Securing Your Kubernetes Cluster with Webhook and Keystone
This presentation covers why access control for the Kubernetes API matters, Kubernetes admission control, the Webhook authentication mode, configuring the Keystone authenticator, and the benefits of combining these mechanisms to secure a Kubernetes cluster. It also touches on mutating and validating admission control, webhook token authentication, and configuration examples for different versions of kubectl clients.
Presentation Transcript
Securing your Kubernetes cluster with Webhook and Keystone
Soumitra Khuntia, Solution Architect
Pradeep Kumar K.S, Solution Architect
Ericsson
Ericsson Internal | 2018-02-21
Agenda
- Why do we need access control to the Kubernetes API
- Kubernetes Admission Control
- Using Webhook mode
- Configuration of Keystone Authenticator
- Benefits
Why do we need access control for the Kubernetes API
- Kubelets expose HTTPS endpoints which grant powerful control over the node and its containers
- Access control ensures that not every user has the same privileges across all namespaces, pods and other resources
- Access control permissions ensure separation of responsibility depending on what actions a client may perform
- There is also a need to rotate infrastructure credentials frequently
- Having Keystone as the authentication mechanism allows existing LDAP users to be re-used
Overview
Kubernetes Admission Control
- Mutating Admission
- Validating Admission
Configuration of Keystone Authenticator
For new kubectl clients (v1.11.0 and later), this is how the .kube/config file would look:
Using Webhook mode
A Webhook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event notification via HTTP POST.
Webhook token authentication is a hook for verifying bearer tokens: the API server POSTs the token to the hook and acts on the identity the hook returns.
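As an added example (not from the slides and not the cloud-provider-openstack authenticator's code), this is the shape of such a hook: it takes the TokenReview object kube-apiserver POSTs, checks the bearer token against an identity source, and answers with the user the API server should act as. Keystone is replaced by a constructed in-memory table, and the mapping of Keystone roles to Kubernetes groups is an assumption.

```python
import json
from typing import Callable, Dict, Optional

# Constructed stand-in for Keystone: maps a bearer token to the identity Keystone
# would report. A real authenticator calls Keystone's GET /v3/auth/tokens with the
# token in X-Subject-Token instead; the identity fields here are illustrative.
FAKE_KEYSTONE_TOKENS: Dict[str, Dict] = {
    "constructed-valid-token": {"username": "alice", "uid": "u-1234",
                                "project": "dev", "roles": ["member"]},
}


def keystone_lookup(token: str) -> Optional[Dict]:
    """Identity bound to the token, or None when Keystone rejects it."""
    return FAKE_KEYSTONE_TOKENS.get(token)


def deny(api_version: str = "authentication.k8s.io/v1beta1") -> Dict:
    """TokenReview response rejecting the token: no user block, nothing echoed."""
    return {"apiVersion": api_version, "kind": "TokenReview",
            "status": {"authenticated": False}}


def handle_token_review(body: str,
                        lookup: Callable[[str], Optional[Dict]] = keystone_lookup) -> Dict:
    """Answer one TokenReview POST from kube-apiserver.
    Only spec.token is read from the request; every user attribute comes from
    the identity store, so a caller cannot assert its own username or groups.
    """
    try:
        review = json.loads(body)
    except json.JSONDecodeError:
        return deny()
    if not isinstance(review, dict) or review.get("kind") != "TokenReview":
        return deny()
    api_version = review.get("apiVersion", "authentication.k8s.io/v1beta1")
    token = (review.get("spec") or {}).get("token")
    if not isinstance(token, str) or not token:
        return deny(api_version)
    identity = lookup(token)
    if identity is None:
        return deny(api_version)
    return {"apiVersion": api_version, "kind": "TokenReview",
            "status": {"authenticated": True,
                       "user": {"username": identity["username"],
                                "uid": identity["uid"],
                                # Keystone roles become groups for RBAC binding;
                                # the project rides along in extra (assumed mapping).
                                "groups": [f"role:{r}" for r in identity["roles"]],
                                "extra": {"project": [identity["project"]]}}}}
```

The response for a rejected token carries only `"authenticated": false`, which is what kube-apiserver expects; a user block on a failed review would be ignored at best.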
Configuration of Keystone Authenticator
For older kubectl clients (older than v1.11.0: v1.8.0 to v1.10.x), this is how the .kube/config file would look:
Benefits
- Provider-agnostic authentication and authorization
- Token-based authentication for real-time user data
- Rule-based access control to restrict and grant access to specific resources
- Automatically create service accounts based on LDAP in a managed K8s
References
- https://github.com/kubernetes/cloud-provider-openstack
- https://kubernetes.io/docs/reference/access-authn-authz/webhook/
- https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
- https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/