CoreOS Fest 2016: Kubernetes Access Control with dex

Eric Chiang
May 10, 2016


Transcript

  1. Kubernetes Access Control with dex. Eric Chiang, @erchiang | eric.chiang@coreos.com
  2. Today’s agenda! 1. Kubernetes authn/authz for admins. 2. How dex fits into this.
  3. Kubernetes
  4. Kubernetes • Distributed application management system • Container based • Powerful API
  5. (Diagram) Kubernetes Worker 1/n: kubelet, proxy; facing the Internet
  6. (Diagram) Kubernetes Worker 1/n: kubelet, proxy; facing the Internet. Control Plane: API Server, Scheduler, Controller; kubectl
  7. (Diagram, same as slide 6) Kubernetes Worker 1/n: kubelet, proxy; Internet. Control Plane: API Server, Scheduler, Controller; kubectl
  8. What wants to talk to the API Server? • Users through kubectl • Containers inside Kubernetes • Control plane components • Basically everything
  9. API Server: Auth flow • How do things get to talk to the API Server? • Authn ◦ Identifying the user ◦ “Please show me your ID.” • Authz ◦ Admission rules ◦ “You’re not old enough to drink!”
  10. API Server: Auth flow plugins (Diagram) Authenticator Plugin → Authorizer Plugin → Admission Plugin
  11. API Server: Auth flow plugins (Diagram) HTTP(S) Request → Authenticator Plugin: get • User name • User ID • Groups → Authorizer Plugin: Allow/Deny → Admission Plugin: additional request modification or specialized field-level rules.
  12. API Server: Auth flow • Everything must go through this flow. • Doesn’t matter if you’re an app or a human sitting at a workstation.
  13. Authn Plugins • Who’s making the request? ◦ x509 Client Certs ◦ Password/token files ◦ Keystone ◦ Service Accounts ◦ OpenID Connect ◦ Webhook (v1.3)
  14. Authn Plugins: x509 Client Cert
  15. Authn Plugins: x509 Client Cert
       $ cat /etc/kubernetes/worker.conf
       apiVersion: v1
       kind: Config
       clusters:
       - name: local
         cluster:
           certificate-authority: /etc/kubernetes/ssl/ca.pem
       users:
       - name: kubelet
         user:
           client-certificate: /etc/kubernetes/ssl/worker.pem
           client-key: /etc/kubernetes/ssl/worker-key.pem
  16. Authn Plugins: x509 Client Cert
       $ openssl x509 -in admin.pem -text -noout
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 15171329550234977082
           Signature Algorithm: sha256WithRSAEncryption
               Issuer: CN=kube-ca
               Validity
                   Not Before: Dec 29 20:02:40 2015 GMT
                   Not After : Dec 28 20:02:40 2016 GMT
               Subject: CN=kube-admin
  17. Authn Plugins: Password/Token File
  18. Authn Plugins: Password/Token File
       $ cat /etc/k8s/passwords.csv
       password1,eric,1000
       password2,bobby,1001
       $ /hyperkube apiserver \
           --basic-auth-file=/etc/k8s/passwords.csv
       $ cat /etc/k8s/tokens.csv
       secrettoken1,eric,1000
       secrettoken2,bobby,1001
       $ /hyperkube apiserver \
           --token-auth-file=/etc/k8s/tokens.csv
  19. Authn Plugins: Keystone
  20. Authn Plugins: Keystone
       $ /hyperkube apiserver \
           --experimental-keystone-url=https://ks.example.com

       GET /apis HTTP/1.1
       Host: https://apiserver.example.com
       Authorization: Basic {{ Keystone username/password }}
  21. Authn Plugins: Service accounts
  22. Authn Plugins: Service accounts • Automatically enabled • Can be assigned to pods • Useful for automation
  23. Authn Plugins: Service accounts
       $ kubectl create serviceaccount bob-the-bot
  24. Authn Plugins: Service accounts
       $ kubectl create serviceaccount bob-the-bot
       $ kubectl get serviceaccount bob-the-bot -o yaml
       apiVersion: v1
       kind: ServiceAccount
       secrets:
       - name: bob-the-bot-token-308g1
       $ kubectl get secret bob-the-bot-token-308g1 -o yaml
       apiVersion: v1
       data:
         namespace: ZGVmYXVsdA==
         ca.crt: {{ CA CERT OF API SERVER }}
         token: {{ TOKEN }}
  25. Authn Plugins: Token Webhook (1.3)
  26. Authn Plugins: Token Webhook (1.3) • Query an outside provider • Roll your own authenticator (Diagram) Authenticator Plugin → Remote Service
  27. Authn Plugins: OpenID Connect
  28. Authn Plugins: OpenID Connect • Contributed by CoreOS • OpenID Connect ◦ Basically OAuth2 ◦ Returns a signed token with an access token for offline third-party authentication ◦ Implemented by Google and Salesforce • Tectonic uses this plugin with dex
  29. Dex • Open-source: https://github.com/coreos/dex • Identity service ◦ Tired of rewriting authn • Implements OpenID Connect
  30. Dex: account.tectonic.com
  31. Dex: account.tectonic.com (Diagram) End user ↔ account.tectonic.com ↔ auth.tectonic.com (dex); steps numbered 1 to 5
  32. Dex: Tectonic (Diagram) End user ↔ Tectonic Console ↔ Tectonic Identity (dex); steps numbered 1 to 5
  33. Dex: Tectonic (Diagram, same as slide 32)
  34. Dex: Federation (Diagram) dex
  35. Dex: Federation (Diagram, same as slide 34)
  36. Authn Plugins: OpenID Connect. Work for 1.3: • Better kubectl support ◦ kubectl login ◦ Refresh token support
  37. Kubernetes Authz
  38. Kubernetes Authz (Diagram) HTTP(S) Request → Authenticator Plugin: get • User name • User ID • Groups → Authorizer Plugin: Allow/Deny → Admission Plugin: additional request modification or specialized field-level rules.
  39. Authz Plugins • ABAC • Webhook • RBAC (1.3)
  40. Authz Plugins: ABAC
       $ /hyperkube apiserver \
           --authorization-policy-file=/etc/k8s/policy.jsonl
       { "user": "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch/v1" }
  41. Authz Plugins: ABAC
       { "group": "developer", "namespace": "dev", "resource": "*", "apiGroup": "*" }
       { "group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true }
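The authn-then-authz flow of slides 9 to 12, with the token file of slide 18 as the authenticator plugin and the ABAC policy lines of slides 40 and 41 as the authorizer plugin, as an added Python model; this is not code from the talk or from Kubernetes. The optional fourth "groups" column in the token file and the v0 ABAC rule that an unset user/group property matches everyone are assumptions; the tokens, users and policy lines are constructed.

```python
import csv
import io
import json

# Constructed token file in the slide's --token-auth-file layout: token,user name,user id[,"g1,g2"]
# (the optional fourth group column is an assumption about the format, not shown on the slide).
TOKENS_CSV = """secrettoken1,eric,1000,"developer"
secrettoken2,bobby,1001,"developer,ops"
"""

# Constructed ABAC policy file, one JSON object per line like policy.jsonl on the slides.
POLICY_JSONL = """{"user": "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch/v1"}
{"group": "developer", "namespace": "dev", "resource": "*", "apiGroup": "*"}
{"group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true}
"""

def authenticate(authorization_header, tokens_csv=TOKENS_CSV):
    """Authenticator plugin: bearer token -> {name, uid, groups}, or None if unknown."""
    if not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    for row in csv.reader(io.StringIO(tokens_csv)):
        if len(row) >= 3 and row[0] == token:
            groups = row[3].split(",") if len(row) > 3 and row[3] else []
            return {"name": row[1], "uid": row[2], "groups": groups}
    return None

def _matches(policy, user, verb, namespace, resource, api_group):
    # Unset "user"/"group" matches everyone (assumed v0 ABAC semantics); "*" matches any value.
    if "user" in policy and policy["user"] != user["name"]:
        return False
    if "group" in policy and policy["group"] not in user["groups"]:
        return False
    for key, value in (("namespace", namespace), ("resource", resource), ("apiGroup", api_group)):
        if policy.get(key, "*") not in ("*", value):
            return False
    return not (policy.get("readonly") and verb not in ("get", "list", "watch"))

def authorize(user, verb, namespace, resource, api_group, policy_jsonl=POLICY_JSONL):
    """Authorizer plugin (ABAC): allow if any policy line matches, otherwise deny."""
    return any(_matches(json.loads(line), user, verb, namespace, resource, api_group)
               for line in policy_jsonl.splitlines() if line.strip())

def handle_request(authorization_header, verb, namespace, resource, api_group=""):
    """API server flow: authn first (unknown token = 401), then authz (no matching policy = 403)."""
    user = authenticate(authorization_header)
    if user is None:
        return "unauthenticated"
    return "allow" if authorize(user, verb, namespace, resource, api_group) else "deny"
```

Note that the "readonly" prod line lets developers read but not write, while a namespace no policy line mentions (here "tectonic" for bobby) is denied outright.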
  42. Authz Plugins: Webhook
  43. Authz Plugins: Webhook • Query an outside provider • Roll your own authorizer (Diagram) Authorizer Plugin → Remote Service
  44. Authz Plugins: Webhook • What happens if the remote service dies? ◦ Deny all (Diagram) Authorizer Plugin → Remote Service
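The webhook authorizer of slides 43 and 44, including the "remote service dies, deny all" rule, as an added Python model; it is not code from the talk or from Kubernetes. The SubjectAccessReview field names follow my reading of the authorization.k8s.io/v1beta1 API and are an assumption, the URL is a placeholder, and unreachable_service is a constructed stand-in so the block runs offline.

```python
import json
import urllib.request


def build_review(user, verb, namespace, resource):
    """Build the SubjectAccessReview the webhook authorizer POSTs (field names assumed)."""
    return {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user["name"],
            "groups": user["groups"],
            "resourceAttributes": {"verb": verb, "namespace": namespace, "resource": resource},
        },
    }


def call_remote(review, url, timeout=2.0):
    """POST the review to the remote authorizer; raises on transport or JSON failure."""
    req = urllib.request.Request(url, data=json.dumps(review).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def unreachable_service(review, url):
    """Constructed stand-in for a dead remote service (used instead of the network)."""
    raise OSError("connection refused")


def webhook_authorize(review, url, send=call_remote):
    """Authorizer plugin: allow only on an explicit allowed == true; anything else denies."""
    try:
        response = send(review, url)
    except (OSError, ValueError):   # urllib.error.URLError is an OSError; ValueError = bad JSON
        return False                # remote service died or answered garbage: deny all, never fail open
    if not isinstance(response, dict):
        return False
    return response.get("status", {}).get("allowed") is True
```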
  45. Authz Plugins: RBAC (1.3)
  46. Authz Plugins: RBAC (1.3)
  47. Authz Plugins: RBAC (1.3) • Upstreamed from OpenShift • Define roles ◦ Roles contain a group of policies (like ABAC) • Bind users, groups or service accounts to roles ◦ Cluster level or namespace
  48. Authz Plugins: RBAC (1.3)
       $ cat role.yml
       apiVersion: rbac.authorization/v1alpha1
       kind: ClusterRole
       metadata:
         name: namespace-user
       rules:
       - verbs: ["*"]
         apiGroups: ["v1", "batch/v1"]
         resources: ["*"]
       - verbs: ["get", "watch"]
         apiGroups: ["authorization.rbac/v1alpha1"]
         resources: ["*"]
       $ kubectl create -f role.yml
  49. Authz Plugins: RBAC (1.3) Cluster level Role: namespace-user. Policies: - Can read/write core resources - Can read RBAC. Namespace: Tectonic. Role Binding: - User Eric can login as namespace-user - User Ed can login as namespace-user
  50. Kubernetes: Admission control
  51. Kubernetes: Admission control (Diagram) HTTP(S) Request → Authenticator Plugin: get • User name • User ID • Groups → Authorizer Plugin: Allow/Deny → Admission Plugin: additional request modification or specialized field-level rules.
  52. Admission Control Plugins • Resource quotas • Limit ranges • Lots of others
  53. Admission Control: Resource quotas
  54. Admission Control: Resource quotas • If an action would exceed a quota, reject it
  55. Admission Control: Resource quotas
       $ cat quota.yml
       apiVersion: v1
       kind: ResourceQuota
       metadata:
         name: quota
       spec:
         hard:
           memory: 1Gi
           cpu: 20
           pods: 10
           services: 5
           replicationcontrollers: 20
           resourcequotas: 1
       $ kubectl create --namespace=development -f quota.yml
  56. Admission Control: Limit ranges
  57. Admission Control: Limit ranges • Like resource quotas, but on a per-pod basis • E.g.: pods can’t request more than 1/4th of a CPU
  58. Admission Control: Limit ranges
       $ cat limits.yml
       apiVersion: v1
       kind: LimitRange
       metadata:
         name: limits
         namespace: default
       spec:
         limits:
         - type: Container
           defaultRequest:
             cpu: 250m
       $ kubectl create --namespace=development -f limits.yml
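The two admission plugins of slides 54 to 58 chained the way the API server runs them, a mutating LimitRange defaulting the container's CPU request and then the ResourceQuota check rejecting anything that would exceed "hard", as an added Python model; it is not code from the talk or from Kubernetes. The quota and default values mirror quota.yml and limits.yml above; the current usage figures and the pods are constructed, and the quantity parser covers only the suffixes those files use.

```python
import re

# Constructed objects mirroring the slides' quota.yml and limits.yml.
QUOTA_HARD = {"memory": "1Gi", "cpu": "20", "pods": "10"}
DEFAULT_REQUEST = {"cpu": "250m"}                         # LimitRange, type: Container
USED = {"memory": "768Mi", "cpu": "19.5", "pods": "9"}   # current namespace usage (constructed)

_SUFFIX = {"": 1, "m": 1e-3, "k": 1000, "M": 1000**2, "G": 1000**3,
           "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3}


def parse_quantity(q):
    """Parse a Kubernetes quantity ('250m', '1Gi', '19.5') into a plain number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"bad quantity: {q}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def apply_limit_range(pod, defaults=DEFAULT_REQUEST):
    """LimitRange admission (mutating): fill in defaultRequest where a container sets no request."""
    for container in pod["containers"]:
        requests = container.setdefault("requests", {})
        for resource, default in defaults.items():
            requests.setdefault(resource, default)
    return pod


def check_quota(pod, used=USED, hard=QUOTA_HARD):
    """ResourceQuota admission: name the first resource the pod would push over 'hard', else None."""
    needed = {"pods": 1.0}          # the pod itself counts against the "pods" quota
    for container in pod["containers"]:
        for resource, q in container.get("requests", {}).items():
            needed[resource] = needed.get(resource, 0.0) + parse_quantity(q)
    for resource, limit in hard.items():
        if parse_quantity(used.get(resource, "0")) + needed.get(resource, 0.0) > parse_quantity(limit):
            return f"exceeded quota for {resource}"
    return None


def admit(pod):
    """Admission chain as on the slides: LimitRange mutates, then ResourceQuota allows or rejects."""
    return check_quota(apply_limit_range(pod))
```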
  59. Admission Control: Other stuff
  60. Admission Control: Other stuff • DenyEscalatingExec • InitialResources • SecurityContextDeny • ServiceAccount (not the authn stuff) • Future: field-level auth
  61. API Server: Auth flow plugins (Diagram) Authenticator Plugin → Authorizer Plugin → Admission Plugin
  62. Conclusion • Lots of tools for cluster admins • Extensible through webhooks and projects like dex • Continuing to add more
  63. Thank you! Eric Chiang @erchiang | eric.chiang@coreos.com We’re hiring in all departments! Email: careers@coreos.com Positions: coreos.com/careers