LDAP Authentication for Kubernetes using Webhook Token Authentication Plugin

Transcript

LDAP Authentication for Kubernetes Using Webhook Token Authentication Plugin `DRIDI

WALID`

DRIDI WALID Kubernetes Consultant/Trainer Lead Ops @FnacDarty Linkedin: https://www.linkedin.com/in/dridi-walid

Agenda: ❏ Kubernetes Access Stages ❏ LDAP Integration Flow ❏

DEMO!

kubectl request Overview of controlling access to the kubernetes api

... Authn Authz Admission Control 1. Authn: Checks the credentials, 2. Authz: Checks if user is allowed to perform the action, 3. Admission Control: Checks if the request conforms policies

kubectl request Overview of controlling access to the kubernetes api

Create new user entry // foo.ldif dn: cn=foo,dc=mycompany,dc=co objectClass: top

objectClass: inetOrgPerson cn: foo gn: Foo sn: Bar userPassword: foopassword ou: intern cn → username userPassword → password ou → groups ldapadd -H ldap://<LDAP-SERVER-IP> -x -D cn=admin,dc=mycompany,dc=co -w adminpassword -f foo.ldif ldapsearch -LLL -H ldap://<LDAP-SERVER-IP> -x -D cn=admin,dc=mycompany,dc=co -w adminpassword -b dc=mycompany,dc=co '(&(objectClass=inetOrgPerson)(cn=foo)(userPassword=foopassword))'

Kubectl config file using token authn apiVersion: v1 clusters: -

cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS... server: https://<K8S-SERVER-IP>:6443 name: cluster.local contexts: - context: cluster: cluster.local user: foo name: [email protected] current-context: [email protected] kind: Config preferences: {} users: - name: foo user: token: foo:foopassword

Enable webhook token authn on api-server apiVersion: v1 kind: Pod

metadata: name: kube-apiserver-k8s-master namespace: kube-system spec: containers: - command: - kube-apiserver - --authentication-token-webhook-config-file=/etc/kubernetes/webhook-token-auth-config.yaml ...

Webhook token config file # clusters refers to the remote

service. clusters: - name: webhook-token-auth-cluster cluster: insecure-skip-tls-verify: true // We use self-signed tls certs server: https://<your-authn-service-ip> // Node.js Authentication Service # users refers to the API server's webhook configuration. users: - name: webhook-token-auth-user # kubeconfig files require a context. Provide one for the API server. current-context: webhook-token-auth contexts: - context: cluster: webhook-token-auth-cluster user: webhook-token-auth-user name: webhook-token-auth

Webhook Token Plugin Interface // Request { "apiVersion": "authentication.k8s.io/v1beta1", "kind":

"TokenReview", "spec": { "token": "username:password" } }

Webhook Token Plugin Interface { // Expected Response "apiVersion": "authentication.k8s.io/v1beta1",

"kind": "TokenReview", "spec": { "token": "e2ede302-9af2-4638-b492-32a34231cdbe" } "status": { "authenticated": true, "user": { "username": "<username>", "uid": "1", "groups": [ "intern" ] }, } }

Node.js Authentication Service Gist: https://gist.github.com/pocteo-co/acdbd7666bfdb1d5d15e9b611fcaa55f

FLOW

kubectl kubernetes Authn SVC ldap server Config File Webhook Token

trigger ldapsearch (cn,password) load request (username,password) status[,userinfo} request token:“username:password” 1. Use kubectl cli k8s client and point to the right configfile using --kubeconfig flag, 2. Make a request using bearer token, 3. API-Server receives a request and triggers a Webhook Token, 4. Webhook Token Plugin forwards credentials to Authn service for validation, 5. Authn service makes an ldapsearch operation, 6. LDAP-Server send status and userinfo if token is valid, 7. Authn service send back to api-server the result, 8. API-Server send 401 to user if token is invalid, 9. API-server pass userinfo to Authz stage for role/rolebinding mapping

kubectl kubernetes Authn SVC ldap server Config File Webhook Token

request token:“username:password” ldapsearch (cn,password) load request (username,password) status[,userinfo} trigger 1. Use kubectl cli k8s client and point to the right configfile using --kubeconfig flag, 2. Make a request using bearer token, 3. API-Server receives a request and triggers a Webhook Token, 4. Webhook Token Plugin forwards credentials to Authn service for validation, 5. Authn service makes an ldapsearch operation, 6. LDAP-Server send status and userinfo if token is valid, 7. Authn service send back to api-server the result, 8. API-Server send 401 to user if token is invalid, 9. API-server pass userinfo to Authz stage for role/rolebinding mapping

kubectl kubernetes Authn SVC ldap server Config File Webhook Token

request token:“username:password” trigger ldapsearch (cn,password) load request (username,password) status[,userinfo} 1. Use kubectl cli k8s client and point to the right configfile using --kubeconfig flag, 2. Make a request using bearer token, 3. API-Server receives a request and triggers a Webhook Token, 4. Webhook Token Plugin forwards credentials to Authn service for validation, 5. Authn service makes an ldapsearch operation, 6. LDAP-Server send status and userinfo if token is valid, 7. Authn service send back to api-server the result, 8. API-Server send 401 to user if token is invalid, 9. API-server pass userinfo to Authz stage for role/rolebinding mapping

LDAP Authentication for Kubernetes using Webhoo...

LDAP Authentication for Kubernetes using Webhook Token Authentication Plugin

pocteo

More Decks by pocteo

Other Decks in Technology

Featured

Transcript