Securing Clusters with Kubernetes Extensibility

4FDVSJOH$MVTUFSTXJUI
,VCFSOFUFT&YUFOTJCJMJUZ
"ZB0[BXB !MBEJDMF
5BLBTIJ,VTVNJ
,VCFSOFUFT$MPVE/BUJWF.FFUVQ

View Slide

"CPVUVT
"ZB0[BXB!MBEJDMF
4PGUXBSF&OHJOFFS
BU;-BC$PSQ
5BLBTIJ,VTVNJ
4PGUXBSF&OHJOFFS
BU;-BC$PSQ

View Slide

"ZB
5BLBTIJ
5PEBZˏTBHFOEB
,VCFSOFUFTBTB4FSWJDFGPS:BIPP+BQBO
)PXTIPVMEXFDPOUSPMBDDFTTUPUIF,VCFSOFUFT"1*TFSWFS
8IBUJT+85BOE3#"$ BOE)PXUPVTFJU
3#"$JT/05FOPVHI
%FNPOTUSBUJPOPGQSJWJMFHFFTDBMBUJPO
4FDVSJOH,VCFSOFUFTXJUI7BMJEBUJOH"ENJTTJPO8FCIPPL

View Slide

;-BC,VCFSOFUFTBTB4FSWJDF
4
.BTUFS
,VCFSOFUFT$MVTUFS
6TFS
,VCFSOFUFT$MVTUFS
6TFS
,VCFSOFUFT$MVTUFS
6TFS
,VCFSOFUFT$MVTUFS
Ӝ4FMGIFBMJOHUIFXIPMF
DMVTUFS
Ӝ4DBMJOHDMVTUFSFBTJMZ
Ӝ;FSPEPXOUJNFVQHSBEF
DMVTUFSWFSTJPO
.BKPS'FBUVSFT
.BTUFS$MVTUFSNBOBHFTNVMUJQMF6TFS
,VCFSOFUFT$MVTUFSBOEJUTFMGVTJOH$3%

View Slide

)PXTIPVMEXFDPOUSPMBDDFTT
5
.BTUFS
,VCFSOFUFT$MVTUFS
6TFS
,VCFSOFUFT$MVTUFS
6TFS
,VCFSOFUFT$MVTUFS
6TFS
,VCFSOFUFT$MVTUFS

"QQ
%FWFMPQFS
"QQ
%FWFMPQFS
"QQ
0QFSBUPS
LT
0QFSBUPS
"UUBDLFS
✖%&/:

View Slide

"DDFTT$POUSPM

View Slide

TUFQT"DDFTT$POUSPM
7
"VUIFOUJDBUJPO
"VUI/

"VUIPSJ[BUJPO
"VUI;

"ENJTTJPO
$POUSPM
"1*4FSWFS
"DDFTT

View Slide

"MMPX
8IBUIBQQFOTJOFBDITUFQ
8
"DDFTT
8IPBSFZPV
✔$SFBUF9
✖%FMFUF:

8IBUDBOZPVEP
%FOZ %FOZ %FOZ
7BMJEBUJOH
.PEJGZJOH
٥٥٥
"MMPX "MMPX
"VUI/ "VUI; "ENJTTJPO$POUSPM

View Slide

"DDFTT$POUSPMNPEVMFT
9
9DMJFOUDFSU
1BTTXPSE
+85
1MBOF5PLFO
"#"$
3#"$
8FCIPPL
/PEF3PMF
4FSWJDF"DDPVOU
3FTPVSDF2VPUB
1SJPSJUZ
7BMJEBUJOH
"ENJTTJPO
8FCIPPL
FUD
FUD FUD

View Slide

8IZEPXFVTF+85
10
9DMJFOUDFSU
1BTTXPSE
+85
1MBOF5PLFO
"#"$
3#"$
8FCIPPL
/PEF3PMF
4FSWJDF"DDPVOU
3FTPVSDF2VPUB
1SJPSJUZ
7BMJEBUJOH
"ENJTTJPO
FUD
FUD FUD
Ӝ %ZOBNJDVTFSBVUIFOUJDBUJPO
Ӝ 1BTTXPSEBOE1MBOF5PLFONPEVMFT
SFRVJSFUPTFU"VUI/TFUUJOHXIFOCPPUJOH
"1*TFSWFS
Ӝ 4FWFSBM0*%$*E1TTVQQPSUUIJTNPEVMF

View Slide

8IZEPXFVTF3#"$
11
9DMJFOUDFSU
1BTTXPSE
+85
1MBOF5PLFO
"#"$
3#"$
8FCIPPL
/PEF3PMF
4FSWJDF"DDPVOU
3FTPVSDF2VPUB
1SJPSJUZ
7BMJEBUJOH
"ENJTTJPO
FUD
FUD FUD
Ӝ %ZOBNJDBDDFTTBVUIPSJ[BUJPO
Ӝ /PBEEJUJPOBMEFWFMPQNFOU
Ӝ 3#"$TFUUJOHTDBOCF
DPOSNFECZLVCFDUMMJLFBOZ
PUIFSSFTPVSDFT
/05&*GZPVBMSFBEZIBWF"VUI;TZTUFN
8FCIPPLJTBHPPEDIPJDF

View Slide

"VUI/+85 4FSWJDF"DDPVOU0*%$

View Slide

5XPDBUFHPSJFTPG6TFST
13
"1*4FSWFS
"DDFTT
6TFSNBOBHFECZLT
FH#PU
/PSNBM6TFS
FH"MJDF

View Slide

#PUI4"BOE0*%$VTJOH+85
14
"1*4FSWFS
6TFSNBOBHFECZLT
FH#PU
/PSNBM6TFS
FH"MJDF
+85
+85
(FU+85GSPNB0*%$*E1
(FU+85GSPN
B4FSWJDF"DDPVOU

View Slide

4"4FDSFUIBT+85
15
$SFBUFBCPU4"
JOUIFTZTUFN/4
%FUFDUUIF
DSFBUJPOFWFOU
$SFBUFBCPU4"4FDSFU
XJUI+85JOUIFTZTUFN/4
5PLFO
$POUSPMMFS
4FSWJDF
"DDPVOU
4FDSFU
+85

View Slide

4"$POUSPMMFSDSFBUFTEFGBVMU4"GPSBMM/4
16
$SFBUFTZTUFN
/BNFTQBDF
$SFBUFEFGBVMU
4"JOTZTUFN/4
4"
$POUSPMMFS
4FSWJDF
"DDPVOU
/BNF
TQBDF
%FUFDUUIF
DSFBUJPOFWFOU

View Slide

7PMVNF
"MM1PETBTTPDJBUF4FSWJDF"DDPVOU
17
4""ENJTTJPO
$POUSPMMFS
.PVOU
$SFBUF1PE
4FUEFGBVMU/"*GUIF
1PEEPFTOPUIBWF4"
4FDSFU
+85
1PE
4FU*NBHF1VMM4FDSFUTPG4"*G
UIF1PEEPFTOPUIBWFJU
4FU4FDSFUPG4"UPUIF1PEWPMVNF
.PEJGZ1PE

View Slide

%FY0QFO*%$POOFDU*%1SPWJEFS
18
%FY
0*%$*E1

3FEJSFDU
+85
6QTUSFBN*E1
FH'BDFCPPL
$MJFOU
IUUQTHJUIVCDPNEFYJEQEFY
0*%$JTBTJNQMFJEFOUJUZMBZFSPO
UPQPGUIF0"VUIQSPUPDPM

View Slide

+40/8FC5PLFODPOTJTUTPGQBSUT
19
)FBEFS
1BZMPBE
4JHOBUVSF
IUUQTKXUJP

View Slide

7FSJGZJOH+85PG0*%$
20
"1*4FSWFS
LVCFDUM
+85
$BMM"1*XJUI+85
*T+85TJHOBUVSFWBMJE
)BTUIF+85FYQJSFE MBUFYQ

6TFS"VUIPSJ[FE
3FUVSOSFTVMU
"VUIPSJ[BUJPO#FBSFS+85
⚠/05&
4"ˏT+85EPFTOPUIBWFFYQJSBUJPOEBUF
BOEJUJTOPUSPUBUFE

View Slide

"VUI;3#"$

View Slide

3PMF#BTF"DDFTT$POUSPM
22
"DDFTT
%FOZ
"MMPX
7JFXFS3PMF
4VCKFDU 3PMF
Y $POUSPM
#PC
7JFXFSDBOHFU
SFTPVSDFT
IBTSVMFTUIBU
#JOEJOH
NBOBHFS(SPVQ
BOE
7JFXFS3PMF
*G#PCJTB
NBOBHFS
*G#PCJTOPU
BNBOBHFS
"DDFTT6TFSJT
#PC

View Slide

3PMF
3PMF
#JOEJOHT
3PMF
3#"$JO,VCFSOFUFT
23
Y $POUSPM
Ӝ4"
Ӝ6TFS
Ӝ(SPVQ
/PSNBM6TFS
,T6TFS
"VUIFOUJDBUFE6TFS
%FOZ
"MMPX
,VCFSOFUFT"1*0CKFDU
subjects:
- kind: Group
name: manager
roleRef:
kind: Role
name: viewer
4VCKFDU
"DDFTT

View Slide

3PMF
3PMF
#JOEJOHT
3PMF
3#"$JO,VCFSOFUFT
24
Y $POUSPM
%FOZ
"MMPX
,VCFSOFUFT"1*0CKFDU
metadata:
name: viewer
rules:
- apiGroups: [""]
resources: ["pods","pods/exec"]
verbs: ["get","list","watch"]
- nonResourceURLs: ["/version","/healthz"]
verbs: [""]
4VCKFDU
Ӝ4"
Ӝ6TFS
Ӝ(SPVQ
/PSNBM6TFS
,T6TFS
"VUIFOUJDBUFE6TFS
"DDFTT

View Slide

8IJDI3#"$SFTPVSDFTTIPVMEZPVVTF
25
#JOEJOHT $MVTUFS3PMF#JOEJOHT
3PMF
(SBOUQFSNJTTJPOTUPSFTPVSDFTJOUIF
TQFDJDOBNFTQBDF
$MVTUFS
3PMF
6TF$MVTUFS3PMFGSPNNVMUJQMF
OBNFTQBDFT
˖ (SBOUBDDFTTUPOPO"1*SFTPVSDFT
˖ (SBOUBDDFTTQFSNJTTJPOUPSFTPVSDFTPG
BMMOBNFTQBDFT
$MVTUFS999EPFTOPUCFMPOH
UPUIF/BNFTQBDFT

View Slide

#VU3#"$JT/05FOPVHI

View Slide

1SFWFOUQSJWJMFHFFTDBMBUJPO
Ӝ 
Ӝ 
DBOPCUBJOIPTUTSPPUCZNPVOUJOH%PDLFSTPDLFU
Ӝ 
DBOBDDFTTIPTUTMFTZTUFNWJBQSPD<1*%>SPPU
Ӝ 

☠5IFTFBSFFTFOUJBMMZFRVJWBMFOUUPSPPUPOUIFIPTU

View Slide

SPOILER ALERT!
:PVDBOVTF
1PE4FDVSJUZ1PMJDZ
PS
7BMJEBUJOH"ENJTTJPO8FCIPPL
UPQSFWFOUJU

View Slide

%FNP1SJWJMFHFFTDBMBUJPOCZIPTU1BUI
29
IUUQTBTDJJOFNBPSHBG'+X+E4F#S)S%V.

View Slide

)PXUPQSFWFOUQSJWJMFHFFTDBMBUJPO
Ӝ 1PE4FDVSJUZ1PMJDZ
%FOFBOENBOBHFTFDVSJUZQPMJDZXJUI3#"$
"EEUPUPVTFJU
OFFEUPSFTUBSULVCFBQJTFSWFS
$BOOPUDSFBUFBOZQPETXJUIPVUQPMJDZ OPEFGBVMUQSPWJEFE

Ӝ 7BMJEBUJOH"ENJTTJPO8FCIPPL
*NQMFNFOUZPVSPXOQPMJDZ
DBOCFEZOBNJDBMMZDPOHVSFECZ
/POFFEUPSFTUBSULVCFBQJTFSWFS

View Slide

7BMJEBUJOH"ENJTTJPO8FCIPPL

"1*4FSWFS
:PVS8FCIPPL















*TUIFPCKFDUBMMPXFE ZFTOP

View Slide

4VNNBSZ
Ӝ $VTUPN3FTPVSDF%FOJUJPO
UPDSFBUF,VCFSOFUFTBTB4FSWJDFJUTFMG
Ӝ 0QFO*%$POOFDU"VUIPSJ[BUJPO8FCIPPL
UPJOUFHSBUFPVSBVUIOBVUI[TZTUFN
Ӝ 7BMJEBUJOH"ENJTTJPO8FCIPPL
UPQSFWFOUQSJWJMFHFFTDBMBUJPOBOEJNQMFNFOUDVTUPNQPMJDZ

,VCFSOFUFTFYUFOTJCJMJUZBSFBMTPVTFGVMUPTFDVSFDMVTUFST

View Slide

8FBSFIJSJOH
CJUMZ[MBCDBSFFST

View Slide

Securing Clusters with Kubernetes Extensibility

Securing Clusters with Kubernetes Extensibility

Aya (Igarashi) Ozawa

More Decks by Aya (Igarashi) Ozawa

Other Decks in Technology

Featured

Transcript