It’s My HomeLab - Why Do I Need SSO?

It’s My HomeLab Why Would I Want SSO? Matt Williams – Evangelist @ Infra matt@infrahq.com | @technovangelist

It’s My HomeLab Why Would I Want Single Sign On? Or Roles? Or Users? * Specific to Kubernetes Matt Williams – Evangelist @ Infra matt@infrahq.com | @technovangelist

A HomeLab can be whatever you want it to be.

A HomeLab can be made of whatever you have

My first HomeLab was…

My HomeLab Today

Kubernetes in the HomeLab Can take advantage of a hodgepodge of machines

Kubernetes in the HomeLab Consistent Deployments

Why Users and Roles in K8S at Home?

Kubernetes: What is a User? They don’t exist - or – • A signed certificate in a kubeconfig file •

apiVersion: v1 clusters: - cluster: certificate-authority-data: certgoeshere server: https://clusterendpoint.k8s.ondigitalocean.com name: mycluster contexts: - context: cluster: mycluster user: do-sfo3-matt-primary-admin name: mycontext current-context: mycontext kind: Config preferences: {} users: - name: do-sfo3-matt-primary-admin user: token: dop_v1_dea9d7ff2b8eb092f53ffebogus31d2bd4602a62a19b5ac4

Kubernetes: What is a Role? • Defines the level of access a ‘user’ has to the cluster • • Resource Verb

Kubernetes: What is a Role? apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: marketing-dev labels: app.infrahq.com/include-role: “true” rules: - apiGroups: [“”] # “” indicates the core API group resources: [“pods”] verbs: [“get”, “watch”, “list”]

How to create a User Create the user key (openssl genpkey…) • Create the CSR (openssl req –new) • Submit the CSR to the cluster (yaml) • Approve the request (kubectl certificate • approve…)

How to create a User Get the approved request (kubectl get csr…) • Build the kubeconfig (kubectl —kubeconfig • myuserconfig config set-credentials, kubectl -kubeconfig myuserconfig configset-context) • Then distribute the file https://infrahq.com/blog/how-to-create-users

How to create a User • And then repeat often • • ensure bad parties can’t access And redistribute

Just give everyone admin??? • What happens when User fired • User compromised • • Kubernetes is Remote Execution as a Service

Can we automate it?

Brendan Burns - AddUser • https://github.com/brendandburns/kub ernetes-adduser

What’s missing from the script • Key / Config file distribution

How about something easier?

Infra • Two deployment options Self Hosted • Use Infra Cloud (coming soon) •

Demo

Summary HomeLabs let you practice • You should be using Users/Roles/SSO with K8s • Users in K8s are hard • Infra is easy • Infra lets you do the hard stuff without much thinking •

It’s My HomeLab Why Would I Want SSO? Matt Williams – Evangelist @ Infra matt@infrahq.com | @technovangelist

It’s My HomeLab - Why Do I Need SSO?

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37