Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes の認証・認可と RBAC
Search
Takashi Kusumi
April 20, 2017
Technology
9
3.1k
Kubernetes の認証・認可と RBAC
Kubernetes Meetup Tokyo #4
https://k8sjp.connpass.com/event/53737/
Takashi Kusumi
April 20, 2017
Tweet
Share
More Decks by Takashi Kusumi
See All by Takashi Kusumi
Recap: eBPF セッションつまみ食い / eBPF sessions @ KubeCon EU 2023
tksm
1
3.6k
Unit Testing for Prometheus Rules
tksm
6
2.8k
Z Lab の教育への取組 / Cloud Native Education Efforts at Z Lab
tksm
7
1.4k
Recap: Securing Kubernetes with Admission Controllers
tksm
2
1.5k
Istio Mutual TLS
tksm
0
690
Debugging Applications in Kubernetes
tksm
16
4k
Kubernetes with Prometheus
tksm
5
2.4k
Kubernetes v1.7 の主な変更点 / Kubernetes v1.7 features
tksm
0
1.6k
kubectl apply の仕組み / How kubectl apply works
tksm
1
9.7k
Other Decks in Technology
See All in Technology
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
230
[Ruby] Develop a Morse Code Learning Gem & Beep from Strings
oguressive
1
170
5分でわかるDuckDB
chanyou0311
10
3.2k
Oracle Cloudの生成AIサービスって実際どこまで使えるの? エンジニア目線で試してみた
minorun365
PRO
4
290
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
490
re:Invent 2024 Innovation Talks(NET201)で語られた大切なこと
shotashiratori
0
320
1等無人航空機操縦士一発試験 合格までの道のり ドローンミートアップ@大阪 2024/12/18
excdinc
0
170
第3回Snowflake女子会_LT登壇資料(合成データ)_Taro_CCCMK
tarotaro0129
0
200
新機能VPCリソースエンドポイント機能検証から得られた考察
duelist2020jp
0
230
kargoの魅力について伝える
magisystem0408
0
210
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
350
WACATE2024冬セッション資料(ユーザビリティ)
scarletplover
0
210
Featured
See All Featured
Designing for humans not robots
tammielis
250
25k
Building Better People: How to give real-time feedback that sticks.
wjessup
365
19k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Building Your Own Lightsaber
phodgson
103
6.1k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Java REST API Framework Comparison - PWX 2021
mraible
28
8.3k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
Visualization
eitanlees
146
15k
Building an army of robots
kneath
302
44k
Writing Fast Ruby
sferik
628
61k
Transcript
,VCFSOFUFTך钠鏾٥钠〳ה3#"$ 5BLBTIJ,VTVNJ ;-BC
钠鏾ה钠〳הכ Ӝ 钠鏾 "VUIFOUJDBUJPO"VUI/ ِ٦ؠך劤➂䚍然钠ׅ ⢽*%1BTTXPSEדBMJDFהְֲِ٦ؠ陎ⴽ٥然钠ׅ Ӝ 钠〳 "VUIPSJ[BUJPO"VUI;
ِ٦ؠח㼎ׅٔا٦أך،ؙإأ埄ꣲⵖ䖴遤ֲ ⢽BMJDFהְֲِ٦ؠכ1PEך铣《埄ꣲַָ֮
钠鏾٥钠〳כ"1*4FSWFSד遤 controllers master components scheduler etcd API Server kubelet
kube-proxy node 1 kubelet kube-proxy node 2 LVCFMFU kube-proxy node 3 Users
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠鏾 "VUI/
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
,VCFSOFUFTךِ٦ؠ Ӝ 4FSWJDF"DDPVOU ,VCFSOFUFTָ盖椚ׅ،فٔ؛٦ءّٝ欽،ؕؐٝز 1PEⰻַ"1*4FSWFSח،ؙإأׅꥷחⵃ欽דֹ ؙٓأة㢩鿇ד$*זוך،ؕؐٝزה׃גⵃ欽〳腉 Ӝ 6TFS"DDPVOU ➂ךך،ؕؐٝز ,VCFSOFUFTך盖椚㢩կ钠鏾فؚٓ؎ٝ鸐׃ג㢩鿇ד盖椚
钠鏾倯䒭 Ӝ 9ؙٓ؎،ٝز鏾僇剅 Ӝ 涸ز٦ؙٝؿ؋؎ٕ Ӝ ـ٦زأزٓحفز٦ؙٝ Ӝ 涸ػأٙ٦سؿ؋؎ٕ Ӝ
4FSWJDF"DDPVOU Ӝ 0QFO*%$POOFDU Ӝ 8FCIPPL Ӝ 钠鏾فؙٗء٦ Ӝ ,FZ4UPOF 0QFO4UBDL ぐ倯䒭ד钠鏾遤ְِ٦ؠせהؚٕ٦فせזוך䞔㜠《䖤ׅ
4FSWJDF"DDPVOU Ӝ ぐOBNFTQBDFכEFGBVMUהְֲ4FSWJDF"DDPVOUָ荈⹛涸ח⡲ ծぐ1PEחךز٦ָؙٝوؐٝزׁגְ 1PEⰻַ"1*4FSWFSח،ؙإأדֹ״ֲחזגְ Ӝ LVCFDUMDSFBUFTB/".&הְֲ؝وٝسד知⽃ח⡲䧭דֹ 4FSWJDF"DDPVOUכOBNFTQBDFⰻח⡲ Ӝ 荈⹛涸ח+85䕎䒭ךز٦ָؙٝ⡲
ؙٓأة㢩鿇ַ$*זוך،ؕؐٝزה׃גⵃ欽〳腉
9ؙٓ؎،ٝز鏾僇剅 Certificate: Data: ... Validity Not Before: Apr 16
02:14:52 2017 GMT Not After : Apr 16 02:14:52 2018 GMT Subject: O=system:masters, CN=minikube "1*4FSWFSךDMJFOUDBMFؔفءّٝד$"䭷㹀 0 0SHBOJ[BUJPO ָؚٕ٦فせծ$/ $PNNPO/BNF ָِ٦ؠせ
0QFO*%$POOFDU Ӝ 0QFO*%$POOFDUך*%UPLFOِ٦ؠ䞔㜠ה׃גⵃ欽ׅ (PPHMFזו㢩鿇ך*EFOUJUZ1SPWJEFS⢪欽〳腉 Ӝ וךDMBJNِ٦ؠせծؚٕ٦فせה׃ג⢪ֲַ䭷㹀ׅ رؿٕؓزדכFNBJM FNBJM@WFSJFEָ䗳銲 ָِ٦ؠせ Ӝ
植朐כ*%SFGSFTIUPLFOכⴽך䩛媮ד《䖤ׅ䗳銲ָ֮
"OPOZNPVTSFRVFTU Ӝ דכرؿٕؓزד⼡せ،ؙإأָ剣⸬ 钠鏾ָ鸐זֻג钠〳ח鹌 "1*4FSWFSךBOPOZNPVTBVUIؔفءّٝד㢌刿〳 Ӝ "1*4FSWFSךقٕأثؑحؙװغ٦آّٝ䞔㜠כ3#"$ךرؿؓ ٕزד⼡せِ٦ؠח鏩〳ׁגְ TZTUFNEJTDPWFSZ
Ӝ ⼡せِ٦ؠכ⟃♴ךِ٦ؠ䞔㜠הז ِ٦ؠせTZTUFNBOPOZNPVT ؚٕ٦فせTZTUFNVOBVUIFOUJDBUFE
钠〳 "VUI;
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠〳فؚٓ؎ٝ Ӝ 3PMF#BTFE"DDFTT$POUSPM 3#"$ Ӝ "UUSJCVUF#BTFE"DDFTT$POUSPM "#"$ Ӝ
8FCIPPL Ӝ "MXBZT"MMPX"MXBZT%FOZ 钠鏾فؚٓ؎ٝד《䖤׃ِ٦ؠせծؚٕ٦فせה،ؙإأؙׅٔ ؒأز䞔㜠⯋ח،ؙإأⵖ䖴遤ֲկ
ؙٔؒأز䞔㜠 BVUIPSJ[PS"UUSJCVUFT Ӝ ِ٦ؠ䞔㜠 OBNF HSPVQTזו Ӝ "1*ٔا٦أַやַ Ӝ
ؙٔؒأزךػأ䞔㜠 Ӝ 乼⡲珏ⴽ WFSC)551.FUIPE HFU DSFBUF VQEBUF瘝 Ӝ ٔا٦أ珏ⴽ Ӝ ؟ـٔا٦أ珏ⴽ Ӝ ؔـآؙؑزせ Ӝ "1*ؚٕ٦ف Ӝ "1*غ٦آّٝ
"1*3FTPVSDFͱ/PO3FTPVSDF63- Ӝ "1*3FTPVSDF ,VCFSOFUFT♳ד䪔1PE 4FSWJDFזוך䞔㜠 "1*ؚٕ٦فהְֲؚٕ٦فך嚊䙀䭯א ♧鿇כ؟ـٔا٦أ QPETFYFD QPETMPH 䭯א
Ӝ /PO3FTPVSDF63- غ٦آّٝ䞔㜠ך《䖤װقٕأثؑحؙזוח⢪63- IFBMUI[ WFSTJPOזוָ鑩䔲ׅ
"1*4FSWFSפךؙٔؒأز $ kubectl get --namespace myns pods mypod GET
https://.../api/v1/namespaces/myns/pods/mypod Accept: application/json Authorization: Bearer eyJ...Ptw # 認証情報 ...
3PMF#BTFE"DDFTT$POUSPM Ӝ WדCFUBחז رؿٕؓزךهٔء٦ָ欽䠐ׁ״ֲחז Ӝ W儗挿ד"#"$כ涸ז䞔㜠׃ַ盖椚דֹזְծ⹛涸ז، ؙإأⵖ䖴遤ֲחכ3#"$ַ8FCIPPL鼅䫛ׅ䕎חז Ӝ ٗ٦ٕ㹀纏׃ծחِ٦ؠ秡➰ֽ䕎䒭 ٗ٦ٕך㹀纏$MVTUFS3PMF3PMF
ٗ٦ٕך秡➰ֽ$MVTUFS3PMF#JOEJOH3PMF#JOEJOH
ٗ٦ٕך㹀纏ה秡➰ֽ pod-reader pod-reader Role RoleBinding 6TFS (SPVQٗ٦ٕח秡➰ֽ וךٔا٦أח⡦ָדַֹ ⢽1PEח㼎׃ג铣《鏩〳
⢽BMJDFחQPESFBEFSٗ٦ٕ➰♷
ٗ٦ٕך㹀纏 3PMF 1PEח㼎׃גEFGBVMUط٦يأل٦أךHFUXBUDIMJTU鏩〳ׅ kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace:
default name: pod-reader rules: # ルールは複数書ける - apiGroups: [""] # Core グループ resources: ["pods"] # リソース verbs: ["get", "watch", "list"] # 読み取り権限
ٗ٦ٕך秡➰ֽ 3PMF#JOEJOH kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods
namespace: default subjects: - kind: User name: alice # alice を紐付ける apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader # 紐付けるのは pod-reader ロール apiGroup: rbac.authorization.k8s.io
ؙٓأة⽃⡘ךٗ٦ٕ Ӝ 3PMFה$MVTUFS3PMFךאָ֮ 3PMFכOBNFTQBDFח秡בֻ $MVTUFS3PMFכؙٓأة VOOBNFTQBDFE ח秡בֻ /PEF 1FSTJTUFOU7PMVNFהְؙٓأةٔا٦أך埄ꣲ ♷ִ
Ӝ 3PMF#JOEJOHה$MVTUFS3PMF#JOEJOHず圫 3PMF#JOEJOHד$MVTUFS3PMFח秡➰ֽֿהדֹ
رؿٕؓزهٔء٦ W Ӝ Wדرؿٕؓزך3#"$هٔء٦ָ鷄⸇ׁ Ӝ ءأذيך؝ٝه٦طٝزָ⢪ֲٗ٦ٕ LVCFTDIFEVMFS LVCFQSPYZזוָ⢪ֲ㼔欽ٗ٦ٕ Ӝ ِ٦ؠָ害欽涸ח⢪ִٗ٦ٕ
盖椚罏埄ꣲ BENJO ծ铣《埄ꣲ WJFX הְ害欽ٗ٦ٕ
害欽涸זرؿٕؓز$MVUFS3PMF DMVTUFSBENJO ؙٓأةךⰋ埄ꣲ盖椚罏埄ꣲկ رؿٕؓزדTZTUFNNBTUFSTָ秡➰ֽגְ BENJO OBNFTQBDFⰻך盖椚罏埄ꣲ FEJU OBNFTQBDFⰻך铣剅ֹ埄ꣲ 3PMF3PMF#JOEJOHחꟼׅ埄ꣲכ䭯זְ
WJFX OBNFTQBDFⰻך铣《埄ꣲ 4FDSFUך铣《埄ꣲכ䭯זְ
%FNP
"ENJTTJPO$POUSPMMFS
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
"ENJTTJPO$POUSPMMFS Ӝ 圫ղזؙٔؒأزךⵖ䖴遤ֲ堣腉 ؙٔؒأزךؔـآؙؑز䞔㜠剅ֹ䳔ִծ䞔㜠ח״ג 䬧や׃ׅ "1*4FSWFSךBENJTTJPODPOUSPMؔفءّٝד醱侧䭷㹀 Ӝ ⢽"MXBZT1VMM*NBHFT 1PEך*NBHF1VMM1PMJDZ荈⹛ד"MXBZTח鏣㹀ׅ Ӝ
⢽4FSWJDF"DDPVOU 4FSWJDF"DDPVOUךء٦ؙٖحز䞔㜠荈⹛דوؐٝزׅ
"ENJTTJPO$POUSPMMFSך♧鋮 Ӝ "MXBZT"ENJU Ӝ "MXBZT1VMM*NBHFT Ӝ "MXBZT%FOZ Ӝ %FOZ&TDBMBUJOH&YFD
Ӝ *NBHF1PMJDZ8FCIPPL Ӝ 4FSWJDF"DDPVOU Ӝ 4FDVSJUZ$POUFYU%FOZ Ӝ 3FTPVSDF2VPUB Ӝ -JNJU3BOHFS Ӝ *OJUJBM3FTPVSDFT Ӝ /BNFTQBDF-JGFDZDMF Ӝ %FGBVMU4UPSBHF$MBTT Ӝ %FGBVMU5PMFSBUJPO4FDPOET Ӝ 1PE4FDVSJUZ1PMJDZ
湊叨 "VEJU
湊叨 "VEJU Ӝ W儗挿דכ㛇劤涸ז湊叨ؚٗ⳿⸂ָ㹋鄲ׁגְ "1*4FSWFSחBVEJUMPHQBUIؔفءّٝד⳿⸂⯓䭷㹀 Ӝ ،ؙإأ遤ד⳿⸂ׁ չְאպչ铩ָպչ⡦պչוֲ乼⡲׃ַպ չוֲ乼⡲׃ַպ鿇ⴓכ植朐כ)551.FUIPEך䞔㜠ך Ӝ
״鑫稢ז䞔㜠חאְגכ➙䖓㹋鄲✮㹀ך垷圫 չؔـآؙؑزָוֲ㢌刿ַׁպ 8*1"EWBODFEBVEJUQSPQPTBM
湊叨ؚٗך⳿⸂䞔㜠 Ӝ ְא 5; Ӝ 铩ָ JQVTFSNJOJLVCFHSPVQT=TZTUFNNBTUFST= =TZTUFNBVUIFOUJDBUFE=BTTFMGBTHSPVQTMPPLVQ Ӝ ⡦
OBNFTQBDFEFGBVMUVSJBQJTFYUFOTJPOTWCFUBOBNFTQBDFT EFGBVMUEFQMPZNFOUT Ӝ וֲ乼⡲׃ַ NFUIPE1045
钠鏾٥钠〳ך孡חז13JTTVF
,VCFDUMMPHJOTVCDPNNBOE Ӝ &SJD$IJBOHׁ $PSF04 Ӝ LVCFDUMך؟ـ؝وٝسד湫䱸ؚٗ؎ٝ׃גؙٖرٝءٍٕ《 䖤ׅ Ӝ 1SPQPTBMכو٦آ幥
Ӝ IUUQTHJUIVCDPNLVCFSOFUFTGFBUVSFTJTTVFT
8*1"EWBODFEBVEJUQSPQPTBM Ӝ .BDJFK4[VMJLׁ 3FE)BU Ӝ ״넝䏝ז湊叨ؚٗחꟼׅQSPQPTBM Ӝ 圓鸡⻉ؚٗװչؔـآؙؑزָוֲ㢌刿ַׁպזוך䲿周 Ӝ
IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZQVMM
תה Ӝ ,VCFSOFUFTכׁתׂתז钠鏾ה钠〳ח㼎䘔 钠鏾٥钠〳כⴽؿؑ٦ؤד遤⦐ⴽח鏣㹀דֹ Ӝ 钠鏾4FSWJDF"DDPVOU Yؙٓ؎،ٝز鏾僇剅ծ0*%$ Ӝ 钠〳דכ3PMF#BTFE"DDFT$POUSPM 3#"$
ָؔأأً Wד害欽涸זرؿٕؓزهٔء٦ָ欽䠐ׁ
8FBSFIJSJOH IUUQT[MBCDPKQ