December 25, 2019

180 words 1 min read

Defining Mutli-Tenant Access Controls for a Cluster

Defining Mutli-Tenant Access Controls for a Cluster

What we've learned while building an internal PaaS allowing automated self service access to our multi-tenant clusters. Teams have access to create service based namespaces on demand. Beginning with h …
Talk Title Defining Mutli-Tenant Access Controls for a Cluster
Speakers Anund McKague (Senior Developer, Atlassian)
Conference KubeCon + CloudNativeCon North America
Conf Tag
Location Seattle, WA, USA
Date Dec 9-14, 2018
URL Talk Page
Slides Talk Slides
Video

What we’ve learned while building an internal PaaS allowing automated self service access to our multi-tenant clusters. Teams have access to create service based namespaces on demand. Beginning with how users authenicate via our open source cli tool connecting ldap and 2fa, continuing through our use of authentication webhooks, on to our use of authorization webhooks and RBAC, and finishing with how we manage creation of dynamic RBAC based roles. Talk will touch on authentication webhooks, github.com/atlassian/kubetoken, mutating and validating webhooks, api servers as proxies to internal services, managing rbac roles and dynamic creation of role bindings, along with some of the security implications of cluster roles and cluster role bindings.

api automated security github open source paas cluster
comments powered by Disqus
You call it data lake; we call it Data Historian.

You call it data lake; we call it Data Historian.

December 4, 2019

There are a number of tools that make it easy to implement a data lake. However, most lack the essential features that prevent your data lake from turning into a data swamp. Naghman Waheed and Brian Arnold offer an overview of Monsanto's Data Historian platform, which can ingest, store, and access datasets without compromising ease of use, governance, or security.
Deep Dive: Operator Framework BoF

Deep Dive: Operator Framework BoF

December 25, 2019

An Operator is a method of packaging, deploying and managing a Kubernetes application. A Kubernetes application is an application that is both deployed on Kubernetes and managed using the Kubernetes A …
Implementing Least Privilege Security and Networking with BPF on Kubernetes

Implementing Least Privilege Security and Networking with BPF on Kubernetes

December 24, 2019

BPF is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security, and tracing. At the same time, the rise of Kubernetes is creating demand for routing, lo …
The IoT botnet wars, Linux devices, and the absence of basic security hardening

The IoT botnet wars, Linux devices, and the absence of basic security hardening

December 24, 2019

Drew Moseley explores the malware infecting Linux IoT devices, including Mirai, Hajime, and BrickerBot, and the vulnerabilities they leverage to enslave or brick connected devices. Drew then walks you through specific vectors they used to exploit devices and covers some security hardening basic concepts and practices that would have largely protected against them.
Jenkins X: Continuous Delivery for Kubernetes

Jenkins X: Continuous Delivery for Kubernetes

December 23, 2019

Jenkins X is a new open source CI/CD platform for Kubernetes based on Jenkins. Jenkins X runs on Kubernetes and transparently uses on demand containers to run build agents and jobs, and isolate job ex …
The distributed authorization system: A Netflix case study

The distributed authorization system: A Netflix case study

December 19, 2019

Manish Mehta and Torin Sandall lead a deep dive into how Netflix enforces authorization policies (who can do what) at scale in its microservices ecosystem in a public cloud without introducing unreasonable latency in the request path.