Seriously Rethinking the Best Authentication Flow for Kubernetes / GitHub Team Based Access Control

Slides presented as a lightning talk (LT) at Kubernetes Meetup Tokyo #11.

Shimpei Otsubo

May 17, 2018

Transcript

  1. ©2018 Wantedly, Inc. GitHub Team Based Access Control: Seriously rethinking the best authentication flow for Kubernetes

    Kubernetes Meetup Tokyo #11, 17 May 2018 - Shimpei Otsubo - @potsbo
  2. Development at Wantedly: we use GitHub heavily, application engineers use kubectl heavily, and we automate heavily.

    (※ a simplified wrapper) We also want to be able to hand out weak, limited permissions... Everyone in the company is on GitHub, so restrict permissions per GitHub Team.
  3. What we want to achieve: ride on the company's existing GitHub flow!! Grant access rights without ceremony!! Give CI only the minimum permissions!! Today access is all or nothing, which makes onboarding interns hard... Leave requests like "please give me the permissions for X" to HR.

  4. NEW!! genmon: various permissions for various teams. Use GitHub's in-house flow for k8s too: just throw a GitHub Token at it, so that permissions can be granted casually. by wantedly

    (diagram: GitHub - Token - Teams - Groups - RBAC!! - Results - genmon - TokenReview)
  5. Architecture:
    (1) genmon runs as a DaemonSet, so it exists on each master.
    (2) Webhook Authentication on the API server forwards to genmon.
    (3) GitHub Teams are treated as Groups for RBAC (Role Based Access Control).

    Reference implementations: https://github.com/appscode/guard and https://github.com/oursky/kubernetes-github-authn. Docs: https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication
  6. Examples: grant only the minimum necessary permissions.

    user      | Team           | Role
    deploybot | deployer       | deployment-patcher
    potsbo    | intern-short   | view
    potsbo    | infrastructure | cluster-admin
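The TokenReview exchange from the architecture slide, carried through on the example table above, as an added example that is not part of the original talk and not genmon's code. It is a minimal webhook token authenticator in Go: it receives the API server's TokenReview, resolves the token to a GitHub login and team list, and returns the teams as Kubernetes groups so that a ClusterRoleBinding with a `kind: Group` subject can bind them to roles such as `view` or `cluster-admin`. The names `TokenResolver`, `TeamsToGroups`, `Handler`, `Review` and `SampleResolver`, the `github:` group prefix, the org name `wantedly` and the `ghp_*_example` tokens are all assumptions; a real deployment would look the token up against the GitHub API instead of the constructed in-memory tables.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UserInfo is what goes back to the API server; RBAC "kind: Group" subjects match on Groups.
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}

// TokenReview mirrors the parts of authentication.k8s.io/v1 TokenReview a webhook
// needs: the API server POSTs spec.token and reads status back.
type TokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct{ Token string `json:"token"` } `json:"spec"`
	Status     struct {
		Authenticated bool      `json:"authenticated"`
		User          *UserInfo `json:"user,omitempty"`
		Error         string    `json:"error,omitempty"`
	} `json:"status"`
}

// TokenResolver stands in for the GitHub /user and /user/teams lookups; teams are "org/team-slug".
type TokenResolver func(token string) (login string, teams []string, ok bool)

// TeamsToGroups maps teams of one GitHub org to Kubernetes group names. Other
// orgs' teams are dropped; the "github:" prefix can never collide with system:* groups.
func TeamsToGroups(org string, teams []string) []string {
	groups := make([]string, 0, len(teams))
	for _, t := range teams {
		if strings.HasPrefix(t, org+"/") {
			groups = append(groups, "github:"+strings.TrimPrefix(t, org+"/"))
		}
	}
	return groups
}

// Handler serves the webhook: decode the TokenReview, resolve the token, answer with
// login and team-derived groups. Unknown tokens get authenticated=false; malformed bodies get 400.
func Handler(resolve TokenResolver, org string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var review TokenReview
		if err := json.NewDecoder(r.Body).Decode(&review); err != nil || review.Spec.Token == "" {
			http.Error(w, "malformed TokenReview", http.StatusBadRequest)
			return
		}
		resp := TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview"}
		if login, teams, ok := resolve(review.Spec.Token); ok {
			resp.Status.Authenticated = true
			resp.Status.User = &UserInfo{Username: login, Groups: TeamsToGroups(org, teams)}
		} else {
			resp.Status.Error = "token not recognised"
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	}
}

// Review plays the API server's side in memory: POST a TokenReview carrying token to h, decode the answer.
func Review(h http.Handler, token string) (TokenReview, error) {
	req := TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview"}
	req.Spec.Token = token
	body, _ := json.Marshal(req)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/authenticate", bytes.NewReader(body)))
	var resp TokenReview
	if rec.Code != http.StatusOK {
		return resp, fmt.Errorf("webhook returned HTTP %d", rec.Code)
	}
	return resp, json.Unmarshal(rec.Body.Bytes(), &resp)
}

// Constructed stand-in for GitHub, following the talk's example table (not real tokens).
var sampleLogins = map[string]string{"ghp_potsbo_example": "potsbo", "ghp_deploybot_example": "deploybot"}
var sampleTeams = map[string][]string{
	"potsbo":    {"wantedly/infrastructure", "wantedly/intern-short", "other-org/admins"},
	"deploybot": {"wantedly/deployer"},
}

func SampleResolver(token string) (string, []string, bool) {
	login, ok := sampleLogins[token]
	return login, sampleTeams[login], ok
}

func main() {
	h := Handler(SampleResolver, "wantedly")
	for _, tok := range []string{"ghp_potsbo_example", "ghp_deploybot_example", "ghp_revoked_example"} {
		resp, err := Review(h, tok)
		fmt.Printf("%-22s authenticated=%-5v user=%+v err=%v\n", tok, resp.Status.Authenticated, resp.Status.User, err)
	}
}
```

With this mapping, the `potsbo / intern-short / view` row of the table becomes a ClusterRoleBinding from the group `github:intern-short` to the `view` ClusterRole, and the team membership itself stays managed in GitHub. Two things to keep in view when running such a webhook: the API server points at it through `--authentication-token-webhook-config-file` and caches each answer for `--authentication-token-webhook-cache-ttl`, so removing someone from a team only takes effect once that TTL expires, which argues for keeping it short; and the handler must only accept the token over TLS, since the GitHub token is the credential itself.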
  7. Stay on the company's existing GitHub flow: just send a GitHub Token from kubectl, and RBAC grants anyone, even interns, exactly the permissions they need. The GitHub settings that Corporate already maintains can be used as they are.

    The result of seriously rethinking the best authentication flow for Kubernetes.