Kubernetes RBAC in microservices

Mercari Meetup for Microservices Platform, Jul 19, 2018
Kubernetes RBAC in microservices

View Slide

2
About me
@spesnova
SRE at Mercari Microservices Platform team
Kubernetes Tokyo Community Organizer

View Slide

3
Agenda
1. AuthN/Z in Kubernetes
2. Design Principles
3. RBAC Policy

View Slide

AuthN/Z in Kubernetes

View Slide

What is Kubernetes RBAC?

View Slide

6
Role Based Access Control

View Slide

7
a method of regulating access to computer or
network resources based on the roles of
individual users within an enterprise
https://kubernetes.io/docs/reference/access-authn-authz/rbac/

View Slide

8
Role based?
● User based - easy but inefficient
● Team based - intermediate
● Role based - efficient but not easy

View Slide

9
4 Objects in Kubernetes RBAC
Roles
ClusterRoles
RoleBindings
ClusterRoleBindings

View Slide

Roles and ClusterRoles

View Slide

11
Roles and ClusterRoles
Roles
ClusterRoles
Verbs
Resources
Verbs
Resources

View Slide

12
Verbs
Verbs
“create”
“get”, “list”
“update”
“patch”
“delete”, “deletecollection”
“watch”

View Slide

13
Resources
Resources
“pods”
“deployments”
“configmaps”
“secrets”
“namespaces”
“resourcequotas”
“nodes”

View Slide

14
Namespace scoped resources
Namespace scoped
resources
“pods”
“deployments”
“configmaps”
“secrets”
“namespaces”
“nodes”

View Slide

15
Cluster scoped resources
Cluster scoped
resources
“pods”
“deployments”
“configmaps”
“secrets”
“namespaces”
“nodes”

View Slide

16
Roles example - a role can read pods in default namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]

View Slide

17
ClusterRoles example - a clusterrole can read pods in all namespaces
kind: ClusterRole
metadata:
# “namespace” is not required
name: global-pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]

View Slide

RoleBindingss
and
ClusterRoleBindings

View Slide

19
4 Objects in Kubernetes RBAC
Roles
ClusterRoles
RoleBindings
ClusterRoleBindings

View Slide

20
RoleBindings and ClusterRoleBindings
RoleBindings
ClusterRoleBindings
Role/ClusterRole
Subjects
ClusterRole
Subjects

View Slide

21
Subjects
Subjects
“User”
“Group”
“ServiceAccount”

View Slide

22
RoleBinding example - spesnova can read pods in default namespace
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: [email protected]
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader

View Slide

23
RoleBinding example - spesnova can read pods in default namespace
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
roleRef:
kind: ClusterRole

View Slide

24
RoleBinding example - spesnova can read pods in all namespace
kind: ClusterRoleBinding
metadata:
name: read-pods
# “namespace” is not required
subjects:
- kind: User
roleRef:
kind: ClusterRole

View Slide

Default ClusterRoles

View Slide

26
Default ClusterRoles / admin
Allows read/write access to most resources
in a namespace, including the ability to create
roles and rolebindings within the namespace.

View Slide

27
Default ClusterRoles / edit
Allows read/write access to most objects in a
namespace. It does not allow viewing or
modifying roles or rolebindings.

View Slide

28
Default ClusterRoles / view
Allows read-only access to see most objects
in a namespace. It does not allow viewing
roles or rolebindings. It does not allow
viewing secrets, since those are escalating.

View Slide

29
How to test RBAC settings?
$ kubectl auth can-i get pods /
--namespace=default /
[email protected]
yes

View Slide

Authentication in GKE

View Slide

31
Authentication in GKE (skip details because of time limitation)
Google OAuth2
(OpenID Connect Tokens authentication)

View Slide

Design Principles

View Slide

End-to-End Ownership

View Slide

34
The purpose of microservices
Getting agility at large scale org&system

View Slide

35
The purpose of microservices
How to get agility?
How to make people high-performer?

View Slide

With Great power comes great responsibility

View Slide

Great power requires
great responsibility

View Slide

38
I was in an organization holding 1000+ engineers
Small responsibility makes
people low-performer

View Slide

39
Great responsibility means...
End-to-End ownership

View Slide

40
Our platform mission
Build system & organization which
people have E2E ownership

View Slide

Hide complexity behind infrastructure

View Slide

42
Microservices architecture itself
is already complicated

View Slide

43
Microservices architecture

View Slide

44
Microservices architecture
Each microservices become simple
but operations become complex

View Slide

45
Keep each components simple

View Slide

46
Make each RBAC policy simple
Handle the complexity with tools

View Slide

RBAC Policy

View Slide

Namespace/Team per microservices

View Slide

49
Our microservices conventions
Team per microservice
Namespace per microservice

View Slide

50
microservice A microservice B microservice C
Kubernetes Cluster

View Slide

51
namespace A namespace B namespace C
Kubernetes Cluster

View Slide

52
Namespace and Team per microservice
Kubernetes Cluster
team A team B team C

View Slide

Give namespace-admin

View Slide

54
Give namespace-admin = End-to-End ownership
Kubernetes Cluster

View Slide

55
Give namespace-admin = End-to-End ownership
Kubernetes Cluster
RoleBiding A RoleBiding B RoleBiding C

View Slide

56
RoleBinding example - hello team members are namespace admin in hello ns
kind: RoleBinding
metadata:
name: service-admins
namespace: hello
subjects:
- kind: User
roleRef:
kind: ClusterRole
name: admin

View Slide

Microservice diversity

View Slide

58
Roles
namespace A
Kubernetes Cluster
team A / service Admins
RoleBindings
Secrets
Deployments
ConfigMaps
ClusterRoleBiding admins

View Slide

59
Some teams want “read-only”
namespace A
Kubernetes Cluster
team A / service Viewers
Deployments
ConfigMaps
ClusterRoleBiding viewers

View Slide

60
RoleBinding example - some members are namespace view in hello namespace
kind: RoleBinding
metadata:
name: service-viewers
namespace: hello
subjects:
- kind: User
roleRef:
kind: ClusterRole
name: view

View Slide

61
Some teams want to restrict RBAC editing
namespace A
Kubernetes Cluster
team A / service Editors
Deployments
ConfigMaps
ClusterRoleBiding editors
Secrets

View Slide

62
RoleBinding example - some members are namespace edit in hello namespace
kind: RoleBinding
metadata:
name: service-editors
namespace: hello
subjects:
- kind: User
roleRef:
kind: ClusterRole
name: edit

View Slide

63
Using default ClusterRoles
Accept diversity but keep it simple

View Slide

64
If required, they can create custom roles

View Slide

65
But...avoid to create custom role as possible (RBAC rabbit hole)
$ kubectl get clusterroles/admin -o yaml | wc -l
457
457 lines yaml !!

View Slide

Handle complexity with tools

View Slide

67
Our microservices conventions
Team per microservice

View Slide

68
Namespace and Team per microservice
Kubernetes Cluster

View Slide

69
Namespace and Team per microservice, then...
So many namespaces and teams!!

View Slide

70
We aim to have 200+ microservices
Impossible to create
hundreds RoleBindings by hand

View Slide

71
Too many namespaces and teams?
No, it is intended

View Slide

72

View Slide

73
If multiple services/teams in a namespace,
RBAC must become much more complicated

View Slide

74

View Slide

75
Microservice Starter Kit
An internal Terraform module to reduce
provisioning burdun from developers and
manage infrastructure as code
https://speakerdeck.com/b4b4r07/terraform-ops-for-microservices?slide=13

View Slide

76
Automate RoleBindings creation with microservice-starter-kit (WIP)
module “hello-service” {
...
service_admins = [
"[email protected]",
]
...

View Slide

77
…
service_editors = [
]
…
service_viewers = [
]

View Slide

78
Kubernetes Cluster
RoleBiding A RoleBiding B RoleBiding C

View Slide

79
Need to implement kubernetes_rolebinding Terraform resource (WIP)
No official resource!

View Slide

Recap

View Slide

81
Recap
Delegation
Simplicity Tools
Keep RBAC policy
simple as possible
Delegate enough
permission to teams
Handle complexity
with tools

View Slide

End

View Slide

Kubernetes RBAC in microservices

Kubernetes RBAC in microservices

Seigo Uchida

More Decks by Seigo Uchida

Other Decks in Technology

Featured

Transcript