Authors: Onkar Bhat
2022-05-18

tldr - powered by Generative AI

The tutorial demonstrates how to secure access to a Kubernetes application by authenticating users against an LDAP directory (OpenLDAP standing in for Active Directory), using Dex and OAuth2 Proxy.
  • It is aimed at users migrating applications to Kubernetes, or deploying new ones there, who want to keep authenticating against their existing Active Directory server.
  • Of the options discussed, the first is rewriting the application to send LDAP requests to the OpenLDAP server itself; the tutorial follows the third, which requires no change to the application.
  • The third option deploys OpenLDAP, Dex and OAuth2 Proxy in front of the application and adds hosts-file entries so the browser resolves the demo hostnames to the local address where these services listen.
  • OpenLDAP is an open-source directory server implementing the Lightweight Directory Access Protocol (LDAP); in the tutorial it stands in for Active Directory, Microsoft's LDAP-based directory service for Windows domain networks.
  • Dex is an OpenID Connect identity provider that can authenticate users against an LDAP directory; OAuth2 Proxy is a reverse proxy that sends unauthenticated browsers through the OAuth2/OIDC login with Dex and forwards only authenticated requests to the application.
  • The tutorial gives step-by-step instructions for deploying OpenLDAP, Dex and OAuth2 Proxy and for editing the system's hosts file.
  • At the end of the tutorial, the Pac-Man application is installed and access to it is secured by authenticating against the OpenLDAP server running in the Kubernetes cluster.
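As an added example (not code from the tutorial, nor from the Dex or OAuth2 Proxy projects), the Go program below shows the token check at the heart of that chain: Dex signs an OpenID Connect ID token for the user it found in LDAP, and OAuth2 Proxy must verify the pinned algorithm, the signature, the issuer, the audience (its own client ID) and the expiry before it forwards any identity to the application. The issuer URL, client IDs, user and group names are made-up values; the hand-rolled JWS handles only the single-string `aud` form Dex emits for one client, and a real deployment fetches Dex's signing keys from its JWKS endpoint instead of holding the private key in memory as this demo does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the slice of an OIDC ID token that matters here: Dex fills them
// in from the LDAP entry, OAuth2 Proxy checks them and forwards email and
// groups to the upstream application.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"` // single-string form only, as Dex emits for one client
	Expiry   int64    `json:"exp"`
	Email    string   `json:"email"`
	Groups   []string `json:"groups,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignIDToken stands in for Dex: a compact JWS signed with RS256, Dex's default.
func SignIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken stands in for OAuth2 Proxy's token check. The algorithm is
// pinned before anything is trusted (no "none"/HS256 confusion), the signature
// covers header and payload, then iss, aud (the proxy's own client ID) and exp
// are compared with what the caller expects.
func VerifyIDToken(pub *rsa.PublicKey, token, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the issuer key")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != issuer:
		return nil, errors.New("wrong issuer")
	case c.Audience != clientID:
		return nil, errors.New("token was not issued for this client")
	case !now.Before(time.Unix(c.Expiry, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for Dex's signing key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := SignIDToken(key, Claims{ // constructed claims, hypothetical names
		Issuer: "https://dex.example.test", Subject: "alice", Audience: "oauth2-proxy",
		Expiry: now.Add(time.Hour).Unix(), Email: "alice@example.test", Groups: []string{"pacman-users"},
	})
	if err != nil {
		panic(err)
	}
	c, err := VerifyIDToken(&key.PublicKey, tok, "https://dex.example.test", "oauth2-proxy", now)
	fmt.Println("for oauth2-proxy:", c, err)
	_, err = VerifyIDToken(&key.PublicKey, tok, "https://dex.example.test", "other-app", now)
	fmt.Println("for other-app:", err)
}
```

Run it and the valid token verifies while the same token presented for another client ID is rejected; that audience check is what stops a token minted for one OAuth2 Proxy instance from being replayed against a different application sitting behind the same Dex.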
Authors: Mo Khan, Margo Crawford
2021-10-15

tldr - powered by Generative AI

The presentation discusses the importance of secure identity assertion in Kubernetes clusters and presents a workaround built on X.509 client certificates.
  • Impersonation proxies in Kubernetes have had critical CVEs in the past.
  • Building the security-critical code path on the Go standard library rather than on Kubernetes libraries is safer.
  • X.509 client certificates are a secure way to assert identity in Kubernetes: the API server takes the username from the certificate's Common Name and the groups from its Organization fields.
  • Kubernetes does not check certificate revocation; Pinniped works around this by using the cluster signing key to issue short-lived client certificates, so that a credential ends by expiring rather than by being revoked.
Authors: Cagri Cetin, Quentin Long
2021-10-14

Yelp recently migrated its container-orchestration system from Mesos to Kubernetes. The existing Kubernetes authorization mechanisms, however, were insufficient to implement least-privilege access control rules: Yelp needed to authorize its users against hundreds of services owned by hundreds of different teams. By leveraging the Open Policy Agent (OPA), Yelp has implemented an authorization system that allows fine-grained authorization rules, which can rely on service ownership and on the sensitivity levels of resources or actions. This talk covers Yelp’s journey to fine-grained Kubernetes authorization using OPA and LDAP. It will discuss:
  • Shortcomings of existing Kubernetes authorization mechanisms
  • Design details of the new OPA-based system
  • Strategies for provisioning authorization rules at scale
  • Migration to the new system with zero downtime
  • Issues encountered along the way and lessons learned
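OPA policies are written in Rego and the abstract does not publish Yelp's rules; the Go program below is an added illustration of the rule shape it describes, written as a Kubernetes authorization webhook sees it. The API server POSTs a SubjectAccessReview, the policy maps the request's namespace to an owning LDAP group, scores the verb and resource by sensitivity, and answers allowed, denied or no opinion. The namespace, group and resource names and the sensitivity levels are constructed for the example and are not Yelp's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// The authorization.k8s.io/v1 SubjectAccessReview the API server POSTs to a
// webhook authorizer, reduced to the fields this policy reads and sets.
type ResourceAttributes struct {
	Namespace string `json:"namespace"`
	Verb      string `json:"verb"`
	Resource  string `json:"resource"`
}

type SARSpec struct {
	User               string              `json:"user"`
	Groups             []string            `json:"groups"`
	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
}

// Allowed=false with Denied=false is "no opinion": the API server moves on to
// the next authorizer (normally RBAC). Denied=true is a hard deny.
type SARStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}

type SubjectAccessReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Spec       SARSpec   `json:"spec"`
	Status     SARStatus `json:"status"`
}

// Policy is the data OPA would load next to the Rego: which LDAP group owns
// each service namespace, and how sensitive each verb and resource is.
// Service owners get a sensitivity budget; anything above it needs an admin.
type Policy struct {
	Owners        map[string]string // namespace -> owning LDAP group
	VerbLevel     map[string]int    // verbs the policy knows; unknown verbs are denied
	ResourceLevel map[string]int    // unlisted resources are level 0
	MaxOwnerLevel int
	ClusterAdmins string
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func (p Policy) Decide(sar *SubjectAccessReview) SARStatus {
	ra := sar.Spec.ResourceAttributes
	if ra == nil {
		return SARStatus{Reason: "non-resource request, left to other authorizers"}
	}
	if contains(sar.Spec.Groups, p.ClusterAdmins) {
		return SARStatus{Allowed: true, Reason: "cluster admin"}
	}
	owner, known := p.Owners[ra.Namespace]
	if !known {
		return SARStatus{Reason: "namespace has no registered owner, left to RBAC"}
	}
	if !contains(sar.Spec.Groups, owner) {
		return SARStatus{Denied: true, Reason: fmt.Sprintf("%s is not in owning group %s", sar.Spec.User, owner)}
	}
	verbLevel, ok := p.VerbLevel[ra.Verb]
	if !ok { // fail closed: an unknown verb must not default to "read"
		return SARStatus{Denied: true, Reason: "unknown verb " + ra.Verb}
	}
	if verbLevel+p.ResourceLevel[ra.Resource] > p.MaxOwnerLevel {
		return SARStatus{Denied: true, Reason: fmt.Sprintf("%s on %s exceeds the service-owner budget", ra.Verb, ra.Resource)}
	}
	return SARStatus{Allowed: true, Reason: "service owner"}
}

// Evaluate is the webhook round trip: request body in, response body out.
func Evaluate(p Policy, body []byte) ([]byte, error) {
	var sar SubjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return nil, err
	}
	sar.Status = p.Decide(&sar)
	return json.Marshal(sar)
}

// DemoPolicy is constructed data with hypothetical namespace and group names.
func DemoPolicy() Policy {
	return Policy{
		Owners:        map[string]string{"checkout": "ldap-team-payments", "search": "ldap-team-search"},
		VerbLevel:     map[string]int{"get": 0, "list": 0, "watch": 0, "create": 1, "update": 1, "patch": 1, "delete": 2, "deletecollection": 2},
		ResourceLevel: map[string]int{"secrets": 2, "serviceaccounts": 2},
		MaxOwnerLevel: 2,
		ClusterAdmins: "ldap-k8s-admins",
	}
}

func main() {
	// Constructed request: a payments-team member trying to rewrite a Secret in their own namespace.
	body := []byte(`{"apiVersion":"authorization.k8s.io/v1","kind":"SubjectAccessReview","spec":{"user":"alice","groups":["ldap-team-payments"],"resourceAttributes":{"namespace":"checkout","verb":"update","resource":"secrets"}}}`)
	out, err := Evaluate(DemoPolicy(), body)
	fmt.Println(string(out), err)
}
```

Two details carry over to a real deployment: an `allowed: false` answer without `denied: true` is "no opinion", so the API server falls through to RBAC, which is how system namespaces keep working when the webhook only knows about service namespaces; and a verb the policy has never seen must fail closed rather than score as the lowest level, otherwise a newly introduced verb silently becomes available to every service owner.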