Slide 1

Eric Chiang @erchiang | [email protected]
Kubernetes Access Control with dex

Slide 2

Today's agenda!
1. Kubernetes authn/authz for admins
2. How dex fits into this

Slide 3

Kubernetes

Slide 4

Kubernetes
● Distributed application management system
● Container based
● Powerful API

Slide 5

Kubernetes (diagram)
Internet → Worker 1/n (kubelet, proxy)

Slide 6

Kubernetes (diagram)
Internet → Worker 1/n (kubelet, proxy)
Control Plane: API Server, Scheduler, Controller
kubectl (talks to the API Server)

Slide 8

What wants to talk to the API Server?
● Users through kubectl
● Containers inside Kubernetes
● Control plane components
● Basically everything

Slide 9

API Server: Auth flow
● How do things get to talk to the API Server?
● Authn
  ○ Identifying the user
  ○ Please show me your ID.
● Authz
  ○ Deciding what that identity is allowed to do
  ○ You're not old enough to drink!

Slide 10

API Server: Auth flow plugins (diagram)
Authenticator Plugin → Authorizer Plugin → Admission Plugin

Slide 11

API Server: Auth flow plugins (diagram)
HTTP(S) Request → Authenticator Plugin → Authorizer Plugin → Admission Plugin
● Authenticator Plugin: get user name, user ID, groups
● Authorizer Plugin: Allow/Deny
● Admission Plugin: additional request modification or specialized field level rules

Slide 12

API Server: Auth flow
● Everything must go through this flow.
● Doesn't matter if you're an app or a human sitting at a workstation

Slide 13

Authn Plugins
● Who's making the request?
  ○ x509 Client Certs
  ○ Password/token files
  ○ Keystone
  ○ Service Accounts
  ○ OpenID Connect
  ○ Webhook (v1.3)

Slide 14

Authn Plugins: x509 Client Cert

Slide 15

Authn Plugins: x509 Client Cert

$ cat /etc/kubernetes/worker.conf
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/worker.pem
    client-key: /etc/kubernetes/ssl/worker-key.pem

Slide 16

Authn Plugins: x509 Client Cert

$ openssl x509 -in admin.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15171329550234977082
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kube-ca
        Validity
            Not Before: Dec 29 20:02:40 2015 GMT
            Not After : Dec 28 20:02:40 2016 GMT
        Subject: CN=kube-admin

(The API server accepts any certificate that chains to the CA given by --client-ca-file and uses the Subject CN, here kube-admin, as the user name.)

Slide 17

Authn Plugins: Password/Token File

Slide 18

Authn Plugins: Password/Token File

$ cat /etc/k8s/passwords.csv
password1,eric,1000
password2,bobby,1001
$ /hyperkube apiserver \
    --basic-auth-file=/etc/k8s/passwords.csv

$ cat /etc/k8s/tokens.csv
secrettoken1,eric,1000
secrettoken2,bobby,1001
$ /hyperkube apiserver \
    --token-auth-file=/etc/k8s/tokens.csv

(Columns are the password or token, the user name and the user ID; an optional fourth column holds a quoted, comma-separated list of groups. Both files store credentials in plaintext and are read once at API server start, so rotating a credential means restarting the API server.)

Slide 19

Authn Plugins: Keystone

Slide 20

Authn Plugins: Keystone

$ /hyperkube apiserver \
    --experimental-keystone-url=https://ks.example.com

GET /apis HTTP/1.1
Host: apiserver.example.com
Authorization: Basic {{ Keystone username/password }}

(The API server validates the Basic credentials against Keystone; they travel with every request, so this only makes sense over TLS.)

Slide 21

Authn Plugins: Service accounts

Slide 22

Authn Plugins: Service accounts
● Automatically enabled
● Can be assigned to pods
● Useful for automation

Slide 23

Authn Plugins: Service accounts

$ kubectl create serviceaccount bob-the-bot

Slide 24

Authn Plugins: Service accounts

$ kubectl create serviceaccount bob-the-bot
$ kubectl get serviceaccount bob-the-bot -o yaml
apiVersion: v1
kind: ServiceAccount
secrets:
- name: bob-the-bot-token-308g1
$ kubectl get secret bob-the-bot-token-308g1 -o yaml
apiVersion: v1
kind: Secret
data:
  namespace: ZGVmYXVsdA==
  ca.crt: {{ CA CERT OF API SERVER }}
  token: {{ TOKEN }}

(Output abbreviated as on the slide. The namespace value is base64 for "default". The token is a JWT signed with the cluster's service account signing key; anyone holding it can act as bob-the-bot, so treat the secret like a password.)

Slide 25

Authn Plugins: Token Webhook (1.3)

Slide 26

Authn Plugins: Token Webhook (1.3)
● Query an outside provider
● Roll your own authenticator
(diagram: Authenticator Plugin ↔ Remote Service)
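The two ideas above fit together: a webhook authenticator is just an HTTP service that answers TokenReview requests, and the static token file from the Password/Token File slides is the simplest possible backend for one. The Go program below is an added example written for this page, not code from the talk, from Kubernetes or from dex. It parses a constructed token file in the --token-auth-file layout (token, user, uid, optional quoted group list), serves the authentication.k8s.io/v1beta1 TokenReview exchange the API server performs against the service named in --authentication-token-webhook-config-file, and exercises the handler in-process. The names loadTokens, lookup, handler and review are this example's own.

```go
package main

import (
	"crypto/subtle"
	"encoding/csv"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample in the --token-auth-file layout: token,user,uid[,"group1,group2"].
// Not real credentials.
const tokenFile = `secrettoken1,eric,1000,"admins,devs"
secrettoken2,bobby,1001
`

type user struct {
	Name, UID string
	Groups    []string
}

// loadTokens parses the CSV into a token -> user map; the groups column is optional.
func loadTokens(text string) (map[string]user, error) {
	cr := csv.NewReader(strings.NewReader(text))
	cr.FieldsPerRecord = -1
	recs, err := cr.ReadAll()
	if err != nil {
		return nil, err
	}
	users := make(map[string]user, len(recs))
	for _, rec := range recs {
		if len(rec) < 3 {
			return nil, fmt.Errorf("record %q needs token,user,uid", rec)
		}
		u := user{Name: rec[1], UID: rec[2]}
		if len(rec) > 3 && rec[3] != "" {
			u.Groups = strings.Split(rec[3], ",")
		}
		users[rec[0]] = u
	}
	return users, nil
}

// lookup compares against every stored token in constant time and never returns early,
// so response time does not reveal how much of a guessed token was right.
func lookup(users map[string]user, presented string) (found user, ok bool) {
	for tok, u := range users {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(presented)) == 1 {
			found, ok = u, true
		}
	}
	return found, ok
}

// Wire types for the authentication.k8s.io/v1beta1 TokenReview the API server POSTs.
type userInfo struct {
	Username string   `json:"username"`
	UID      string   `json:"uid"`
	Groups   []string `json:"groups,omitempty"`
}

type reviewStatus struct {
	Authenticated bool      `json:"authenticated"`
	User          *userInfo `json:"user,omitempty"`
}

type tokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Token string `json:"token"`
	} `json:"spec"`
	Status *reviewStatus `json:"status,omitempty"`
}

// handler is the "roll your own authenticator" service the API server is pointed at.
func handler(users map[string]user) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var tr tokenReview
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&tr) != nil || tr.Kind != "TokenReview" {
			http.Error(w, "expected a POSTed TokenReview", http.StatusBadRequest)
			return
		}
		tr.Status = &reviewStatus{} // unauthenticated unless the token is known
		if u, ok := lookup(users, tr.Spec.Token); ok {
			tr.Status.Authenticated = true
			tr.Status.User = &userInfo{Username: u.Name, UID: u.UID, Groups: u.Groups}
		}
		tr.Spec.Token = "" // never echo the credential back
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tr)
	})
}

// review plays the API server's part: one TokenReview round trip, handled in-process.
func review(h http.Handler, token string) reviewStatus {
	req := tokenReview{APIVersion: "authentication.k8s.io/v1beta1", Kind: "TokenReview"}
	req.Spec.Token = token
	body, _ := json.Marshal(req)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/authenticate", strings.NewReader(string(body))))
	var out tokenReview
	if json.Unmarshal(rec.Body.Bytes(), &out) != nil || out.Status == nil {
		return reviewStatus{}
	}
	return *out.Status
}

func main() {
	users, err := loadTokens(tokenFile)
	if err != nil {
		panic(err)
	}
	h := handler(users)
	fmt.Printf("%+v\n", review(h, "secrettoken1"))
	fmt.Printf("%+v\n", review(h, "not-a-token"))
}
```

In a real deployment the service would listen on TLS with a client certificate required, since whoever can reach it can ask it to translate arbitrary tokens into identities; the webhook kubeconfig the API server reads carries those certificates.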

Slide 27

Authn Plugins: OpenID Connect

Slide 28

Authn Plugins: OpenID Connect
● Contributed by CoreOS
● OpenID Connect
  ○ Basically OAuth2, with an identity layer on top
  ○ Returns a signed ID token alongside the access token, so a third party can authenticate the user offline by checking the signature instead of calling the provider
  ○ Implemented by Google and SalesForce
● Tectonic uses this plugin with dex
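The "offline" part of the slide is the point of the plugin: the API server only needs the issuer's public key to accept an ID token. The Go program below is an added example for this page, not code from Kubernetes, dex or the talk. It plays both sides: sign builds an RS256-signed JWT the way an issuer would, and verify does what the authenticator does per request, pinning the algorithm, checking the signature before trusting any claim, then checking issuer, audience and expiry and mapping claims to a user name and groups. Assumptions of this example: the key pair is generated in-process instead of fetched from the issuer's JWKS endpoint, the aud claim is a single string (the spec also allows an array), and the email and groups claims stand in for whatever --oidc-username-claim and --oidc-groups-claim select.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the subset of an ID token the authenticator looks at: iss, aud and exp for
// validity, plus the claims mapped to a user name and groups (assumed: email, groups).
type claims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"` // single string assumed; the spec also allows an array
	Expiry   int64    `json:"exp"`
	Email    string   `json:"email"`
	Groups   []string `json:"groups,omitempty"`
}

// userInfo is what the authenticator hands on to the authorizer.
type userInfo struct {
	Name   string
	Groups []string
}

var b64 = base64.RawURLEncoding

// sign is the issuer's side: a compact JWS (header.payload.signature) using RS256.
func sign(key *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verify is the relying party's side. Only the issuer's public key is needed, so the
// check is offline: no round trip to the identity provider per request.
func verify(pub *rsa.PublicKey, token, issuer, clientID string, now time.Time) (userInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return userInfo{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil {
		return userInfo{}, errors.New("bad header")
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
	if hdr.Alg != "RS256" {
		return userInfo{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return userInfo{}, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return userInfo{}, errors.New("signature does not verify")
	}
	// Claims are only looked at after the signature checks out.
	var c claims
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return userInfo{}, errors.New("bad payload")
	}
	switch {
	case c.Issuer != issuer:
		return userInfo{}, fmt.Errorf("issuer %q is not %q", c.Issuer, issuer)
	case c.Audience != clientID:
		return userInfo{}, fmt.Errorf("token is for client %q, not %q", c.Audience, clientID)
	case now.Unix() >= c.Expiry:
		return userInfo{}, errors.New("token expired")
	case c.Email == "":
		return userInfo{}, errors.New("username claim missing")
	}
	return userInfo{Name: c.Email, Groups: c.Groups}, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the issuer's published key
	now := time.Now()
	tok, _ := sign(key, claims{Issuer: "https://auth.example.com", Audience: "kubernetes",
		Expiry: now.Add(time.Hour).Unix(), Email: "[email protected]", Groups: []string{"developer"}})
	fmt.Println(verify(&key.PublicKey, tok, "https://auth.example.com", "kubernetes", now))
}
```

The audience check is what stops an ID token minted for some other client of the same issuer from being replayed against the API server; the issuer and client ID correspond to the --oidc-issuer-url and --oidc-client-id flags the plugin takes.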

Slide 29

Dex
● Open-source https://github.com/coreos/dex
● Identity service
  ○ Tired of rewriting authn
● Implements OpenID Connect

Slide 30

Dex: account.tectonic.com

Slide 31

Dex: account.tectonic.com
(diagram: End user ↔ account.tectonic.com ↔ auth.tectonic.com running dex; steps 1 to 5)

Slide 32

Dex: Tectonic
(diagram: End user ↔ Tectonic Console ↔ Tectonic Identity running dex; steps 1 to 5)

Slide 34

Dex: Federation
(diagram: dex federating to upstream identity providers)

Slide 36

Authn Plugins: OpenID Connect
Work for 1.3:
● Better kubectl support
  ○ kubectl login
  ○ Refresh token support

Slide 37

Kubernetes Authz

Slide 38

Kubernetes Authz (diagram)
HTTP(S) Request → Authenticator Plugin → Authorizer Plugin → Admission Plugin
● Authenticator Plugin: get user name, user ID, groups
● Authorizer Plugin: Allow/Deny
● Admission Plugin: additional request modification or specialized field level rules

Slide 39

Authz Plugins
● ABAC
● Webhook
● RBAC (1.3)

Slide 40

Authz Plugins: ABAC

$ /hyperkube apiserver \
    --authorization-policy-file=/etc/k8s/policy.jsonl

{"user": "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch"}

(One JSON policy per line. apiGroup takes the group name, "batch", not the group/version string; the policy file is read once at start, so changes need an API server restart.)

Slide 41

Authz Plugins: ABAC

{"group": "developer", "namespace": "dev", "resource": "*", "apiGroup": "*"}
{"group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true}

(Developers get full access in dev and read-only access in prod; a request that matches no policy is denied.)
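To see what the two ABAC slides actually grant, the Go program below is an added example for this page, not the API server's authorizer and not code from the talk. It loads a constructed policy file using the slides' flat field names (the v1beta1 file format the API server reads wraps the same fields in a spec block), matches each request against the policies and denies by default. The matching rules are this example's reading of the ABAC authorizer: "*" is the wildcard, an unset attribute matches only the empty value (so a policy without a namespace applies to cluster-scoped requests), a policy must name a user or a group, and readonly admits only get, list and watch. Treat the exact rule set as an assumption to check against the release you run.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// policy mirrors the flat fields on the slides. (The v1beta1 file the API server reads
// wraps the same fields in "spec" under apiVersion/kind; the matching is the same.)
type policy struct {
	User      string `json:"user"`
	Group     string `json:"group"`
	Namespace string `json:"namespace"`
	Resource  string `json:"resource"`
	APIGroup  string `json:"apiGroup"`
	Readonly  bool   `json:"readonly"`
}

// request is what the authorizer sees after authentication: who, which verb, on what, where.
type request struct {
	User      string
	Groups    []string
	Verb      string // get, list, watch, create, update, patch, delete, ...
	Namespace string // "" for cluster-scoped requests
	Resource  string
	APIGroup  string // "" is the core group; jobs live in "batch"
}

// Constructed policy file: one JSON object per line, as --authorization-policy-file expects.
const policyFile = `{"user": "eric", "namespace": "tectonic", "resource": "jobs", "apiGroup": "batch"}
{"group": "developer", "namespace": "dev", "resource": "*", "apiGroup": "*"}
{"group": "developer", "namespace": "prod", "resource": "*", "apiGroup": "*", "readonly": true}
`

func loadPolicies(text string) ([]policy, error) {
	var ps []policy
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var p policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("policy line %d: %w", n, err)
		}
		ps = append(ps, p)
	}
	return ps, nil
}

// subjectMatches: a policy has to name a user or a group to match anyone; "*" matches all.
func (p policy) subjectMatches(r request) bool {
	matched := false
	if p.User != "" {
		if p.User != "*" && p.User != r.User {
			return false
		}
		matched = true
	}
	if p.Group != "" {
		matched = p.Group == "*"
		for _, g := range r.Groups {
			matched = matched || g == p.Group
		}
	}
	return matched
}

// attrMatches: "*" is the wildcard; an unset field matches only the empty value, so a
// policy without a namespace applies to cluster-scoped requests only.
func attrMatches(want, got string) bool { return want == "*" || want == got }

var readOnlyVerbs = map[string]bool{"get": true, "list": true, "watch": true}

func (p policy) matches(r request) bool {
	if !p.subjectMatches(r) || !attrMatches(p.Namespace, r.Namespace) ||
		!attrMatches(p.Resource, r.Resource) || !attrMatches(p.APIGroup, r.APIGroup) {
		return false
	}
	return !p.Readonly || readOnlyVerbs[r.Verb] // read-only never grants a mutating verb
}

// authorize is deny-by-default: the first matching policy allows; it returns that policy's
// index, or -1 when nothing matched.
func authorize(ps []policy, r request) (bool, int) {
	for i, p := range ps {
		if p.matches(r) {
			return true, i
		}
	}
	return false, -1
}

func main() {
	ps, err := loadPolicies(policyFile)
	if err != nil {
		panic(err)
	}
	dev := []string{"developer"}
	for _, r := range []request{
		{User: "eric", Verb: "create", Namespace: "tectonic", Resource: "jobs", APIGroup: "batch"},
		{User: "bobby", Groups: dev, Verb: "delete", Namespace: "prod", Resource: "pods"},
		{User: "bobby", Groups: dev, Verb: "get", Namespace: "prod", Resource: "pods"},
	} {
		allowed, i := authorize(ps, r)
		fmt.Printf("%s %s %s/%s: allowed=%v (policy %d)\n", r.User, r.Verb, r.Namespace, r.Resource, allowed, i)
	}
}
```

Note what the first policy does not say: eric gets jobs in tectonic and nothing else, not even pods in the same namespace, and the developer policies give him nothing because he is in no group. Returning the index of the matching policy is cheap and makes audit logs far more useful than a bare allow.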

Slide 42

Authz Plugins: Webhook

Slide 43

Authz Plugins: Webhook
● Query an outside provider
● Roll your own authorizer
(diagram: Authorizer Plugin ↔ Remote Service)

Slide 44

Authz Plugins: Webhook
● What happens if the remote service dies?
  ○ Deny all (the authorizer fails closed: an error from the webhook is never treated as an allow)
(diagram: Authorizer Plugin ↔ Remote Service)

Slide 45

Authz Plugins: RBAC (1.3)

Slide 47

Authz Plugins: RBAC (1.3)
● Upstreamed from OpenShift
● Define roles
  ○ Roles contain a group of policies (like ABAC)
● Bind users, groups or service accounts to roles
  ○ Cluster level or namespace

Slide 48

Authz Plugins: RBAC (1.3)

$ cat role.yml
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: namespace-user
rules:
- verbs: ["*"]
  apiGroups: ["", "batch"]   # "" is the core API group (pods, services, ...)
  resources: ["*"]
- verbs: ["get", "watch"]
  apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["*"]
$ kubectl create -f role.yml

(The slide's shortened group names are expanded to the real API group strings, and the wildcards are quoted: a bare * is a YAML alias, not the string "*".)

Slide 49

Authz Plugins: RBAC (1.3)

Cluster level
  Role: namespace-user
  Policies:
  - Can read/write core resources
  - Can read RBAC

Namespace: tectonic
  Role Binding:
  - User Eric is bound to namespace-user
  - User Ed is bound to namespace-user

(A ClusterRole is defined once; a binding in a namespace grants it there and nowhere else.)

Slide 50

Kubernetes: Admission control

Slide 51

Kubernetes: Admission control (diagram)
HTTP(S) Request → Authenticator Plugin → Authorizer Plugin → Admission Plugin
● Authenticator Plugin: get user name, user ID, groups
● Authorizer Plugin: Allow/Deny
● Admission Plugin: additional request modification or specialized field level rules

Slide 52

Admission Control Plugins
● Resource quotas
● Limit ranges
● Lots of others

Slide 53

Admission Control: Resource quotas

Slide 54

Admission Control: Resource quotas
● If an action would exceed a quota, reject it

Slide 55

Admission Control: Resource quotas

$ cat quota.yml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
spec:
  hard:
    memory: 1Gi
    cpu: 20
    pods: 10
    services: 5
    replicationcontrollers: 20
    resourcequotas: 1
$ kubectl create -f quota.yml --namespace=development

(The quota applies to the namespace it is created in; once a memory or cpu quota exists, every pod in that namespace must state its requests or it is rejected.)

Slide 56

Admission Control: Limit ranges

Slide 57

Admission Control: Limit ranges
● Like resource quotas, but on a per pod basis
● E.g.: Pods can't request more than 1/4th of a CPU

Slide 58

Admission Control: Limit ranges

$ cat limits.yml
apiVersion: v1
kind: LimitRange
metadata:
  name: limits
spec:
  limits:
  - type: Container
    defaultRequest:
      cpu: 250m
$ kubectl create -f limits.yml --namespace=development

(The field is defaultRequest; it fills in a request for containers that set none, which is also what keeps a quota like the one above from rejecting them. metadata.namespace is left out because a value of default would conflict with --namespace=development.)
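The resource quota and limit range slides describe two admission plugins that depend on their order: the LimitRange first mutates the pod (defaulting requests) and validates per-container ceilings, and only then does the ResourceQuota check the namespace totals. The Go program below is an added example for this page, not the API server's admission plugins and not code from the talk; it models both plugins with the numbers from the slides (a 250m default request, a quarter-CPU per-container ceiling, and a namespace quota of 20 CPUs, 1Gi memory and 10 pods), runs them as a chain where the first rejection wins, and charges the quota only when a pod is admitted. Quantities are plain integers (millicores and bytes) rather than parsed Kubernetes quantity strings.

```go
package main

import (
	"errors"
	"fmt"
)

// Quantities are tracked as integers: CPU in millicores, memory in bytes.
type resources struct{ CPUMilli, MemBytes int64 }

type container struct {
	Name     string
	Requests resources // zero means "not set"
}

type pod struct {
	Name       string
	Containers []container
}

// limitRange is the per-container policy (LimitRange): a default request, and a CPU ceiling (0 = none).
type limitRange struct {
	DefaultRequest resources
	MaxCPUMilli    int64
}

// quota is the namespace-wide policy (ResourceQuota): hard caps and what is already in use.
type quota struct {
	Hard, Used         resources
	HardPods, UsedPods int
}

var errAdmission = errors.New("admission denied")

func deny(plugin, format string, a ...interface{}) error {
	return fmt.Errorf("%w by %s: %s", errAdmission, plugin, fmt.Sprintf(format, a...))
}

// admitLimitRange mutates first (fills in defaults), then validates the per-container ceiling.
func admitLimitRange(lr limitRange, p *pod) error {
	for i := range p.Containers {
		c := &p.Containers[i]
		if c.Requests.CPUMilli == 0 {
			c.Requests.CPUMilli = lr.DefaultRequest.CPUMilli
		}
		if c.Requests.MemBytes == 0 {
			c.Requests.MemBytes = lr.DefaultRequest.MemBytes
		}
		if lr.MaxCPUMilli > 0 && c.Requests.CPUMilli > lr.MaxCPUMilli {
			return deny("LimitRanger", "container %q requests %dm cpu, max is %dm", c.Name, c.Requests.CPUMilli, lr.MaxCPUMilli)
		}
	}
	return nil
}

// admitQuota runs after defaulting so the totals are final; it charges the quota only on success.
func admitQuota(q *quota, p pod) error {
	var t resources
	for _, c := range p.Containers {
		t.CPUMilli += c.Requests.CPUMilli
		t.MemBytes += c.Requests.MemBytes
	}
	switch {
	case q.UsedPods+1 > q.HardPods:
		return deny("ResourceQuota", "pods: %d of %d already used", q.UsedPods, q.HardPods)
	case q.Used.CPUMilli+t.CPUMilli > q.Hard.CPUMilli:
		return deny("ResourceQuota", "cpu: used %dm + requested %dm exceeds %dm", q.Used.CPUMilli, t.CPUMilli, q.Hard.CPUMilli)
	case q.Used.MemBytes+t.MemBytes > q.Hard.MemBytes:
		return deny("ResourceQuota", "memory: used %d + requested %d exceeds %d", q.Used.MemBytes, t.MemBytes, q.Hard.MemBytes)
	}
	q.Used.CPUMilli += t.CPUMilli
	q.Used.MemBytes += t.MemBytes
	q.UsedPods++
	return nil
}

// admit runs the chain in order: the first plugin to reject wins and nothing is charged.
func admit(lr limitRange, q *quota, p *pod) error {
	if err := admitLimitRange(lr, p); err != nil {
		return err
	}
	return admitQuota(q, *p)
}

func main() {
	// The LimitRange (250m default) and ResourceQuota (20 cpu, 1Gi, 10 pods) from the
	// slides, plus the quarter-CPU ceiling from the example on slide 57.
	lr := limitRange{DefaultRequest: resources{CPUMilli: 250}, MaxCPUMilli: 250}
	q := &quota{Hard: resources{CPUMilli: 20000, MemBytes: 1 << 30}, HardPods: 10}
	web := &pod{Name: "web", Containers: []container{{Name: "app"}}}
	fmt.Println(admit(lr, q, web), web.Containers[0].Requests) // defaulted to 250m and admitted
	big := &pod{Name: "big", Containers: []container{{Name: "app", Requests: resources{CPUMilli: 500}}}}
	fmt.Println(admit(lr, q, big)) // rejected by LimitRanger, quota unchanged
}
```

Two details worth noticing: a pod that says nothing about memory is charged zero against the memory quota unless the LimitRange also supplies a memory default, and a rejection anywhere in the chain leaves the quota's usage untouched, so a burst of denied requests cannot consume the namespace's budget.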

Slide 59

Admission Control: Other stuff

Slide 60

Admission Control: Other stuff
● DenyEscalatingExec
● InitialResources
● SecurityContextDeny
● ServiceAccount (not the authn part: this plugin injects the account's token into pods)
● Future: field level auth

Slide 61

API Server: Auth flow plugins (diagram)
Authenticator Plugin → Authorizer Plugin → Admission Plugin

Slide 62

Conclusion
● Lots of tools for cluster admins
● Extensible through webhooks and projects like dex
● Continuing to add more

Slide 63

Thank you!
Eric Chiang @erchiang | [email protected]
We're hiring in all departments!
Email: [email protected]
Positions: coreos.com/careers