Managing RBAC Across Multiple Kubernetes Clusters
1. Managing RBAC Cross Multiple Kubernetes Clusters
   Alena Prokharchyk, Engineering Manager @RancherLabs

2. Kubernetes has become a commodity across the public and private cloud ecosystem

3. Having multiple Kubernetes clusters is the new de facto standard

4. Use case #1 - Geographical separation
   - Cluster per region
   - Fronted by a GEO load balancer

5. Use case #2 - Logical separation driven by security reasons
   - Cluster per project
   - Different levels of protection

6. Use case #3 - Logical separation driven by functionality reasons
   - Cluster per team
   - Different teams = different best practices

7. Kubernetes cloud types
   - Homogeneous
   - Heterogeneous

8. Challenges
   - Different hosted Kubernetes providers use different authentication types
   - The authentication strategy on a hosted provider can't be changed
   - Configuring role-based access rules for the same user across clusters is a Herculean task

9. Our goal was to build an authentication and authorization management system that is:
   - Open source
   - Written and developed as a Kubernetes native application
   - Extends the Kubernetes APIs using CRDs
   - Logic is implemented as custom controllers

10. What is a CRD? A way to extend the Kubernetes API server

11. Custom Controller
   - Watches for resource changes
   - Executes custom logic based on the resource spec or status
   - Updates the resource status with the result
   - There can be multiple controllers updating the same object

12. Kubernetes Native App
   - Runs in a Kubernetes pod
   - Deployed using Kubernetes YAML manifests
   - Utilizes Kubernetes constructs like ConfigMaps and Secrets
   - Managed via Kubernetes APIs

13. https://github.com/rancher/rancher
14. Cross-Cluster Authentication

15. One-time configuration

16. Centralized authentication

17. Implementation details
   - User and Group are first-class objects represented by CRDs
   - Admin can grant permissions per user/group to a particular cluster
   - Kubernetes token-based authentication is leveraged when authenticating to a cluster

18. RBAC authorization across clusters

19. RBAC role levels in Kubernetes

20. Multi-cluster management roles

21. Global role is a new CRD used to:
   - Manage users
   - Manage user roles
   - Manage authentication configs

22. The need for team collaboration calls for an extra role

23. Project is:
   - A collection of namespaces
   - A way to define RBAC rules once for a group of namespaces
   - Ensures automatic RBAC inheritance once the user is added to the project

24. Project RBAC controller
   - Controller subscribes to user add/remove events
   - Copies the RBAC rule to every underlying namespace
   - Once a user is removed from the project, the RBAC rules are revoked from the namespaces
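One way to implement the reconcile step of the project RBAC controller described on slides 23 and 24, as an added Go example that is not Rancher's code: the Project, Member and Binding types are constructed stand-ins for the real CRD and per-namespace RoleBindings, and the sample state is constructed as well.

```go
package main

// Constructed types for this example, not Rancher's CRD schema: a Project groups
// namespaces and lists members; each Member gets one Role on every namespace.
type Project struct {
	Namespaces []string
	Members    []Member
}
type Member struct{ User, Role string }

// Binding models a namespaced RoleBinding owned by the project controller.
type Binding struct{ Namespace, User, Role string }

// desiredBindings expands project membership into one binding per namespace.
func desiredBindings(p Project) []Binding {
	var want []Binding
	for _, ns := range p.Namespaces {
		for _, m := range p.Members {
			want = append(want, Binding{ns, m.User, m.Role})
		}
	}
	return want
}

// Reconcile diffs the bindings that exist now against the desired set: missing
// ones are created, and any binding no longer desired (a removed member, a
// changed role) is revoked in every namespace, so access cannot linger.
func Reconcile(p Project, current []Binding) (create, remove []Binding) {
	desired := desiredBindings(p)
	want, have := map[Binding]bool{}, map[Binding]bool{}
	for _, b := range desired {
		want[b] = true
	}
	for _, b := range current {
		have[b] = true
		if !want[b] {
			remove = append(remove, b)
		}
	}
	for _, b := range desired {
		if !have[b] {
			create = append(create, b)
		}
	}
	return create, remove
}
```

Running Reconcile on a project whose member list no longer contains a user returns that user's binding in every project namespace in `remove`, and a second run on the converged state returns nothing to do.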
25. Infrastructure protection on a project level
   - Network access
   - Pod Security Policy
   - Resource quota management
26. Network policy on a project is a great way to support multitenancy
   - Pilot Project
   - Stable Project
28. Demo time

29. Thank you!