SlideShare a Scribd company logo

User authentication and authorizarion in Kubernetes

Neependra Khare
Neependra Khare

User authentication and authorizarion in Kubernetes

Technology
1 of 22
Download to read offline
K8sOM#15 User Authentication and Authorization in Kubernetes Neependra Khare, CloudYuga
About the Speaker - Neependra Khare ● Founder and Principal Consultant at CloudYuga ● Author of Docker Cookbook - 2015 ● Author of “Introduction to Kubernetes” course on Edx ● Running Docker Meetup Group in Bangalore, India for more than 4 years now
Kubernetes Architecture Controller Scheduler API Server key/value store Master Node Node Kubelet kube-proxy Node Kubelet kube-proxy Node Kubelet kube-proxy CLI/API
Kubernetes API Request Authenticaion Can a user to login to the cluster ? Authorization Can a user do requested action ? Admission Control Is it a valid request ? K8s objects
Authentication
Kubernetes Users ● Users are not first class citizen of Kubernetes, like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP
Kubernetes Users ● Users are not first class citizen like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP Normal Users Service Accounts
Normal Users ● Basic Authentication ○ Pass a configutation with content like following to API Server <password>,<username>,<uid>,"<group1,group2>" <password>,<username>,<uid>,"<group1,group3>” ● X.509 Client Certificate ○ Create a user’s Public/Private key combination ○ Get it certified by a CA (Kubernetes CA) ● Bearer Tokens (JSON Web Tokens) ○ OpenID Connect ■ On Top of OAuth 2.0 ○ Webhooks
Service Account ● Think of it as a user, using which a process inside a Pod can access API Server. ● A Service Account with default name, gets created as we create a new namesapce. ● User defined Service Accounts can be created as well, which we can attach to the pod running in same namespace.
Kubeconfig File apiVersion: v1 clusters: - cluster: certificate-authority: /Users/neependra/.minikube/ca.crt server: https://192.168.99.100:8443 name: minikube contexts: - context: cluster: minikube user: minikube name: minikube current-context: minikube kind: Config preferences: {} users: - name: minikube user: client-certificate: /Users/neependra/.minikube/client.crt client-key: /Users/neependra/.minikube/client.key User dev Cluster devContext dev User qa Cluster qaContext qa User prod Cluster prodContext prod
Authentication Demo Workflow nkhare.key (openssl) nkhare.csr (openssl) nkhare-csr (k8s object) nkhare.crt K8s CA
Authentication Demo
Authorization
Kubernetes Authorization Can a User do Requested Action ?
Kubernetes Authorization Can a User do Requested Action ? ● Kubernetes Autorization Modules ○ AlwaysAllow ○ AlwaysDeny ○ Node ○ Attribute Based Access Control (ABAC) ○ Role Based Access Control (RBAC) ○ Webhook
Operations on Kubernetes Objects ● create ● get ● delete ● list ● update ● edit ● patch ● watch ● ….
Role Based Access Control (RBAC) - Roles Role “Applicable to a given namespace only.” kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: cloudyuga name: deployment-manager rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"] ClusterRole “Applicable Cluster Wide.” kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-cluster rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"]
Kubernetes - APIs / /healthz /metrics /api /apis ….. /api/v1 /api/v1/pods /api/v1/nodes /api/v1/services …… /apis/apps /apis/apps/v1 /apis/apps/v1/Deployment /apis/apps/v1/DaemonSet /apis/apps/v1/StatefulSet ……. /apis/apps/v1beta1 /apis/…..
Role Based Access Control (RBAC) - Role Bindings RoleBinding “Applicable to a given namespace only.” ClusterRoleBinding “Applicable Cluster Wide.” Role Subjects - Normal Users - Service Accounts - Groups ClusterRole Subjects - Normal Users - Service Accounts - Groups
Role Based Access Control (RBAC) - Role Bindings RoleBinding kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-binding namespace: cloudyuga subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: Role name: deployment-manager apiGroup: "rbac.authorization.k8s.io" ClusterRoleBinding kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cluster-manager-binding subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: ClusterRole name: deployment-manager-cluster apiGroup: "rbac.authorization.k8s.io"
Authorization Demo
Thanks @neependra https://www.linkedin.com/in/neependra/

Recommended

Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
Milan Das
 
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
Edureka!
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Raffaele Di Fazio
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
Kublr
 
Kubernetes #4 volume &amp; stateful set
Kubernetes #4 volume &amp; stateful setKubernetes #4 volume &amp; stateful set
Kubernetes #4 volume &amp; stateful set
Terry Cho
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetes
craigbox
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team
 

Recommended

Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
Milan Das
 
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
Edureka!
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Raffaele Di Fazio
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
Kublr
 
Kubernetes #4 volume &amp; stateful set
Kubernetes #4 volume &amp; stateful setKubernetes #4 volume &amp; stateful set
Kubernetes #4 volume &amp; stateful set
Terry Cho
 
Autoscaling Kubernetes
Autoscaling KubernetesAutoscaling Kubernetes
Autoscaling Kubernetes
craigbox
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team
 
Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
Oktay Esgul
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory Guide
Bytemark
 
stupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdfstupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdf
DaniloQueirozMota
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginx
Sidhartha Mani
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
How we can do Multi-Tenancy on Kubernetes
How we can do Multi-Tenancy on KubernetesHow we can do Multi-Tenancy on Kubernetes
How we can do Multi-Tenancy on Kubernetes
Opsta
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Antonin Stoklasek
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
Sparkbit
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep Dive
LINE Corporation
 
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Edureka!
 
Persistent Storage with Containers with Kubernetes & OpenShift
Persistent Storage with Containers with Kubernetes & OpenShiftPersistent Storage with Containers with Kubernetes & OpenShift
Persistent Storage with Containers with Kubernetes & OpenShift
Red Hat Events
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
CJ Cullen
 
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
Jo Hoon
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Edureka!
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistence
Janakiram MSV
 
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Vietnam Open Infrastructure User Group
 
Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...
Agile India
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
CloudYuga
 

More Related Content

What's hot

Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Edureka!
 
Persistent Storage with Containers with Kubernetes & OpenShift
Persistent Storage with Containers with Kubernetes & OpenShiftPersistent Storage with Containers with Kubernetes & OpenShift
Persistent Storage with Containers with Kubernetes & OpenShift
Red Hat Events
 

What's hot (20)

Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory Guide
 
stupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdfstupid-simple-kubernetes-final.pdf
stupid-simple-kubernetes-final.pdf
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginx
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
How we can do Multi-Tenancy on Kubernetes
How we can do Multi-Tenancy on KubernetesHow we can do Multi-Tenancy on Kubernetes
How we can do Multi-Tenancy on Kubernetes
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep Dive
 
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
Kubernetes Deployment Tutorial | Kubernetes Tutorial For Beginners | Kubernet...
 
Persistent Storage with Containers with Kubernetes & OpenShift
Persistent Storage with Containers with Kubernetes & OpenShiftPersistent Storage with Containers with Kubernetes & OpenShift
Persistent Storage with Containers with Kubernetes & OpenShift
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistence
 
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
 

Similar to User authentication and authorizarion in Kubernetes

Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
Stfalcon Meetups
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
Docker, Inc.
 

Similar to User authentication and authorizarion in Kubernetes (20)

Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
 
Getting started with kubernetes
Getting started with kubernetesGetting started with kubernetes
Getting started with kubernetes
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesDocker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
RBAC in Kuberetes
RBAC in KuberetesRBAC in Kuberetes
RBAC in Kuberetes
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307
 
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components AutomationsFIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
Kubernetes basics
Kubernetes basicsKubernetes basics
Kubernetes basics
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
 
Kubernetes-Meetup
Kubernetes-MeetupKubernetes-Meetup
Kubernetes-Meetup
 
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise KubernetesMongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
 

More from Neependra Khare

More from Neependra Khare (11)

002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta002 a solooverviewjul2020-ceposta
002 a solooverviewjul2020-ceposta
 
Service Discovery with Consul - Arunvel Arunachalam
Service Discovery with Consul - Arunvel Arunachalam Service Discovery with Consul - Arunvel Arunachalam
Service Discovery with Consul - Arunvel Arunachalam
 
Containarized Gluster Storage in Kubernetes
Containarized Gluster Storage in KubernetesContainarized Gluster Storage in Kubernetes
Containarized Gluster Storage in Kubernetes
 
Securing modern infrastructure
Securing modern infrastructureSecuring modern infrastructure
Securing modern infrastructure
 
DevOps India Days' 17 Keynote
DevOps India Days' 17 KeynoteDevOps India Days' 17 Keynote
DevOps India Days' 17 Keynote
 
CNCF Projects Overview
CNCF Projects OverviewCNCF Projects Overview
CNCF Projects Overview
 
Project Moby
Project MobyProject Moby
Project Moby
 
Docker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman KumarDocker Networking (Libnetwork) - Lakshman Kumar
Docker Networking (Libnetwork) - Lakshman Kumar
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBM
 
Kubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai VallirajanKubernetes Networking - Giragadurai Vallirajan
Kubernetes Networking - Giragadurai Vallirajan
 
Performance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fsPerformance characterization in large distributed file system with gluster fs
Performance characterization in large distributed file system with gluster fs
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

User authentication and authorizarion in Kubernetes

  • 1. K8sOM#15 User Authentication and Authorization in Kubernetes Neependra Khare, CloudYuga
  • 2. About the Speaker - Neependra Khare ● Founder and Principal Consultant at CloudYuga ● Author of Docker Cookbook - 2015 ● Author of “Introduction to Kubernetes” course on Edx ● Running Docker Meetup Group in Bangalore, India for more than 4 years now
  • 3. Kubernetes Architecture Controller Scheduler API Server key/value store Master Node Node Kubelet kube-proxy Node Kubelet kube-proxy Node Kubelet kube-proxy CLI/API
  • 4. Kubernetes API Request Authenticaion Can a user to login to the cluster ? Authorization Can a user do requested action ? Admission Control Is it a valid request ? K8s objects
  • 6. Kubernetes Users ● Users are not first class citizen of Kubernetes, like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP
  • 7. Kubernetes Users ● Users are not first class citizen like Pods ● In most of the cases, it is offloaded to external services like Active Directory, LDAP Normal Users Service Accounts
  • 8. Normal Users ● Basic Authentication ○ Pass a configutation with content like following to API Server <password>,<username>,<uid>,"<group1,group2>" <password>,<username>,<uid>,"<group1,group3>” ● X.509 Client Certificate ○ Create a user’s Public/Private key combination ○ Get it certified by a CA (Kubernetes CA) ● Bearer Tokens (JSON Web Tokens) ○ OpenID Connect ■ On Top of OAuth 2.0 ○ Webhooks
  • 9. Service Account ● Think of it as a user, using which a process inside a Pod can access API Server. ● A Service Account with default name, gets created as we create a new namesapce. ● User defined Service Accounts can be created as well, which we can attach to the pod running in same namespace.
  • 10. Kubeconfig File apiVersion: v1 clusters: - cluster: certificate-authority: /Users/neependra/.minikube/ca.crt server: https://192.168.99.100:8443 name: minikube contexts: - context: cluster: minikube user: minikube name: minikube current-context: minikube kind: Config preferences: {} users: - name: minikube user: client-certificate: /Users/neependra/.minikube/client.crt client-key: /Users/neependra/.minikube/client.key User dev Cluster devContext dev User qa Cluster qaContext qa User prod Cluster prodContext prod
  • 14. Kubernetes Authorization Can a User do Requested Action ?
  • 15. Kubernetes Authorization Can a User do Requested Action ? ● Kubernetes Autorization Modules ○ AlwaysAllow ○ AlwaysDeny ○ Node ○ Attribute Based Access Control (ABAC) ○ Role Based Access Control (RBAC) ○ Webhook
  • 16. Operations on Kubernetes Objects ● create ● get ● delete ● list ● update ● edit ● patch ● watch ● ….
  • 17. Role Based Access Control (RBAC) - Roles Role “Applicable to a given namespace only.” kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: cloudyuga name: deployment-manager rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"] ClusterRole “Applicable Cluster Wide.” kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-cluster rules: - apiGroups: ["", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update"]
  • 18. Kubernetes - APIs / /healthz /metrics /api /apis ….. /api/v1 /api/v1/pods /api/v1/nodes /api/v1/services …… /apis/apps /apis/apps/v1 /apis/apps/v1/Deployment /apis/apps/v1/DaemonSet /apis/apps/v1/StatefulSet ……. /apis/apps/v1beta1 /apis/…..
  • 19. Role Based Access Control (RBAC) - Role Bindings RoleBinding “Applicable to a given namespace only.” ClusterRoleBinding “Applicable Cluster Wide.” Role Subjects - Normal Users - Service Accounts - Groups ClusterRole Subjects - Normal Users - Service Accounts - Groups
  • 20. Role Based Access Control (RBAC) - Role Bindings RoleBinding kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deployment-manager-binding namespace: cloudyuga subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: Role name: deployment-manager apiGroup: "rbac.authorization.k8s.io" ClusterRoleBinding kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cluster-manager-binding subjects: - kind: User name: nkhare apiGroup: "rbac.authorization.k8s.io" roleRef: kind: ClusterRole name: deployment-manager-cluster apiGroup: "rbac.authorization.k8s.io"