Athenzを用いたKubernetes Webhook Authorization

Transcript

1. AthenzΛ༻͍ͨKubernetes Webhook Authorization Kubernetes Meetup Tokyo #14, Nov 8, 2018

2. Yusuke Kato <[email protected]> @kpango Yahoo! JAPAN CTO Office SWAT Section

   / Language Support Go Team

3. About Yahoo! JAPAN

4. About Yahoo! JAPAN 1. On-premise Servers 2. ࣾ಺ʹ͸Kubernetes as a

   ServiceͱPaaS྆ํ͕͋Δ 3. k8sΫϥελͷ਺͸ࠓޙ΋૿Ճ͢ΔͱΈΒΕ͍ͯΔɻ 4. ࣾ಺ͷKubernetesΫϥελͷ਺͸148Ϋϥελ (2018/11/1࣌఺) 5. ࣾ಺ͷAPI΍PlatformͷೝূೝՄʹ͸
 Yahoo Inc. (ݱOath Inc.)͕OSSԽͨ͠AthenzΛར༻

5. Problem

6. Problem 1. ࣾ಺ͷଟ਺ͷk8s clusterʹର͢ΔΞΫηε੍ޚ 2. ϚϧνΫϥ΢υ؀ڥʹ͓͚Δ౷߹తͳΞΫηε੍ޚͷඞཁੑ 3. k8s RBAC ͱ

   Athenz RBACͷࢥ૝ͷҧ͍

7. Solution

8. 1. k8sͷAuthorization ModeΛRBAC͔ΒWebhookʹมߋ 2. GarmΛ༻͍ͯɺk8s SubjectAccessReviewΛAthenzͷRBAC ܗࣜʹม׵ 3. Garm͕Athenz΁໰͍߹ΘͤΛߦ͍AuthorizationΛAthenzʹ ू໿ɻ

   4. Kubernetes؅ཧऀ͸Athenz্ͰPolicy΍Roleͷߋ৽Λߦ͏ɻ Solution

9. About k8s authorization mode

10. Kubernetes Authorization Mode ▸ AlwaysAllow / AlwaysDeny ▸ ৗʹAllow /

    Deny͢ΔΞΫηείϯτϩʔϧ ▸ Node ▸ kubelet͔ΒͷϦΫΤετʹରͯ͠ΞΫηείϯτϩʔϧΛߦ͏ ▸ ABAC ▸ Attribute-based Access Control, ϦΫΤετ͞ΕͨଐੑͱPolicyͷத਎Λൺֱ͠Ϛον͢Δ ΋ͷ͕͋Ε͹ೝՄɻ ▸ RBAC ▸ Role-based Access Control, Role΍ClusterRoleͱPolicyΛBind͠ΞΫηεͰ͖ΔResource ͳͲΛίϯτϩʔϧ͍ͯ͠Δɻ ▸ Webhook ▸ SubjectAccessReviewͷ಺༰͕WebhookͰඈΜͰ͘ΔͷͰೝՄͷϩδοΫΛಠࣗʹఆٛͰ ͖Δɻ

11. About k8s webhook authorization mode

12. Kubernetes Webhook Authorization Mode ▸ WebhookϦΫΤετϖΠϩʔυ͸ SubjectAccessReviewΦϒδΣΫτ ▸ ResponseϖΠϩʔυͷstatus.allowedʹ
 true

    / falseΛฦ͢͜ͱͰίϯτϩʔϧ͢Δ ▸ resourceAttributesϑΟʔϧυʹ͸ଞʹɺ
 ResourceName, SubResourceͳͲ΋͋Δ

13. About Athenz

14. About Athenz ▸ Service Authentication ▸ Ϟμϯͳ؀ڥͷ͋ΒΏΔWorkload/Serviceʹ͓͍ͯx.509 certificateΛ༻͍ͨ҆શͳidentity authenticationΛఏڙ ▸

    Authorization ▸ Provides fine-grained Role Based Access Control (RBAC)

15. About Athenz RBAC Data Model

16. About Athenz RBAC Data Model

17. About Athenz RBAC Data Model શͯͷ৘ใΛ؅ཧ ͢Δ໊લۭؒ

18. About Athenz RBAC Data Model Authenticated User & Service

19. About Athenz RBAC Data Model Role = Grouped Principals

20. About Athenz RBAC Data Model AthenzͷΞΫηε੍ޚ ઃఆͷ࣮ଶ

21. Why Athenz

22. Single source of truth ▸ AWS, GCP΍Kubernetes OpenStack ͳͲͷΫϥ΢υ؀ڥͷଟ ͘͸͢ͰʹݸʑʹΞΫηε੍ޚͷػೳΛ͍࣋ͬͯΔ

    ▸ Athenz͸༷ʑͳ؀ڥͰಈ࡞͠ΞΫηε੍ޚ৘ใͷSSoT ʢSingle Source of TruthʣΛ࣮ݱ͢Δࣄ͕Ͱ͖Δ Cloud computing environments OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda

23. About Garm

24. About Garm ▸ k8s webhook authorizationΛར༻͢Δ͜ͱͰ
 AthenzʹauthorizationΛҕৡ͢Δ ▸ golang੡ ▸

    yahoo/k8s-athenz-webhookͷϥΠϒϥϦΛར༻ ▸ yamlΛ༻͍ͨॊೈͳઃఆ ▸ k8s SubjectAccessReviewΛ
 AthenzͷData Modelʹॊೈʹม׵ ▸ ୯ମͰblack list / white listػೳ ▸ Kubernetes as a Service޲͚ͷAuthorizationػೳ

25. About Garm 1. WebhookʹΑΓSubjectAccessReview͕ૹΒΕͯ͘Δɻ 2. SubjectAccessReviewΛconfig.yamlΛݩʹɺAthenz޲͚ʹม ׵Λߦ͍Athenzʹ໰͍߹ΘͤΔɻ

26. ▸ Kubernetes RBACͱAthenz DataModelͷൺֱ About Garm Kubernetes Athenz Verb get,

    list, watch, create, update Action get, list, watch, create, update Namespace kube-system, default, … SubDomain {Top Level Domain}.{namespace} ex. athenz.kube-system API Group apps, autoscaling, extensions … Resource {API Group}.{Resource}.{Name} ex. apps.deployments.garm Resource pods, configmaps, replicasets, deployments… Name garm, istio, prometheus …

27. About Garm 1. White List FirstͳBlack List 2. Verb, Namespace,

    API Group, 
 Resource, ResourceName୯ҐͰͷ
 ΞΫηε੍ޚΛఏڙ 3. ϫΠϧυΧʔυ΍ਖ਼نදݱ
 ͕ར༻Մೳ garm config.yaml

28. Cluster Kube API Server About Garm Admin Domain Deny: kube-system’s

    secret User Domain KaaS Admin k8s user kube-system’s secret is kaas admin resource kubectl get secret -n kube-system kubectl get secret garm config.yaml

29. Demo

30. Wrap Up

31. kube-api-server send webhook to Garm Garm maps SubjectAccessReview to Athenz

    Style Garm checks the White List Garm checks the Admin Access List About Garm Garm decides the Athenz Domain Garm Send AccessCheck Request to Athenz Athenz Domain checks Policy & Principal & Role If Exists In Black List If Exists In White List Garm checks the Black List If Not Exists In Black List Garm API

32. Garm Future Work

33. Future Work ▸ Authenticationʹ΋ରԠ ▸ Garm <=> AthenzؒͷmTLSରԠ ▸ ෳ਺ͷUser

    DomainରԠ

34. Thank you!

35. About Athenz ▸ Athenz Website: http://athenz.io ▸ Athenz Github: https://github.com/yahoo/athenz

    ▸ Garm Github: https://github.com/yahoojapan/garm (ۙ೔ެ։) ▸ Athenz Slack: https://athenz.slack.com/ ▸ Questions or Comments: [email protected]

36. Appendix

37. Athenz Authorization

38. About Athenz ▸ Centralized Access Control ▸ Decentralized Access Control

39. Athenz Authorization Centralized Access Control

40. Athenz Authorization Decentralized Access Control

41. EOP