Managing RBAC Across Multiple Kubernetes Clusters

Running multiple Kubernetes clusters in an organization will soon be the norm. The need can be driven geographically, with clusters located in different regions, or logically, when clusters are dedicated to specific teams or departments. This brings administrators a new challenge: managing users and their permissions across a heterogeneous Kubernetes cloud. In this session I want to share my team's experience building an open-source authentication/authorization framework on Kubernetes CRDs, which makes cross-cluster authentication and RBAC easier by providing:
* multiple clusters, but a single point of authentication and authorization
* management of a user's RBAC permissions across clusters, with permissions granted to the user automatically
* an effective way to group cluster resources into manageable subsets, making it easier to apply RBAC, PodSecurity and NetworkPolicy

1. Managing RBAC Across Multiple Kubernetes Clusters. Alena Prokharchyk, Engineering Manager @RancherLabs

2. Kubernetes has become a commodity across the public and private cloud ecosystems

3. Having multiple Kubernetes clusters is the new de facto standard

4. Use case #1 - Geographical separation
* Cluster per region
* Fronted by a GEO load balancer

5. Use case #2 - Logical separation driven by security reasons
* Cluster per project
* Different levels of protection

6. Use case #3 - Logical separation driven by functionality reasons
* Cluster per team
* Different teams = different best practices

7. Kubernetes cloud types
* Homogeneous
* Heterogeneous

8. Challenges
* Different hosted Kubernetes providers use different authentication types
* The authentication strategy on a hosted provider can't be changed
* Configuring role-based access rules for the same user across clusters is a Herculean task

9. Our goal was to build an authentication and authorization management system that is:
* Open source
* Written and developed as a Kubernetes native application
* Extends the Kubernetes APIs using CRDs
* Logic implemented as custom controllers

10. What is a CRD? A way to extend the Kubernetes API server

11. Custom controller
* Watches for resource changes
* Executes custom logic based on the resource spec or status
* Updates the resource status with the result
* There can be multiple controllers updating the same object

12. Kubernetes native app
* Runs in a Kubernetes pod
* Deployed using a Kubernetes YAML manifest
* Utilizes Kubernetes constructs like ConfigMaps and Secrets
* Managed via the Kubernetes APIs

13. https://github.com/rancher/rancher

14. Cross-cluster authentication

15. One-time configuration

16. Centralized authentication

17. Implementation details
* User and Group are first-class objects represented by CRDs
* An admin can grant permissions per user/group to a particular cluster
* Kubernetes token-based authentication is leveraged when authenticating to a cluster

18. RBAC authorization across clusters

19. RBAC role levels in Kubernetes

20. Multi-cluster management roles

21. Global role is a new CRD used to
* Manage users
* Manage user roles
* Manage authentication configs

22. The need for team collaboration calls for an extra role

23. A Project is
* A collection of namespaces
* A way to define RBAC rules once for a group of namespaces
* Ensures automatic RBAC inheritance once a user is added to the project

24. Project RBAC controller
* The controller subscribes to user add/remove events
* Copies the RBAC rule to every underlying namespace
* Once a user is removed from the project, the RBAC rules are revoked from the namespaces
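The inheritance and revocation behaviour of slides 23 and 24, as an added example that is not Rancher's code: one reconcile pass expands project memberships into a RoleBinding per namespace and diffs that against what the cluster holds, so removing a user revokes the rule everywhere. The project, namespace, user and ClusterRole names are constructed sample data.

```python
# Constructed sample state, not data from Rancher: a Project CRD grouping two
# namespaces, and its members with the project-level role each was granted.
PROJECT = {"name": "pilot", "namespaces": ["pilot-web", "pilot-api"]}
MEMBERS = {"alice": "project-owner", "bob": "project-member"}


def desired_rolebindings(project, members):
    """Expand every project membership into one RoleBinding per namespace.

    This is the inheritance step: the rule is defined once on the project and
    copied into each underlying namespace. Keys are (namespace, name) so the
    result can be diffed against what the cluster currently holds.
    """
    bindings = {}
    for ns in project["namespaces"]:
        for user, role in members.items():
            name = f"{project['name']}-{user}-{role}"
            bindings[(ns, name)] = {
                "apiVersion": "rbac.authorization.k8s.io/v1",
                "kind": "RoleBinding",
                "metadata": {"name": name, "namespace": ns,
                             "labels": {"project": project["name"]}},
                "subjects": [{"kind": "User", "name": user,
                              "apiGroup": "rbac.authorization.k8s.io"}],
                # A RoleBinding may reference a ClusterRole; that scopes the
                # cluster-wide role definition to this one namespace.
                "roleRef": {"kind": "ClusterRole", "name": role,
                            "apiGroup": "rbac.authorization.k8s.io"},
            }
    return bindings


def reconcile(project, members, existing):
    """One reconcile pass of the controller after a membership change.

    `existing` holds the project-labelled RoleBindings currently in the
    cluster, keyed like the desired set. Returns the bindings to create and
    the keys to delete; a removed user loses its rule in every namespace.
    """
    desired = desired_rolebindings(project, members)
    to_create = [b for key, b in desired.items() if key not in existing]
    to_delete = sorted(key for key in existing if key not in desired)
    return to_create, to_delete


if __name__ == "__main__":
    state = desired_rolebindings(PROJECT, MEMBERS)   # cluster after first sync
    create, delete = reconcile(PROJECT, {"alice": "project-owner"}, state)
    print(f"bob removed: create {len(create)}, revoke {delete}")
```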

25. Infrastructure protection on a project level
* Network access
* Pod Security Policy
* Resource quota management

26. Network policy on a project is a great way to support multitenancy
* Pilot Project
* Stable Project

28. Demo time

29. Thank you!