Skip to content

Commit

Permalink
Slides for 20241113
Browse files Browse the repository at this point in the history
  • Loading branch information
@nicholasdille
nicholasdille committed Nov 12, 2024
1 parent 5168594 commit 45d64e9
Show file tree
Hide file tree
Showing 20 changed files with 1,678 additions and 0 deletions.
29 changes: 29 additions & 0 deletions slides/2024-11-13/000_introduction/02_bio.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
<!-- .slide: id="bio" -->

## Nicholas Dille

<img src="images/NicholasDille.jpg" style="width: 25%; float: right; border-radius: 8px;" />

**Husband, father, runner, trumpeteer**

- <span class="fa-li"><i class="fa fa-globe"></i></span> [Blogger][1] since 2003
- <span class="fa-li"><i class="fa fa-microphone"></i></span> [Speaker][2] since 2009
- <span class="fa-li"><i class="fa-brands fa-windows"></i></span> Microsoft MVP Alumni (2010-2023)
- <span class="fa-li"><i class="fa fa-briefcase"></i></span> [Haufe Group][3] since 2016
- <span class="fa-li"><i class="fa-brands fa-docker"></i></span> [Docker Captain][4] since 2017
- <span class="fa-li"><i class="fa fa-person-chalkboard"></i></span> Self-employed [trainer][5] since 2020
- <span class="fa-li"><i class="fa fa-user-helmet-safety"></i></span> Initiator/maintainer of [uniget][6] since 2021

<!-- .element: class="fa-ul" style="line-height: 175%;" -->

*Reach out via* [<i class="fa-brands fa-mastodon"></i>][7] [<i class="fa-brands fa-bluesky"></i>][8] [<i class="fa-brands fa-github"></i>][9]

[1]: https://dille.name
[2]: https://dille.name/blog/tags/#Slides
[3]: https://www.docker.com/captains/nicholas-dille
[4]: https://haufegroup.com
[5]: https://dille.name
[6]: https://uniget.dev
[7]: https://freiburg.social/@nicholasdille
[8]: https://bsky.app/profile/nicholasdille.bsky.social
[9]: https://github.com/nicholasdille
123 changes: 123 additions & 0 deletions slides/2024-11-13/120_kubernetes/oidc/oidc.drawio.svg
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
61 changes: 61 additions & 0 deletions slides/2024-11-13/120_kubernetes/oidc/slides.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
## Open ID Connect

![](120_kubernetes/oidc/oidc.drawio.svg) <!-- .element: style="float: right; width: 40%;" -->

Open ID Connect (OIDC) [](https://de.wikipedia.org/wiki/OpenID_Connect) builds on OAuth [](https://de.wikipedia.org/wiki/OAuth)

1. User authenticates with OIDC provider<br/>and receives token

2. User presents token to service

3. Service validates token<br/>and authorizes access

OIDC providers include: Keycloak [](https://github.com/keycloak/keycloak), Dex [](https://github.com/dexidp/dex#connectors), GitLab [](https://docs.gitlab.com/ee/integration/openid_connect_provider.html)

### Kubernetes [](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)

Use OIDC provider to authenticate

Authorize access to resources

---

## Internals

```json
{
"iss": "https://gitlab.com",
"sub": "REDACTED",
"aud": "REDACTED",
"exp": REDACTED,
"iat": REDACTED,
"nonce": "REDACTED",
"auth_time": REDACTED,
"sub_legacy": "REDACTED",
"name": "Nicholas Dille",
"nickname": "nicholasdille",
"preferred_username": "nicholasdille",
"website": "https://dille.name",
"profile": "REDACTED",
"picture": "REDACTED",
"groups_direct": [
"k8s-oidc-demo"
]
}
```

<!-- .element: style="float: right; font-size: smaller; width: 24em; padding-left: 1em;" -->

Token contains claims useful for authorization

Claims are generated from...
- LDAP groups
- GitLab groups

Token owner `preferred_username` is mapped to a Kubernetes `User`

Each claim from `groups_direct` is mapped to a Kubernetes `Group`

Use [kubelogin](https://github.com/int128/kubelogin) to avoid token in kubeconfig

### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/oidc/oidc.demo "oidc.demo")
46 changes: 46 additions & 0 deletions slides/2024-11-13/120_kubernetes/rbac/aggregation.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
## Aggregating ClusterRoles

Automagically aggregate rules into new ClusterRoles [](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: monitoring
aggregationRule:
clusterRoleSelectors:
- matchLabels:
aggregate-to-monitoring: "true"
rules: []
```
<!-- .element: style="float: left; font-size: smaller; width: 25em;" -->
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: monitoring-endpoints
labels:
aggregate-to-monitoring: "true"
rules:
- apiGroups: [""]
resources: ["services", "endpointslices", "pods"]
verbs: ["get", "list", "watch"]
```
<!-- .element: style="float: right; font-size: smaller; width: 25em;" -->
Rules from ClusterRole `monitoring-endpoints` are aggregated into `monitoring` based on labels

Heavily used in builtin ClusterRoles [](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)

- `rbac.authorization.k8s.io/aggregate-to-(admin|edit|view)`

--

## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/aggregation.demo "aggregation.demo")

Inspect builtin ClusterRoles with aggregation

Create custom aggregation
Loading

0 comments on commit 45d64e9

Please sign in to comment.