Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes の認証・認可と RBAC
Search
Takashi Kusumi
April 20, 2017
Technology
9
3.1k
Kubernetes の認証・認可と RBAC
Kubernetes Meetup Tokyo #4
https://k8sjp.connpass.com/event/53737/
Takashi Kusumi
April 20, 2017
Tweet
Share
More Decks by Takashi Kusumi
See All by Takashi Kusumi
Recap: eBPF セッションつまみ食い / eBPF sessions @ KubeCon EU 2023
tksm
1
3.6k
Unit Testing for Prometheus Rules
tksm
6
2.8k
Z Lab の教育への取組 / Cloud Native Education Efforts at Z Lab
tksm
7
1.4k
Recap: Securing Kubernetes with Admission Controllers
tksm
2
1.5k
Istio Mutual TLS
tksm
0
690
Debugging Applications in Kubernetes
tksm
16
4k
Kubernetes with Prometheus
tksm
5
2.4k
Kubernetes v1.7 の主な変更点 / Kubernetes v1.7 features
tksm
0
1.6k
kubectl apply の仕組み / How kubectl apply works
tksm
1
9.7k
Other Decks in Technology
See All in Technology
日本版とグローバル版のモバイルアプリ統合の開発の裏側と今後の展望
miichan
1
130
Amazon Kendra GenAI Index 登場でどう変わる? 評価から学ぶ最適なRAG構成
naoki_0531
0
100
PHPからGoへのマイグレーション for DMMアフィリエイト
yabakokobayashi
1
160
マイクロサービスにおける容易なトランザクション管理に向けて
scalar
0
110
GitHub Copilot のテクニック集/GitHub Copilot Techniques
rayuron
24
11k
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
330
re:Invent 2024 Innovation Talks(NET201)で語られた大切なこと
shotashiratori
0
300
Amazon SageMaker Unified Studio(Preview)、Lakehouse と Amazon S3 Tables
ishikawa_satoru
0
150
生成AIのガバナンスの全体像と現実解
fnifni
1
180
ずっと昔に Star をつけたはずの思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
150
OpenShift Virtualizationのネットワーク構成を真剣に考えてみた/OpenShift Virtualization's Network Configuration
tnk4on
0
130
サイバー攻撃を想定したセキュリティガイドライン 策定とASM及びCNAPPの活用方法
syoshie
3
1.2k
Featured
See All Featured
It's Worth the Effort
3n
183
28k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
510
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
Fashionably flexible responsive web design (full day workshop)
malarkey
405
66k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
28
900
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Unsuck your backbone
ammeep
669
57k
Transcript
,VCFSOFUFTך钠鏾٥钠〳ה3#"$ 5BLBTIJ,VTVNJ ;-BC
钠鏾ה钠〳הכ Ӝ 钠鏾 "VUIFOUJDBUJPO"VUI/ ِ٦ؠך劤➂䚍然钠ׅ ⢽*%1BTTXPSEדBMJDFהְֲِ٦ؠ陎ⴽ٥然钠ׅ Ӝ 钠〳 "VUIPSJ[BUJPO"VUI;
ِ٦ؠח㼎ׅٔا٦أך،ؙإأ埄ꣲⵖ䖴遤ֲ ⢽BMJDFהְֲِ٦ؠכ1PEך铣《埄ꣲַָ֮
钠鏾٥钠〳כ"1*4FSWFSד遤 controllers master components scheduler etcd API Server kubelet
kube-proxy node 1 kubelet kube-proxy node 2 LVCFMFU kube-proxy node 3 Users
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠鏾 "VUI/
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
,VCFSOFUFTךِ٦ؠ Ӝ 4FSWJDF"DDPVOU ,VCFSOFUFTָ盖椚ׅ،فٔ؛٦ءّٝ欽،ؕؐٝز 1PEⰻַ"1*4FSWFSח،ؙإأׅꥷחⵃ欽דֹ ؙٓأة㢩鿇ד$*זוך،ؕؐٝزה׃גⵃ欽〳腉 Ӝ 6TFS"DDPVOU ➂ךך،ؕؐٝز ,VCFSOFUFTך盖椚㢩կ钠鏾فؚٓ؎ٝ鸐׃ג㢩鿇ד盖椚
钠鏾倯䒭 Ӝ 9ؙٓ؎،ٝز鏾僇剅 Ӝ 涸ز٦ؙٝؿ؋؎ٕ Ӝ ـ٦زأزٓحفز٦ؙٝ Ӝ 涸ػأٙ٦سؿ؋؎ٕ Ӝ
4FSWJDF"DDPVOU Ӝ 0QFO*%$POOFDU Ӝ 8FCIPPL Ӝ 钠鏾فؙٗء٦ Ӝ ,FZ4UPOF 0QFO4UBDL ぐ倯䒭ד钠鏾遤ְِ٦ؠせהؚٕ٦فせזוך䞔㜠《䖤ׅ
4FSWJDF"DDPVOU Ӝ ぐOBNFTQBDFכEFGBVMUהְֲ4FSWJDF"DDPVOUָ荈⹛涸ח⡲ ծぐ1PEחךز٦ָؙٝوؐٝزׁגְ 1PEⰻַ"1*4FSWFSח،ؙإأדֹ״ֲחזגְ Ӝ LVCFDUMDSFBUFTB/".&הְֲ؝وٝسד知⽃ח⡲䧭דֹ 4FSWJDF"DDPVOUכOBNFTQBDFⰻח⡲ Ӝ 荈⹛涸ח+85䕎䒭ךز٦ָؙٝ⡲
ؙٓأة㢩鿇ַ$*זוך،ؕؐٝزה׃גⵃ欽〳腉
9ؙٓ؎،ٝز鏾僇剅 Certificate: Data: ... Validity Not Before: Apr 16
02:14:52 2017 GMT Not After : Apr 16 02:14:52 2018 GMT Subject: O=system:masters, CN=minikube "1*4FSWFSךDMJFOUDBMFؔفءّٝד$"䭷㹀 0 0SHBOJ[BUJPO ָؚٕ٦فせծ$/ $PNNPO/BNF ָِ٦ؠせ
0QFO*%$POOFDU Ӝ 0QFO*%$POOFDUך*%UPLFOِ٦ؠ䞔㜠ה׃גⵃ欽ׅ (PPHMFזו㢩鿇ך*EFOUJUZ1SPWJEFS⢪欽〳腉 Ӝ וךDMBJNِ٦ؠせծؚٕ٦فせה׃ג⢪ֲַ䭷㹀ׅ رؿٕؓزדכFNBJM FNBJM@WFSJFEָ䗳銲 ָِ٦ؠせ Ӝ
植朐כ*%SFGSFTIUPLFOכⴽך䩛媮ד《䖤ׅ䗳銲ָ֮
"OPOZNPVTSFRVFTU Ӝ דכرؿٕؓزד⼡せ،ؙإأָ剣⸬ 钠鏾ָ鸐זֻג钠〳ח鹌 "1*4FSWFSךBOPOZNPVTBVUIؔفءّٝד㢌刿〳 Ӝ "1*4FSWFSךقٕأثؑحؙװغ٦آّٝ䞔㜠כ3#"$ךرؿؓ ٕزד⼡せِ٦ؠח鏩〳ׁגְ TZTUFNEJTDPWFSZ
Ӝ ⼡せِ٦ؠכ⟃♴ךِ٦ؠ䞔㜠הז ِ٦ؠせTZTUFNBOPOZNPVT ؚٕ٦فせTZTUFNVOBVUIFOUJDBUFE
钠〳 "VUI;
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
钠〳فؚٓ؎ٝ Ӝ 3PMF#BTFE"DDFTT$POUSPM 3#"$ Ӝ "UUSJCVUF#BTFE"DDFTT$POUSPM "#"$ Ӝ
8FCIPPL Ӝ "MXBZT"MMPX"MXBZT%FOZ 钠鏾فؚٓ؎ٝד《䖤׃ِ٦ؠせծؚٕ٦فせה،ؙإأؙׅٔ ؒأز䞔㜠⯋ח،ؙإأⵖ䖴遤ֲկ
ؙٔؒأز䞔㜠 BVUIPSJ[PS"UUSJCVUFT Ӝ ِ٦ؠ䞔㜠 OBNF HSPVQTזו Ӝ "1*ٔا٦أַやַ Ӝ
ؙٔؒأزךػأ䞔㜠 Ӝ 乼⡲珏ⴽ WFSC)551.FUIPE HFU DSFBUF VQEBUF瘝 Ӝ ٔا٦أ珏ⴽ Ӝ ؟ـٔا٦أ珏ⴽ Ӝ ؔـآؙؑزせ Ӝ "1*ؚٕ٦ف Ӝ "1*غ٦آّٝ
"1*3FTPVSDFͱ/PO3FTPVSDF63- Ӝ "1*3FTPVSDF ,VCFSOFUFT♳ד䪔1PE 4FSWJDFזוך䞔㜠 "1*ؚٕ٦فהְֲؚٕ٦فך嚊䙀䭯א ♧鿇כ؟ـٔا٦أ QPETFYFD QPETMPH 䭯א
Ӝ /PO3FTPVSDF63- غ٦آّٝ䞔㜠ך《䖤װقٕأثؑحؙזוח⢪63- IFBMUI[ WFSTJPOזוָ鑩䔲ׅ
"1*4FSWFSפךؙٔؒأز $ kubectl get --namespace myns pods mypod GET
https://.../api/v1/namespaces/myns/pods/mypod Accept: application/json Authorization: Bearer eyJ...Ptw # 認証情報 ...
3PMF#BTFE"DDFTT$POUSPM Ӝ WדCFUBחז رؿٕؓزךهٔء٦ָ欽䠐ׁ״ֲחז Ӝ W儗挿ד"#"$כ涸ז䞔㜠׃ַ盖椚דֹזְծ⹛涸ז، ؙإأⵖ䖴遤ֲחכ3#"$ַ8FCIPPL鼅䫛ׅ䕎חז Ӝ ٗ٦ٕ㹀纏׃ծחِ٦ؠ秡➰ֽ䕎䒭 ٗ٦ٕך㹀纏$MVTUFS3PMF3PMF
ٗ٦ٕך秡➰ֽ$MVTUFS3PMF#JOEJOH3PMF#JOEJOH
ٗ٦ٕך㹀纏ה秡➰ֽ pod-reader pod-reader Role RoleBinding 6TFS (SPVQٗ٦ٕח秡➰ֽ וךٔا٦أח⡦ָדַֹ ⢽1PEח㼎׃ג铣《鏩〳
⢽BMJDFחQPESFBEFSٗ٦ٕ➰♷
ٗ٦ٕך㹀纏 3PMF 1PEח㼎׃גEFGBVMUط٦يأل٦أךHFUXBUDIMJTU鏩〳ׅ kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace:
default name: pod-reader rules: # ルールは複数書ける - apiGroups: [""] # Core グループ resources: ["pods"] # リソース verbs: ["get", "watch", "list"] # 読み取り権限
ٗ٦ٕך秡➰ֽ 3PMF#JOEJOH kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods
namespace: default subjects: - kind: User name: alice # alice を紐付ける apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader # 紐付けるのは pod-reader ロール apiGroup: rbac.authorization.k8s.io
ؙٓأة⽃⡘ךٗ٦ٕ Ӝ 3PMFה$MVTUFS3PMFךאָ֮ 3PMFכOBNFTQBDFח秡בֻ $MVTUFS3PMFכؙٓأة VOOBNFTQBDFE ח秡בֻ /PEF 1FSTJTUFOU7PMVNFהְؙٓأةٔا٦أך埄ꣲ ♷ִ
Ӝ 3PMF#JOEJOHה$MVTUFS3PMF#JOEJOHず圫 3PMF#JOEJOHד$MVTUFS3PMFח秡➰ֽֿהדֹ
رؿٕؓزهٔء٦ W Ӝ Wדرؿٕؓزך3#"$هٔء٦ָ鷄⸇ׁ Ӝ ءأذيך؝ٝه٦طٝزָ⢪ֲٗ٦ٕ LVCFTDIFEVMFS LVCFQSPYZזוָ⢪ֲ㼔欽ٗ٦ٕ Ӝ ِ٦ؠָ害欽涸ח⢪ִٗ٦ٕ
盖椚罏埄ꣲ BENJO ծ铣《埄ꣲ WJFX הְ害欽ٗ٦ٕ
害欽涸זرؿٕؓز$MVUFS3PMF DMVTUFSBENJO ؙٓأةךⰋ埄ꣲ盖椚罏埄ꣲկ رؿٕؓزדTZTUFNNBTUFSTָ秡➰ֽגְ BENJO OBNFTQBDFⰻך盖椚罏埄ꣲ FEJU OBNFTQBDFⰻך铣剅ֹ埄ꣲ 3PMF3PMF#JOEJOHחꟼׅ埄ꣲכ䭯זְ
WJFX OBNFTQBDFⰻך铣《埄ꣲ 4FDSFUך铣《埄ꣲכ䭯זְ
%FNP
"ENJTTJPO$POUSPMMFS
钠鏾٥钠〳ך崧 钠鏾 "VUI/ 钠〳 "VUI; "ENJTTJPO$POUSPM plugin 1 plugin
2 plugin 3 plugin 1 plugin 2 plugin 3 plugin 1 plugin 2 plugin 3 6TFS*%(SPVQ《䖤 "MMPX%FOZ 圫ղזؙٔؒأزⵖ䖴
"ENJTTJPO$POUSPMMFS Ӝ 圫ղזؙٔؒأزךⵖ䖴遤ֲ堣腉 ؙٔؒأزךؔـآؙؑز䞔㜠剅ֹ䳔ִծ䞔㜠ח״ג 䬧や׃ׅ "1*4FSWFSךBENJTTJPODPOUSPMؔفءّٝד醱侧䭷㹀 Ӝ ⢽"MXBZT1VMM*NBHFT 1PEך*NBHF1VMM1PMJDZ荈⹛ד"MXBZTח鏣㹀ׅ Ӝ
⢽4FSWJDF"DDPVOU 4FSWJDF"DDPVOUךء٦ؙٖحز䞔㜠荈⹛דوؐٝزׅ
"ENJTTJPO$POUSPMMFSך♧鋮 Ӝ "MXBZT"ENJU Ӝ "MXBZT1VMM*NBHFT Ӝ "MXBZT%FOZ Ӝ %FOZ&TDBMBUJOH&YFD
Ӝ *NBHF1PMJDZ8FCIPPL Ӝ 4FSWJDF"DDPVOU Ӝ 4FDVSJUZ$POUFYU%FOZ Ӝ 3FTPVSDF2VPUB Ӝ -JNJU3BOHFS Ӝ *OJUJBM3FTPVSDFT Ӝ /BNFTQBDF-JGFDZDMF Ӝ %FGBVMU4UPSBHF$MBTT Ӝ %FGBVMU5PMFSBUJPO4FDPOET Ӝ 1PE4FDVSJUZ1PMJDZ
湊叨 "VEJU
湊叨 "VEJU Ӝ W儗挿דכ㛇劤涸ז湊叨ؚٗ⳿⸂ָ㹋鄲ׁגְ "1*4FSWFSחBVEJUMPHQBUIؔفءّٝד⳿⸂⯓䭷㹀 Ӝ ،ؙإأ遤ד⳿⸂ׁ չְאպչ铩ָպչ⡦պչוֲ乼⡲׃ַպ չוֲ乼⡲׃ַպ鿇ⴓכ植朐כ)551.FUIPEך䞔㜠ך Ӝ
״鑫稢ז䞔㜠חאְגכ➙䖓㹋鄲✮㹀ך垷圫 չؔـآؙؑزָוֲ㢌刿ַׁպ 8*1"EWBODFEBVEJUQSPQPTBM
湊叨ؚٗך⳿⸂䞔㜠 Ӝ ְא 5; Ӝ 铩ָ JQVTFSNJOJLVCFHSPVQT=TZTUFNNBTUFST= =TZTUFNBVUIFOUJDBUFE=BTTFMGBTHSPVQTMPPLVQ Ӝ ⡦
OBNFTQBDFEFGBVMUVSJBQJTFYUFOTJPOTWCFUBOBNFTQBDFT EFGBVMUEFQMPZNFOUT Ӝ וֲ乼⡲׃ַ NFUIPE1045
钠鏾٥钠〳ך孡חז13JTTVF
,VCFDUMMPHJOTVCDPNNBOE Ӝ &SJD$IJBOHׁ $PSF04 Ӝ LVCFDUMך؟ـ؝وٝسד湫䱸ؚٗ؎ٝ׃גؙٖرٝءٍٕ《 䖤ׅ Ӝ 1SPQPTBMכو٦آ幥
Ӝ IUUQTHJUIVCDPNLVCFSOFUFTGFBUVSFTJTTVFT
8*1"EWBODFEBVEJUQSPQPTBM Ӝ .BDJFK4[VMJLׁ 3FE)BU Ӝ ״넝䏝ז湊叨ؚٗחꟼׅQSPQPTBM Ӝ 圓鸡⻉ؚٗװչؔـآؙؑزָוֲ㢌刿ַׁպזוך䲿周 Ӝ
IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZQVMM
תה Ӝ ,VCFSOFUFTכׁתׂתז钠鏾ה钠〳ח㼎䘔 钠鏾٥钠〳כⴽؿؑ٦ؤד遤⦐ⴽח鏣㹀דֹ Ӝ 钠鏾4FSWJDF"DDPVOU Yؙٓ؎،ٝز鏾僇剅ծ0*%$ Ӝ 钠〳דכ3PMF#BTFE"DDFT$POUSPM 3#"$
ָؔأأً Wד害欽涸זرؿٕؓزهٔء٦ָ欽䠐ׁ
8FBSFIJSJOH IUUQT[MBCDPKQ