Tweet
Tweet

Slide 1

Slide 1 text

Mercari Meetup for Microservices Platform, Jul 19, 2018 Kubernetes RBAC in microservices

Slide 2

Slide 2 text

2 About me @spesnova SRE at Mercari Microservices Platform team Kubernetes Tokyo Community Organizer

Slide 3

Slide 3 text

3 Agenda 1. AuthN/Z in Kubernetes 2. Design Principles 3. RBAC Policy

Slide 4

Slide 4 text

AuthN/Z in Kubernetes

Slide 5

Slide 5 text

What is Kubernetes RBAC?

Slide 6

Slide 6 text

6 What is Kubernetes RBAC? Role Based Access Control

Slide 7

Slide 7 text

7 a method of regulating access to computer or network resources based on the roles of individual users within an enterprise What is Kubernetes RBAC? https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Slide 8

Slide 8 text

8 Role based? ● User based - easy but inefficient ● Team based - intermediate ● Role based - efficient but not easy

Slide 9

Slide 9 text

9 4 Objects in Kubernetes RBAC Roles ClusterRoles RoleBindings ClusterRoleBindings

Slide 10

Slide 10 text

Roles and ClusterRoles

Slide 11

Slide 11 text

11 Roles and ClusterRoles Roles ClusterRoles Verbs Resources Verbs Resources

Slide 12

Slide 12 text

12 Verbs Verbs “create” “get”, “list” “update” “patch” “delete”, “deletecollection” “watch”

Slide 13

Slide 13 text

13 Resources Resources “pods” “deployments” “configmaps” “secrets” “namespaces” “resourcequotas” “nodes”

Slide 14

Slide 14 text

14 Namespace scoped resources Namespace scoped resources “pods” “deployments” “configmaps” “secrets” “namespaces” “resourcequotas” “nodes”

Slide 15

Slide 15 text

15 Cluster scoped resources Cluster scoped resources “pods” “deployments” “configmaps” “secrets” “namespaces” “resourcequotas” “nodes”

Slide 16

Slide 16 text

16 Roles example - a role can read pods in default namespace kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: pod-reader rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"]

Slide 17

Slide 17 text

17 ClusterRoles example - a clusterrole can read pods in all namespaces kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: # “namespace” is not required name: global-pod-reader rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"]

Slide 18

Slide 18 text

RoleBindingss and ClusterRoleBindings

Slide 19

Slide 19 text

19 4 Objects in Kubernetes RBAC Roles ClusterRoles RoleBindings ClusterRoleBindings

Slide 20

Slide 20 text

20 RoleBindings and ClusterRoleBindings RoleBindings ClusterRoleBindings Role/ClusterRole Subjects ClusterRole Subjects

Slide 21

Slide 21 text

21 Subjects Subjects “User” “Group” “ServiceAccount”

Slide 22

Slide 22 text

22 RoleBinding example - spesnova can read pods in default namespace kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-pods namespace: default subjects: - kind: User name: spesnova@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io

Slide 23

Slide 23 text

23 RoleBinding example - spesnova can read pods in default namespace kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-pods namespace: default subjects: - kind: User name: spesnova@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: global-pod-reader apiGroup: rbac.authorization.k8s.io

Slide 24

Slide 24 text

24 RoleBinding example - spesnova can read pods in all namespace kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-pods # “namespace” is not required subjects: - kind: User name: spesnova@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: global-pod-reader apiGroup: rbac.authorization.k8s.io

Slide 25

Slide 25 text

Default ClusterRoles

Slide 26

Slide 26 text

26 Default ClusterRoles / admin Allows read/write access to most resources in a namespace, including the ability to create roles and rolebindings within the namespace. https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Slide 27

Slide 27 text

27 Default ClusterRoles / edit Allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings. https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Slide 28

Slide 28 text

28 Default ClusterRoles / view Allows read-only access to see most objects in a namespace. It does not allow viewing roles or rolebindings. It does not allow viewing secrets, since those are escalating. https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Slide 29

Slide 29 text

29 How to test RBAC settings? $ kubectl auth can-i get pods / --namespace=default / --as=spesnova@example.com yes

Slide 30

Slide 30 text

Authentication in GKE

Slide 31

Slide 31 text

31 Authentication in GKE (skip details because of time limitation) Google OAuth2 (OpenID Connect Tokens authentication)

Slide 32

Slide 32 text

Design Principles

Slide 33

Slide 33 text

End-to-End Ownership

Slide 34

Slide 34 text

34 The purpose of microservices Getting agility at large scale org&system

Slide 35

Slide 35 text

35 The purpose of microservices How to get agility? How to make people high-performer?

Slide 36

Slide 36 text

With Great power comes great responsibility

Slide 37

Slide 37 text

Great power requires great responsibility

Slide 38

Slide 38 text

38 I was in an organization holding 1000+ engineers Small responsibility makes people low-performer

Slide 39

Slide 39 text

39 Great responsibility means... End-to-End ownership

Slide 40

Slide 40 text

40 Our platform mission Build system & organization which people have E2E ownership

Slide 41

Slide 41 text

Hide complexity behind infrastructure

Slide 42

Slide 42 text

42 Hide complexity behind infrastructure Microservices architecture itself is already complicated

Slide 43

Slide 43 text

43 Microservices architecture

Slide 44

Slide 44 text

44 Microservices architecture Each microservices become simple but operations become complex

Slide 45

Slide 45 text

45 Hide complexity behind infrastructure Keep each components simple Hide complexity behind infrastructure

Slide 46

Slide 46 text

46 Hide complexity behind infrastructure Make each RBAC policy simple Handle the complexity with tools

Slide 47

Slide 47 text

RBAC Policy

Slide 48

Slide 48 text

Namespace/Team per microservices

Slide 49

Slide 49 text

49 Our microservices conventions Team per microservice Namespace per microservice

Slide 50

Slide 50 text

50 Namespace per microservice microservice A microservice B microservice C Kubernetes Cluster

Slide 51

Slide 51 text

51 Namespace per microservice microservice A microservice B microservice C namespace A namespace B namespace C Kubernetes Cluster

Slide 52

Slide 52 text

52 Namespace and Team per microservice microservice A microservice B microservice C namespace A namespace B namespace C Kubernetes Cluster team A team B team C

Slide 53

Slide 53 text

Give namespace-admin

Slide 54

Slide 54 text

54 Give namespace-admin = End-to-End ownership microservice A microservice B microservice C namespace A namespace B namespace C Kubernetes Cluster team A team B team C

Slide 55

Slide 55 text

55 Give namespace-admin = End-to-End ownership microservice A microservice B microservice C namespace A namespace B namespace C Kubernetes Cluster team A team B team C RoleBiding A RoleBiding B RoleBiding C

Slide 56

Slide 56 text

56 RoleBinding example - hello team members are namespace admin in hello ns kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: service-admins namespace: hello subjects: - kind: User name: spesnova@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: admin apiGroup: rbac.authorization.k8s.io

Slide 57

Slide 57 text

Microservice diversity

Slide 58

Slide 58 text

58 Microservice diversity Roles namespace A Kubernetes Cluster team A / service Admins RoleBindings Secrets Deployments ConfigMaps ClusterRoleBiding admins

Slide 59

Slide 59 text

59 Some teams want “read-only” namespace A Kubernetes Cluster team A / service Viewers Deployments ConfigMaps ClusterRoleBiding viewers

Slide 60

Slide 60 text

60 RoleBinding example - some members are namespace view in hello namespace kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: service-viewers namespace: hello subjects: - kind: User name: dtan4@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: view apiGroup: rbac.authorization.k8s.io

Slide 61

Slide 61 text

61 Some teams want to restrict RBAC editing namespace A Kubernetes Cluster team A / service Editors Deployments ConfigMaps ClusterRoleBiding editors Secrets

Slide 62

Slide 62 text

62 RoleBinding example - some members are namespace edit in hello namespace kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: service-editors namespace: hello subjects: - kind: User name: babarot@example.com apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: edit apiGroup: rbac.authorization.k8s.io

Slide 63

Slide 63 text

63 Using default ClusterRoles Accept diversity but keep it simple

Slide 64

Slide 64 text

64 Microservice diversity If required, they can create custom roles

Slide 65

Slide 65 text

65 But...avoid to create custom role as possible (RBAC rabbit hole) $ kubectl get clusterroles/admin -o yaml | wc -l 457 457 lines yaml !!

Slide 66

Slide 66 text

Handle complexity with tools

Slide 67

Slide 67 text

67 Our microservices conventions Team per microservice Namespace per microservice

Slide 68

Slide 68 text

68 Namespace and Team per microservice microservice A microservice B microservice C namespace A namespace B namespace C Kubernetes Cluster team A team B team C

Slide 69

Slide 69 text

69 Namespace and Team per microservice, then... So many namespaces and teams!!

Slide 70

Slide 70 text

70 We aim to have 200+ microservices Impossible to create hundreds RoleBindings by hand

Slide 71

Slide 71 text

71 Too many namespaces and teams? No, it is intended

Slide 72

Slide 72 text

72 Hide complexity behind infrastructure Keep each components simple Hide complexity behind infrastructure

Slide 73

Slide 73 text

73 Keep each components simple If multiple services/teams in a namespace, RBAC must become much more complicated

Slide 74

Slide 74 text

74 Hide complexity behind infrastructure Keep each components simple Hide complexity behind infrastructure

Slide 75

Slide 75 text

75 Microservice Starter Kit An internal Terraform module to reduce provisioning burdun from developers and manage infrastructure as code https://speakerdeck.com/b4b4r07/terraform-ops-for-microservices?slide=13

Slide 76

Slide 76 text

76 Automate RoleBindings creation with microservice-starter-kit (WIP) module “hello-service” { ... service_admins = [ "spesnova@example.com", "tcnksm@example.com", "b4b4r07@example.com", ] ...

Slide 77

Slide 77 text

77 Automate RoleBindings creation with microservice-starter-kit (WIP) … service_editors = [ "dtan4@example.com", ] … service_viewers = [ "terry@example.com", ]

Slide 78

Slide 78 text

78 Automate RoleBindings creation with microservice-starter-kit (WIP) microservice A microservice B microservice C namespace A namespace B namespace C Kubernetes Cluster team A team B team C RoleBiding A RoleBiding B RoleBiding C

Slide 79

Slide 79 text

79 Need to implement kubernetes_rolebinding Terraform resource (WIP) No official resource!

Slide 80

Slide 80 text

Recap

Slide 81

Slide 81 text

81 Recap Delegation Simplicity Tools Keep RBAC policy simple as possible Delegate enough permission to teams Handle complexity with tools

Slide 82

Slide 82 text

End