Kubernetes における最高の認証フローを本気で考え直してみた / GitHub Team Based Access Control

Transcript

1. ©2018 Wantedly, Inc.
   GitHub Team Based Access Control
   Kubernetes ʹ͓͚Δ࠷ߴͷೝূϑϩʔΛຊؾͰߟ͑௚ͯ͠Έͨ
   Kubernetes Meetup Tokyo #11
   17.May.2018 - Shimpei Otsubo - @potsbo
   

   View Slide

2. ©2018 Wantedly, Inc.
   Wantedly ͷ ։ൃࣄ৘
   GitHub ΊͬͪΌ࢖͏
   ΞϓϦΤϯδχΞLVCFDUMΊͬͪΌ࢖͏
   ΊͬͪΌࣗಈԽ͢Δ
   ˞؆ུ൛XSBQQFS
   ऑ͍ݖݶ΋΄͍͠ʜ
   ࣾ಺શһ(JU)VC 5FBNຖʹݖݶΛ੍ݶ
   

   View Slide

3. ©2018 Wantedly, Inc.
   ୡ੒͍ͨ͜͠ͱ͕͋Δ
   GitHub ͷࣾ಺ϑϩʔʹ৐Γ͍ͨʂʂ
   ؾܰʹΞΫηεݖΛ෇༩͍ͨ͠ʂʂ
   $*ʹ͸࠷௿ݶͷݖݶΛ෇༩͍ͨ͠ʂʂ
   ݱঢ়͸"MMPS/PUIJOHͳͷͰΠϯλʔϯ͕೉͍͠ʜ
   ʮʙͷݖݶΛ͍ͩ͘͞ʯΛ)3ʹ೚͍ͤͨ
   

   View Slide

4. ©2018 Wantedly, Inc.
   G enmon ݳ໳
   ͍ΖΜͳνʔϜʹ
   ͍ΖΜͳݖݶΛ
   NEW!!
   GitHub ͷࣾ಺ϑϩʔΛLTͰ΋࢖͏(JU)VC5PLFOΛ౤͛Δ͚ͩ
   ؾܰʹ෇༩Ͱ͖ΔΑ͏ʹ
   by wantedly
   G
   Token Token Token
   Teams
   Groups
   RBAC!!
   Results
   genmon
   TokenReview
   

   View Slide

5. ©2018 Wantedly, Inc.
   %BFNPO4FUͰ֤NBTUFSʹHFONPO͕ଘࡏ
   8FCIPPL"VUIFOUJDBUJPOͰHFONPO΁
   5FBN(SPVQͱͯ͠ѻ͍3#"$
   Architecture
   https://github.com/appscode/guard
   https://github.com/oursky/kubernetes-github-authn
   ࢀߟ࣮૷
   https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication
   Role Based Access Control
   G
   Token Token Token
   Teams
   Groups
   RBAC!!
   Results
   genmon
   TokenReview
   

   View Slide

6. ©2018 Wantedly, Inc.
   Examples
   deploybot deployer deployment-patcher
   potsbo intern-short view
   user Team Role
   potsbo infrastructure cluster-admin
   ඞཁ࠷௿ݶͷݖݶͷΈΛ෇༩
   

   View Slide

7. ©2018 Wantedly, Inc.
   ࣾ಺ͷ GitHub ͷطଘϑϩʔʹ৐ͬͨ··
   LVCFDUMͰ(JU)VC5PLFOΛૹΔ͚ͩͰ
   3#"$Ͱ୭ʹͰ΋ඞཁे෼ͳݖݶΛ෇༩
   ΠϯλʔϯͰ΋
   $PSQPSBUF͕ߦ͍ͬͯΔ(JU)VCͷઃఆ͕ͦͷ··࢖͑Δ
   ,VCFSOFUFTʹ͓͚Δ࠷ߴͷೝূϑϩʔΛຊؾͰߟ͑௚ͯ͠Έͨ݁Ռ
   

   View Slide