Seriously Rethinking the Best Authentication Flow for Kubernetes / GitHub Team Based Access Control

Slides presented as a lightning talk at Kubernetes Meetup Tokyo #11.

Shimpei Otsubo

May 17, 2018

Transcript

  1. ©2018 Wantedly, Inc.
    GitHub Team Based Access Control
    Seriously rethinking the best authentication flow for Kubernetes
    Kubernetes Meetup Tokyo #11
    17.May.2018 - Shimpei Otsubo - @potsbo

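  2. Development at Wantedly
    We use GitHub a lot
    App engineers use kubectl a lot
    We automate a lot
    * Simplified version of the wrapper
    We also want low-privilege permissions…
    Everyone in the company is on GitHub
    Restrict permissions per Team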

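  3. There are things we want to achieve
    We want to ride on the in-house GitHub flow!!
    We want to grant access rights easily!!
    We want to grant CI only the minimum permissions!!
    Today it is all or nothing, which makes interns hard to handle…
    We want to hand "please give me permission for ..." requests over to HR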

  4. genmon (舷門, "gangway") NEW!! by wantedly
    Easily grant all kinds of permissions to all kinds of teams
    Use the in-house GitHub flow in k8s too
    Just send a GitHub Token
    [Diagram labels: Token, genmon, TokenReview, Teams, Groups, RBAC!!, Results]

  5. Architecture
    A genmon instance runs on each master via a DaemonSet
    Webhook Authentication sends tokens to genmon
    Teams are treated as Groups and handled with RBAC
    https://github.com/appscode/guard
    https://github.com/oursky/kubernetes-github-authn
    Reference implementations
    https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication
    Role Based Access Control
    [Diagram labels: Token, genmon, TokenReview, Teams, Groups, RBAC!!, Results]

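The webhook step from the Architecture slide, as an added example (not genmon's code, which this page does not show): a minimal TokenReview handler that returns the caller's GitHub teams as Kubernetes groups, which RBAC bindings can then reference. The `Lookup` hook, the `Review` function and the token value are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the TokenReview object exchanged in webhook token authentication.
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}
type TokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		Authenticated bool      `json:"authenticated"`
		User          *UserInfo `json:"user,omitempty"`
	} `json:"status"`
}

// Lookup (hypothetical hook) maps a GitHub token to a login and its team slugs in the trusted org.
type Lookup func(token string) (login string, teams []string, err error)

// Review answers one TokenReview request body. It fails closed: bad JSON, an
// empty token, a lookup error or no team membership all give authenticated=false.
func Review(body []byte, lookup Lookup) TokenReview {
	resp := TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview"}
	var req struct {
		Spec struct{ Token string `json:"token"` } `json:"spec"`
	}
	if json.Unmarshal(body, &req) != nil || req.Spec.Token == "" {
		return resp
	}
	login, teams, err := lookup(req.Spec.Token)
	if err != nil || login == "" || len(teams) == 0 {
		return resp
	}
	resp.Status.Authenticated = true
	resp.Status.User = &UserInfo{Username: login, Groups: teams}
	return resp
}

func main() {
	// Constructed sample: the token is made up; user and team names come from the Examples slide.
	lookup := func(string) (string, []string, error) { return "potsbo", []string{"intern-short"}, nil }
	out, _ := json.Marshal(Review([]byte(`{"spec":{"token":"constructed-token"}}`), lookup))
	fmt.Println(string(out))
}
```
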

  6. Examples
    user       Team            Role
    deploybot  deployer        deployment-patcher
    potsbo     intern-short    view
    potsbo     infrastructure  cluster-admin
    Grant only the minimum necessary permissions

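  7. The result of seriously rethinking the best authentication flow for Kubernetes
    While staying on the company's existing GitHub flow
    Just by sending a GitHub Token with kubectl
    Grant anyone necessary and sufficient permissions with RBAC
    Even interns
    The GitHub settings that Corporate maintains can be used as-is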