With no built-in solutions for managing user accounts, Kubernetes has to rely on external systems for this. Can we use one UAA solution for both Cloud Foundry and Kubernetes authentication while building a hybrid deployment?
6. @altoros
What is Authentication and Authorization
• Authentication (AuthN) - determining the identity of a user,
server, or client.
• Authorization (AuthZ) - determining whether that user,
server, or client has permission to do something.
7.
AuthN and AuthZ consumers in Kubernetes
• Operators (using the kubectl command-line tool)
• Internal communication:
• Pods (service accounts)
• Control Plane (apiserver, controller-manager, scheduler, etc.)
14.
OpenID Connect AuthN Plugin
• Delegates authentication of users to a trusted IdP.
• Extension of OAuth 2.0.
• “OpenID Connect 1.0 is a simple identity layer on top of
the OAuth 2.0 protocol. It allows Clients to verify the
identity of the End-User based on the authentication
performed by an Authorization Server, as well as to obtain
basic profile information about the End-User in an
interoperable and REST-like manner.”
18.
What is UAA
• User Account and Authorization server
• OAuth2 server
• SAML, LDAP and OpenID Connect integration
• Supports APIs for user account management
• APIs defined by the specs for OAuth2 and OpenID Connect
19.
How Does it Work with Kubernetes?
Participants: User, kubectl, Identity Provider (IdP), API Server
• User logs in to the IdP.
• IdP provides an access_token and an id_token.
• User calls kubectl with the provided id_token.
• kubectl sends the token in the Authorization header to the API server.
• API server validates the JWT signature.
• API server checks the id_token expiration date.
• API server checks whether the user is authorized.
• API server sends the response to kubectl.
• kubectl sends the result to the user.
24.
RBAC and ABAC comparison
RBAC
• Authorization policy changes can be made using the kubectl
command-line tool.
• Changes are applied on the fly.
• Authorization is managed by the Kubernetes API.
ABAC
• Requires SSH and file system access on the Kubernetes master to
make changes in the authorization policy file.
• Operator must restart the API server to pick up the new policy.
• Authorization is managed by a user-configured local file.
26.
Configure OpenID Connect in Kubernetes
Just configure additional flags on the API server:
• --oidc-issuer-url=URL
• --oidc-client-id=ID
• --oidc-username-claim=email
• --oidc-ca-file=/k8s-ca.pem (the CA that signed the identity provider's TLS certificate)
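The token flow on the "How Does it Work with Kubernetes?" slide and the --oidc-* flags above, modelled as an added example. This is not code from the deck, from UAA or from Kubernetes; it mirrors the checks the API server's OIDC authenticator performs (signature first, then issuer, audience, expiry, username claim) against a constructed id_token. The issuer URL, client id and the groups claim are assumptions; HS256 with a shared secret is used only so the example runs offline with the standard library, whereas Kubernetes accepts only asymmetric algorithms and fetches the signing keys from the issuer's JWKS via OIDC discovery.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Values mirroring the --oidc-* flags on the API server. Issuer, client id
# and the groups claim are assumed for this example.
OIDC_ISSUER_URL = "https://uaa.example.com/oauth/token"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP: mint a signed JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authenticate(token: str, key: bytes, now: Optional[float] = None) -> Tuple[str, List[str]]:
    """API-server side: turn a bearer id_token into (username, groups) or raise.
    Nothing in the payload is trusted until the signature has been checked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token must not choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != OIDC_ISSUER_URL:  # --oidc-issuer-url
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # --oidc-client-id must be among the audiences
    if aud != OIDC_CLIENT_ID and not (isinstance(aud, list) and OIDC_CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    username = claims.get(OIDC_USERNAME_CLAIM)  # --oidc-username-claim
    if not username:
        raise ValueError(f"missing {OIDC_USERNAME_CLAIM} claim")
    # With --oidc-username-claim=email, Kubernetes rejects a token whose
    # email_verified claim is present and false.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    groups = claims.get(OIDC_GROUPS_CLAIM) or []
    if isinstance(groups, str):
        groups = [groups]
    return username, list(groups)


def demo(key: bytes = b"constructed-shared-secret") -> dict:
    """Run the checks over constructed tokens; returns case name -> outcome."""
    now = 1_700_000_000
    good = {"iss": OIDC_ISSUER_URL, "aud": OIDC_CLIENT_ID, "exp": now + 600,
            "email": "alice@example.com", "email_verified": True,
            "groups": ["developers"]}
    # Forge a payload but keep the original signature: must fail.
    h, _, s = issue_id_token(good, key).split(".")
    forged = _b64url(json.dumps({**good, "email": "mallory@example.com"},
                                separators=(",", ":")).encode())
    cases = {
        "valid": issue_id_token(good, key),
        "expired": issue_id_token({**good, "exp": now - 1}, key),
        "wrong_audience": issue_id_token({**good, "aud": "other-app"}, key),
        "tampered": ".".join((h, forged, s)),
        "unverified_email": issue_id_token({**good, "email_verified": False}, key),
    }
    results = {}
    for name, token in cases.items():
        try:
            results[name] = authenticate(token, key, now=now)
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The username returned for the valid case is exactly the subject name an RBAC RoleBinding refers to (kind User, name alice@example.com), and the groups list is what a Group subject matches; with a username claim other than email and no --oidc-username-prefix, Kubernetes prefixes the value with the issuer URL and "#", which the binding has to spell out.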
28.
Lessons Learned
• Use one solution for Cloud Foundry and Kubernetes
• OpenID Connect includes discovery
• Easy to configure
• Minimizes password security risks (the user's password is only ever presented to the IdP)