Let Python automate the process of sharing your Kubernetes cluster
Dishant Sethi (~dishant24)
Kubernetes uses role-based access control (RBAC) to control access to the cluster. Before any of that applies, a user must authenticate to the API server, and there are various ways of doing that: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
One of them is a client certificate: a user wanting to authenticate this way needs a certificate with his/her username as the subject's commonName, and the certificate needs to be signed by the cluster's CA. Although the concept is quite easy, creating certificates using the OpenSSL CLI often proves to be difficult: you need to run a couple of OpenSSL commands and then set credentials for the user. This is NOT where the process ends. The user also needs to be authorized.
Different levels of authorization in Kubernetes can be achieved through namespaces, roles, and role bindings. In order to limit a user to his/her own space in the cluster, we create a personal namespace and bind a role to it. The role describes the types of access the user will have.
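The three objects described above, as an added example (not the speaker's script or code from the talk), built as plain manifests with the Python standard library only. The `<username>-role` and `<username>-binding` names, the default rule list and the sample user `alice` are assumptions made for illustration.

```python
import json
import re

RBAC_GROUP = "rbac.authorization.k8s.io"
# Namespace names must be RFC 1123 DNS labels (at most 63 characters).
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")

# Constructed default grant: an explicit allow-list, no wildcards.
DEFAULT_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
]


def build_user_space(username, rules=None):
    """Return [Namespace, Role, RoleBinding] confining `username` to one namespace.

    `username` must equal the commonName of the user's client certificate,
    because that is the name the API server passes to RBAC.
    """
    if len(username) > 63 or not DNS_LABEL.fullmatch(username):
        raise ValueError(f"{username!r} cannot be used as a namespace name")
    rules = DEFAULT_RULES if rules is None else rules
    for rule in rules:
        # Refuse wildcards so the role never grows into "everything".
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                raise ValueError(f"wildcard in {field} is not allowed")
    role_name = f"{username}-role"  # hypothetical naming scheme
    return [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": username}},
        {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "Role",
         "metadata": {"name": role_name, "namespace": username}, "rules": rules},
        # A Role (not a ClusterRole) bound inside one namespace grants nothing outside it.
        {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "RoleBinding",
         "metadata": {"name": f"{username}-binding", "namespace": username},
         "subjects": [{"kind": "User", "name": username, "apiGroup": RBAC_GROUP}],
         "roleRef": {"kind": "Role", "name": role_name, "apiGroup": RBAC_GROUP}},
    ]


if __name__ == "__main__":
    # Constructed sample user; the JSON output can be piped to `kubectl apply -f -`.
    print(json.dumps({"apiVersion": "v1", "kind": "List",
                      "items": build_user_space("alice")}, indent=2))
```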
This session will summarize how one can automate all the authentication and authorization steps using pyOpenSSL and the Kubernetes APIs. In case someone is not familiar with the kubectl and OpenSSL way, I will start with a brief explanation of that as well.
- Creating the user's key, self-signed certificate, certificate signing request, kubeconfig file
- Creating namespace, rules, roles, role binding and service account
If you don't want to spend time following a long process to give someone access to your cluster, this talk is for you.
The following is an outline of the topics to be covered during the talk:
- (2 min) Introduction to RBAC
- (4 min) Create the user's key and certificate signing request to the cluster authority via OpenSSL
- (4 min) Create a role for a user using kubectl
- (7.5 min + 7.5 min = 15 min) Create a script for authentication using pyOpenSSL; demonstrate a script for authorisation using python-client (rules/roles/rolebinding)
- (5 min) Slot for Q&A
- Kubernetes 101 concepts:
  - role binding
  - service account
- Python Language 101 concepts
- A Kubernetes cluster, if you want to do hands-on.
Hey, I am Dishant Sethi, a Software Engineer at Essentia Softserv. I have been developing and deploying web applications using Python for quite some time now. I am passionate about supporting the education system and meeting new people. I believe in free and open information/internet access for everyone.
Interested in opportunities to contribute as: ♦ Web Developer ♦ System / Cloud Engineer ♦ DevOps
Talk to me about: ♦ Web Development Practices ♦ Free and Open Source Software (FOSS) Community ♦ Starting Software Engineering Journey