It’s My HomeLab Why Would I Want SSO? Matt Williams – Evangelist @ Infra matt@infrahq.com | @technovangelist

It’s My HomeLab Why Would I Want Single Sign On? Or Roles? Or Users? * Specific to Kubernetes Matt Williams – Evangelist @ Infra matt@infrahq.com | @technovangelist

A HomeLab can be whatever you want it to be.

A HomeLab can be made of whatever you have

My first HomeLab was…

My HomeLab Today

Kubernetes in the HomeLab
• Can take advantage of a hodgepodge of machines

Kubernetes in the HomeLab
• Consistent deployments

Why Users and Roles in K8S at Home?

Kubernetes: What is a User?
• They don’t exist
  - or -
• A signed certificate in a kubeconfig file

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: certgoeshere
    server: https://clusterendpoint.k8s.ondigitalocean.com
  name: mycluster
contexts:
- context:
    cluster: mycluster
    user: do-sfo3-matt-primary-admin
  name: mycontext
current-context: mycontext
kind: Config
preferences: {}
users:
- name: do-sfo3-matt-primary-admin
  user:
    token: dop_v1_dea9d7ff2b8eb092f53ffebogus31d2bd4602a62a19b5ac4


Kubernetes: What is a Role?
• Defines the level of access a ‘user’ has to the cluster
• Resource
• Verb

Kubernetes: What is a Role?
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: marketing-dev
  labels:
    app.infrahq.com/include-role: "true"
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]


How to create a User
• Create the user key (openssl genpkey…)
• Create the CSR (openssl req -new)
• Submit the CSR to the cluster (yaml)
• Approve the request (kubectl certificate approve…)

How to create a User
• Get the approved request (kubectl get csr…)
• Build the kubeconfig (kubectl --kubeconfig myuserconfig config set-credentials, kubectl --kubeconfig myuserconfig config set-context)
• Then distribute the file
https://infrahq.com/blog/how-to-create-users

How to create a User
• And then repeat often
• And redistribute
• Ensure bad parties can’t access
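The six steps on the preceding slides as one script. This is an added example, not the talk's or Infra's own code; it assumes openssl, kubectl and base64 on PATH, an active cluster-admin context, and that the marketing-dev ClusterRole from the earlier slide already exists.

```shell
# Added example, not the talk's own script. Assumes: openssl, kubectl and base64
# on PATH, an active cluster-admin context, and the marketing-dev ClusterRole.
set -eu
# Step 3: wrap a PEM CSR in a CertificateSigningRequest manifest (printed to stdout).
# Args: username, path to the PEM CSR.
csr_manifest() {
  user="$1"; csr_pem="$2"
  req=$(base64 < "$csr_pem" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: ${req}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day: a leaked kubeconfig ages out by itself
  usages:
  - client auth
EOF
}
# Steps 1-6 end to end. Args: username, group. Writes ${user}.kubeconfig.
create_user() {
  user="$1"; group="$2"
  # O= becomes the user's group; system:masters would bypass RBAC entirely.
  [ "$group" != "system:masters" ] || { echo "refusing system:masters" >&2; return 1; }
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${user}.key"
  openssl req -new -key "${user}.key" -subj "/CN=${user}/O=${group}" -out "${user}.csr"
  csr_manifest "$user" "${user}.csr" | kubectl apply -f -
  kubectl certificate approve "$user"
  # The signed cert appears in .status.certificate shortly after approval.
  cert=""; i=0
  while [ -z "$cert" ] && [ "$i" -lt 10 ]; do
    sleep 1; i=$((i + 1))
    cert=$(kubectl get csr "$user" -o jsonpath='{.status.certificate}')
  done
  [ -n "$cert" ] || { echo "certificate not issued" >&2; return 1; }
  echo "$cert" | base64 -d > "${user}.crt"
  server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt
  kc="${user}.kubeconfig"
  kubectl --kubeconfig "$kc" config set-cluster homelab --server="$server" --certificate-authority=ca.crt --embed-certs=true
  kubectl --kubeconfig "$kc" config set-credentials "$user" --client-certificate="${user}.crt" --client-key="${user}.key" --embed-certs=true
  kubectl --kubeconfig "$kc" config set-context "$user" --cluster=homelab --user="$user"
  kubectl --kubeconfig "$kc" config use-context "$user"
  # Least privilege: bind only the pod-reader ClusterRole from the slides.
  kubectl create clusterrolebinding "${user}-marketing-dev" --clusterrole=marketing-dev --user="$user"
}
```

Run `create_user alice marketing` and hand alice only the resulting `alice.kubeconfig`; the private key never leaves the machine that generated it until you choose to distribute the file.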

Just give everyone admin???
• What happens when
  • User fired
  • User compromised
• Kubernetes is Remote Execution as a Service

Can we automate it?

Brendan Burns - AddUser
• https://github.com/brendandburns/kubernetes-adduser

What’s missing from the script
• Key / Config file distribution

How about something easier?

Infra
• Two deployment options
  • Self Hosted
  • Use Infra Cloud (coming soon)

Demo

Summary
• HomeLabs let you practice
• You should be using Users/Roles/SSO with K8s
• Users in K8s are hard
• Infra is easy
• Infra lets you do the hard stuff without much thinking
