Guest post from Onkar Bhat, Engineering Manager and Deepika Dixit, Software Engineer, Kasten by Veeam
Security is a critical requirement for application development, as is configuring authentication and authorization workflows in a way that makes the user experience seamless and hassle-free. Fortunately, there’s an easy way to do this in Kubernetes — without reinventing the wheel.
In a recent webinar, Kasten by Veeam’s Engineering Manager Onkar Bhat and Software Engineer Deepika Dixit shared a simple way to configure authentication and authorization workflows using Dex and Role-based Access Control (RBAC). Bhat and Dixit tackled authorization and authentication separately, explaining how their approach works and providing a step-by-step demo for the audience.
First, Authentication with Dex
To get the webinar started, Bhat provided a detailed overview of the Dex Authentication workflow. Developers using Dex simply configure the application to redirect users to Dex when they attempt to access an application. Dex then verifies that the application is registered with itself and attempts to authenticate with the third-party identity provider — Google, GitHub, Active Directory or others. Dex supports a long list of IDPs, but for the purpose of the demo, Bhat used LDAP.
Once a user is authenticated with the IDP, he or she is redirected back to Dex, who approves the user access to the client application. Bhat noted that IDPs are usually outside of Kubernetes, and that it’s possible to configure connectors to multiple IDPs within Dex.
Following the overview, Bhat walked viewers through how to configure Dex and provided screenshots to illustrate key sections of the authentication workflow. He then performed a live demo, where he installed and ran a client application to test the Dex authentication workflow for individual users, groups of users and administrators.
Next, Authorization with RBAC
Application security isn’t complete without a process for authorizing users, and RBAC provides a simple way to accomplish this in conjunction with the Dex authentication workflow.
As Dixit noted, Kubernetes has its own method for regulating access to your computer or network resources, based on the roles of individual users within your organization. Kubernetes RBAC allows you to use your existing users and groups, and assign them roles. The method is flexible and powerful — you define your rules once and you can use them multiple times, not only within the cluster but across multiple clusters. RBAC clearly defines who has access to what, which allows for a dynamic calculation across the cluster as the application changes and grows.
Dixit noted that for administrators, multi-tenancy is often a concern, especially as clusters and applications mature after the initial setup. They must decide how to restrict user access to just their applications and components within their applications. Kubernetes RBAC makes it easier to define the rules and regulate who has access to what, while allowing for separation and security between users and applications.
Dixit shared examples of roles and clusterRoles from the Kubernetes documentation, to show that it’s possible to differentiate between application-level and cluster-level access. She also pointed out that rules are a specific set of permissions that are additive in nature; a user by default has no access, unless it’s bound to a role. It’s possible to expand on the rules and provide additional access. Rules can be as broad as “all” or very granular, down to a specific resource in an API group.
According to Dixit, subjects for the rules can be of three types: Users, Groups or Service Accounts. RoleBInding and ClusterRoleBinding can be used to define various levels of access either at the namespace or cluster level.
An important feature for Kubernetes RBAC is the ability to change authentication systems. Once you’ve defined your roles and access levels as RBAC objects, you can switch from one IDP to another and the RBAC roles you’ve are persistent.
Dexit’s discussion was followed by a step-by-step demo of how to configure access for all types of subjects using RBAC in Kubernetes.
Watch the Demos
Together, Dex and RBAC can be used to provide powerful security for Kubernetes applications. You can watch the full webinar and see the demos on-demand, here.