Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes の認証・認可と RBAC
Search
Takashi Kusumi
April 20, 2017
Technology
9
3.1k
Kubernetes の認証・認可と RBAC
Kubernetes Meetup Tokyo #4
https://k8sjp.connpass.com/event/53737/
Takashi Kusumi
April 20, 2017
Tweet
Share
More Decks by Takashi Kusumi
See All by Takashi Kusumi
Recap: eBPF セッションつまみ食い / eBPF sessions @ KubeCon EU 2023
tksm
1
3.6k
Unit Testing for Prometheus Rules
tksm
7
3k
Z Lab の教育への取組 / Cloud Native Education Efforts at Z Lab
tksm
7
1.5k
Recap: Securing Kubernetes with Admission Controllers
tksm
2
1.5k
Istio Mutual TLS
tksm
0
710
Debugging Applications in Kubernetes
tksm
16
4.1k
Kubernetes with Prometheus
tksm
5
2.5k
Kubernetes v1.7 の主な変更点 / Kubernetes v1.7 features
tksm
0
1.6k
kubectl apply の仕組み / How kubectl apply works
tksm
1
9.8k
Other Decks in Technology
See All in Technology
SmartHR プロダクトエンジニア求人ガイド_2025 / PdE job guide 2025
smarthr
0
120
LangfuseでAIエージェントの 可観測性を高めよう!/Enhancing AI Agent Observability with Langfuse!
jnymyk
1
230
AWSLambdaMCPServerを使ってツールとMCPサーバを分離する
tkikuchi
1
3k
ソフトウェア開発現代史: "LeanとDevOpsの科学"の「科学」とは何か? - DORA Report 10年の変遷を追って - #DevOpsDaysTokyo
takabow
0
380
AI Agentを「期待通り」に動かすために:設計アプローチの模索と現在地
kworkdev
PRO
2
450
Classmethod AI Talks(CATs) #21 司会進行スライド(2025.04.17) / classmethod-ai-talks-aka-cats_moderator-slides_vol21_2025-04-17
shinyaa31
0
590
SnowflakeとDatabricks両方でRAGを構築してみた
kameitomohiro
1
390
技術者はかっこいいものだ!!~キルラキルから学んだエンジニアの生き方~
masakiokuda
2
270
プロダクト開発におけるAI時代の開発生産性
shnjtk
2
240
読んで学ぶ Amplify Gen2 / Amplify と CDK の関係を紐解く #jawsug_tokyo
tacck
PRO
1
140
JPOUG Tech Talk #12 UNDO Tablespace Reintroduction
nori_shinoda
2
140
CodePipelineのアクション統合から学ぶAWS CDKの抽象化技術 / codepipeline-actions-cdk-abstraction
gotok365
5
190
Featured
See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Become a Pro
speakerdeck
PRO
27
5.3k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
13
1.4k
It's Worth the Effort
3n
184
28k
Designing for Performance
lara
608
69k
Facilitating Awesome Meetings
lara
54
6.3k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Designing Experiences People Love
moore
141
24k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Bash Introduction
62gerente
611
210k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.5k
Transcript
,VCFSOFUFTך钠鏾٥钠〳ה3#"$ 5BLBTIJ,VTVNJ ;-BC
钠鏾ה钠〳הכ Ӝ 钠鏾 "VUIFOUJDBUJPO"VUI/ ِ٦ؠך劤➂䚍然钠ׅ ⢽*%1BTTXPSEדBMJDFהְֲِ٦ؠ陎ⴽ٥然钠ׅ Ӝ 钠〳 "VUIPSJ[BUJPO"VUI;
ِ٦ؠח㼎ׅٔا٦أך،ؙإأ埄ꣲⵖ䖴遤ֲ ⢽BMJDFהְֲِ٦ؠכ1PEך铣《埄ꣲַָ֮
钠鏾٥钠〳כ"1*4FSWFSד遤 controllers master components scheduler etcd API Server kubelet
kube-proxy node 1 kubelet kube-proxy node 2 LVCFMFU kube-proxy node 3 Users
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠鏾 "VUI/
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
,VCFSOFUFTךِ٦ؠ Ӝ 4FSWJDF"DDPVOU ,VCFSOFUFTָ盖椚ׅ،فٔ؛٦ءّٝ欽،ؕؐٝز 1PEⰻַ"1*4FSWFSח،ؙإأׅꥷחⵃ欽דֹ ؙٓأة㢩鿇ד$*זוך،ؕؐٝزה׃גⵃ欽〳腉 Ӝ 6TFS"DDPVOU ➂ךך،ؕؐٝز ,VCFSOFUFTך盖椚㢩կ钠鏾فؚٓ؎ٝ鸐׃ג㢩鿇ד盖椚
钠鏾倯䒭 Ӝ 9ؙٓ؎،ٝز鏾僇剅 Ӝ 涸ز٦ؙٝؿ؋؎ٕ Ӝ ـ٦زأزٓحفز٦ؙٝ Ӝ 涸ػأٙ٦سؿ؋؎ٕ Ӝ
4FSWJDF"DDPVOU Ӝ 0QFO*%$POOFDU Ӝ 8FCIPPL Ӝ 钠鏾فؙٗء٦ Ӝ ,FZ4UPOF 0QFO4UBDL ぐ倯䒭ד钠鏾遤ְِ٦ؠせהؚٕ٦فせזוך䞔㜠《䖤ׅ
4FSWJDF"DDPVOU Ӝ ぐOBNFTQBDFכEFGBVMUהְֲ4FSWJDF"DDPVOUָ荈⹛涸ח⡲ ծぐ1PEחךز٦ָؙٝوؐٝزׁגְ 1PEⰻַ"1*4FSWFSח،ؙإأדֹ״ֲחזגְ Ӝ LVCFDUMDSFBUFTB/".&הְֲ؝وٝسד知⽃ח⡲䧭דֹ 4FSWJDF"DDPVOUכOBNFTQBDFⰻח⡲ Ӝ 荈⹛涸ח+85䕎䒭ךز٦ָؙٝ⡲
ؙٓأة㢩鿇ַ$*זוך،ؕؐٝزה׃גⵃ欽〳腉
9ؙٓ؎،ٝز鏾僇剅 Certificate: Data: ... Validity Not Before: Apr 16
02:14:52 2017 GMT Not After : Apr 16 02:14:52 2018 GMT Subject: O=system:masters, CN=minikube "1*4FSWFSךDMJFOUDBMFؔفءّٝד$"䭷㹀 0 0SHBOJ[BUJPO ָؚٕ٦فせծ$/ $PNNPO/BNF ָِ٦ؠせ
0QFO*%$POOFDU Ӝ 0QFO*%$POOFDUך*%UPLFOِ٦ؠ䞔㜠ה׃גⵃ欽ׅ (PPHMFזו㢩鿇ך*EFOUJUZ1SPWJEFS⢪欽〳腉 Ӝ וךDMBJNِ٦ؠせծؚٕ٦فせה׃ג⢪ֲַ䭷㹀ׅ رؿٕؓزדכFNBJM FNBJM@WFSJFEָ䗳銲 ָِ٦ؠせ Ӝ
植朐כ*%SFGSFTIUPLFOכⴽך䩛媮ד《䖤ׅ䗳銲ָ֮
"OPOZNPVTSFRVFTU Ӝ דכرؿٕؓزד⼡せ،ؙإأָ剣⸬ 钠鏾ָ鸐זֻג钠〳ח鹌 "1*4FSWFSךBOPOZNPVTBVUIؔفءّٝד㢌刿〳 Ӝ "1*4FSWFSךقٕأثؑحؙװغ٦آّٝ䞔㜠כ3#"$ךرؿؓ ٕزד⼡せِ٦ؠח鏩〳ׁגְ TZTUFNEJTDPWFSZ
Ӝ ⼡せِ٦ؠכ⟃♴ךِ٦ؠ䞔㜠הז ِ٦ؠせTZTUFNBOPOZNPVT ؚٕ٦فせTZTUFNVOBVUIFOUJDBUFE
钠〳 "VUI;
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠〳فؚٓ؎ٝ Ӝ 3PMF#BTFE"DDFTT$POUSPM 3#"$ Ӝ "UUSJCVUF#BTFE"DDFTT$POUSPM "#"$ Ӝ
8FCIPPL Ӝ "MXBZT"MMPX"MXBZT%FOZ 钠鏾فؚٓ؎ٝד《䖤׃ِ٦ؠせծؚٕ٦فせה،ؙإأؙׅٔ ؒأز䞔㜠⯋ח،ؙإأⵖ䖴遤ֲկ
ؙٔؒأز䞔㜠 BVUIPSJ[PS"UUSJCVUFT Ӝ ِ٦ؠ䞔㜠 OBNF HSPVQTזו Ӝ "1*ٔا٦أַやַ Ӝ
ؙٔؒأزךػأ䞔㜠 Ӝ 乼⡲珏ⴽ WFSC)551.FUIPE HFU DSFBUF VQEBUF瘝 Ӝ ٔا٦أ珏ⴽ Ӝ ؟ـٔا٦أ珏ⴽ Ӝ ؔـآؙؑزせ Ӝ "1*ؚٕ٦ف Ӝ "1*غ٦آّٝ
"1*3FTPVSDFͱ/PO3FTPVSDF63- Ӝ "1*3FTPVSDF ,VCFSOFUFT♳ד䪔1PE 4FSWJDFזוך䞔㜠 "1*ؚٕ٦فהְֲؚٕ٦فך嚊䙀䭯א ♧鿇כ؟ـٔا٦أ QPETFYFD QPETMPH 䭯א
Ӝ /PO3FTPVSDF63- غ٦آّٝ䞔㜠ך《䖤װقٕأثؑحؙזוח⢪63- IFBMUI[ WFSTJPOזוָ鑩䔲ׅ
"1*4FSWFSפךؙٔؒأز $ kubectl get --namespace myns pods mypod GET
https://.../api/v1/namespaces/myns/pods/mypod Accept: application/json Authorization: Bearer eyJ...Ptw # 認証情報 ...
3PMF#BTFE"DDFTT$POUSPM Ӝ WדCFUBחז رؿٕؓزךهٔء٦ָ欽䠐ׁ״ֲחז Ӝ W儗挿ד"#"$כ涸ז䞔㜠׃ַ盖椚דֹזְծ⹛涸ז، ؙإأⵖ䖴遤ֲחכ3#"$ַ8FCIPPL鼅䫛ׅ䕎חז Ӝ ٗ٦ٕ㹀纏׃ծחِ٦ؠ秡➰ֽ䕎䒭 ٗ٦ٕך㹀纏$MVTUFS3PMF3PMF
ٗ٦ٕך秡➰ֽ$MVTUFS3PMF#JOEJOH3PMF#JOEJOH
ٗ٦ٕך㹀纏ה秡➰ֽ pod-reader pod-reader Role RoleBinding 6TFS (SPVQٗ٦ٕח秡➰ֽ וךٔا٦أח⡦ָדַֹ ⢽1PEח㼎׃ג铣《鏩〳
⢽BMJDFחQPESFBEFSٗ٦ٕ➰♷
ٗ٦ٕך㹀纏 3PMF 1PEח㼎׃גEFGBVMUط٦يأل٦أךHFUXBUDIMJTU鏩〳ׅ kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace:
default name: pod-reader rules: # ルールは複数書ける - apiGroups: [""] # Core グループ resources: ["pods"] # リソース verbs: ["get", "watch", "list"] # 読み取り権限
ٗ٦ٕך秡➰ֽ 3PMF#JOEJOH kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods
namespace: default subjects: - kind: User name: alice # alice を紐付ける apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader # 紐付けるのは pod-reader ロール apiGroup: rbac.authorization.k8s.io
ؙٓأة⽃⡘ךٗ٦ٕ Ӝ 3PMFה$MVTUFS3PMFךאָ֮ 3PMFכOBNFTQBDFח秡בֻ $MVTUFS3PMFכؙٓأة VOOBNFTQBDFE ח秡בֻ /PEF 1FSTJTUFOU7PMVNFהְؙٓأةٔا٦أך埄ꣲ ♷ִ
Ӝ 3PMF#JOEJOHה$MVTUFS3PMF#JOEJOHず圫 3PMF#JOEJOHד$MVTUFS3PMFח秡➰ֽֿהדֹ
رؿٕؓزهٔء٦ W Ӝ Wדرؿٕؓزך3#"$هٔء٦ָ鷄⸇ׁ Ӝ ءأذيך؝ٝه٦طٝزָ⢪ֲٗ٦ٕ LVCFTDIFEVMFS LVCFQSPYZזוָ⢪ֲ㼔欽ٗ٦ٕ Ӝ ِ٦ؠָ害欽涸ח⢪ִٗ٦ٕ
盖椚罏埄ꣲ BENJO ծ铣《埄ꣲ WJFX הְ害欽ٗ٦ٕ
害欽涸זرؿٕؓز$MVUFS3PMF DMVTUFSBENJO ؙٓأةךⰋ埄ꣲ盖椚罏埄ꣲկ رؿٕؓزדTZTUFNNBTUFSTָ秡➰ֽגְ BENJO OBNFTQBDFⰻך盖椚罏埄ꣲ FEJU OBNFTQBDFⰻך铣剅ֹ埄ꣲ 3PMF3PMF#JOEJOHחꟼׅ埄ꣲכ䭯זְ
WJFX OBNFTQBDFⰻך铣《埄ꣲ 4FDSFUך铣《埄ꣲכ䭯זְ
%FNP
"ENJTTJPO$POUSPMMFS
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
"ENJTTJPO$POUSPMMFS Ӝ 圫ղזؙٔؒأزךⵖ䖴遤ֲ堣腉 ؙٔؒأزךؔـآؙؑز䞔㜠剅ֹ䳔ִծ䞔㜠ח״ג 䬧や׃ׅ "1*4FSWFSךBENJTTJPODPOUSPMؔفءّٝד醱侧䭷㹀 Ӝ ⢽"MXBZT1VMM*NBHFT 1PEך*NBHF1VMM1PMJDZ荈⹛ד"MXBZTח鏣㹀ׅ Ӝ
⢽4FSWJDF"DDPVOU 4FSWJDF"DDPVOUךء٦ؙٖحز䞔㜠荈⹛דوؐٝزׅ
"ENJTTJPO$POUSPMMFSך♧鋮 Ӝ "MXBZT"ENJU Ӝ "MXBZT1VMM*NBHFT Ӝ "MXBZT%FOZ Ӝ %FOZ&TDBMBUJOH&YFD
Ӝ *NBHF1PMJDZ8FCIPPL Ӝ 4FSWJDF"DDPVOU Ӝ 4FDVSJUZ$POUFYU%FOZ Ӝ 3FTPVSDF2VPUB Ӝ -JNJU3BOHFS Ӝ *OJUJBM3FTPVSDFT Ӝ /BNFTQBDF-JGFDZDMF Ӝ %FGBVMU4UPSBHF$MBTT Ӝ %FGBVMU5PMFSBUJPO4FDPOET Ӝ 1PE4FDVSJUZ1PMJDZ
湊叨 "VEJU
湊叨 "VEJU Ӝ W儗挿דכ㛇劤涸ז湊叨ؚٗ⳿⸂ָ㹋鄲ׁגְ "1*4FSWFSחBVEJUMPHQBUIؔفءّٝד⳿⸂⯓䭷㹀 Ӝ ،ؙإأ遤ד⳿⸂ׁ չְאպչ铩ָպչ⡦պչוֲ乼⡲׃ַպ չוֲ乼⡲׃ַպ鿇ⴓכ植朐כ)551.FUIPEך䞔㜠ך Ӝ
״鑫稢ז䞔㜠חאְגכ➙䖓㹋鄲✮㹀ך垷圫 չؔـآؙؑزָוֲ㢌刿ַׁպ 8*1"EWBODFEBVEJUQSPQPTBM
湊叨ؚٗך⳿⸂䞔㜠 Ӝ ְא 5; Ӝ 铩ָ JQVTFSNJOJLVCFHSPVQT=TZTUFNNBTUFST= =TZTUFNBVUIFOUJDBUFE=BTTFMGBTHSPVQTMPPLVQ Ӝ ⡦
OBNFTQBDFEFGBVMUVSJBQJTFYUFOTJPOTWCFUBOBNFTQBDFT EFGBVMUEFQMPZNFOUT Ӝ וֲ乼⡲׃ַ NFUIPE1045
钠鏾٥钠〳ך孡חז13JTTVF
,VCFDUMMPHJOTVCDPNNBOE Ӝ &SJD$IJBOHׁ $PSF04 Ӝ LVCFDUMך؟ـ؝وٝسד湫䱸ؚٗ؎ٝ׃גؙٖرٝءٍٕ《 䖤ׅ Ӝ 1SPQPTBMכو٦آ幥
Ӝ IUUQTHJUIVCDPNLVCFSOFUFTGFBUVSFTJTTVFT
8*1"EWBODFEBVEJUQSPQPTBM Ӝ .BDJFK4[VMJLׁ 3FE)BU Ӝ ״넝䏝ז湊叨ؚٗחꟼׅQSPQPTBM Ӝ 圓鸡⻉ؚٗװչؔـآؙؑزָוֲ㢌刿ַׁպזוך䲿周 Ӝ
IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZQVMM
תה Ӝ ,VCFSOFUFTכׁתׂתז钠鏾ה钠〳ח㼎䘔 钠鏾٥钠〳כⴽؿؑ٦ؤד遤⦐ⴽח鏣㹀דֹ Ӝ 钠鏾4FSWJDF"DDPVOU Yؙٓ؎،ٝز鏾僇剅ծ0*%$ Ӝ 钠〳דכ3PMF#BTFE"DDFT$POUSPM 3#"$
ָؔأأً Wד害欽涸זرؿٕؓزهٔء٦ָ欽䠐ׁ
8FBSFIJSJOH IUUQT[MBCDPKQ