CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
techcet
6 slides
Jun 26, 2024
About This Presentation
Identities are a crucial part of running workloads on Kubernetes. How do you ensure Pods can securely access Cloud resources? In this lightning talk, you will learn how large Cloud providers work together to share Identity Provider responsibilities in order to federate identities in multi-cloud environments.
Slide Content
Don’t Make Me Impersonate My Identity
Lightning Talk
Cynthia Thomas
linkedin.com/in/cynthia-thomas, @_techcet_
GKE Security, Google Cloud
Kubernetes Pods and their identities
-In Kubernetes, Pods are given a distinct identity within a Kubernetes cluster
-How? Through a Service Account: typically an account type for non-humans
-Pods are always given a Service Account, either the default one or an explicitly configured one
How to get Pods to talk to Cloud Resources
Options:
1. Export credentials and mount them as a Kubernetes Secret in the Pod at runtime
2. Use the worker node/VM identity credential
3. Use Workload Identity Federation
[Diagram: Cloud provider K8s Cluster with K8s Worker Nodes, Namespace foo containing Pods, and the K8s Control Plane with the kube-API server]
Workload Identity Federation at work
[Diagram: Step 1: Trust Established (Cloud IAM); Step 2: Secured communication (Cloud API)]
Blog: Kubernetes token support for OIDC
Before                                           | After
Create Kubernetes namespace                      | Create Kubernetes namespace
Create Kubernetes Service Account (KSA)          | Create Kubernetes Service Account (KSA)
Create Google Service Account (GSA)              | Not needed
Configure KSA to impersonate GSA                 | Not needed
Annotate KSA with the GSA so GKE knows the link  | Not needed
Bind role to Google Service Account (GSA)        | Bind role directly to KSA
SA Impersonation
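The Before/After table above, as an added shell example that is not part of the talk: shell functions that return the IAM member strings and the gcloud/kubectl commands for each path, so the two setups can be compared side by side. Project id and number, namespace, KSA and GSA names and the role are constructed placeholders; the member formats are the ones GKE Workload Identity Federation uses for GSA impersonation and for direct binding to a KSA.

```shell
#!/usr/bin/env bash
# Added example, not from the talk. Values below are constructed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"        # constructed
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # constructed
NAMESPACE="${NAMESPACE:-foo}"                      # namespace name from the slides
KSA="${KSA:-app-sa}"                               # constructed KSA name
ROLE="${ROLE:-roles/storage.objectViewer}"         # constructed example role

# Common to both paths: the namespace and the KSA.
common_commands() {
  printf '%s\n' \
    "kubectl create namespace ${NAMESPACE}" \
    "kubectl create serviceaccount ${KSA} -n ${NAMESPACE}"
}

# BEFORE: IAM member that lets the KSA impersonate a Google Service Account (GSA).
impersonation_member() {  # args: project_id namespace ksa
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# AFTER: the KSA's own principal in the cluster's workload identity pool.
ksa_principal() {  # args: project_number project_id namespace ksa
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s' \
    "$1" "$2" "$3" "$4"
}

# Commands are returned as text, not executed, so the script can be read and tested offline.
before_commands() {  # GSA + impersonation grant + annotation, then the role on the GSA
  gsa="app-gsa@${PROJECT_ID}.iam.gserviceaccount.com"   # constructed GSA
  printf '%s\n' \
    "gcloud iam service-accounts create app-gsa --project=${PROJECT_ID}" \
    "gcloud iam service-accounts add-iam-policy-binding ${gsa} --role=roles/iam.workloadIdentityUser --member=$(impersonation_member "$PROJECT_ID" "$NAMESPACE" "$KSA")" \
    "kubectl annotate serviceaccount ${KSA} -n ${NAMESPACE} iam.gke.io/gcp-service-account=${gsa}" \
    "gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${gsa} --role=${ROLE}"
}

after_commands() {  # one binding straight to the KSA; no GSA, no annotation
  printf '%s\n' \
    "gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=$(ksa_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$KSA") --role=${ROLE}"
}

main() {
  echo "# Before (KSA impersonates a GSA):"; common_commands; before_commands
  echo "# After (role bound directly to the KSA):"; common_commands; after_commands
}
main
```

In both paths the Pod itself only sets serviceAccountName to the KSA and runs on a node pool with Workload Identity enabled; the difference is entirely in what Cloud IAM trusts, and the After path leaves no GSA key or impersonation grant to manage.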
Just say no to impersonation
-Don’t worry about managing secrets
-Don’t worry about identity impersonation
-Federate identities - supports OIDC/SAML and now X.509 certificates with SPIFFE
Don’t make me impersonate my identity
Be more secure with Workload Identity Federation!