User Access Management for large Enterprises in Kubernetes

WhizUs GmbH Kubernetes Certiﬁed Service Provider February 2020
User Access Management
for large Enterprises in
Kubernetes
Real World Use Case

View Slide

About
- Ronald Wimmer
- Ops Engineer @ÖBB (BCC)
- Manages tons of Kubernetes
Clusters everyday
- Dimitrij Klesev
- Kubernetes Engineer @WhizUs
- Supports Ronald in managing tons
of Kubernetes Clusters everyday

View Slide

When we setup a k8s cluster, we usually do this
here
admin@master:~$ kubeadm init ...
admin@master:~$ cp /etc/kubernetes/admin.conf
~/.kube/conﬁg
For “single cluster few users” setup we’re ok with that

View Slide

But how do we handle this here?
Dev Cluster
Lab Cluster
GPU Cluster
Prod Cluster
Big Hell Hybrid Cluster
Windows-Subcluster

View Slide

Only admin.conf is not really an option sometimes…
Especially if one has more users (so different permissions)
Project
Dev Ops QA
Team A Team B

View Slide

Or there are different independent projects
Happy Devs
Project A Project B Project N

View Slide

Or there are different independent projects
But the main point here is….
… ONE has to manage all of this somehow!

View Slide

What about LDAP?

View Slide

Most companies have different hierarchies
Holding
Company A Company B
Dep. A Dep. B Dep. C
Dev A Dev B You know, ﬂat hierarchies….

View Slide

Most companies have different hierarchies
So it’s quite common that there will or could be some
form of Directory Service
Some common ones:
- Active Directory (Azure)
- Red Hat Directory Server
- Or “LDAP” in general

View Slide

Kubernetes supports different types of authn
LDAP, however, is not supported
But OpenID Connect is supported

View Slide

Let’s look into the Docs

View Slide

Source: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

View Slide

As Identity Provider we’ll use Keycloak
The IdP will be connected to the Directory Service by using
LDAP
Note: we’re not talking about authz yet

View Slide

DEMO

View Slide

What about authz?

View Slide

Kubernetes supports such things like
- Node (special for kubelets)
Usually one uses RBAC
- RBAC (most commonly used)
- ABAC (more advanced, but more complicated)
- Webhook (using external systems)

View Slide

Source: https://www.cncf.io/blog/2018/08/01/demystifying-rbac-in-kubernetes/

View Slide

pod-read-create, cluster-read-only,
watch-all-ingresses, a.s.o…. (just few examples)
Without using meaningful patterns things could
become cumbersome
How to manage authz (with RBAC) in a reasonable
way without going crazy?

View Slide

What about LDAP?
(again)

View Slide

We remember:
“Especially if one has more users (so different permissions)”
Project
Dev Ops QA
Team A Team B

View Slide

We remember:
What about this (Note: this is not always a solution!)
Project
Dev Ops QA
Team A Team B
Cluster A Cluster B Cluster N
Namespace A Namespace B

View Slide

We can use groups with their hierarchies from LDAP
and map this to our RBAC!
[customer]_project_[cluster]_[namespace]_[...]_role
* [ ] means optional
oebb_k8s_cluster-admin
oebb_k8s_dev_demo_read-only

View Slide

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: oidc-demo_read-only
namespace: demo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: Group
name: /oebb_k8s_dev_demo_read-only

View Slide

DEMO

View Slide

Thank You!

View Slide

Additional Info
https://github.com/whizus
https://speakerdeck.com/dklesev
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://www.freeipa.org/
https://www.keycloak.org/
https://blog.lithnet.io/2018/03/the-ldap-authentication-anti-pattern.html

View Slide

User Access Management for large Enterprises in Kubernetes

User Access Management for large Enterprises in Kubernetes

Dimitrij Klesev

More Decks by Dimitrij Klesev

Other Decks in How-to & DIY

Featured

Transcript