Securing Clusters with Kubernetes Extensibility

Transcript

1. 4FDVSJOH
   $MVTUFST
   XJUI
   ,VCFSOFUFT
   &YUFOTJCJMJUZ "ZB
   0[BXB
   !MBEJDMF
   
   5BLBTIJ
   ,VTVNJ
   ,VCFSOFUFT
   
   $MPVE
   /BUJWF
   .FFUVQ

2. 
    "CPVU
   VT "ZB
   0[BXB
   
   !MBEJDMF
   4PGUXBSF
   &OHJOFFS
   
   BU
   ;
   -BC
   $PSQ 5BLBTIJ
   ,VTVNJ
   4PGUXBSF
   &OHJOFFS
   
   BU
   ;
   -BC
   $PSQ

3. 
    "ZB 5BLBTIJ 5PEBZˏT
   BHFOEB 
   ,VCFSOFUFT
   BT
   B
   4FSWJDF
   GPS
   :BIPP
   +BQBO
   
   )PX
   TIPVME
   XF
   DPOUSPM
   BDDFTT
   UP
   UIF
   ,VCFSOFUFT
   "1*
   TFSWFS
   
   8IBU
   JT
   +85
   BOE
   3#"$
   BOE
   )PX
   UP
   VTF
   JU

   
   3#"$
   JT
   /05
   FOPVHI
   
   %FNPOTUSBUJPO
   PG
   QSJWJMFHF
   FTDBMBUJPO
   4FDVSJOH
   ,VCFSOFUFT
   XJUI
   7BMJEBUJOH"ENJTTJPO8FCIPPL

4. ;
   -BC
   ,VCFSOFUFT
   BT
   B
   4FSWJDF 4 .BTUFS
   ,VCFSOFUFT
   $MVTUFS 6TFS
   ,VCFSOFUFT
   $MVTUFS 6TFS
   
   ,VCFSOFUFT
   $MVTUFS 6TFS
   
   ,VCFSOFUFT
   $MVTUFS

   Ӝ4FMGIFBMJOH
   UIF
   XIPMF
   DMVTUFS
   Ӝ4DBMJOH
   DMVTUFS
   FBTJMZ
   Ӝ;FSPEPXOUJNF
   VQHSBEF
   DMVTUFS
   WFSTJPO .BKPS
   'FBUVSFT .BTUFS
   $MVTUFS
   NBOBHFT
   NVMUJQMF
   6TFS
   ,VCFSOFUFT
   $MVTUFS
   BOE
   JUTFMG
   VTJOH
   $3%

5. )PX
   TIPVME
   XF
   DPOUSPM
   BDDFTT 5 .BTUFS
   ,VCFSOFUFT
   $MVTUFS 6TFS
   ,VCFSOFUFT
   $MVTUFS 6TFS
   
   ,VCFSOFUFT
   $MVTUFS 6TFS
   
   ,VCFSOFUFT
   $MVTUFS

   "QQ
   %FWFMPQFS "QQ
   %FWFMPQFS "QQ
   0QFSBUPS LT
   0QFSBUPS "UUBDLFS ✖%&/:

6. "DDFTT
   $POUSPM

7. 
   TUFQT
   "DDFTT
   $POUSPM 7 "VUIFOUJDBUJPO
   "VUI/ "VUIPSJ[BUJPO
   "VUI; "ENJTTJPO
   $POUSPM "1*
   4FSWFS "DDFTT

8. "MMPX 8IBU
   IBQQFOT
   JO
   FBDI
   TUFQ 8 "DDFTT 8IP
   BSF
   ZPV ✔
   $SFBUF
   9
   ✖
   %FMFUF
   :
    8IBU
   DBO
   ZPV
   EP %FOZ

   %FOZ %FOZ 7BMJEBUJOH
   
   .PEJGZJOH ٥٥٥ "MMPX "MMPX "VUI/ "VUI; "ENJTTJPO
   $POUSPM

9. "DDFTT
   $POUSPM
   NPEVMFT 9 9
   DMJFOU
   DFSU 1BTTXPSE +85 1MBOF
   5PLFO "VUI/ "VUI; "ENJTTJPO
   $POUSPM "#"$

   3#"$ 8FCIPPL /PEF
   3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH
   "ENJTTJPO
   8FCIPPL FUD FUD FUD

10. 8IZ
    EP
    XF
    VTF
    +85 10 9
    DMJFOU
    DFSU 1BTTXPSE +85 1MBOF
    5PLFO "VUI/ "VUI; "ENJTTJPO
    $POUSPM "#"$

    3#"$ 8FCIPPL /PEF
    3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH
    "ENJTTJPO
    FUD FUD FUD Ӝ %ZOBNJD
    VTFS
    BVUIFOUJDBUJPO
    Ӝ 1BTTXPSE
    BOE
    1MBOF
    5PLFO
    NPEVMFT
    SFRVJSF
    UP
    TFU
    "VUI/
    TFUUJOH
    XIFO
    CPPUJOH
    "1*
    TFSWFS
    Ӝ 4FWFSBM
    0*%$
    *E1T
    TVQQPSU
    UIJT
    NPEVMF

11. 8IZ
    EP
    XF
    VTF
    3#"$ 11 9
    DMJFOU
    DFSU 1BTTXPSE +85 1MBOF
    5PLFO "VUI/ "VUI; "ENJTTJPO
    $POUSPM "#"$

    3#"$ 8FCIPPL /PEF
    3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH
    "ENJTTJPO
    FUD FUD FUD Ӝ %ZOBNJD
    BDDFTT
    BVUIPSJ[BUJPO
    Ӝ /P
    BEEJUJPOBM
    EFWFMPQNFOU
    Ӝ 3#"$
    TFUUJOHT
    DBO
    CF
    DPOSNFE
    CZ
    LVCFDUM
    MJLF
    BOZ
    PUIFS
    SFTPVSDFT /05&
    *G
    ZPV
    BMSFBEZ
    IBWF
    "VUI;
    TZTUFN
    8FCIPPL
    JT
    B
    HPPE
    DIPJDF

12. "VUI/
    +85
    
    4FSWJDF"DDPVOU
    
    0*%$

13. 5XP
    DBUFHPSJFT
    PG
    6TFST 13 "1*
    4FSWFS "DDFTT 6TFS
    NBOBHFE
    CZ
    LT
    FH
    #PU /PSNBM
    6TFS
    FH
    "MJDF

14. #PUI
    4"
    BOE
    0*%$
    VTJOH
    +85 14 "1*
    4FSWFS 6TFS
    NBOBHFE
    CZ
    LT
    FH
    #PU /PSNBM
    6TFS
    FH
    "MJDF +85 +85 (FU
    +85
    GSPN
    B
    0*%$
    *E1

    (FU
    +85
    GSPN
    B
    4FSWJDF"DDPVOU

15. 4"
    4FDSFU
    IBT
    +85 15 
    $SFBUF
    B
    CPU
    4"
    JO
    UIF
    TZTUFN
    /4 
    %FUFDU
    UIF
    DSFBUJPO
    FWFOU 
    $SFBUF
    B
    CPU
    4"
    4FDSFU
    
    XJUI
    +85
    JO
    UIF
    TZTUFN
    /4 5PLFO
    
    $POUSPMMFS

    4FSWJDF
    "DDPVOU 4FDSFU
    +85

16. 4"
    $POUSPMMFS
    DSFBUFT
    EFGBVMU
    4"
    GPS
    BMM
    /4 16 
    $SFBUF
    TZTUFN
    /BNFTQBDF 
    $SFBUF
    EFGBVMU
    4"
    JO
    TZTUFN
    /4 4"
    $POUSPMMFS 4FSWJDF
    "DDPVOU

    /BNF
    TQBDF 
    %FUFDU
    UIF
    DSFBUJPO
    FWFOU

17. 7PMVNF "MM
    1PET
    BTTPDJBUF
    4FSWJDF"DDPVOU 17 4"
    "ENJTTJPO
    $POUSPMMFS .PVOU 
    $SFBUF
    1PE 
    4FU
    EFGBVMU
    /"
    *G
    UIF
    1PE
    EPFT
    OPU
    IBWF
    4" 4FDSFU
    

    +85 1PE 
    4FU
    *NBHF1VMM4FDSFUT
    PG
    4"
    *G
    UIF
    1PE
    EPFT
    OPU
    IBWF
    JU 
    4FU
    4FDSFU
    PG
    4"
    UP
    UIF
    1PE
    WPMVNF .PEJGZ
    1PE

18. %FY
    0QFO*%
    $POOFDU
    *%
    1SPWJEFS 18 %FY
    0*%$
    *E1 3FEJSFDU +85 6QTUSFBN
    *E1
    FH
    'BDFCPPL $MJFOU IUUQTHJUIVCDPNEFYJEQEFY
    

    0*%$
    JT
    B
    TJNQMF
    JEFOUJUZ
    MBZFS
    PO
    UPQ
    PG
    UIF
    0"VUI
    
    QSPUPDPM
    

19. +40/
    8FC
    5PLFO
    DPOTJTUT
    PG
    
    QBSUT 19 )FBEFS 1BZMPBE 4JHOBUVSF IUUQTKXUJP
    

20. 7FSJGZJOH
    +85
    PG
    0*%$ 20 "1*
    4FSWFS LVCFDUM +85 
    $BMM
    "1*
    XJUI
    +85 
    *T
    +85
    TJHOBUVSF
    WBMJE
    
    )BT
    UIF
    +85
    FYQJSFE
    

    MBU FYQ
    
    6TFS
    "VUIPSJ[FE 
    3FUVSO
    SFTVMU "VUIPSJ[BUJPO
    #FBSFS
    +85 ⚠
    /05&
    4"ˏT
    +85
    EPFT
    OPU
    IBWF
    FYQJSBUJPO
    EBUF
    BOE
    JU
    JT
    OPU
    SPUBUFE

21. "VUI;
    3#"$

22. 3PMF
    #BTF
    "DDFTT
    $POUSPM 22 "DDFTT %FOZ "MMPX 7JFXFS
    3PMF 4VCKFDU 3PMF Y $POUSPM

    #PC 7JFXFS
    DBO
    HFU
    SFTPVSDFT IBT
    SVMFT
    UIBU
     #JOEJOH
    NBOBHFS
    (SPVQ
    BOE
    
    7JFXFS
    3PMF *G
    #PC
    JT
    B
    NBOBHFS *G
    #PC
    JT
    OPU
    B
    NBOBHFS "DDFTT
    6TFS
    JT
    #PC

23. 3PMF 3PMF
    #JOEJOHT 3PMF 3#"$
    JO
    ,VCFSOFUFT 23 Y $POUSPM Ӝ
    4"
    Ӝ
    6TFS
    

    Ӝ
    (SPVQ /PSNBM
    6TFS ,T
    6TFS "VUIFOUJDBUFE
    6TFS %FOZ "MMPX ,VCFSOFUFT
    "1*
    0CKFDU subjects: - kind: Group name: manager roleRef: kind: Role name: viewer 4VCKFDU "DDFTT

24. 3PMF 3PMF
    #JOEJOHT 3PMF 3#"$
    JO
    ,VCFSOFUFT 24 Y $POUSPM %FOZ "MMPX

    ,VCFSOFUFT
    "1*
    0CKFDU metadata: name: viewer rules: - apiGroups: [""] resources: ["pods","pods/exec"] verbs: ["get","list","watch"] - nonResourceURLs: ["/version","/healthz"] verbs: [""] 4VCKFDU Ӝ
    4"
    Ӝ
    6TFS
    Ӝ
    (SPVQ /PSNBM
    6TFS ,T
    6TFS "VUIFOUJDBUFE
    6TFS "DDFTT

25. 8IJDI
    3#"$
    SFTPVSDFT
    TIPVME
    ZPV
    VTF 25 #JOEJOHT $MVTUFS3PMF#JOEJOHT 3PMF (SBOU
    QFSNJTTJPOT
    UP
    SFTPVSDFT
    JO
    UIF
    TQFDJD
    OBNFTQBDF $MVTUFS 3PMF 6TF
    $MVTUFS3PMF
    GSPN
    NVMUJQMF
    

    OBNFTQBDFT ˖ (SBOU
    BDDFTT
    UP
    OPO
    "1*
    SFTPVSDFT
    ˖ (SBOU
    BDDFTT
    QFSNJTTJPO
    UP
    SFTPVSDFT
    PG
    BMM
    OBNFTQBDFT $MVTUFS999
    EPFT
    OPU
    CFMPOH
    UP
    UIF
    /BNFTQBDFT

26. #VU
    3#"$
    JT
    /05
    FOPVHI

27. 1SFWFOU
    QSJWJMFHF
    FTDBMBUJPO Ӝ  Ӝ  DBO
    PCUBJO
    IPTUT
    SPPU
    CZ
    NPVOUJOH
    %PDLFS
    TPDLFU
    Ӝ  DBO
    BDDFTT
    IPTUT
    MFTZTUFN
    WJB
    QSPD<1*%>SPPU
    Ӝ

    
     ☠
    5IFTF
    BSF
    FTFOUJBMMZ
    FRVJWBMFOU
    UP
    SPPU
    PO
    UIF
    IPTU

28. SPOILER ALERT! :PV
    DBO
    VTF
    1PE4FDVSJUZ1PMJDZ
    PS
    
    7BMJEBUJOH"ENJTTJPO8FCIPPL
    UP
    QSFWFOU
    JU

29. %FNP
    1SJWJMFHF
    FTDBMBUJPO
    CZ
    IPTU1BUI 29
    
    IUUQTBTDJJOFNBPSHBG'+X+E4F#S)S%V.
    
    
    

30. )PX
    UP
    QSFWFOU
    QSJWJMFHF
    FTDBMBUJPO Ӝ 1PE4FDVSJUZ1PMJDZ
    %FOF
    BOE
    NBOBHF
    TFDVSJUZ
    QPMJDZ
    XJUI
    3#"$
    "EE
    
    UP
    
    UP
    VTF
    JU
    OFFE
    UP
    SFTUBSU
    LVCFBQJTFSWFS
    $BOOPU
    DSFBUF
    BOZ
    QPET
    XJUIPVU
    QPMJDZ
    OP
    EFGBVMU
    QSPWJEFE
    Ӝ

    7BMJEBUJOH"ENJTTJPO8FCIPPL
    *NQMFNFOU
    ZPVS
    PXO
    QPMJDZ
    DBO
    CF
    EZOBNJDBMMZ
    DPOHVSFE
    CZ
    
    /P
    OFFE
    UP
    SFTUBSU
    LVCFBQJTFSWFS
    

31. 7BMJEBUJOH"ENJTTJPO8FCIPPL
     "1*
    4FSWFS :PVS
    8FCIPPL     

              *T
    UIF
    PCKFDU
    BMMPXFE ZFT
    
    OP

32. 4VNNBSZ Ӝ $VTUPN3FTPVSDF%FOJUJPO
    UP
    DSFBUF
    ,VCFSOFUFTBTB4FSWJDF
    JUTFMG
    Ӝ 0QFO*%
    $POOFDU
    
    "VUIPSJ[BUJPO
    8FCIPPL
    UP
    JOUFHSBUF
    PVS
    BVUIO
    
    BVUI[
    TZTUFN
    Ӝ 7BMJEBUJOH"ENJTTJPO8FCIPPL
    UP
    QSFWFOU
    QSJWJMFHF
    FTDBMBUJPO
    BOE
    JNQMFNFOU
    DVTUPN
    QPMJDZ

    
     ,VCFSOFUFT
    FYUFOTJCJMJUZ
    BSF
    BMTP
    VTFGVM
    UP
    TFDVSF
    DMVTUFST

33. 8F
    BSF
    IJSJOH CJUMZ[MBCDBSFFST