K8s rbac-sso
Uploaded by marc-boorshtein
Transcript of K8s rbac-sso
Kubernetes Identity Management
SSO & RBAC
Who Is Tremolo Security?
• Founded in 2010
• Built on the experience of its cofounders
• Marc Boorshtein: software engineer at Octet String (now owned by Oracle), open source developer, consultant and contractor
• Briane Bullock: IT security expert, consultant and contractor
Why?
• SSO
  • Compliance
  • Increased security
  • Ease of use
• RBAC
  • Compliance
  • Multi-tenancy
  • Different roles
K8S and Identities
• Kubernetes stores no user identities itself, except service accounts (unlike OpenShift, which has its own user objects)
• Only OpenID Connect for SSO; no SAML2
• No system for browser redirects: the CLI authenticates with tokens
• The dashboard is not RBAC aware
K8S 1.3
• Keep it simple
• Separate read (GET) from write (POST/PUT) access
• Monitors
• Use groups, not users
• Offload as much as possible to your identity provider
How does it work? - SSO
How does it work? – User Provisioning
Setup SSO
• OpenID Connect identity provider: KeyCloak, Dex, Google, Azure AD, others
• The identity provider's certificate MUST be signed by a CA; a self-signed (private) CA is OK, as long as the API server is given its certificate
• Additional API server parameters (NOTE: most "quick starts" don't support these):
  --oidc-issuer-url=https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes
  --oidc-client-id=kubernetes
  --oidc-username-claim=sub
  --oidc-groups-claim=user_role
  --oidc-ca-file=/etc/kubernetes/ssl/kc-ca.pem
Setup RBAC
• Set up SSO first
• Determine the super user
• Build initial policies
• Add parameters to the API server:
  --runtime-config=extensions/v1beta1/networkpolicies=true,rbac.authorization.k8s.io/v1alpha1
  --authorization-mode=RBAC
  --authorization-rbac-super-user=kube-admin
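The two setup steps above leave implicit what the API server actually does with an id_token once the --oidc-* flags and RBAC are on. The following Python model is an added example, not code from the slides or from Tremolo Security and not Kubernetes source: it takes the flag values from the slides, applies the issuer, audience, expiry, username-claim and groups-claim checks to a constructed claim set, then authorizes a GET and a POST against a Role bound to a group. The claim values, the role and binding, and the simplified object shapes are all assumptions made for illustration; signature verification of the id_token against the issuer's keys is assumed to have already passed.

```python
"""Added example: model of OIDC claim mapping plus group-bound RBAC checks.
Not Kubernetes source; the id_token signature is assumed already verified."""
import time

# Copied from the API server flags on the slides.
OIDC_ISSUER_URL = "https://kcdev.tremolosecurity.com:8443/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "sub"
OIDC_GROUPS_CLAIM = "user_role"


class AuthError(Exception):
    """Raised when the token is not acceptable to this API server."""


def claims_to_user(claims, now=None):
    """Map verified id_token claims to (username, groups) per the --oidc flags."""
    now = time.time() if now is None else now
    # Issuer must match the flag exactly (scheme, host, port and path).
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise AuthError("issuer mismatch")
    # aud may be a string or a list; the configured client id must be in it.
    aud = claims.get("aud", [])
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("token was not issued for client id %r" % OIDC_CLIENT_ID)
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        raise AuthError("missing %s claim" % OIDC_USERNAME_CLAIM)
    # A single-valued groups claim can arrive as a bare string, not a list.
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    if isinstance(groups, str):
        groups = [groups]
    return username, list(groups)


# Hypothetical policy objects shaped like RBAC Role rules and RoleBinding
# subjects. The binding names a group, so users can come and go in the
# identity provider without touching the policy ("use groups, not users").
MONITOR_ROLE = {
    "kind": "Role",
    "metadata": {"name": "monitor", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
               "verbs": ["get", "list", "watch"]}],
}
MONITOR_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "monitors-can-read", "namespace": "default"},
    "subjects": [{"kind": "Group", "name": "monitors"}],
    "roleRef": {"kind": "Role", "name": "monitor"},
}
ROLES = {("default", "monitor"): MONITOR_ROLE}
BINDINGS = [MONITOR_BINDING]

# "Get and Post/Put": HTTP methods on a named resource map to these RBAC verbs.
HTTP_TO_VERB = {"GET": "get", "POST": "create", "PUT": "update"}


def rule_allows(rule, api_group, resource, verb):
    def matches(allowed, value):
        return "*" in allowed or value in allowed
    return (matches(rule["apiGroups"], api_group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def subject_matches(subject, username, groups):
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return subject["kind"] == "User" and subject["name"] == username


def authorize(username, groups, namespace, api_group, resource, verb,
              roles=ROLES, bindings=BINDINGS):
    """True if a binding in the namespace gives this user or group a matching rule."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, username, groups) for s in binding["subjects"]):
            continue
        role = roles[(namespace, binding["roleRef"]["name"])]
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # RBAC is deny by default


# Constructed sample claims, in the shape an OIDC provider puts in an id_token.
SAMPLE_CLAIMS = {
    "iss": OIDC_ISSUER_URL, "aud": "kubernetes",
    "sub": "f6f4c2d2-1b0b-4e1b-9a0c-0123456789ab",  # opaque: one reason to bind groups
    "exp": 1470003600, "user_role": "monitors",
}


def demo(now=1470000000):
    user, groups = claims_to_user(SAMPLE_CLAIMS, now)
    return {
        "user": user, "groups": groups,
        "GET pods": authorize(user, groups, "default", "", "pods", HTTP_TO_VERB["GET"]),
        "POST pods": authorize(user, groups, "default", "", "pods", HTTP_TO_VERB["POST"]),
    }


if __name__ == "__main__":
    print(demo())
```

The model reads as: with --oidc-username-claim=sub the username is an opaque identifier the IdP assigns, so a binding to a User would have to be maintained per person, whereas the group from --oidc-groups-claim lets the identity provider own membership. On the CLI side the id_token is simply the bearer token: placed as the `token` of a user entry in kubeconfig, kubectl sends it in the Authorization header and the checks above decide the request.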
Demo
Shameless Self Promotion
• Google DevFest DC, September 24th & 25th
• KubeCon 2016, Seattle, Washington, November 8th & 9th
• Web: https://www.tremolosecurity.com/
• GitHub: https://www.github.com/tremolosecurity