Kubernetes の認証・認可と RBAC

,VCFSOFUFTך钠鏾٥钠〳ה3#"$ 5BLBTIJ,VTVNJ ;-BC

钠鏾ה钠〳הכ Ӝ 钠鏾 "VUIFOUJDBUJPO"VUI/ ِ٦ؠך劤➂䚍׾然钠ׅ׷ ⢽*%1BTTXPSEדBMJDFהְֲِ٦ؠ׾陎ⴽ٥然钠ׅ׷ Ӝ 钠〳 "VUIPSJ[BUJPO"VUI;
ِ٦ؠח㼎ׅ׷ٔا٦أך،ؙإأ埄ꣲⵖ䖴׾遤ֲ ⢽BMJDFהְֲِ٦ؠכ1PEך铣׫《׶埄ꣲָ֮׷ַ

钠鏾٥钠〳כ"1*4FSWFSד遤׻׸׷ controllers master components scheduler etcd API Server kubelet
kube-proxy node 1 kubelet kube-proxy node 2 LVCFMFU kube-proxy node 3 Users

钠鏾٥钠〳ך崧׸ 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ׾《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴

钠鏾 "VUI/

,VCFSOFUFTךِ٦ؠ Ӝ 4FSWJDF"DDPVOU ,VCFSOFUFTָ盖椚ׅ׷،فٔ؛٦ءّٝ欽،ؕؐٝز 1PEⰻַ׵"1*4FSWFSח،ؙإأׅ׷ꥷחⵃ欽דֹ׷ ؙٓأة㢩鿇ד׮$*זוך،ؕؐٝزה׃גⵃ欽〳腉 Ӝ 6TFS"DDPVOU ➂꟦ך׋׭ך،ؕؐٝز ,VCFSOFUFTך盖椚㢩կ钠鏾فؚٓ؎ٝ׾鸐׃ג㢩鿇ד盖椚

钠鏾倯䒭 Ӝ 9ؙٓ؎،ٝز鏾僇剅 Ӝ ꫼涸ز٦ؙٝؿ؋؎ٕ Ӝ ـ٦زأزٓحفز٦ؙٝ Ӝ ꫼涸ػأٙ٦سؿ؋؎ٕ Ӝ
4FSWJDF"DDPVOU Ӝ 0QFO*%$POOFDU Ӝ 8FCIPPL Ӝ 钠鏾فؙٗء٦ Ӝ ,FZ4UPOF 0QFO4UBDL ぐ倯䒭ד钠鏾׾遤ְِ٦ؠせהؚٕ٦فせזוך䞔㜠׾《䖤ׅ׷

4FSWJDF"DDPVOU Ӝ ぐOBNFTQBDFכEFGBVMUהְֲ4FSWJDF"DDPVOUָ荈⹛涸ח⡲׵ ׸ծぐ1PEח׉ךز٦ָؙٝوؐٝزׁ׸גְ׷ 1PEⰻַ׵"1*4FSWFSח،ؙإأדֹ׷״ֲחז׏גְ׷ Ӝ LVCFDUMDSFBUFTB/".&הְֲ؝وٝسד知⽃ח⡲䧭דֹ׷ 4FSWJDF"DDPVOUכOBNFTQBDFⰻח⡲׵׸׷ Ӝ 荈⹛涸ח+85䕎䒭ךز٦ָؙٝ⡲׵׸׷
ؙٓأة㢩鿇ַ׵׮$*זוך،ؕؐٝزה׃גⵃ欽〳腉

9ؙٓ؎،ٝز鏾僇剅 Certificate: Data: ... Validity Not Before: Apr 16
02:14:52 2017 GMT Not After : Apr 16 02:14:52 2018 GMT Subject: O=system:masters, CN=minikube "1*4FSWFSךDMJFOUDBMFؔفءّٝד$"׾䭷㹀 0 0SHBOJ[BUJPO ָؚٕ٦فせծ$/ $PNNPO/BNF ָِ٦ؠせ

0QFO*%$POOFDU Ӝ 0QFO*%$POOFDUך*%UPLFO׾ِ٦ؠ䞔㜠ה׃גⵃ欽ׅ׷ (PPHMFזו㢩鿇ך*EFOUJUZ1SPWJEFS׾⢪欽〳腉 Ӝ וךDMBJN׾ِ٦ؠせծؚٕ٦فせה׃ג⢪ֲַ䭷㹀ׅ׷ رؿٕؓزדכFNBJM FNBJM@WFSJFEָ䗳銲 ָِ٦ؠせ Ӝ
植朐כ*%SFGSFTIUPLFOכⴽך䩛媮ד《䖤ׅ׷䗳銲ָ֮׷

"OPOZNPVTSFRVFTU Ӝ דכرؿٕؓزד⼡せ،ؙإأָ剣⸬ 钠鏾ָ鸐׵זֻג׮钠〳ח鹌׬ "1*4FSWFSךBOPOZNPVTBVUIؔفءّٝד㢌刿〳 Ӝ "1*4FSWFSךقٕأثؑحؙװغ٦آّٝ䞔㜠כ3#"$ךرؿؓ ٕزד⼡せِ٦ؠח鏩〳ׁ׸גְ׷ TZTUFNEJTDPWFSZ
Ӝ ⼡せِ٦ؠכ⟃♴ךِ٦ؠ䞔㜠הז׷ ِ٦ؠせTZTUFNBOPOZNPVT ؚٕ٦فせTZTUFNVOBVUIFOUJDBUFE

钠〳 "VUI;

钠〳فؚٓ؎ٝ Ӝ 3PMF#BTFE"DDFTT$POUSPM 3#"$ Ӝ "UUSJCVUF#BTFE"DDFTT$POUSPM "#"$ Ӝ
8FCIPPL Ӝ "MXBZT"MMPX"MXBZT%FOZ 钠鏾فؚٓ؎ٝד《䖤׃׋ِ٦ؠせծؚٕ٦فせה،ؙإأׅ׷ؙٔ ؒأز䞔㜠׾⯋ח،ؙإأⵖ䖴׾遤ֲկ

ؙٔؒأز䞔㜠 BVUIPSJ[PS"UUSJCVUFT Ӝ ِ٦ؠ䞔㜠 OBNF HSPVQTזו Ӝ "1*ٔا٦أַやַ Ӝ
ؙٔؒأزךػأ䞔㜠 Ӝ 乼⡲珏ⴽ WFSC)551.FUIPE HFU DSFBUF VQEBUF瘝 Ӝ ٔا٦أ珏ⴽ Ӝ ؟ـٔا٦أ珏ⴽ Ӝ ؔـآؙؑزせ Ӝ "1*ؚٕ٦ف Ӝ "1*غ٦آّٝ

"1*3FTPVSDFͱ/PO3FTPVSDF63- Ӝ "1*3FTPVSDF ,VCFSOFUFT♳ד䪔׻׸׷1PE 4FSWJDFזוך䞔㜠 "1*ؚٕ٦فהְֲؚٕ٦فך嚊䙀׾䭯א ♧鿇כ؟ـٔا٦أ QPETFYFD QPETMPH ׾䭯א
Ӝ /PO3FTPVSDF63- غ٦آّٝ䞔㜠ך《䖤װقٕأثؑحؙזוח⢪׻׸׷63- IFBMUI[ WFSTJPOזוָ鑩䔲ׅ׷

"1*4FSWFSפךؙٔؒأز $ kubectl get --namespace myns pods mypod GET
https://.../api/v1/namespaces/myns/pods/mypod Accept: application/json Authorization: Bearer eyJ...Ptw # 認証情報 ...

3PMF#BTFE"DDFTT$POUSPM Ӝ WדCFUBחז׏׋ رؿٕؓزךهٔء٦ָ欽䠐ׁ׸׷״ֲחז׏׋ Ӝ W儗挿ד"#"$כ꫼涸ז䞔㜠׃ַ盖椚דֹזְ׋׭ծ⹛涸ז، ؙإأⵖ䖴׾遤ֲחכ3#"$ַ8FCIPPL׾鼅䫛ׅ׷䕎חז׷ Ӝ ٗ٦ٕ׾㹀纏׃ծ׉׸חِ٦ؠ׾秡➰ֽ׷䕎䒭 ٗ٦ٕך㹀纏$MVTUFS3PMF3PMF
ٗ٦ٕך秡➰ֽ$MVTUFS3PMF#JOEJOH3PMF#JOEJOH

ٗ٦ٕך㹀纏ה秡➰ֽ pod-reader pod-reader Role RoleBinding 6TFS (SPVQ׾ٗ٦ٕח秡➰ֽ׷ וךٔا٦أח⡦ָדֹ׷ַ ⢽1PEח㼎׃ג铣׫《׶׾鏩〳
⢽BMJDFחQPESFBEFSٗ٦ٕ׾➰♷

ٗ٦ٕך㹀纏 3PMF 1PEח㼎׃גEFGBVMUط٦يأل٦أךHFUXBUDIMJTU׾鏩〳ׅ׷ kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace:
default name: pod-reader rules: # ルールは複数書ける - apiGroups: [""] # Core グループ resources: ["pods"] # リソース verbs: ["get", "watch", "list"] # 読み取り権限

ٗ٦ٕך秡➰ֽ 3PMF#JOEJOH kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods
namespace: default subjects: - kind: User name: alice # alice を紐付ける apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader # 紐付けるのは pod-reader ロール apiGroup: rbac.authorization.k8s.io

ؙٓأة⽃⡘ךٗ٦ٕ Ӝ 3PMFה$MVTUFS3PMFךאָ֮׷ 3PMFכOBNFTQBDFח秡בֻ $MVTUFS3PMFכؙٓأة VOOBNFTQBDFE ח秡בֻ /PEF 1FSTJTUFOU7PMVNFהְ׏׋ؙٓأةٔا٦أך埄ꣲ׮ ♷ִ׵׸׷
Ӝ 3PMF#JOEJOHה$MVTUFS3PMF#JOEJOH׮ず圫 3PMF#JOEJOHד$MVTUFS3PMFח秡➰ֽ׷ֿה׮דֹ׷

رؿٕؓزهٔء٦ W Ӝ Wדرؿٕؓزך3#"$هٔء٦ָ鷄⸇ׁ׸׋ Ӝ ءأذيך؝ٝه٦طٝزָ⢪ֲٗ٦ٕ LVCFTDIFEVMFS LVCFQSPYZזוָ⢪ֲ㼔欽ٗ٦ٕ Ӝ ِ٦ؠָ害欽涸ח⢪ִ׷ٗ٦ٕ
盖椚罏埄ꣲ BENJO ծ铣׫《׶埄ꣲ WJFX הְ׏׋害欽ٗ٦ٕ

害欽涸זرؿٕؓز$MVUFS3PMF DMVTUFSBENJO ؙٓأةךⰋ埄ꣲ׾׮׏׋盖椚罏埄ꣲկ رؿٕؓزדTZTUFNNBTUFSTָ秡➰ֽ׵׸גְ׷ BENJO OBNFTQBDFⰻך盖椚罏埄ꣲ FEJU OBNFTQBDFⰻך铣׫剅ֹ埄ꣲ 3PMF3PMF#JOEJOHחꟼׅ׷埄ꣲכ䭯׋זְ
WJFX OBNFTQBDFⰻך铣׫《׶埄ꣲ 4FDSFUך铣׫《׶埄ꣲכ䭯׋זְ

"ENJTTJPO$POUSPMMFS

"ENJTTJPO$POUSPMMFS Ӝ 圫ղזؙٔؒأزךⵖ䖴׾遤ֲ堣腉 ؙٔؒأزךؔـآؙؑز䞔㜠׾剅ֹ䳔ִ׋׶ծ䞔㜠ח״׏ג 䬧や׃׋׶ׅ׷ "1*4FSWFSךBENJTTJPODPOUSPMؔفءّٝד醱侧䭷㹀 Ӝ ⢽"MXBZT1VMM*NBHFT 1PEך*NBHF1VMM1PMJDZ׾荈⹛ד"MXBZTח鏣㹀ׅ׷ Ӝ
⢽4FSWJDF"DDPVOU 4FSWJDF"DDPVOUךء٦ؙٖحز䞔㜠׾荈⹛דوؐٝزׅ׷

"ENJTTJPO$POUSPMMFSך♧鋮 Ӝ "MXBZT"ENJU Ӝ "MXBZT1VMM*NBHFT Ӝ "MXBZT%FOZ Ӝ %FOZ&TDBMBUJOH&YFD
Ӝ *NBHF1PMJDZ8FCIPPL Ӝ 4FSWJDF"DDPVOU Ӝ 4FDVSJUZ$POUFYU%FOZ Ӝ 3FTPVSDF2VPUB Ӝ -JNJU3BOHFS Ӝ *OJUJBM3FTPVSDFT Ӝ /BNFTQBDF-JGFDZDMF Ӝ %FGBVMU4UPSBHF$MBTT Ӝ %FGBVMU5PMFSBUJPO4FDPOET Ӝ 1PE4FDVSJUZ1PMJDZ

湊叨 "VEJU

湊叨 "VEJU Ӝ W儗挿דכ㛇劤涸ז湊叨ؚٗ⳿⸂ָ㹋鄲ׁ׸גְ׷ "1*4FSWFSחBVEJUMPHQBUIؔفءّٝד⳿⸂⯓׾䭷㹀 Ӝ ،ؙإأ遤ד⳿⸂ׁ׸׷ չְאպչ铩ָպչ⡦׾պչוֲ乼⡲׃׋ַպ չוֲ乼⡲׃׋ַպ鿇ⴓכ植朐כ)551.FUIPEך䞔㜠ך׫ Ӝ
״׶鑫稢ז䞔㜠חאְגכ➙䖓㹋鄲✮㹀ך垷圫 չؔـآؙؑزָוֲ㢌刿ׁ׸׋ַպ 8*1"EWBODFEBVEJUQSPQPTBM

湊叨ؚٗך⳿⸂䞔㜠 Ӝ ְא 5; Ӝ 铩ָ JQVTFSNJOJLVCFHSPVQT=TZTUFNNBTUFST= =TZTUFNBVUIFOUJDBUFE=BTTFMGBTHSPVQTMPPLVQ Ӝ ⡦׾
OBNFTQBDFEFGBVMUVSJBQJTFYUFOTJPOTWCFUBOBNFTQBDFT EFGBVMUEFQMPZNFOUT Ӝ וֲ乼⡲׃׋ַ NFUIPE1045

钠鏾٥钠〳ך孡חז׷13JTTVF

,VCFDUMMPHJOTVCDPNNBOE Ӝ &SJD$IJBOHׁ׿ $PSF04 Ӝ LVCFDUMך؟ـ؝وٝسד湫䱸ؚٗ؎ٝ׃גؙٖرٝءٍٕ׾《䖤ׅ׷ Ӝ 1SPQPTBMכو٦آ幥׫
Ӝ IUUQTHJUIVCDPNLVCFSOFUFTGFBUVSFTJTTVFT

8*1"EWBODFEBVEJUQSPQPTBM Ӝ .BDJFK4[VMJLׁ׿ 3FE)BU Ӝ ״׶넝䏝ז湊叨ؚٗחꟼׅ׷QSPQPTBM Ӝ 圓鸡⻉ؚٗװչؔـآؙؑزָוֲ㢌刿ׁ׸׋ַպזוך䲿周 Ӝ
IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZQVMM

תה׭ Ӝ ,VCFSOFUFTכׁתׂתז钠鏾ה钠〳ח㼎䘔钠鏾٥钠〳כⴽؿؑ٦ؤד遤׻׸⦐ⴽח鏣㹀דֹ׷ Ӝ 钠鏾4FSWJDF"DDPVOU Yؙٓ؎،ٝز鏾僇剅ծ0*%$ Ӝ 钠〳דכ3PMF#BTFE"DDFT$POUSPM 3#"$
ָؔأأً Wד害欽涸זرؿٕؓزهٔء٦ָ欽䠐ׁ׸׋

8FBSFIJSJOH IUUQT[MBCDPKQ

Kubernetes の認証・認可と RBAC

Kubernetes の認証・認可と RBAC

More Decks by Takashi Kusumi

Other Decks in Technology

Featured

Transcript