
Kubernetes RBAC in microservices


Talk at Mercari Meetup for Microservices Platform: https://mercari.connpass.com/event/92168/

Explained how we (will) use RBAC in microservices architecture at Mercari, inc.


Seigo Uchida

July 19, 2018


Transcript

  1. (slide 7) What is Kubernetes RBAC? "A method of regulating access to computer or network resources based on the roles of individual users within an enterprise." https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  2. (slide 8) Role based?
     • User based: easy but inefficient
     • Team based: intermediate
     • Role based: efficient but not easy
  3. (slide 15) Cluster scoped resources (diagram labels): “pods”, “deployments”, “configmaps”, “secrets”, “namespaces”, “resourcequotas”, “nodes”
  4. (slide 16) Roles example: a Role that can read pods in the default namespace

     ```yaml
     kind: Role
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       namespace: default
       name: pod-reader
     rules:
     - apiGroups: [""] # "" indicates the core API group
       resources: ["pods"]
       verbs: ["get", "watch", "list"]
     ```
  5. (slide 17) ClusterRoles example: a ClusterRole that can read pods in all namespaces

     ```yaml
     kind: ClusterRole
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       # "namespace" is not required
       name: global-pod-reader
     rules:
     - apiGroups: [""] # "" indicates the core API group
       resources: ["pods"]
       verbs: ["get", "watch", "list"]
     ```
  6. (slide 22) RoleBinding example: spesnova can read pods in the default namespace

     ```yaml
     kind: RoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: read-pods
       namespace: default
     subjects:
     - kind: User
       name: spesnova@example.com
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: Role
       name: pod-reader
       apiGroup: rbac.authorization.k8s.io
     ```
  7. (slide 23) RoleBinding example: spesnova can read pods in the default namespace (a RoleBinding to a ClusterRole still grants access only within the binding's namespace)

     ```yaml
     kind: RoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: read-pods
       namespace: default
     subjects:
     - kind: User
       name: spesnova@example.com
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: ClusterRole
       name: global-pod-reader
       apiGroup: rbac.authorization.k8s.io
     ```
  8. (slide 24) RoleBinding example: spesnova can read pods in all namespaces

     ```yaml
     kind: ClusterRoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: read-pods
       # "namespace" is not required
     subjects:
     - kind: User
       name: spesnova@example.com
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: ClusterRole
       name: global-pod-reader
       apiGroup: rbac.authorization.k8s.io
     ```
  9. (slide 26) Default ClusterRoles / admin: allows read/write access to most resources in a namespace, including the ability to create roles and rolebindings within the namespace. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  10. (slide 27) Default ClusterRoles / edit: allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  11. (slide 28) Default ClusterRoles / view: allows read-only access to see most objects in a namespace. It does not allow viewing roles or rolebindings. It does not allow viewing secrets, since those are escalating. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  12. (slide 29) How to test RBAC settings? Impersonate the user and ask the API server:

      ```shell
      $ kubectl auth can-i get pods \
          --namespace=default \
          --as=spesnova@example.com
      yes
      ```
  13. (slide 31) Authentication in GKE (details skipped because of the time limit): Google OAuth2 (OpenID Connect token authentication)
  14. (slide 38) I was in an organization with 1000+ engineers. Small responsibility makes people low performers.
  15. (slide 51) Namespace per microservice (diagram): microservice A, B and C run in namespace A, B and C of one Kubernetes cluster.
  16. (slide 52) Namespace and team per microservice (diagram): microservice A, B and C in namespace A, B and C, owned by team A, B and C.
  17. (slide 54) Give namespace-admin = end-to-end ownership (diagram): microservice A, B and C in namespace A, B and C, owned by team A, B and C.
  18. (slide 55) Give namespace-admin = end-to-end ownership (diagram): the same layout, with RoleBinding A, B and C connecting each team to its own namespace.
  19. (slide 56) RoleBinding example: hello team members are namespace admins in the hello namespace

      ```yaml
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: service-admins
        namespace: hello
      subjects:
      - kind: User
        name: spesnova@example.com
        apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: ClusterRole
        name: admin
        apiGroup: rbac.authorization.k8s.io
      ```
  20. (slide 58) Microservice diversity (diagram): in namespace A, team A / service admins manage Roles, RoleBindings, Secrets, Deployments and ConfigMaps; ClusterRoleBinding “admins”.
  21. (slide 59) Some teams want “read-only” (diagram): in namespace A, team A / service viewers see Deployments and ConfigMaps; ClusterRoleBinding “viewers”.
  22. (slide 60) RoleBinding example: some members have namespace view in the hello namespace

      ```yaml
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: service-viewers
        namespace: hello
      subjects:
      - kind: User
        name: dtan4@example.com
        apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: ClusterRole
        name: view
        apiGroup: rbac.authorization.k8s.io
      ```
  23. (slide 61) Some teams want to restrict RBAC editing (diagram): in namespace A, team A / service editors manage Deployments, ConfigMaps and Secrets but not RBAC objects; ClusterRoleBinding “editors”.
  24. (slide 62) RoleBinding example: some members have namespace edit in the hello namespace

      ```yaml
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: service-editors
        namespace: hello
      subjects:
      - kind: User
        name: babarot@example.com
        apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: ClusterRole
        name: edit
        apiGroup: rbac.authorization.k8s.io
      ```
  25. (slide 65) But... avoid creating custom roles as far as possible (RBAC rabbit hole). Even the built-in admin role is large:

      ```shell
      $ kubectl get clusterroles/admin -o yaml | wc -l
      457
      ```

      457 lines of YAML!!
  26. (slide 68) Namespace and team per microservice (diagram, repeated from slide 52): microservice A, B and C in namespace A, B and C, owned by team A, B and C.
  27. (slide 73) Keep each component simple. If multiple services/teams share one namespace, RBAC becomes much more complicated.
  28. (slide 75) Microservice Starter Kit: an internal Terraform module to reduce the provisioning burden on developers and manage infrastructure as code. https://speakerdeck.com/b4b4r07/terraform-ops-for-microservices?slide=13
  29. (slides 76-77) Automate RoleBindings creation with microservice-starter-kit (WIP): the module takes the team members per access level and creates the RoleBindings

      ```hcl
      module "hello-service" {
        ...
        service_admins = [
          "spesnova@example.com",
          "tcnksm@example.com",
          "b4b4r07@example.com",
        ]
        ...
        service_editors = [
          "dtan4@example.com",
        ]
        ...
        service_viewers = [
          "terry@example.com",
        ]
      }
      ```
  31. (slide 78) Automate RoleBindings creation with microservice-starter-kit (WIP) (diagram): microservice A, B and C in namespace A, B and C, owned by team A, B and C, with RoleBinding A, B and C generated by the module.
  32. (slide 81) Recap: Delegation, Simplicity, Tools. Keep the RBAC policy as simple as possible; delegate enough permission to teams; handle the complexity with tools.
  33. End
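As an added example (not the starter kit's own code, whose Terraform internals the deck does not show), this turns the slides' service_admins / service_editors / service_viewers lists into the namespace-scoped RoleBindings of slides 56, 60 and 62 and lints them against the two rules the talk argues for: RoleBindings only (no ClusterRoleBindings for team ownership) and the built-in admin/edit/view ClusterRoles only (no custom roles). The key-to-role mapping, the binding names and the JSON List output are assumptions.

```python
"""Added example (not Mercari's starter kit): turn a hello-service style
config into namespace-scoped RoleBindings, then lint them. Assumed mapping:
service_admins/editors/viewers -> built-in ClusterRoles admin/edit/view."""
import json

ROLE_FOR_KEY = {"service_admins": "admin",     # built-in ClusterRoles only,
                "service_editors": "edit",     # no custom roles (slide 65)
                "service_viewers": "view"}

def role_binding(namespace, name, users, cluster_role):
    """One RoleBinding granting `cluster_role` to `users` in `namespace` only."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",          # not ClusterRoleBinding: stays in the namespace
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "User", "name": u,
                      "apiGroup": "rbac.authorization.k8s.io"} for u in sorted(users)],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }

def bindings_for_service(namespace, config):
    """service-admins / service-editors / service-viewers bindings; empty lists skipped."""
    return [role_binding(namespace, key.replace("_", "-"), config[key], role)
            for key, role in ROLE_FOR_KEY.items() if config.get(key)]

def check_bindings(bindings):
    """Lint: every binding namespace-scoped and bound to admin/edit/view only."""
    findings = []
    for b in bindings:
        name, ref = b["metadata"]["name"], b["roleRef"]
        if b["kind"] != "RoleBinding" or not b["metadata"].get("namespace"):
            findings.append(f"{name}: not scoped to a namespace")
        if ref["kind"] != "ClusterRole" or ref["name"] not in ROLE_FOR_KEY.values():
            findings.append(f"{name}: references non-default role {ref['name']}")
    return findings

# Constructed config mirroring the slides' hello-service module.
HELLO = {"service_admins": ["spesnova@example.com", "tcnksm@example.com",
                            "b4b4r07@example.com"],
         "service_editors": ["dtan4@example.com"],
         "service_viewers": ["terry@example.com"]}

if __name__ == "__main__":
    docs = bindings_for_service("hello", HELLO)
    assert not check_bindings(docs)
    # kubectl apply -f accepts a JSON List as well as YAML
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": docs}, indent=2))
```

The printed List can be piped to `kubectl apply -f -`, and `kubectl auth can-i --as=<user> -n hello` (slide 29) verifies the result from the API server's side.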