Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes の認証・認可と RBAC
Search
Takashi Kusumi
April 20, 2017
Technology
9
3.1k
Kubernetes の認証・認可と RBAC
Kubernetes Meetup Tokyo #4
https://k8sjp.connpass.com/event/53737/
Takashi Kusumi
April 20, 2017
Tweet
Share
More Decks by Takashi Kusumi
See All by Takashi Kusumi
Recap: eBPF セッションつまみ食い / eBPF sessions @ KubeCon EU 2023
tksm
1
3.6k
Unit Testing for Prometheus Rules
tksm
6
2.8k
Z Lab の教育への取組 / Cloud Native Education Efforts at Z Lab
tksm
7
1.5k
Recap: Securing Kubernetes with Admission Controllers
tksm
2
1.5k
Istio Mutual TLS
tksm
0
700
Debugging Applications in Kubernetes
tksm
16
4.1k
Kubernetes with Prometheus
tksm
5
2.4k
Kubernetes v1.7 の主な変更点 / Kubernetes v1.7 features
tksm
0
1.6k
kubectl apply の仕組み / How kubectl apply works
tksm
1
9.7k
Other Decks in Technology
See All in Technology
デジタルアイデンティティ人材育成推進ワーキンググループ 翻訳サブワーキンググループ 活動報告 / 20250114-OIDF-J-EduWG-TranslationSWG
oidfj
0
530
re:Invent2024 KeynoteのAmazon Q Developer考察
yusukeshimizu
1
150
30分でわかる「リスクから学ぶKubernetesコンテナセキュリティ」/30min-k8s-container-sec
mochizuki875
3
450
Visual StudioとかIDE関連小ネタ話
kosmosebi
1
370
[IBM TechXchange Dojo]Watson Discoveryとwatsonx.aiでRAGを実現!座学①
siyuanzh09
0
110
Accessibility Inspectorを活用した アプリのアクセシビリティ向上方法
hinakko
0
180
AWSの生成AIサービス Amazon Bedrock入門!(2025年1月版)
minorun365
PRO
7
470
信頼されるためにやったこと、 やらなかったこと。/What we did to be trusted, What we did not do.
bitkey
PRO
0
2.2k
月間60万ユーザーを抱える 個人開発サービス「Walica」の 技術スタック変遷
miyachin
1
140
2024AWSで個人的にアツかったアップデート
nagisa53
1
110
Amazon Q Developerで.NET Frameworkプロジェクトをモダナイズしてみた
kenichirokimura
1
200
今から、 今だからこそ始める Terraform で Azure 管理 / Managing Azure with Terraform: The Perfect Time to Start
nnstt1
0
240
Featured
See All Featured
Designing Experiences People Love
moore
139
23k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
We Have a Design System, Now What?
morganepeng
51
7.3k
YesSQL, Process and Tooling at Scale
rocio
170
14k
Agile that works and the tools we love
rasmusluckow
328
21k
Docker and Python
trallard
43
3.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
Testing 201, or: Great Expectations
jmmastey
41
7.2k
Making Projects Easy
brettharned
116
6k
4 Signs Your Business is Dying
shpigford
182
22k
Transcript
,VCFSOFUFTך钠鏾٥钠〳ה3#"$ 5BLBTIJ,VTVNJ ;-BC
钠鏾ה钠〳הכ Ӝ 钠鏾 "VUIFOUJDBUJPO"VUI/ ِ٦ؠך劤➂䚍然钠ׅ ⢽*%1BTTXPSEדBMJDFהְֲِ٦ؠ陎ⴽ٥然钠ׅ Ӝ 钠〳 "VUIPSJ[BUJPO"VUI;
ِ٦ؠח㼎ׅٔا٦أך،ؙإأ埄ꣲⵖ䖴遤ֲ ⢽BMJDFהְֲِ٦ؠכ1PEך铣《埄ꣲַָ֮
钠鏾٥钠〳כ"1*4FSWFSד遤 controllers master components scheduler etcd API Server kubelet
kube-proxy node 1 kubelet kube-proxy node 2 LVCFMFU kube-proxy node 3 Users
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠鏾 "VUI/
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
,VCFSOFUFTךِ٦ؠ Ӝ 4FSWJDF"DDPVOU ,VCFSOFUFTָ盖椚ׅ،فٔ؛٦ءّٝ欽،ؕؐٝز 1PEⰻַ"1*4FSWFSח،ؙإأׅꥷחⵃ欽דֹ ؙٓأة㢩鿇ד$*זוך،ؕؐٝزה׃גⵃ欽〳腉 Ӝ 6TFS"DDPVOU ➂ךך،ؕؐٝز ,VCFSOFUFTך盖椚㢩կ钠鏾فؚٓ؎ٝ鸐׃ג㢩鿇ד盖椚
钠鏾倯䒭 Ӝ 9ؙٓ؎،ٝز鏾僇剅 Ӝ 涸ز٦ؙٝؿ؋؎ٕ Ӝ ـ٦زأزٓحفز٦ؙٝ Ӝ 涸ػأٙ٦سؿ؋؎ٕ Ӝ
4FSWJDF"DDPVOU Ӝ 0QFO*%$POOFDU Ӝ 8FCIPPL Ӝ 钠鏾فؙٗء٦ Ӝ ,FZ4UPOF 0QFO4UBDL ぐ倯䒭ד钠鏾遤ְِ٦ؠせהؚٕ٦فせזוך䞔㜠《䖤ׅ
4FSWJDF"DDPVOU Ӝ ぐOBNFTQBDFכEFGBVMUהְֲ4FSWJDF"DDPVOUָ荈⹛涸ח⡲ ծぐ1PEחךز٦ָؙٝوؐٝزׁגְ 1PEⰻַ"1*4FSWFSח،ؙإأדֹ״ֲחזגְ Ӝ LVCFDUMDSFBUFTB/".&הְֲ؝وٝسד知⽃ח⡲䧭דֹ 4FSWJDF"DDPVOUכOBNFTQBDFⰻח⡲ Ӝ 荈⹛涸ח+85䕎䒭ךز٦ָؙٝ⡲
ؙٓأة㢩鿇ַ$*זוך،ؕؐٝزה׃גⵃ欽〳腉
9ؙٓ؎،ٝز鏾僇剅 Certificate: Data: ... Validity Not Before: Apr 16
02:14:52 2017 GMT Not After : Apr 16 02:14:52 2018 GMT Subject: O=system:masters, CN=minikube "1*4FSWFSךDMJFOUDBMFؔفءّٝד$"䭷㹀 0 0SHBOJ[BUJPO ָؚٕ٦فせծ$/ $PNNPO/BNF ָِ٦ؠせ
0QFO*%$POOFDU Ӝ 0QFO*%$POOFDUך*%UPLFOِ٦ؠ䞔㜠ה׃גⵃ欽ׅ (PPHMFזו㢩鿇ך*EFOUJUZ1SPWJEFS⢪欽〳腉 Ӝ וךDMBJNِ٦ؠせծؚٕ٦فせה׃ג⢪ֲַ䭷㹀ׅ رؿٕؓزדכFNBJM FNBJM@WFSJFEָ䗳銲 ָِ٦ؠせ Ӝ
植朐כ*%SFGSFTIUPLFOכⴽך䩛媮ד《䖤ׅ䗳銲ָ֮
"OPOZNPVTSFRVFTU Ӝ דכرؿٕؓزד⼡せ،ؙإأָ剣⸬ 钠鏾ָ鸐זֻג钠〳ח鹌 "1*4FSWFSךBOPOZNPVTBVUIؔفءّٝד㢌刿〳 Ӝ "1*4FSWFSךقٕأثؑحؙװغ٦آّٝ䞔㜠כ3#"$ךرؿؓ ٕزד⼡せِ٦ؠח鏩〳ׁגְ TZTUFNEJTDPWFSZ
Ӝ ⼡せِ٦ؠכ⟃♴ךِ٦ؠ䞔㜠הז ِ٦ؠせTZTUFNBOPOZNPVT ؚٕ٦فせTZTUFNVOBVUIFOUJDBUFE
钠〳 "VUI;
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠〳فؚٓ؎ٝ Ӝ 3PMF#BTFE"DDFTT$POUSPM 3#"$ Ӝ "UUSJCVUF#BTFE"DDFTT$POUSPM "#"$ Ӝ
8FCIPPL Ӝ "MXBZT"MMPX"MXBZT%FOZ 钠鏾فؚٓ؎ٝד《䖤׃ِ٦ؠせծؚٕ٦فせה،ؙإأؙׅٔ ؒأز䞔㜠⯋ח،ؙإأⵖ䖴遤ֲկ
ؙٔؒأز䞔㜠 BVUIPSJ[PS"UUSJCVUFT Ӝ ِ٦ؠ䞔㜠 OBNF HSPVQTזו Ӝ "1*ٔا٦أַやַ Ӝ
ؙٔؒأزךػأ䞔㜠 Ӝ 乼⡲珏ⴽ WFSC)551.FUIPE HFU DSFBUF VQEBUF瘝 Ӝ ٔا٦أ珏ⴽ Ӝ ؟ـٔا٦أ珏ⴽ Ӝ ؔـآؙؑزせ Ӝ "1*ؚٕ٦ف Ӝ "1*غ٦آّٝ
"1*3FTPVSDFͱ/PO3FTPVSDF63- Ӝ "1*3FTPVSDF ,VCFSOFUFT♳ד䪔1PE 4FSWJDFזוך䞔㜠 "1*ؚٕ٦فהְֲؚٕ٦فך嚊䙀䭯א ♧鿇כ؟ـٔا٦أ QPETFYFD QPETMPH 䭯א
Ӝ /PO3FTPVSDF63- غ٦آّٝ䞔㜠ך《䖤װقٕأثؑحؙזוח⢪63- IFBMUI[ WFSTJPOזוָ鑩䔲ׅ
"1*4FSWFSפךؙٔؒأز $ kubectl get --namespace myns pods mypod GET
https://.../api/v1/namespaces/myns/pods/mypod Accept: application/json Authorization: Bearer eyJ...Ptw # 認証情報 ...
3PMF#BTFE"DDFTT$POUSPM Ӝ WדCFUBחז رؿٕؓزךهٔء٦ָ欽䠐ׁ״ֲחז Ӝ W儗挿ד"#"$כ涸ז䞔㜠׃ַ盖椚דֹזְծ⹛涸ז، ؙإأⵖ䖴遤ֲחכ3#"$ַ8FCIPPL鼅䫛ׅ䕎חז Ӝ ٗ٦ٕ㹀纏׃ծחِ٦ؠ秡➰ֽ䕎䒭 ٗ٦ٕך㹀纏$MVTUFS3PMF3PMF
ٗ٦ٕך秡➰ֽ$MVTUFS3PMF#JOEJOH3PMF#JOEJOH
ٗ٦ٕך㹀纏ה秡➰ֽ pod-reader pod-reader Role RoleBinding 6TFS (SPVQٗ٦ٕח秡➰ֽ וךٔا٦أח⡦ָדַֹ ⢽1PEח㼎׃ג铣《鏩〳
⢽BMJDFחQPESFBEFSٗ٦ٕ➰♷
ٗ٦ٕך㹀纏 3PMF 1PEח㼎׃גEFGBVMUط٦يأل٦أךHFUXBUDIMJTU鏩〳ׅ kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace:
default name: pod-reader rules: # ルールは複数書ける - apiGroups: [""] # Core グループ resources: ["pods"] # リソース verbs: ["get", "watch", "list"] # 読み取り権限
ٗ٦ٕך秡➰ֽ 3PMF#JOEJOH kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods
namespace: default subjects: - kind: User name: alice # alice を紐付ける apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader # 紐付けるのは pod-reader ロール apiGroup: rbac.authorization.k8s.io
ؙٓأة⽃⡘ךٗ٦ٕ Ӝ 3PMFה$MVTUFS3PMFךאָ֮ 3PMFכOBNFTQBDFח秡בֻ $MVTUFS3PMFכؙٓأة VOOBNFTQBDFE ח秡בֻ /PEF 1FSTJTUFOU7PMVNFהְؙٓأةٔا٦أך埄ꣲ ♷ִ
Ӝ 3PMF#JOEJOHה$MVTUFS3PMF#JOEJOHず圫 3PMF#JOEJOHד$MVTUFS3PMFח秡➰ֽֿהדֹ
رؿٕؓزهٔء٦ W Ӝ Wדرؿٕؓزך3#"$هٔء٦ָ鷄⸇ׁ Ӝ ءأذيך؝ٝه٦طٝزָ⢪ֲٗ٦ٕ LVCFTDIFEVMFS LVCFQSPYZזוָ⢪ֲ㼔欽ٗ٦ٕ Ӝ ِ٦ؠָ害欽涸ח⢪ִٗ٦ٕ
盖椚罏埄ꣲ BENJO ծ铣《埄ꣲ WJFX הְ害欽ٗ٦ٕ
害欽涸זرؿٕؓز$MVUFS3PMF DMVTUFSBENJO ؙٓأةךⰋ埄ꣲ盖椚罏埄ꣲկ رؿٕؓزדTZTUFNNBTUFSTָ秡➰ֽגְ BENJO OBNFTQBDFⰻך盖椚罏埄ꣲ FEJU OBNFTQBDFⰻך铣剅ֹ埄ꣲ 3PMF3PMF#JOEJOHחꟼׅ埄ꣲכ䭯זְ
WJFX OBNFTQBDFⰻך铣《埄ꣲ 4FDSFUך铣《埄ꣲכ䭯זְ
%FNP
"ENJTTJPO$POUSPMMFS
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
"ENJTTJPO$POUSPMMFS Ӝ 圫ղזؙٔؒأزךⵖ䖴遤ֲ堣腉 ؙٔؒأزךؔـآؙؑز䞔㜠剅ֹ䳔ִծ䞔㜠ח״ג 䬧や׃ׅ "1*4FSWFSךBENJTTJPODPOUSPMؔفءّٝד醱侧䭷㹀 Ӝ ⢽"MXBZT1VMM*NBHFT 1PEך*NBHF1VMM1PMJDZ荈⹛ד"MXBZTח鏣㹀ׅ Ӝ
⢽4FSWJDF"DDPVOU 4FSWJDF"DDPVOUךء٦ؙٖحز䞔㜠荈⹛דوؐٝزׅ
"ENJTTJPO$POUSPMMFSך♧鋮 Ӝ "MXBZT"ENJU Ӝ "MXBZT1VMM*NBHFT Ӝ "MXBZT%FOZ Ӝ %FOZ&TDBMBUJOH&YFD
Ӝ *NBHF1PMJDZ8FCIPPL Ӝ 4FSWJDF"DDPVOU Ӝ 4FDVSJUZ$POUFYU%FOZ Ӝ 3FTPVSDF2VPUB Ӝ -JNJU3BOHFS Ӝ *OJUJBM3FTPVSDFT Ӝ /BNFTQBDF-JGFDZDMF Ӝ %FGBVMU4UPSBHF$MBTT Ӝ %FGBVMU5PMFSBUJPO4FDPOET Ӝ 1PE4FDVSJUZ1PMJDZ
湊叨 "VEJU
湊叨 "VEJU Ӝ W儗挿דכ㛇劤涸ז湊叨ؚٗ⳿⸂ָ㹋鄲ׁגְ "1*4FSWFSחBVEJUMPHQBUIؔفءّٝד⳿⸂⯓䭷㹀 Ӝ ،ؙإأ遤ד⳿⸂ׁ չְאպչ铩ָպչ⡦պչוֲ乼⡲׃ַպ չוֲ乼⡲׃ַպ鿇ⴓכ植朐כ)551.FUIPEך䞔㜠ך Ӝ
״鑫稢ז䞔㜠חאְגכ➙䖓㹋鄲✮㹀ך垷圫 չؔـآؙؑزָוֲ㢌刿ַׁպ 8*1"EWBODFEBVEJUQSPQPTBM
湊叨ؚٗך⳿⸂䞔㜠 Ӝ ְא 5; Ӝ 铩ָ JQVTFSNJOJLVCFHSPVQT=TZTUFNNBTUFST= =TZTUFNBVUIFOUJDBUFE=BTTFMGBTHSPVQTMPPLVQ Ӝ ⡦
OBNFTQBDFEFGBVMUVSJBQJTFYUFOTJPOTWCFUBOBNFTQBDFT EFGBVMUEFQMPZNFOUT Ӝ וֲ乼⡲׃ַ NFUIPE1045
钠鏾٥钠〳ך孡חז13JTTVF
,VCFDUMMPHJOTVCDPNNBOE Ӝ &SJD$IJBOHׁ $PSF04 Ӝ LVCFDUMך؟ـ؝وٝسד湫䱸ؚٗ؎ٝ׃גؙٖرٝءٍٕ《 䖤ׅ Ӝ 1SPQPTBMכو٦آ幥
Ӝ IUUQTHJUIVCDPNLVCFSOFUFTGFBUVSFTJTTVFT
8*1"EWBODFEBVEJUQSPQPTBM Ӝ .BDJFK4[VMJLׁ 3FE)BU Ӝ ״넝䏝ז湊叨ؚٗחꟼׅQSPQPTBM Ӝ 圓鸡⻉ؚٗװչؔـآؙؑزָוֲ㢌刿ַׁպזוך䲿周 Ӝ
IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZQVMM
תה Ӝ ,VCFSOFUFTכׁתׂתז钠鏾ה钠〳ח㼎䘔 钠鏾٥钠〳כⴽؿؑ٦ؤד遤⦐ⴽח鏣㹀דֹ Ӝ 钠鏾4FSWJDF"DDPVOU Yؙٓ؎،ٝز鏾僇剅ծ0*%$ Ӝ 钠〳דכ3PMF#BTFE"DDFT$POUSPM 3#"$
ָؔأأً Wד害欽涸זرؿٕؓزهٔء٦ָ欽䠐ׁ
8FBSFIJSJOH IUUQT[MBCDPKQ