Kubernetes Identity Management

SSO & RBAC

• Marc Boorshtein• CTO Tremolo Security, Inc.• Identity Management developer and consultant• marc@tremolo.io• @mlbiam

Who Am I?

Why?• SSO• Compliance• Increase security• Ease of use

• RBAC• Compliance• Multi-tennancy• Different roles

K8S and Identities• Nothing stored k8s• Except service accounts• Different from OpenShift

• Only OpenID Connect for SSO• No SAML2

• No system for redirects• CLI and tokens• Dashboard is not RBAC aware

K8S 1.3

K8S 1.3• Keep it simple• Get and Post/Put• Monitors

• Use Groups, not Users• Offload as much as possible to your identity provider

How does it work? - SSO

Reference Architecture

Setup SSO• OpenID Connect Identity Provider• OpenUnison, KeyCloak, Dex, Google, Azure AD, others• Certificate MUST be signed be a CA• Self signed CA OK

• Additional API Server Parameters• NOTE – Most “quick starts” don’t support

- --oidc-issuer-url=https://mlb.tremolo.lan:8043/auth/idp/oidc - --oidc-client-id=kubernetes- --oidc-username-claim=sub- --oidc-groups-claim=user_role- --oidc-ca-file=/etc/kubernetes/ssl/kc-ca.pem

Setup RBAC• Setup SSO• Determine super user• Build initial policies• Add parameters to API Server

--runtime-config=extensions/v1beta1/networkpolicies=true,rbac.authorization.k8s.io/v1alpha1--authorization-mode=RBAC--authorization-rbac-super-user=kube-admin

Demo

Shameless Self Promotion• Details -

https://github.com/TremoloSecurity/wiki/blob/master/kubernetes.md

• KubeCon 2016 – Seattle, Washington November 8th & 9th • Web – https://www.tremolosecurity.com/• GitHub – https://www.github.com/tremolosecurity• Twitter - @tremolosecurity