User Access Management for large Enterprises in Kubernetes

Transcript

1. WhizUs GmbH Kubernetes Certified Service Provider February 2020 WhizUs GmbH

   Kubernetes Certified Service Provider February 2020 User Access Management for large Enterprises in Kubernetes Real World Use Case

2. WhizUs GmbH Kubernetes Certified Service Provider February 2020 About -

   Ronald Wimmer - Ops Engineer @ÖBB (BCC) - Manages tons of Kubernetes Clusters everyday - Dimitrij Klesev - Kubernetes Engineer @WhizUs - Supports Ronald in managing tons of Kubernetes Clusters everyday

3. WhizUs GmbH Kubernetes Certified Service Provider February 2020 When we

   setup a k8s cluster, we usually do this here admin@master:~$ kubeadm init ... admin@master:~$ cp /etc/kubernetes/admin.conf ~/.kube/config For “single cluster few users” setup we’re ok with that

4. WhizUs GmbH Kubernetes Certified Service Provider February 2020 But how

   do we handle this here? Dev Cluster Lab Cluster GPU Cluster Prod Cluster Big Hell Hybrid Cluster Windows-Subcluster

5. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Only admin.conf

   is not really an option sometimes… Especially if one has more users (so different permissions) Project Dev Ops QA Team A Team B

6. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Only admin.conf

   is not really an option sometimes… Or there are different independent projects Happy Devs Project A Project B Project N Especially if one has more users (so different permissions)

7. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Only admin.conf

   is not really an option sometimes… Especially if one has more users (so different permissions) Or there are different independent projects But the main point here is…. … ONE has to manage all of this somehow!

8. WhizUs GmbH Kubernetes Certified Service Provider February 2020 What about

   LDAP?

9. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Most companies

   have different hierarchies Holding Company A Company B Dep. A Dep. B Dep. C Dev A Dev B You know, flat hierarchies….

10. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Most companies

    have different hierarchies So it’s quite common that there will or could be some form of Directory Service Some common ones: - Active Directory (Azure) - Red Hat Directory Server - Or “LDAP” in general

11. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Kubernetes supports

    different types of authn LDAP, however, is not supported But OpenID Connect is supported

12. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Let’s look

    into the Docs

13. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Source: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

14. WhizUs GmbH Kubernetes Certified Service Provider February 2020 As Identity

    Provider we’ll use Keycloak The IdP will be connected to the Directory Service by using LDAP Note: we’re not talking about authz yet

15. WhizUs GmbH Kubernetes Certified Service Provider February 2020 DEMO

16. WhizUs GmbH Kubernetes Certified Service Provider February 2020 What about

    authz?

17. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Kubernetes supports

    such things like - Node (special for kubelets) Usually one uses RBAC - RBAC (most commonly used) - ABAC (more advanced, but more complicated) - Webhook (using external systems)

18. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Source: https://www.cncf.io/blog/2018/08/01/demystifying-rbac-in-kubernetes/

19. WhizUs GmbH Kubernetes Certified Service Provider February 2020 pod-read-create, cluster-read-only,

    watch-all-ingresses, a.s.o…. (just few examples) Without using meaningful patterns things could become cumbersome How to manage authz (with RBAC) in a reasonable way without going crazy?

20. WhizUs GmbH Kubernetes Certified Service Provider February 2020 What about

    LDAP? (again)

21. WhizUs GmbH Kubernetes Certified Service Provider February 2020 We remember:

    “Especially if one has more users (so different permissions)” Project Dev Ops QA Team A Team B

22. WhizUs GmbH Kubernetes Certified Service Provider February 2020 We remember:

    What about this (Note: this is not always a solution!) Project Dev Ops QA Team A Team B Cluster A Cluster B Cluster N Namespace A Namespace B

23. WhizUs GmbH Kubernetes Certified Service Provider February 2020 We can

    use groups with their hierarchies from LDAP and map this to our RBAC! [customer]_project_[cluster]_[namespace]_[...]_role * [ ] means optional oebb_k8s_cluster-admin oebb_k8s_dev_demo_read-only

24. WhizUs GmbH Kubernetes Certified Service Provider February 2020 kind: RoleBinding

    apiVersion: rbac.authorization.k8s.io/v1 metadata: name: oidc-demo_read-only namespace: demo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - kind: Group name: /oebb_k8s_dev_demo_read-only

25. WhizUs GmbH Kubernetes Certified Service Provider February 2020 DEMO

26. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Thank You!

27. WhizUs GmbH Kubernetes Certified Service Provider February 2020 Additional Info

    https://github.com/whizus https://speakerdeck.com/dklesev https://kubernetes.io/docs/reference/access-authn-authz/authentication/ https://www.freeipa.org/ https://www.keycloak.org/ https://blog.lithnet.io/2018/03/the-ldap-authentication-anti-pattern.html