Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes の認証・認可と RBAC
Search
Takashi Kusumi
April 20, 2017
Technology
9
3.2k
Kubernetes の認証・認可と RBAC
Kubernetes Meetup Tokyo #4
https://k8sjp.connpass.com/event/53737/
Takashi Kusumi
April 20, 2017
Tweet
Share
More Decks by Takashi Kusumi
See All by Takashi Kusumi
Recap: eBPF セッションつまみ食い / eBPF sessions @ KubeCon EU 2023
tksm
1
3.7k
Unit Testing for Prometheus Rules
tksm
7
3.1k
Z Lab の教育への取組 / Cloud Native Education Efforts at Z Lab
tksm
7
1.5k
Recap: Securing Kubernetes with Admission Controllers
tksm
2
1.6k
Istio Mutual TLS
tksm
0
740
Debugging Applications in Kubernetes
tksm
16
4.2k
Kubernetes with Prometheus
tksm
5
2.5k
Kubernetes v1.7 の主な変更点 / Kubernetes v1.7 features
tksm
0
1.6k
kubectl apply の仕組み / How kubectl apply works
tksm
1
9.8k
Other Decks in Technology
See All in Technology
Figma + Storybook + PlaywrightのMCPを使ったフロントエンド開発
yug1224
10
3.4k
退屈なことはDevinにやらせよう〜〜Devin APIを使ったVisual Regression Testの自動追加〜
kawamataryo
4
920
浸透しなさいRFC 5322&7208
hinono
0
130
Jaws-ug名古屋_LT資料_20250829
azoo2024
3
190
AI時代に非連続な成長を実現するエンジニアリング戦略
sansantech
PRO
2
760
実践アプリケーション設計 ①データモデルとドメインモデル
recruitengineers
PRO
5
1.2k
DeNA での思い出 / Memories at DeNA
orgachem
PRO
6
1.9k
Preferred Networks (PFN) とLLM Post-Training チームの紹介 / 第4回 関東Kaggler会 スポンサーセッション
pfn
PRO
1
280
Vault meets Kubernetes
mochizuki875
0
140
AIとTDDによるNext.js「隙間ツール」開発の実践
makotot
6
790
おやつは300円まで!の最適化を模索してみた
techtekt
PRO
0
160
Yahoo!ニュースにおけるソフトウェア開発
lycorptech_jp
PRO
0
560
Featured
See All Featured
KATA
mclloyd
32
14k
Building an army of robots
kneath
306
46k
The Straight Up "How To Draw Better" Workshop
denniskardys
236
140k
The Language of Interfaces
destraynor
160
25k
How to Think Like a Performance Engineer
csswizardry
26
1.8k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.8k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
A designer walks into a library…
pauljervisheath
207
24k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.5k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.4k
Transcript
,VCFSOFUFTך钠鏾٥钠〳ה3#"$ 5BLBTIJ,VTVNJ ;-BC
钠鏾ה钠〳הכ Ӝ 钠鏾 "VUIFOUJDBUJPO"VUI/ ِ٦ؠך劤➂䚍然钠ׅ ⢽*%1BTTXPSEדBMJDFהְֲِ٦ؠ陎ⴽ٥然钠ׅ Ӝ 钠〳 "VUIPSJ[BUJPO"VUI;
ِ٦ؠח㼎ׅٔا٦أך،ؙإأ埄ꣲⵖ䖴遤ֲ ⢽BMJDFהְֲِ٦ؠכ1PEך铣《埄ꣲַָ֮
钠鏾٥钠〳כ"1*4FSWFSד遤 controllers master components scheduler etcd API Server kubelet
kube-proxy node 1 kubelet kube-proxy node 2 LVCFMFU kube-proxy node 3 Users
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠鏾 "VUI/
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
,VCFSOFUFTךِ٦ؠ Ӝ 4FSWJDF"DDPVOU ,VCFSOFUFTָ盖椚ׅ،فٔ؛٦ءّٝ欽،ؕؐٝز 1PEⰻַ"1*4FSWFSח،ؙإأׅꥷחⵃ欽דֹ ؙٓأة㢩鿇ד$*זוך،ؕؐٝزה׃גⵃ欽〳腉 Ӝ 6TFS"DDPVOU ➂ךך،ؕؐٝز ,VCFSOFUFTך盖椚㢩կ钠鏾فؚٓ؎ٝ鸐׃ג㢩鿇ד盖椚
钠鏾倯䒭 Ӝ 9ؙٓ؎،ٝز鏾僇剅 Ӝ 涸ز٦ؙٝؿ؋؎ٕ Ӝ ـ٦زأزٓحفز٦ؙٝ Ӝ 涸ػأٙ٦سؿ؋؎ٕ Ӝ
4FSWJDF"DDPVOU Ӝ 0QFO*%$POOFDU Ӝ 8FCIPPL Ӝ 钠鏾فؙٗء٦ Ӝ ,FZ4UPOF 0QFO4UBDL ぐ倯䒭ד钠鏾遤ְِ٦ؠせהؚٕ٦فせזוך䞔㜠《䖤ׅ
4FSWJDF"DDPVOU Ӝ ぐOBNFTQBDFכEFGBVMUהְֲ4FSWJDF"DDPVOUָ荈⹛涸ח⡲ ծぐ1PEחךز٦ָؙٝوؐٝزׁגְ 1PEⰻַ"1*4FSWFSח،ؙإأדֹ״ֲחזגְ Ӝ LVCFDUMDSFBUFTB/".&הְֲ؝وٝسד知⽃ח⡲䧭דֹ 4FSWJDF"DDPVOUכOBNFTQBDFⰻח⡲ Ӝ 荈⹛涸ח+85䕎䒭ךز٦ָؙٝ⡲
ؙٓأة㢩鿇ַ$*זוך،ؕؐٝزה׃גⵃ欽〳腉
9ؙٓ؎،ٝز鏾僇剅 Certificate: Data: ... Validity Not Before: Apr 16
02:14:52 2017 GMT Not After : Apr 16 02:14:52 2018 GMT Subject: O=system:masters, CN=minikube "1*4FSWFSךDMJFOUDBMFؔفءّٝד$"䭷㹀 0 0SHBOJ[BUJPO ָؚٕ٦فせծ$/ $PNNPO/BNF ָِ٦ؠせ
0QFO*%$POOFDU Ӝ 0QFO*%$POOFDUך*%UPLFOِ٦ؠ䞔㜠ה׃גⵃ欽ׅ (PPHMFזו㢩鿇ך*EFOUJUZ1SPWJEFS⢪欽〳腉 Ӝ וךDMBJNِ٦ؠせծؚٕ٦فせה׃ג⢪ֲַ䭷㹀ׅ رؿٕؓزדכFNBJM FNBJM@WFSJFEָ䗳銲 ָِ٦ؠせ Ӝ
植朐כ*%SFGSFTIUPLFOכⴽך䩛媮ד《䖤ׅ䗳銲ָ֮
"OPOZNPVTSFRVFTU Ӝ דכرؿٕؓزד⼡せ،ؙإأָ剣⸬ 钠鏾ָ鸐זֻג钠〳ח鹌 "1*4FSWFSךBOPOZNPVTBVUIؔفءّٝד㢌刿〳 Ӝ "1*4FSWFSךقٕأثؑحؙװغ٦آّٝ䞔㜠כ3#"$ךرؿؓ ٕزד⼡せِ٦ؠח鏩〳ׁגְ TZTUFNEJTDPWFSZ
Ӝ ⼡せِ٦ؠכ⟃♴ךِ٦ؠ䞔㜠הז ِ٦ؠせTZTUFNBOPOZNPVT ؚٕ٦فせTZTUFNVOBVUIFOUJDBUFE
钠〳 "VUI;
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠〳فؚٓ؎ٝ Ӝ 3PMF#BTFE"DDFTT$POUSPM 3#"$ Ӝ "UUSJCVUF#BTFE"DDFTT$POUSPM "#"$ Ӝ
8FCIPPL Ӝ "MXBZT"MMPX"MXBZT%FOZ 钠鏾فؚٓ؎ٝד《䖤׃ِ٦ؠせծؚٕ٦فせה،ؙإأؙׅٔ ؒأز䞔㜠⯋ח،ؙإأⵖ䖴遤ֲկ
ؙٔؒأز䞔㜠 BVUIPSJ[PS"UUSJCVUFT Ӝ ِ٦ؠ䞔㜠 OBNF HSPVQTזו Ӝ "1*ٔا٦أַやַ Ӝ
ؙٔؒأزךػأ䞔㜠 Ӝ 乼⡲珏ⴽ WFSC)551.FUIPE HFU DSFBUF VQEBUF瘝 Ӝ ٔا٦أ珏ⴽ Ӝ ؟ـٔا٦أ珏ⴽ Ӝ ؔـآؙؑزせ Ӝ "1*ؚٕ٦ف Ӝ "1*غ٦آّٝ
"1*3FTPVSDFͱ/PO3FTPVSDF63- Ӝ "1*3FTPVSDF ,VCFSOFUFT♳ד䪔1PE 4FSWJDFזוך䞔㜠 "1*ؚٕ٦فהְֲؚٕ٦فך嚊䙀䭯א ♧鿇כ؟ـٔا٦أ QPETFYFD QPETMPH 䭯א
Ӝ /PO3FTPVSDF63- غ٦آّٝ䞔㜠ך《䖤װقٕأثؑحؙזוח⢪63- IFBMUI[ WFSTJPOזוָ鑩䔲ׅ
"1*4FSWFSפךؙٔؒأز $ kubectl get --namespace myns pods mypod GET
https://.../api/v1/namespaces/myns/pods/mypod Accept: application/json Authorization: Bearer eyJ...Ptw # 認証情報 ...
3PMF#BTFE"DDFTT$POUSPM Ӝ WדCFUBחז رؿٕؓزךهٔء٦ָ欽䠐ׁ״ֲחז Ӝ W儗挿ד"#"$כ涸ז䞔㜠׃ַ盖椚דֹזְծ⹛涸ז، ؙإأⵖ䖴遤ֲחכ3#"$ַ8FCIPPL鼅䫛ׅ䕎חז Ӝ ٗ٦ٕ㹀纏׃ծחِ٦ؠ秡➰ֽ䕎䒭 ٗ٦ٕך㹀纏$MVTUFS3PMF3PMF
ٗ٦ٕך秡➰ֽ$MVTUFS3PMF#JOEJOH3PMF#JOEJOH
ٗ٦ٕך㹀纏ה秡➰ֽ pod-reader pod-reader Role RoleBinding 6TFS (SPVQٗ٦ٕח秡➰ֽ וךٔا٦أח⡦ָדַֹ ⢽1PEח㼎׃ג铣《鏩〳
⢽BMJDFחQPESFBEFSٗ٦ٕ➰♷
ٗ٦ٕך㹀纏 3PMF 1PEח㼎׃גEFGBVMUط٦يأل٦أךHFUXBUDIMJTU鏩〳ׅ kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace:
default name: pod-reader rules: # ルールは複数書ける - apiGroups: [""] # Core グループ resources: ["pods"] # リソース verbs: ["get", "watch", "list"] # 読み取り権限
ٗ٦ٕך秡➰ֽ 3PMF#JOEJOH kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods
namespace: default subjects: - kind: User name: alice # alice を紐付ける apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader # 紐付けるのは pod-reader ロール apiGroup: rbac.authorization.k8s.io
ؙٓأة⽃⡘ךٗ٦ٕ Ӝ 3PMFה$MVTUFS3PMFךאָ֮ 3PMFכOBNFTQBDFח秡בֻ $MVTUFS3PMFכؙٓأة VOOBNFTQBDFE ח秡בֻ /PEF 1FSTJTUFOU7PMVNFהְؙٓأةٔا٦أך埄ꣲ ♷ִ
Ӝ 3PMF#JOEJOHה$MVTUFS3PMF#JOEJOHず圫 3PMF#JOEJOHד$MVTUFS3PMFח秡➰ֽֿהדֹ
رؿٕؓزهٔء٦ W Ӝ Wדرؿٕؓزך3#"$هٔء٦ָ鷄⸇ׁ Ӝ ءأذيך؝ٝه٦طٝزָ⢪ֲٗ٦ٕ LVCFTDIFEVMFS LVCFQSPYZזוָ⢪ֲ㼔欽ٗ٦ٕ Ӝ ِ٦ؠָ害欽涸ח⢪ִٗ٦ٕ
盖椚罏埄ꣲ BENJO ծ铣《埄ꣲ WJFX הְ害欽ٗ٦ٕ
害欽涸זرؿٕؓز$MVUFS3PMF DMVTUFSBENJO ؙٓأةךⰋ埄ꣲ盖椚罏埄ꣲկ رؿٕؓزדTZTUFNNBTUFSTָ秡➰ֽגְ BENJO OBNFTQBDFⰻך盖椚罏埄ꣲ FEJU OBNFTQBDFⰻך铣剅ֹ埄ꣲ 3PMF3PMF#JOEJOHחꟼׅ埄ꣲכ䭯זְ
WJFX OBNFTQBDFⰻך铣《埄ꣲ 4FDSFUך铣《埄ꣲכ䭯זְ
%FNP
"ENJTTJPO$POUSPMMFS
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
"ENJTTJPO$POUSPMMFS Ӝ 圫ղזؙٔؒأزךⵖ䖴遤ֲ堣腉 ؙٔؒأزךؔـآؙؑز䞔㜠剅ֹ䳔ִծ䞔㜠ח״ג 䬧や׃ׅ "1*4FSWFSךBENJTTJPODPOUSPMؔفءّٝד醱侧䭷㹀 Ӝ ⢽"MXBZT1VMM*NBHFT 1PEך*NBHF1VMM1PMJDZ荈⹛ד"MXBZTח鏣㹀ׅ Ӝ
⢽4FSWJDF"DDPVOU 4FSWJDF"DDPVOUךء٦ؙٖحز䞔㜠荈⹛דوؐٝزׅ
"ENJTTJPO$POUSPMMFSך♧鋮 Ӝ "MXBZT"ENJU Ӝ "MXBZT1VMM*NBHFT Ӝ "MXBZT%FOZ Ӝ %FOZ&TDBMBUJOH&YFD
Ӝ *NBHF1PMJDZ8FCIPPL Ӝ 4FSWJDF"DDPVOU Ӝ 4FDVSJUZ$POUFYU%FOZ Ӝ 3FTPVSDF2VPUB Ӝ -JNJU3BOHFS Ӝ *OJUJBM3FTPVSDFT Ӝ /BNFTQBDF-JGFDZDMF Ӝ %FGBVMU4UPSBHF$MBTT Ӝ %FGBVMU5PMFSBUJPO4FDPOET Ӝ 1PE4FDVSJUZ1PMJDZ
湊叨 "VEJU
湊叨 "VEJU Ӝ W儗挿דכ㛇劤涸ז湊叨ؚٗ⳿⸂ָ㹋鄲ׁגְ "1*4FSWFSחBVEJUMPHQBUIؔفءّٝד⳿⸂⯓䭷㹀 Ӝ ،ؙإأ遤ד⳿⸂ׁ չְאպչ铩ָպչ⡦պչוֲ乼⡲׃ַպ չוֲ乼⡲׃ַպ鿇ⴓכ植朐כ)551.FUIPEך䞔㜠ך Ӝ
״鑫稢ז䞔㜠חאְגכ➙䖓㹋鄲✮㹀ך垷圫 չؔـآؙؑزָוֲ㢌刿ַׁպ 8*1"EWBODFEBVEJUQSPQPTBM
湊叨ؚٗך⳿⸂䞔㜠 Ӝ ְא 5; Ӝ 铩ָ JQVTFSNJOJLVCFHSPVQT=TZTUFNNBTUFST= =TZTUFNBVUIFOUJDBUFE=BTTFMGBTHSPVQTMPPLVQ Ӝ ⡦
OBNFTQBDFEFGBVMUVSJBQJTFYUFOTJPOTWCFUBOBNFTQBDFT EFGBVMUEFQMPZNFOUT Ӝ וֲ乼⡲׃ַ NFUIPE1045
钠鏾٥钠〳ך孡חז13JTTVF
,VCFDUMMPHJOTVCDPNNBOE Ӝ &SJD$IJBOHׁ $PSF04 Ӝ LVCFDUMך؟ـ؝وٝسד湫䱸ؚٗ؎ٝ׃גؙٖرٝءٍٕ《 䖤ׅ Ӝ 1SPQPTBMכو٦آ幥
Ӝ IUUQTHJUIVCDPNLVCFSOFUFTGFBUVSFTJTTVFT
8*1"EWBODFEBVEJUQSPQPTBM Ӝ .BDJFK4[VMJLׁ 3FE)BU Ӝ ״넝䏝ז湊叨ؚٗחꟼׅQSPQPTBM Ӝ 圓鸡⻉ؚٗװչؔـآؙؑزָוֲ㢌刿ַׁպזוך䲿周 Ӝ
IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZQVMM
תה Ӝ ,VCFSOFUFTכׁתׂתז钠鏾ה钠〳ח㼎䘔 钠鏾٥钠〳כⴽؿؑ٦ؤד遤⦐ⴽח鏣㹀דֹ Ӝ 钠鏾4FSWJDF"DDPVOU Yؙٓ؎،ٝز鏾僇剅ծ0*%$ Ӝ 钠〳דכ3PMF#BTFE"DDFT$POUSPM 3#"$
ָؔأأً Wד害欽涸זرؿٕؓزهٔء٦ָ欽䠐ׁ
8FBSFIJSJOH IUUQT[MBCDPKQ