Kubernetes Authentication

Kubernetes Authentication, Authorization

Security management generally covers two areas: authentication, which controls whether a client is allowed to connect, and authorization, which controls which resources an admitted client may access.

Authentication

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค์—์„œ ์ธ์ฆ๋ฐฉ๋ฒ•์œผ๋กœ kubeconfig ํŒŒ์ผ๋กœ ์ธ์ฆ, ServiceAccount Token์„ ์ด์šฉํ•œ ์ธ์ฆ, ์ปจํ…Œ์ด๋„ˆ์— ๊ฐ€์ง€๊ณ  ์žˆ๋Š” Token์„ ์ด์šฉํ•œ ์ธ์ฆ, idP๋ฅผ ํ†ตํ•œ ์ธ์ฆ์ด ์žˆ๋‹ค.

kubeconfig ํŒŒ์ผ๋กœ ์ธ์ฆ

When kubectl calls the API, it authenticates with the kubeconfig file and gains access to the cluster. The Python client does the same with config.load_kube_config():

from kubernetes import client, config

# Load credentials from ~/.kube/config (or $KUBECONFIG), the same file kubectl uses.
config.load_kube_config()

v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for pod in ret.items:
    print(f"{pod.status.pod_ip}\t{pod.metadata.namespace}\t{pod.metadata.name}")

ServiceAccount ํ† ๊ทผ์„ ์ด์šฉํ•˜์—ฌ ์ธ์ฆ

When a pod calls the API, it authenticates with its ServiceAccount token.

์ปจํ…Œ์ด๋„ˆ์— ์œ„์น˜ํ•œ ํ† ํฐ์„ ์ด์šฉํ•˜์—ฌ ์ธ์ฆ

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค ํด๋ผ์ด์–ธํŠธ๋ฅผ ์‚ฌ์šฉํ•  ๋•Œ, ํŒŒ๋“œ ๋‚ด ์ปจํ…Œ์ด๋„ˆ์— ์œ„์น˜ํ•œ ํ† ํฐ์„ ์ด์šฉํ•˜์—ฌ ์ธ์ฆํ•œ๋‹ค.

from kubernetes import config

# Inside a pod: reads the mounted ServiceAccount token and cluster CA and sets
# the default client configuration. It returns None, so there is nothing to assign.
config.load_incluster_config()

# For reference, what the library does internally (kubernetes/config/incluster_config.py,
# simplified): the two paths are the files projected into every pod.
SERVICE_TOKEN_FILENAME = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SERVICE_CERT_FILENAME = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

def load_incluster_config():
    InClusterConfigLoader(token_filename=SERVICE_TOKEN_FILENAME,
                          cert_filename=SERVICE_CERT_FILENAME).load_and_set()

Authentication through an IdP

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค๋Š” ์‚ฌ์šฉ์ž๋ฅผ API๋กœ ์ง์ ‘ ๊ด€๋ฆฌํ•˜์ง€ ์•Š๊ณ  Dex์™€ ์—ฐ๊ณ„ํ•˜์—ฌ ๊ธฐ์กด ์‹œ์Šคํ…œ(LDAP ๋“ฑ)์„ ํ™œ์šฉํ•˜์—ฌ ์ธ์ฆํ•  ์ˆ˜ ์žˆ๋‹ค. Dex๋Š” ์„œ๋“œํŒŒํ‹ฐ๋กœ ๋ถ€ํ„ฐ OAuth ์ธ์ฆ์„ ๊ด€๋ฆฌํ•˜๋Š” ๋„๊ตฌ์ด๋‹ค. Dex๋Š” OAuth ์„œ๋“œํŒŒํ‹ฐ์™€์˜ ์ค‘๊ฐ„ ๋งค๊ฐœ์ฒด ์—ญํ• ์„ ํ•ด์ฃผ๊ธฐ ๋•Œ๋ฌธ์— OAuth์˜ ์ธ์ฆ ํ† ํฐ ๋ฐœ๊ธ‰, ์ €์žฅ ๋ฐ ๊ด€๋ฆฌ๋ฅผ ์ข€๋” ์‰ฝ๊ฒŒ ํ•  ์ˆ˜ ์žˆ๋‹ค.

Authorization

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค๋Š” RBAC์„ ์‚ฌ์šฉํ•˜์—ฌ ๋ฆฌ์†Œ์Šค ๊ถŒํ•œ์„ ๊ด€๋ฆฌํ•œ๋‹ค. ์–ด์นด์šดํŠธ๋Š” ์œ ์ € ์–ด์นด์šดํŠธ์™€ ์‹œ์Šคํ…œ ์–ด์นด์šดํŠธ๋กœ ๊ตฌ๋ถ„๋˜๋Š”๋ฐ, ์œ ์ € ์–ด์นด์šดํŠธ๋Š” User์™€ User๋ฅผ ๋ฌถ์€ Group์œผ๋กœ ์ •์˜ํ•˜๊ณ , ์‹œ์Šคํ…œ ์–ด์นด์šดํŠธ๋Š” ServiceAccount ๋กœ ์ •์˜ํ•œ๋‹ค. ์–ด์นด์šดํŠธ์˜ ๋ฆฌ์†Œ์Šค ๊ถŒํ•œ(์˜ˆ, Pod - create/list/delete)์€ Role์— ์ •์˜ํ•˜๋ฉฐ, Role์„ ์–ด์นด์šดํŠธ์— ๋ถ€์—ฌํ•  ๋•Œ RoleBinding์„ ์„ค์ •ํ•œ๋‹ค.

ClusterRole and Role

Role์€ ์ ์šฉ ๋ฒ”์œ„์— ๋”ฐ๋ผ ClusterRole๊ณผ Role๋กœ ๊ตฌ๋ถ„ํ•œ๋‹ค. ClusterRole์€ ํด๋Ÿฌ์Šคํ„ฐ ์ „์ฒด ๋ฆฌ์†Œ์Šค ๊ถŒํ•œ์„ ์ •์˜ํ•˜๊ณ , Role์€ ํŠน์ • ๋„ค์ž„์ŠคํŽ˜์ด์Šค ๋‚ด์˜ ๋ฆฌ์†Œ์Šค ๊ถŒํ•œ์„ ์ •์˜ํ•œ๋‹ค.

Namespace

Kubernetes uses namespaces to isolate resources, so that multiple users can share one cluster with their resources kept apart. Within the same namespace, resources are distinguished by labels.

์ฐธ๊ณ ์ž๋ฃŒ

https://lcc3108.github.io/articles/2020-12/Istio+Dex-์ธ์ฆ Istio Usage in Kubeflow, https://www.kubeflow.org/docs/other-guides/istio-in-kubeflow/ https://speakerdeck.com/chanyilin/authz?slide=15 https://speakerdeck.com/chanyilin/authz?slide=12 https://medium.com/kubeflow/enabling-kubeflow-with-enterprise-grade-auth-for-on-premise-deployments-ae7dd13a69e5 https://waspro.tistory.com/608 https://bcho.tistory.com/1272

Last updated

Was this helpful?