Slide 1

LDAP Authentication for Kubernetes Using Webhook Token Authentication Plugin `DRIDI WALID`

Slide 2

WHO AM I?

Slide 3

DRIDI WALID
Kubernetes Consultant/Trainer
Lead Ops @FnacDarty
LinkedIn: https://www.linkedin.com/in/dridi-walid

Slide 4

Agenda:
❏ Kubernetes Access Stages
❏ LDAP Integration Flow
❏ DEMO!

Slide 5

Kubernetes Access Stages

Slide 6

Overview of controlling access to the Kubernetes API:

kubectl request → Authn → Authz → Admission Control

1. Authn: checks the credentials.
2. Authz: checks whether the user is allowed to perform the action.
3. Admission Control: checks whether the request conforms to policies.

Slide 9

LDAP Integration Flow

Slide 10

PRE-FLIGHT

Slide 11

Create new user entry

# foo.ldif
dn: cn=foo,dc=mycompany,dc=co
objectClass: top
objectClass: inetOrgPerson
cn: foo
gn: Foo
sn: Bar
userPassword: foopassword
ou: intern

Attribute mapping: cn → username, userPassword → password, ou → groups

ldapadd -H ldap:// -x -D cn=admin,dc=mycompany,dc=co -w adminpassword -f foo.ldif

ldapsearch -LLL -H ldap:// -x -D cn=admin,dc=mycompany,dc=co -w adminpassword -b dc=mycompany,dc=co '(&(objectClass=inetOrgPerson)(cn=foo)(userPassword=foopassword))'

Slide 12

Kubectl config file using token authn

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS...
    server: https://:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: foo
  name: foo@cluster.local
current-context: foo@cluster.local
kind: Config
preferences: {}
users:
- name: foo
  user:
    token: foo:foopassword

Slide 13

Enable webhook token authn on the api-server

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver-k8s-master
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authentication-token-webhook-config-file=/etc/kubernetes/webhook-token-auth-config.yaml
    ...

Slide 14

Webhook token config file

# clusters refers to the remote service.
clusters:
- name: webhook-token-auth-cluster
  cluster:
    insecure-skip-tls-verify: true   # We use self-signed tls certs
    server: https://                 # Node.js Authentication Service

# users refers to the API server's webhook configuration.
users:
- name: webhook-token-auth-user

# kubeconfig files require a context. Provide one for the API server.
current-context: webhook-token-auth
contexts:
- context:
    cluster: webhook-token-auth-cluster
    user: webhook-token-auth-user
  name: webhook-token-auth

Slide 15

Webhook Token Plugin Interface

Request:
{
  "apiVersion": "authentication.k8s.io/v1beta1",
  "kind": "TokenReview",
  "spec": {
    "token": "username:password"
  }
}

Slide 16

Webhook Token Plugin Interface

Expected response:
{
  "apiVersion": "authentication.k8s.io/v1beta1",
  "kind": "TokenReview",
  "spec": {
    "token": "e2ede302-9af2-4638-b492-32a34231cdbe"
  },
  "status": {
    "authenticated": true,
    "user": {
      "username": "",
      "uid": "1",
      "groups": [
        "intern"
      ]
    }
  }
}

Slide 17

Node.js Authentication Service Gist: https://gist.github.com/pocteo-co/acdbd7666bfdb1d5d15e9b611fcaa55f

Slide 18

FLOW

Slide 19

Sequence diagram. Participants: kubectl, Kubernetes API server (Webhook Token plugin), Authn SVC, LDAP server, Config File. Messages: load (config file), request token:"username:password", trigger, request (username,password), ldapsearch (cn,password), status[,userinfo].

1. Use the kubectl CLI (k8s client) and point it to the right config file using the --kubeconfig flag.
2. Make a request using the bearer token.
3. The API server receives the request and triggers the Webhook Token plugin.
4. The Webhook Token plugin forwards the credentials to the Authn service for validation.
5. The Authn service makes an ldapsearch operation.
6. The LDAP server sends status and userinfo if the token is valid.
7. The Authn service sends the result back to the API server.
8. The API server sends 401 to the user if the token is invalid.
9. The API server passes userinfo to the Authz stage for role/rolebinding mapping.

Slide 28

DEMO!!

Slide 29

Thanks to Abir Hamzi & Majd Mimoun for the quick implementation of the Node.js authn service.

Slide 30

Questions?