Role based access control - RBAC - Kubernetes
3 likes573 views
This document discusses Role Based Access Control (RBAC) in Kubernetes. It begins with an introduction of the speaker and then provides an overview of RBAC including roles, bindings, and how authentication works. It demonstrates how to configure RBAC and manage users through extensions like Auth0 to restrict access at the namespace and cluster level. The speaker then shows a demo of setting up RBAC roles and bindings in a Minikube cluster to configure secure access to the Kubernetes dashboard.
Role based access control - RBAC - Kubernetes
- 1. Kubernetes Role Based Access Control (RBAC) RBAC
- 2. About Me Milan Das https://github.com/dmilan77/kubernetes-rbac-presentation Cloud Solution Architect (Equifax) & Photographer (when not working) https://www.linkedin.com/in/milandas/
- 3. Milan Das ● Love to code (Java, Python, Scala, Spark) ● My Journey ○ Started with Java ○ IBM Middleware MQ/ETL ○ Camel ESB ○ BPM ○ Bigdata ○ Reactive Microservices : Akka, Domain Driven Design, ○ Cloud & Kubernetes ● My Son is 9 Years old. He plays Cricket ● Equifax: Data is our gold
- 4. Real Life Role Based Access (Driving a CDL) Who Are You Is Valid License ? AuthN AuthZ Identify Restictions Assign car
- 5. RBAC in one-slide RBAC is set of rules to map allowed operations on set of resources in a namespace (ns1) or cluster
- 6. Authorization and RBAC ● Default: Deny ALL ● Contains Subject-Verb-Resource-Namespace
- 7. Roles Vs Binding ● Role contains rules that represent a set of permissions. ● Binding grants the permissions defined in a role to a user or set of users ● Two types of roles/bindings: ○ Roles/RoleBinding: Scope is Namespace level ○ ClusterRoles/ClusterRoleBinding : Scope at cluster level.
- 8. Roles Example Roles Cluster Roles
- 10. User Management in Kubernetes ? Expectation: kubectl create user john Kubectl create group adminns1 Kubectl add john to adminns1
- 11. No User Management in Kubernetes Expectation: kubectl create user john Kubectl create group adminns1 Kubectl add john to adminns1
- 12. How to manage user ? User Plugin ● Certificate based Authentication (x509) ● Token based Authentication ● Basic Authentication ● OAuth2: OIDC ○ Third party: Dex, OpenUnison https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
- 13. How OIDC works
- 14. JWT Token
- 15. Auth0 Authentication ● A OpenID Connect provider similar to ○ Auth0, github, google, Ping, SecureAuth, ADFS, Azure Active Directory ● The authentication flow looks like: ○ OAuth2 client logs a user in through Auth0. ○ That client uses the returned ID Token as a bearer token when talking to the Kubernetes API. ○ A claim designated as the username (and optionally group information) will be associated with that request.
- 16. Demo time Create RBAC based minikube cluster
- 17. Demo time: Configure Dashboard ● Configuring Secrets kube-dashboard-secrets ● Setup a minikube kubernetes dashboard using : openresty-oidc ○ https://hub.docker.com/r/myobplatform/openresty-oidc/
- 18. Demo time: Create RBAC role-bindings ● Create namespaces: ns1-namespace, ns2-namespace ● Deploy Role bindings: ○ ClusterRoleBinding (k8s-admin) ○ RoleBinding (ns1) ○ RoleBinding(ns2) ● Create user in auth0
- 19. Auth0 Extension
- 20. RBAC basd Kubernetes dashboard