Securing Clusters with Kubernetes Extensibility

4FDVSJOH$MVTUFSTXJUI ,VCFSOFUFT&YUFOTJCJMJUZ "ZB0[BXB !MBEJDMF 5BLBTIJ,VTVNJ ,VCFSOFUFT$MPVE/BUJWF.FFUVQ

"CPVUVT "ZB0[BXB!MBEJDMF 4PGUXBSF&OHJOFFS BU;-BC$PSQ 5BLBTIJ,VTVNJ 4PGUXBSF&OHJOFFS BU;-BC$PSQ

"ZB 5BLBTIJ 5PEBZˏTBHFOEB ,VCFSOFUFTBTB4FSWJDFGPS:BIPP+BQBO )PXTIPVMEXFDPOUSPMBDDFTTUPUIF,VCFSOFUFT"1*TFSWFS 8IBUJT+85BOE3#"$ BOE)PXUPVTFJU
3#"$JT/05FOPVHI %FNPOTUSBUJPOPGQSJWJMFHFFTDBMBUJPO 4FDVSJOH,VCFSOFUFTXJUI7BMJEBUJOH"ENJTTJPO8FCIPPL

;-BC,VCFSOFUFTBTB4FSWJDF 4 .BTUFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS
Ӝ4FMGIFBMJOHUIFXIPMF DMVTUFS Ӝ4DBMJOHDMVTUFSFBTJMZ Ӝ;FSPEPXOUJNFVQHSBEF DMVTUFSWFSTJPO .BKPS'FBUVSFT .BTUFS$MVTUFSNBOBHFTNVMUJQMF6TFS ,VCFSOFUFT$MVTUFSBOEJUTFMGVTJOH$3%

)PXTIPVMEXFDPOUSPMBDDFTT 5 .BTUFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS
"QQ %FWFMPQFS "QQ %FWFMPQFS "QQ 0QFSBUPS LT 0QFSBUPS "UUBDLFS ✖%&/:

"DDFTT$POUSPM

TUFQT"DDFTT$POUSPM 7 "VUIFOUJDBUJPO "VUI/ "VUIPSJ[BUJPO "VUI; "ENJTTJPO $POUSPM "1*4FSWFS "DDFTT

"MMPX 8IBUIBQQFOTJOFBDITUFQ 8 "DDFTT 8IPBSFZPV ✔$SFBUF9 ✖%FMFUF:  8IBUDBOZPVEP %FOZ
%FOZ %FOZ 7BMJEBUJOH .PEJGZJOH ٥٥٥ "MMPX "MMPX "VUI/ "VUI; "ENJTTJPO$POUSPM

"DDFTT$POUSPMNPEVMFT 9 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$
3#"$ 8FCIPPL /PEF3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH "ENJTTJPO 8FCIPPL FUD FUD FUD

8IZEPXFVTF+85 10 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$
3#"$ 8FCIPPL /PEF3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH "ENJTTJPO FUD FUD FUD Ӝ %ZOBNJDVTFSBVUIFOUJDBUJPO Ӝ 1BTTXPSEBOE1MBOF5PLFONPEVMFT SFRVJSFUPTFU"VUI/TFUUJOHXIFOCPPUJOH "1*TFSWFS Ӝ 4FWFSBM0*%$*E1TTVQQPSUUIJTNPEVMF

8IZEPXFVTF3#"$ 11 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$
3#"$ 8FCIPPL /PEF3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH "ENJTTJPO FUD FUD FUD Ӝ %ZOBNJDBDDFTTBVUIPSJ[BUJPO Ӝ /PBEEJUJPOBMEFWFMPQNFOU Ӝ 3#"$TFUUJOHTDBOCF DPOSNFECZLVCFDUMMJLFBOZ PUIFSSFTPVSDFT /05&*GZPVBMSFBEZIBWF"VUI;TZTUFN 8FCIPPLJTBHPPEDIPJDF

"VUI/+85 4FSWJDF"DDPVOU0*%$

5XPDBUFHPSJFTPG6TFST 13 "1*4FSWFS "DDFTT 6TFSNBOBHFECZLT FH#PU /PSNBM6TFS FH"MJDF

#PUI4"BOE0*%$VTJOH+85 14 "1*4FSWFS 6TFSNBOBHFECZLT FH#PU /PSNBM6TFS FH"MJDF +85 +85 (FU+85GSPNB0*%$*E1
(FU+85GSPN B4FSWJDF"DDPVOU

4"4FDSFUIBT+85 15 $SFBUFBCPU4" JOUIFTZTUFN/4 %FUFDUUIF DSFBUJPOFWFOU $SFBUFBCPU4"4FDSFU XJUI+85JOUIFTZTUFN/4 5PLFO $POUSPMMFS
4FSWJDF "DDPVOU 4FDSFU +85

4"$POUSPMMFSDSFBUFTEFGBVMU4"GPSBMM/4 16 $SFBUFTZTUFN /BNFTQBDF $SFBUFEFGBVMU 4"JOTZTUFN/4 4" $POUSPMMFS 4FSWJDF "DDPVOU
/BNF TQBDF %FUFDUUIF DSFBUJPOFWFOU

7PMVNF "MM1PETBTTPDJBUF4FSWJDF"DDPVOU 17 4""ENJTTJPO $POUSPMMFS .PVOU $SFBUF1PE 4FUEFGBVMU/"*GUIF 1PEEPFTOPUIBWF4" 4FDSFU
+85 1PE 4FU*NBHF1VMM4FDSFUTPG4"*G UIF1PEEPFTOPUIBWFJU 4FU4FDSFUPG4"UPUIF1PEWPMVNF .PEJGZ1PE

%FY0QFO*%$POOFDU*%1SPWJEFS 18 %FY 0*%$*E1 3FEJSFDU +85 6QTUSFBN*E1 FH'BDFCPPL $MJFOU IUUQTHJUIVCDPNEFYJEQEFY
0*%$JTBTJNQMFJEFOUJUZMBZFSPO UPQPGUIF0"VUIQSPUPDPM

+40/8FC5PLFODPOTJTUTPGQBSUT 19 )FBEFS 1BZMPBE 4JHOBUVSF IUUQTKXUJP

7FSJGZJOH+85PG0*%$ 20 "1*4FSWFS LVCFDUM +85 $BMM"1*XJUI+85 *T+85TJHOBUVSFWBMJE )BTUIF+85FYQJSFE
MBU FYQ 6TFS"VUIPSJ[FE 3FUVSOSFTVMU "VUIPSJ[BUJPO#FBSFS+85 ⚠/05& 4"ˏT+85EPFTOPUIBWFFYQJSBUJPOEBUF BOEJUJTOPUSPUBUFE

"VUI;3#"$

3PMF#BTF"DDFTT$POUSPM 22 "DDFTT %FOZ "MMPX 7JFXFS3PMF 4VCKFDU 3PMF Y $POUSPM
#PC 7JFXFSDBOHFU SFTPVSDFT IBTSVMFTUIBU #JOEJOH NBOBHFS(SPVQ BOE 7JFXFS3PMF *G#PCJTB NBOBHFS *G#PCJTOPU BNBOBHFS "DDFTT6TFSJT #PC

3PMF 3PMF #JOEJOHT 3PMF 3#"$JO,VCFSOFUFT 23 Y $POUSPM Ӝ4" Ӝ6TFS
Ӝ(SPVQ /PSNBM6TFS ,T6TFS "VUIFOUJDBUFE6TFS %FOZ "MMPX ,VCFSOFUFT"1*0CKFDU subjects: - kind: Group name: manager roleRef: kind: Role name: viewer 4VCKFDU "DDFTT

3PMF 3PMF #JOEJOHT 3PMF 3#"$JO,VCFSOFUFT 24 Y $POUSPM %FOZ "MMPX
,VCFSOFUFT"1*0CKFDU metadata: name: viewer rules: - apiGroups: [""] resources: ["pods","pods/exec"] verbs: ["get","list","watch"] - nonResourceURLs: ["/version","/healthz"] verbs: [""] 4VCKFDU Ӝ4" Ӝ6TFS Ӝ(SPVQ /PSNBM6TFS ,T6TFS "VUIFOUJDBUFE6TFS "DDFTT

8IJDI3#"$SFTPVSDFTTIPVMEZPVVTF 25 #JOEJOHT $MVTUFS3PMF#JOEJOHT 3PMF (SBOUQFSNJTTJPOTUPSFTPVSDFTJOUIF TQFDJDOBNFTQBDF $MVTUFS 3PMF 6TF$MVTUFS3PMFGSPNNVMUJQMF
OBNFTQBDFT ˖ (SBOUBDDFTTUPOPO"1*SFTPVSDFT ˖ (SBOUBDDFTTQFSNJTTJPOUPSFTPVSDFTPG BMMOBNFTQBDFT $MVTUFS999EPFTOPUCFMPOH UPUIF/BNFTQBDFT

#VU3#"$JT/05FOPVHI

1SFWFOUQSJWJMFHFFTDBMBUJPO Ӝ  Ӝ  DBOPCUBJOIPTUTSPPUCZNPVOUJOH%PDLFSTPDLFU Ӝ  DBOBDDFTTIPTUTMFTZTUFNWJBQSPD<1*%>SPPU Ӝ
 ☠5IFTFBSFFTFOUJBMMZFRVJWBMFOUUPSPPUPOUIFIPTU

SPOILER ALERT! :PVDBOVTF 1PE4FDVSJUZ1PMJDZ PS 7BMJEBUJOH"ENJTTJPO8FCIPPL UPQSFWFOUJU

%FNP1SJWJMFHFFTDBMBUJPOCZIPTU1BUI 29 IUUQTBTDJJOFNBPSHBG'+X+E4F#S)S%V.

)PXUPQSFWFOUQSJWJMFHFFTDBMBUJPO Ӝ 1PE4FDVSJUZ1PMJDZ %FOFBOENBOBHFTFDVSJUZQPMJDZXJUI3#"$ "EEUPUPVTFJU OFFEUPSFTUBSULVCFBQJTFSWFS $BOOPUDSFBUFBOZQPETXJUIPVUQPMJDZ OPEFGBVMUQSPWJEFE Ӝ
7BMJEBUJOH"ENJTTJPO8FCIPPL *NQMFNFOUZPVSPXOQPMJDZ DBOCFEZOBNJDBMMZDPOHVSFECZ /POFFEUPSFTUBSULVCFBQJTFSWFS

7BMJEBUJOH"ENJTTJPO8FCIPPL "1*4FSWFS :PVS8FCIPPL     
          *TUIFPCKFDUBMMPXFE ZFTOP

4VNNBSZ Ӝ $VTUPN3FTPVSDF%FOJUJPO UPDSFBUF,VCFSOFUFTBTB4FSWJDFJUTFMG Ӝ 0QFO*%$POOFDU"VUIPSJ[BUJPO8FCIPPL UPJOUFHSBUFPVSBVUIOBVUI[TZTUFN Ӝ 7BMJEBUJOH"ENJTTJPO8FCIPPL UPQSFWFOUQSJWJMFHFFTDBMBUJPOBOEJNQMFNFOUDVTUPNQPMJDZ
,VCFSOFUFTFYUFOTJCJMJUZBSFBMTPVTFGVMUPTFDVSFDMVTUFST

8FBSFIJSJOH CJUMZ[MBCDBSFFST

Securing Clusters with Kubernetes Extensibility

Securing Clusters with Kubernetes Extensibility

Aya (Igarashi) Ozawa

More Decks by Aya (Igarashi) Ozawa

Other Decks in Technology

Featured

Transcript

4FDVSJOH$MVTUFSTXJUI ,VCFSOFUFT&YUFOTJCJMJUZ "ZB0[BXB !MBEJDMF 5BLBTIJ,VTVNJ ,VCFSOFUFT$MPVE/BUJWF.FFUVQ

"CPVUVT "ZB0[BXB!MBEJDMF 4PGUXBSF&OHJOFFS BU;-BC$PSQ 5BLBTIJ,VTVNJ 4PGUXBSF&OHJOFFS BU;-BC$PSQ

"ZB 5BLBTIJ 5PEBZˏTBHFOEB ,VCFSOFUFTBTB4FSWJDFGPS:BIPP+BQBO )PXTIPVMEXFDPOUSPMBDDFTTUPUIF,VCFSOFUFT"1*TFSWFS 8IBUJT+85BOE3#"$ BOE)PXUPVTFJU

;-BC,VCFSOFUFTBTB4FSWJDF 4 .BTUFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS

)PXTIPVMEXFDPOUSPMBDDFTT 5 .BTUFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS

"DDFTT$POUSPM

TUFQT"DDFTT$POUSPM 7 "VUIFOUJDBUJPO "VUI/ "VUIPSJ[BUJPO "VUI; "ENJTTJPO $POUSPM "1*4FSWFS "DDFTT

"MMPX 8IBUIBQQFOTJOFBDITUFQ 8 "DDFTT 8IPBSFZPV ✔$SFBUF9 ✖%FMFUF:  8IBUDBOZPVEP %FOZ

"DDFTT$POUSPMNPEVMFT 9 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$

8IZEPXFVTF+85 10 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$

8IZEPXFVTF3#"$ 11 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$

"VUI/+85 4FSWJDF"DDPVOU0*%$

5XPDBUFHPSJFTPG6TFST 13 "1*4FSWFS "DDFTT 6TFSNBOBHFECZLT FH#PU /PSNBM6TFS FH"MJDF

#PUI4"BOE0%$VTJOH+85 14 "14FSWFS 6TFSNBOBHFECZLT FH#PU /PSNBM6TFS FH"MJDF +85 +85 (FU+85GSPNB0%$E1

4"4FDSFUIBT+85 15 $SFBUFBCPU4" JOUIFTZTUFN/4 %FUFDUUIF DSFBUJPOFWFOU $SFBUFBCPU4"4FDSFU XJUI+85JOUIFTZTUFN/4 5PLFO $POUSPMMFS

4"$POUSPMMFSDSFBUFTEFGBVMU4"GPSBMM/4 16 $SFBUFTZTUFN /BNFTQBDF $SFBUFEFGBVMU 4"JOTZTUFN/4 4" $POUSPMMFS 4FSWJDF "DDPVOU

7PMVNF "MM1PETBTTPDJBUF4FSWJDF"DDPVOU 17 4""ENJTTJPO $POUSPMMFS .PVOU $SFBUF1PE 4FUEFGBVMU/"*GUIF 1PEEPFTOPUIBWF4" 4FDSFU

%FY0QFO%$POOFDU%1SPWJEFS 18 %FY 0%$E1 3FEJSFDU +85 6QTUSFBN*E1 FH'BDFCPPL $MJFOU IUUQTHJUIVCDPNEFYJEQEFY

+40/8FC5PLFODPOTJTUTPGQBSUT 19 )FBEFS 1BZMPBE 4JHOBUVSF IUUQTKXUJP

7FSJGZJOH+85PG0%$ 20 "14FSWFS LVCFDUM +85 $BMM"1XJUI+85 T+85TJHOBUVSFWBMJE )BTUIF+85FYQJSFE

"VUI;3#"$

3PMF#BTF"DDFTT$POUSPM 22 "DDFTT %FOZ "MMPX 7JFXFS3PMF 4VCKFDU 3PMF Y $POUSPM

3PMF 3PMF #JOEJOHT 3PMF 3#"$JO,VCFSOFUFT 23 Y $POUSPM Ӝ4" Ӝ6TFS

3PMF 3PMF #JOEJOHT 3PMF 3#"$JO,VCFSOFUFT 24 Y $POUSPM %FOZ "MMPX

8IJDI3#"$SFTPVSDFTTIPVMEZPVVTF 25 #JOEJOHT $MVTUFS3PMF#JOEJOHT 3PMF (SBOUQFSNJTTJPOTUPSFTPVSDFTJOUIF TQFDJDOBNFTQBDF $MVTUFS 3PMF 6TF$MVTUFS3PMFGSPNNVMUJQMF

#VU3#"$JT/05FOPVHI

SPOILER ALERT! :PVDBOVTF 1PE4FDVSJUZ1PMJDZ PS 7BMJEBUJOH"ENJTTJPO8FCIPPL UPQSFWFOUJU

%FNP1SJWJMFHFFTDBMBUJPOCZIPTU1BUI 29 IUUQTBTDJJOFNBPSHBG'+X+E4F#S)S%V.

4VNNBSZ Ӝ $VTUPN3FTPVSDF%FOJUJPO UPDSFBUF,VCFSOFUFTBTB4FSWJDFJUTFMG Ӝ 0QFO*%$POOFDU"VUIPSJ[BUJPO8FCIPPL UPJOUFHSBUFPVSBVUIOBVUI[TZTUFN Ӝ 7BMJEBUJOH"ENJTTJPO8FCIPPL UPQSFWFOUQSJWJMFHFFTDBMBUJPOBOEJNQMFNFOUDVTUPNQPMJDZ

8FBSFIJSJOH CJUMZ[MBCDBSFFST