval of CSRs can be controlled through RBAC (1.7)
     • Credentials and identity are unique to each node

  3. Node authorizer and admission controller (1.7+)
     • https://kubernetes.io/docs/admin/authorization/node/
     • Nodes can only access resources required to run pods scheduled to them
       ◦ Can no longer request arbitrary secrets
     • Requires unique credentials for nodes (pairs well with TLS bootstrapping)
     • Use in combination with RBAC

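Slides 2 and 3 describe one mechanism: each kubelet gets its own client certificate through the CSR API, and the Node authorizer then uses that per-node identity (user system:node:NAME, group system:nodes) to scope what the kubelet may read. The manifests below are an added example, not material from the deck or from the Kubernetes project itself. The group name system:bootstrappers and the three built-in ClusterRoles are the defaults documented for kubelet TLS bootstrapping; the API server and kubelet flags in the comments are assumed 1.8-era flag names.

```yaml
# Added example, not from the slides: RBAC that lets kubelets bootstrap and renew
# client certificates through the CSR API, paired with the Node authorizer.
# Group and ClusterRole names are the upstream defaults for kubelet TLS
# bootstrapping; the flags below are assumptions about a 1.8-era cluster.
#
# Assumed kube-apiserver flags:
#   --authorization-mode=Node,RBAC
#   --admission-control=NamespaceLifecycle,...,NodeRestriction,ResourceQuota
# Assumed kubelet flags:
#   --bootstrap-kubeconfig=/var/lib/kubelet/bootstrap.kubeconfig
#   --rotate-certificates          (renewal goes through the same CSR flow)
#
# 1. Bootstrap identities (group system:bootstrappers) may create CSRs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-bootstrap
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
---
# 2. The CSR-approving controller auto-approves a first node client cert only
#    for subjects holding this role, and only when the CSR asks for
#    CN=system:node:<name>, O=system:nodes and client-auth key usage.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# 3. Renewals: a node already in group system:nodes may only obtain a new cert
#    for its own identity, never for another node's.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-renewals-for-nodes
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
```

Without the two auto-approve bindings, CSRs sit pending until an administrator approves them with kubectl certificate approve, which is a reasonable choice for small clusters. The point of the selfnodeclient role is the one the slide makes: because every kubelet has a distinct identity, a compromised node cannot renew its way into another node's certificate, and the Node authorizer can refuse it secrets that are not mounted by pods scheduled to it.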
  4. Pod security policies (1.8+)
     • https://kubernetes.io/docs/concepts/policy/pod-security-policy/
     • Restricts the kind of pods that can be created in a namespace
     • Administered through RBAC (or external authorizer)
     • Can prevent a user from creating pods that:
       ◦ mount arbitrary volumes
       ◦ run in the host network
       ◦ use privileged containers
       ◦ run processes as root
       ◦ etc.

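A policy that blocks exactly the four things the slide lists, plus the RBAC that grants it to one namespace, as an added example that is not from the deck. The PodSecurityPolicy admission controller must be enabled on the API server for any of this to take effect; the namespace "demo" and the policy name "restricted" are constructed.

```yaml
# Added example, not from the slides: a restrictive PodSecurityPolicy and the
# RBAC that lets one namespace's service accounts "use" it. Assumes
# kube-apiserver runs with --admission-control=...,PodSecurityPolicy,... ;
# with that admission plugin on and no usable policy bound, pod creation in
# the namespace is denied outright.
apiVersion: extensions/v1beta1        # policy/v1beta1 from 1.10 on
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                   # no privileged containers
  allowPrivilegeEscalation: false     # no setuid binaries gaining capabilities
  hostNetwork: false                  # no host network namespace
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot            # reject pods that would run as uid 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:                            # allow-list; hostPath is deliberately absent
  - configMap
  - secret
  - emptyDir
  - downwardAPI
  - projected
  - persistentVolumeClaim
---
# Grant the "use" verb on that one policy ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
- apiGroups: ["extensions"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
# ... to every service account in the "demo" namespace. Pods are usually
# created by controllers acting as a service account, so the binding targets
# the service-account group rather than the human who ran kubectl.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:restricted
  namespace: demo
subjects:
- kind: Group
  name: system:serviceaccounts:demo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp:restricted
  apiGroup: rbac.authorization.k8s.io
```

Two practical caveats: MustRunAsNonRoot only passes if the image or pod spec states a non-root user, so images that rely on the default uid 0 will be rejected rather than silently remapped, and when several policies are usable by a request the admission controller picks the first that validates, so keep the permissive policies bound to as few subjects as possible.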
  5. Advanced audit logs (1.8+)
     • https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
     • Improved audit logging:
       ◦ Policy to control what events get audited and at what level (headers, request body, etc.)
       ◦ JSON formatted audit logs
       ◦ Webhook mode to aggregate audit events across multiple API servers
     • Tooling can consume/act on the new audit format:
       ◦ https://github.com/liggitt/audit2rbac
       ◦ ...

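An audit policy exercising the levels and per-rule stage control the slide mentions, as an added example that is not from the deck. The rules use the audit.k8s.io/v1beta1 schema that shipped with 1.8; the API server flags in the comments, the file paths, and the choice of which resources get which level are assumptions for a typical cluster. Rules are evaluated top to bottom and the first match wins, so the catch-all belongs last.

```yaml
# Added example, not from the slides: an advanced audit policy showing the
# None / Metadata / Request / RequestResponse levels and per-rule stage
# omission. Assumed kube-apiserver flags and paths:
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-format=json
#   --audit-webhook-config-file=/etc/kubernetes/audit-webhook.kubeconfig
#     (optional; a kubeconfig-format file pointing at an aggregator that
#      receives events from every API server in the cluster)
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
# Drop the high-volume, low-value watch traffic from kube-proxy.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
# Never write the body of secret or configmap requests to the log: Metadata
# still records who, what, when and the response code, but no payload.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# Full request and response bodies for pod and RBAC mutations, the events an
# incident review most wants to replay.
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: ""
    resources: ["pods"]
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
# Everything else: metadata only, and skip the RequestReceived stage so each
# request yields one event at completion instead of two.
- level: Metadata
  omitStages:
  - "RequestReceived"
```

The JSON log this produces is what audit2rbac consumes: it needs at least Metadata level for the user it is analysing, because it derives a minimal Role/ClusterRole from the (user, verb, group, resource, namespace) tuples it sees. Keep the secrets rule above at Metadata rather than None, otherwise reads of secrets disappear from the log entirely and the Node authorizer's protections on slide 3 become much harder to verify after the fact.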
  6. Authorizer improvements (1.8-1.9)
     • RBAC aggregated cluster roles (1.9+)
       ◦ Easily contribute custom permissions to default “user-facing” roles
     • External authorizer short-circuit deny (1.9+)
       ◦ External authorizers can now override RBAC
     • SelfSubjectRulesReview (1.8+)
       ◦ Authorizer API for determining what the current user can do

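Two of the items above in manifest form, as an added example that is not from the deck. The first part contributes a custom resource's permissions to the built-in edit and view roles through aggregation: those roles carry an aggregationRule selecting the labels rbac.authorization.k8s.io/aggregate-to-edit and aggregate-to-view, and the RBAC controller merges the rules of every labelled ClusterRole into them. The API group "stable.example.com" and resource "crontabs" are constructed. The second part is the SelfSubjectRulesReview request, which the server answers with the rules the caller holds in the given namespace.

```yaml
# Added example, not from the slides.
# Part 1 (1.9+): contribute CRD permissions to the built-in "edit" and "view"
# ClusterRoles by label. The RBAC controller copies these rules into the
# aggregating roles; they do not need to be bound directly to anyone.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-crontabs-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"   # picked up by "edit"
rules:
- apiGroups: ["stable.example.com"]          # constructed CRD group
  resources: ["crontabs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-crontabs-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"   # picked up by "view"
rules:
- apiGroups: ["stable.example.com"]
  resources: ["crontabs"]
  verbs: ["get", "list", "watch"]
---
# Part 2 (1.8+): ask the authorizer chain what the current caller may do in a
# namespace. Submit this document on its own with
#   kubectl create -f - -o yaml
# The server fills status.resourceRules and status.nonResourceRules, and sets
# status.incomplete: true when some authorizer (e.g. a webhook) cannot
# enumerate its rules, so an empty list does not prove access is denied.
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
  namespace: default
```

The aggregation labels are an allow-listed extension point rather than an edit of the default roles, which matters for upgrades: the built-in edit and view roles are reconciled by the API server on start-up, so rules added to them directly would be overwritten, while labelled contributor roles survive.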
  7. Planned for 1.10: NodeRestriction enhancements
     • https://github.com/kubernetes/community/pull/911
     • Lock down kubelet self-modification
     • Remove kubelets’ ability to label themselves arbitrarily
     • Remove kubelets’ ability to untaint themselves

  8. Planned for 1.10: Secret encryption at rest
     • https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
     • Alpha since 1.7
     • New external encrypt/decrypt extension point planned for 1.10
     • External KMS integration (Vault, Google, Azure) via extension point

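The alpha configuration that has existed since 1.7, as an added example that is not from the deck. Providers are tried in order when reading; the first listed provider is used for writes. Listing aescbc first and identity (plaintext) last therefore encrypts every new write while still allowing existing plaintext secrets to be read until they are rewritten. The flag name, file path and key name are assumed; the key value is a placeholder.

```yaml
# Added example, not from the slides: the alpha (1.7-1.9) encryption provider
# config for kube-apiserver, assumed to be passed as
#   --experimental-encryption-provider-config=/etc/kubernetes/encryption.yaml
# The secret below is a placeholder; generate a real 32-byte key with
#   head -c 32 /dev/urandom | base64
# and keep this file readable only by the API server, since it holds the key.
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
  - secrets                      # only Secret objects are encrypted here
  providers:
  - aescbc:                      # first provider = used for all new writes
      keys:
      - name: key1
        secret: <BASE64-ENCODED-32-BYTE-KEY>   # placeholder, not a real key
  - identity: {}                 # fallback so pre-existing plaintext still reads
```

After restarting the API server with this file, rewrite existing secrets so they are stored encrypted, for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -. Rotation follows the same shape: add the new key at the top of the keys list, restart, rewrite the secrets, then remove the old key. The 1.10 extension point on the slide plugs into this same providers list, with the key held by an external KMS instead of in this file.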
  9. Planned for 1.10: Service account improvements
     • https://github.com/kubernetes/community/pull/1460
     • Service account credential improvements
     • Goal is to allow moving service account tokens out of Secret API objects
     • Point-of-use creation, attenuated by node/pod, with bounded lifetime

  10. Ongoing efforts: Container Identity WG
     • https://github.com/kubernetes/community/tree/master/wg-container-identity
     • Better identities for containers than service accounts
       ◦ Differentiate between pods running on different nodes
       ◦ Scoped identities that only work for target services
     • Improved container identities enable external secret management
     • Focus on mechanisms for delivering credentials/identity directly to pods

  11. Future efforts: TLS bootstrapping and rotation
     • https://github.com/kubernetes/features/issues/267
     • Server certificate rotation to beta
     • Kubelet address validation
     • Attestation as part of CSR process