User Access Management for large Enterprises in Kubernetes

Dimitrij Klesev

February 27, 2020

Transcript

  1. WhizUs GmbH, Kubernetes Certified Service Provider, February 2020. User Access Management for large Enterprises in Kubernetes: Real World Use Case
  2. About: Ronald Wimmer, Ops Engineer @ÖBB (BCC), manages tons of Kubernetes clusters every day. Dimitrij Klesev, Kubernetes Engineer @WhizUs, supports Ronald in managing tons of Kubernetes clusters every day.
  3. When we set up a k8s cluster, we usually do this here:
       admin@master:~$ kubeadm init ...
       admin@master:~$ cp /etc/kubernetes/admin.conf ~/.kube/config
     For a "single cluster, few users" setup we're OK with that.
  4. But how do we handle this here? (Diagram: Dev Cluster, Lab Cluster, GPU Cluster, Prod Cluster, Big Hell Hybrid Cluster, Windows-Subcluster)
  5. Only admin.conf is not really an option sometimes… Especially if one has more users (so different permissions). (Diagram: Project → Dev, Ops, QA, Team A, Team B)
  6. Only admin.conf is not really an option sometimes… Especially if one has more users (so different permissions). Or there are different independent projects. (Diagram: Happy Devs → Project A, Project B, Project N)
  7. Only admin.conf is not really an option sometimes… Especially if one has more users (so different permissions). Or there are different independent projects. But the main point here is… ONE has to manage all of this somehow!
  8. Most companies have different hierarchies. (Diagram: Holding → Company A, Company B → Dep. A, Dep. B, Dep. C → Dev A, Dev B) You know, flat hierarchies….
  9. Most companies have different hierarchies. So it's quite common that there will or could be some form of Directory Service. Some common ones:
     - Active Directory (Azure)
     - Red Hat Directory Server
     - Or "LDAP" in general
  10. Kubernetes supports different types of authn. LDAP, however, is not supported. But OpenID Connect is supported.
  11. As Identity Provider we'll use Keycloak. The IdP will be connected to the Directory Service by using LDAP. Note: we're not talking about authz yet.
  12. Kubernetes supports authz modes such as:
     - Node (special for kubelets)
     - RBAC (most commonly used)
     - ABAC (more advanced, but more complicated)
     - Webhook (using external systems)
     Usually one uses RBAC.
  13. pod-read-create, cluster-read-only, watch-all-ingresses, a.s.o…. (just a few examples). Without using meaningful patterns things could become cumbersome. How to manage authz (with RBAC) in a reasonable way without going crazy?
  14. We remember: "Especially if one has more users (so different permissions)". (Diagram: Project → Dev, Ops, QA, Team A, Team B)
  15. We remember: What about this? (Note: this is not always a solution!) (Diagram: Project → Dev, Ops, QA, Team A, Team B; Cluster A, Cluster B, Cluster N; Namespace A, Namespace B)
  16. We can use groups with their hierarchies from LDAP and map this to our RBAC! Group naming pattern:
       [customer]_project_[cluster]_[namespace]_[...]_role
     (* [ ] means optional). Examples:
       oebb_k8s_cluster-admin
       oebb_k8s_dev_demo_read-only
  17. The RoleBinding for the second example group:
       kind: RoleBinding
       apiVersion: rbac.authorization.k8s.io/v1
       metadata:
         name: oidc-demo_read-only
         namespace: demo
       roleRef:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: view
       subjects:
       - kind: Group
         name: /oebb_k8s_dev_demo_read-only
  18. Additional Info:
     https://github.com/whizus
     https://speakerdeck.com/dklesev
     https://kubernetes.io/docs/reference/access-authn-authz/authentication/
     https://www.freeipa.org/
     https://www.keycloak.org/
     https://blog.lithnet.io/2018/03/the-ldap-authentication-anti-pattern.html
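As an added example (not code from the deck or from WhizUs), the group naming convention of slide 16 turned into the bindings of slide 17: a small Python generator that, given a cluster name and the LDAP group list as Keycloak exposes it in the OIDC groups claim, emits a namespaced RoleBinding or, for groups without a namespace token, a ClusterRoleBinding. It goes a little beyond the deck's two examples by handling cluster-scoped groups; the role-suffix table, the `oidc-<group>` binding names and the function names are assumptions.

```python
"""Turn LDAP/OIDC group names that follow the deck's convention
[customer]_project_[cluster]_[namespace]_[...]_role into RBAC bindings.
Added example, not the deck's code; role table and names are assumptions."""
from typing import Optional

PROJECT = "k8s"  # the fixed "project" token, as in oebb_k8s_...
# Role suffix -> built-in ClusterRole it is bound to (assumed mapping; the deck
# itself only shows read-only -> view and cluster-admin).
ROLE_MAP = {"read-only": "view", "edit": "edit", "admin": "admin",
            "cluster-admin": "cluster-admin"}


def parse_group(group: str, this_cluster: str) -> Optional[dict]:
    """Return {customer, namespace, role} if the group applies to this_cluster;
    None if it is malformed, uses an unknown role, or targets another cluster."""
    # Keycloak emits group paths with a leading "/", as on the RoleBinding slide.
    parts = group.lstrip("/").split("_")
    if len(parts) < 3 or parts[1] != PROJECT or parts[-1] not in ROLE_MAP:
        return None
    customer, role, scope = parts[0], parts[-1], parts[2:-1]
    # scope is [cluster, namespace, ...]; an empty scope means "all clusters".
    if scope and scope[0] != this_cluster:
        return None
    namespace = scope[1] if len(scope) > 1 else None
    return {"customer": customer, "namespace": namespace, "role": role}


def binding_for(group: str, this_cluster: str) -> Optional[dict]:
    """Build a RoleBinding (namespace given) or ClusterRoleBinding (cluster-wide)
    as a dict; json.dumps() of it is valid YAML for kubectl apply -f."""
    info = parse_group(group, this_cluster)
    if info is None:
        return None
    ns = info["namespace"]
    manifest = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding" if ns else "ClusterRoleBinding",
        "metadata": {"name": "oidc-" + group.lstrip("/")},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": ROLE_MAP[info["role"]]},
        # Subject must match the groups claim exactly, leading "/" included.
        "subjects": [{"kind": "Group", "name": "/" + group.lstrip("/")}],
    }
    if ns:
        manifest["metadata"]["namespace"] = ns
    return manifest


def bindings_for_cluster(groups, this_cluster: str) -> list:
    """Every binding this cluster should carry, from the full LDAP group list."""
    return [m for m in (binding_for(g, this_cluster) for g in groups) if m]
```

If the API server is started with --oidc-groups-prefix, the subject names must carry that prefix too, since RBAC compares the group string literally.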