k8s idm-devfest
TRANSCRIPT
Kubernetes Identity Management
SSO & RBAC
Who Am I?
• Marc Boorshtein
• CTO Tremolo Security, Inc.
• Identity Management developer and consultant
• [email protected]
• @mlbiam
Why?
• SSO
  • Compliance
  • Increase security
  • Ease of use
• RBAC
  • Compliance
  • Multi-tenancy
  • Different roles
K8S and Identities
• Nothing stored in k8s
  • Except service accounts
  • Different from OpenShift
• Only OpenID Connect for SSO
  • No SAML2
• No system for redirects
  • CLI and tokens
• Dashboard is not RBAC aware
K8S 1.3
• Keep it simple
  • Get and Post/Put
  • Monitors
• Use Groups, not Users
• Offload as much as possible to your identity provider
How does it work? - SSO
Reference Architecture
Setup SSO
• OpenID Connect Identity Provider
  • OpenUnison, KeyCloak, Dex, Google, Azure AD, others
  • Certificate MUST be signed by a CA
  • Self-signed CA OK
• Additional API Server Parameters
  • NOTE – Most “quick starts” don’t support these
- --oidc-issuer-url=https://mlb.tremolo.lan:8043/auth/idp/oidc
- --oidc-client-id=kubernetes
- --oidc-username-claim=sub
- --oidc-groups-claim=user_role
- --oidc-ca-file=/etc/kubernetes/ssl/kc-ca.pem
Setup RBAC
• Setup SSO
• Determine super user
• Build initial policies
• Add parameters to API Server
--runtime-config=extensions/v1beta1/networkpolicies=true,rbac.authorization.k8s.io/v1alpha1
--authorization-mode=RBAC
--authorization-rbac-super-user=kube-admin
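The SSO and RBAC setup above, as an added example that is not part of the talk: a small Python model of how the API server maps an id_token's `sub` and `user_role` claims to a user and groups under the flags shown, then authorizes the request through a group-based RBAC binding. The role, binding and token are constructed; signature verification against the issuer (trusted via --oidc-ca-file) is assumed to happen before this step and is not modelled.

```python
"""Model of kube-apiserver's OIDC claim mapping and group-based RBAC check.
Added example; flag values mirror the slide, RBAC objects are constructed."""
import base64
import json
import time

# Values from the --oidc-* API server flags on the slide.
OIDC = {"issuer": "https://mlb.tremolo.lan:8043/auth/idp/oidc",
        "client_id": "kubernetes",
        "username_claim": "sub", "groups_claim": "user_role"}
# Constructed policy: a read-only role bound to a GROUP, not a user, so
# membership is managed in the identity provider ("Use Groups, not Users").
CLUSTER_ROLES = {"pod-reader": [{"resources": {"pods"},
                                 "verbs": {"get", "list", "watch"}}]}
BINDINGS = [{"group": "k8s-readers", "role": "pod-reader"}]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def authenticate(id_token: str, now=None):
    """Return (username, groups) or raise ValueError. Mirrors the issuer,
    audience and expiry checks the API server applies; signature checking
    against the issuer's keys is assumed done upstream (not modelled)."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != OIDC["issuer"]:
        raise ValueError("iss does not match --oidc-issuer-url")
    aud = claims.get("aud")
    if OIDC["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain --oidc-client-id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    groups = claims.get(OIDC["groups_claim"], [])
    groups = groups if isinstance(groups, list) else [groups]
    return claims[OIDC["username_claim"]], list(groups)

def authorize(groups, resource: str, verb: str) -> bool:
    """RBAC is allow-only: permit if any binding for one of the caller's
    groups references a role granting (resource, verb); otherwise deny."""
    return any(resource in rule["resources"] and verb in rule["verbs"]
               for b in BINDINGS if b["group"] in groups
               for rule in CLUSTER_ROLES[b["role"]])

def make_token(claims: dict) -> str:
    """Constructed id_token for the demo; the signature part is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig-placeholder"
```

A token whose `user_role` claim lacks the bound group authenticates fine but is denied, which is the behaviour to expect when group membership is changed at the identity provider rather than in Kubernetes.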
Demo
Shameless Self Promotion
• Details – https://github.com/TremoloSecurity/wiki/blob/master/kubernetes.md
• KubeCon 2016 – Seattle, Washington, November 8th & 9th
• Web – https://www.tremolosecurity.com/
• GitHub – https://www.github.com/tremolosecurity
• Twitter – @tremolosecurity