Kubernetes における最高の認証フローを本気で考え直してみた / GitHub Team Based Access Control

Transcript

1. ©2018 Wantedly, Inc. GitHub Team Based Access Control Kubernetes ʹ͓͚Δ࠷ߴͷೝূϑϩʔΛຊؾͰߟ͑௚ͯ͠Έͨ

   Kubernetes Meetup Tokyo #11 17.May.2018 - Shimpei Otsubo - @potsbo

2. ©2018 Wantedly, Inc. Wantedly ͷ ։ൃࣄ৘ GitHub ΊͬͪΌ࢖͏ ΞϓϦΤϯδχΞ
   LVCFDUM
   ΊͬͪΌ࢖͏ ΊͬͪΌࣗಈԽ͢Δ

   ˞؆ུ൛XSBQQFS ऑ͍ݖݶ΋΄͍͠ʜ ࣾ಺શһ(JU)VC 5FBN
   ຖʹݖݶΛ੍ݶ

3. ©2018 Wantedly, Inc. ୡ੒͍ͨ͜͠ͱ͕͋Δ GitHub ͷࣾ಺ϑϩʔʹ৐Γ͍ͨʂʂ ؾܰʹΞΫηεݖΛ෇༩͍ͨ͠ʂʂ $*ʹ͸࠷௿ݶͷݖݶΛ෇༩͍ͨ͠ʂʂ ݱঢ়͸
   "MM
   PS
   /PUIJOH
   ͳͷͰΠϯλʔϯ͕೉͍͠ʜ ʮʙͷݖݶΛ͍ͩ͘͞ʯΛ
   )3
   ʹ೚͍ͤͨ

4. ©2018 Wantedly, Inc. G enmon ݳ໳ ͍ΖΜͳνʔϜʹ ͍ΖΜͳݖݶΛ NEW!! GitHub

   ͷࣾ಺ϑϩʔΛLTͰ΋࢖͏
   
   (JU)VC
   5PLFO
   Λ౤͛Δ͚ͩ ؾܰʹ෇༩Ͱ͖ΔΑ͏ʹ by wantedly G Token Token Token Teams Groups RBAC!! Results genmon TokenReview

5. ©2018 Wantedly, Inc.  %BFNPO4FU
   Ͱ֤
   NBTUFS
   ʹ
   HFONPO
   ͕ଘࡏ
    8FCIPPL
   "VUIFOUJDBUJPO
   Ͱ
   HFONPO
   ΁
   
   
   
   5FBN
   
   
   
   
   
   (SPVQ
   ͱͯ͠ѻ͍
   3#"$ Architecture

   https://github.com/appscode/guard https://github.com/oursky/kubernetes-github-authn ࢀߟ࣮૷ https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication Role Based Access Control G Token Token Token Teams Groups RBAC!! Results genmon TokenReview

6. ©2018 Wantedly, Inc. Examples deploybot deployer deployment-patcher potsbo intern-short view

   user Team Role potsbo infrastructure cluster-admin ඞཁ࠷௿ݶͷݖݶͷΈΛ෇༩

7. ©2018 Wantedly, Inc. ࣾ಺ͷ GitHub ͷطଘϑϩʔʹ৐ͬͨ·· LVCFDUM
   Ͱ
   (JU)VC
   5PLFO
   ΛૹΔ͚ͩͰ 3#"$
   Ͱ୭ʹͰ΋ඞཁे෼ͳݖݶΛ෇༩ ΠϯλʔϯͰ΋ $PSQPSBUF
   ͕ߦ͍ͬͯΔ
   (JU)VC
   ͷઃఆ͕ͦͷ··࢖͑Δ

   ,VCFSOFUFT
   ʹ͓͚Δ࠷ߴͷೝূϑϩʔΛຊؾͰߟ͑௚ͯ͠Έͨ݁Ռ