►
From YouTube: Compliance and Identity Management in Kubernetes [I] - Marc Boorshtein, Tremolo Security, Inc.
Description
Compliance and Identity Management in Kubernetes [I] - Marc Boorshtein, Tremolo Security, Inc.
Compliance with what? Depends on your industry. As k8s continues to expand into regulated enterprises such as government, health care and financials deployments will need to understand how managing users and their access relates to compliance obligations. This session will focus on how identity management can be approached for solving this issue. How do you onboard users? Authorize their access to a namespace? Offboard them? Is there a need to differentiate between a privileged user and an unprivileged user? I'll go beyond the technical implementation in k8s and tie it to specific compliance requirements in FISMA and demo how solving the compliance issue can also improve the usability and security of your k8s deployment. This talk will follow a similar form to https://www.tremolosecurity.com/openshift-compliance-and-identity-management/ but specifically on k8s.
About Marc Boorshtein
Marc has nearly fifteen years of identity and access management experience as a software engineer, product developer, and consultant. He is experienced building, deploying, and managing identity systems from most major vendors across numerous industries as well as working with security teams to analyze compliance impacts and assist with remediation. Marc has been the lead architect for multiple civilian agency's FICAM programs and has previously spoken at Google DevFest 2016, The Information Security Systems Association conference, given multiple briefings on identity management for OpenShift Commons and presented on OpenShift identity management compliance at Red Hat Summit 2017.
Join us for KubeCon + CloudNativeCon in Barcelona May 20 - 23, Shanghai June 24 - 26, and San Diego November 18 - 21! Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.
A
Well,
thank
you
for
coming
out.
My
session
today
is
going
to
be
like
the
screen
says
on
a
dating
management
and
compliance.
We're
gonna
talk
a
little
bit
about.
Why
do
you
care
about
this?
Why
is
identity
management
important
to
compliance
and
why
I
broke
it
out
from
say
what
we
folks
typically
talk
about
compliance
and
what
is
compliance?
I
know
the
first
time
I
used
to
work
in
an
audit
firm.
Someone
asked
me,
you
know:
is
this
compliant?
A
Have
you
taken
compliance
into
account
and
my
first
question
was
compliance
with
what
so
we'll
talk
a
little
bit
about
that?
How
does
it
apply
it?
Being
identity,
management
to
appliance
compliance
and
we'll
talk
about
some
real-life
workflows
and
then
finally,
we'll
get
into
some
tech
stuff
and
a
demo?
Any
questions
please
hold
till
the
end,
since
it's
a
pretty
short
session,
I
want
to
get
through
all
the
fun
stuff.
First,
so
Who
am
I.
My
name
is
Marc
portney
and
I'm.
The
CTO
tremelo
security.
We
are
an
identity
management.
A
Company
I
have
been
doing
identity
management
for
close
to
15
years.
You
name
the
industry
and
the
product
before
I
start
a
tremolo,
pretty
good
chance
that
somewhere
in
that
cross-section,
I've
done
a
deployment.
I
also
spent
time
as
a
fight
and
market
tech.
That's
in
federal
government
what
they
call
identity,
management
for
multiple
3-letter
civilian
agencies
and
have
had
to
work
a
lot
in
the
compliance
space,
especially
with
the
feds,
and
if
anybody
has
worked
on
open
ID
connect
with
kubernetes
I
contributed
a
lot
of
the
documentation
around
open.
Id
connect
all
right.
A
So
why
is
compliance
important?
So
there
are
two
reasons
why
compliance
is
really
important.
The
first
is,
it
will
often
be
used
against
you
if
somebody
doesn't
want
you
to
put
something
into
their
environment.
The
first
question
is:
is
it
compliant
whether
or
not
it
has
to
be
compliant
is
a
little
bit
of
a
squishy
or
subject,
and
it
really
depends
on
whether
or
not
people
want
things
in
the
environment,
but
when
you're
trying
to
push
something
a
new
disruptive
technology-
and
they
will
all
agree
that
kubernetes
is
pretty
disruptive.
A
It's
always
good
to
have
the
compliance
question
in
your
back
pocket.
The
happy
pass
which
I'm
going
to
spend
more
time
on
today
is
this
mathematical
equation,
I
like
to
have
where,
if
you
take
DevOps
identity
management,
you
put
them
together.
You
make
everybody
happy.
You
make
the
suits
happy
because
guess
what
they
don't
like
pouring
through
ten
thousand
emails,
any
more
than
you
like
putting
them
together
and
makes
your
admins
happy,
because
there
is
nothing
more
annoying.
A
A
So
what
is
compliance?
So
there
are
two
types
of
compliance
frameworks
out
there.
There
is
the
classic
NIST
853,
which
is
a
true
framework,
so
just
like
coo
Bernays
doesn't
do
anything
unless
you
tell
it
to
in
this.
The
853
doesn't
actually
tell
you
what
compliance
is.
It
gives
you
a
framework
to
design
your
compliance.
So
here
we
have
a
control.
A
There
we
go
so
this
control
here,
the
the
the
step
one
to
find
your
policy
will
say:
alright,
you
need
to
have
a
policy
in
this
area
and
then
it's
up
to
you
as
the
implementer
to
define
what
that
policy
is.
And
then
you
have
often
much
more
industry
focused
compliance
frameworks
and
they
tend
to
be
a
little
more
prescriptive.
So
I
do
all
work
with
law
enforcement,
and
so
she
just
comes
up
a
lot.
A
So
has
the
IDM
fit
into
this?
So
if
we're
working
in
this
state
hundred
fifty
three,
this
is
an
actual
control
authorized
access
to
the
information
system
based
on
one
a
act,
valid
access
authorization
as
an
extremely
helpful
control.
That
is
a
palindrome.
So
basically,
what
it's
saying
is
you
need
to
have
a
process
designed
to
say
why
somebody
should
have
access
to
it
and
then
from
a
technology
standpoint?
How
do
you
implement
that?
A
That's
where
Identity
Management
fits
in
and
then
looking
here
at
see
just
the
section
deals
with
passwords
password
complexity,
how
often
you
have
to
change
them,
etc?
And
again,
that's
you
want
to
have
identity
management.
So,
let's
talk
about
the
unhappy
past
with
compliance
and
no
DevOps
everybody's
gone
through.
This
I
need
access
to
something
in
kubernetes,
whether
it's
a
namespace
a
cost
or
whatnot
I'm,
gonna
email,
my
boss,
say:
hey
I
need
access
to
this.
A
They
forward
it
on
to
an
admin
saying:
I
approve
it
or
the
admin
you
know
sends
an
email
saying:
hey
do
you
approve
this
access.
Admin
gets
told,
yes
goes
ahead,
creates
the
access,
maybe
they're,
creating
a
role
binding,
maybe
they're,
creating
an
object
in
a
directory
somewhere
a
database
and
then
send
you
an
email.
And
if
everything
worked
according
to
plan,
you
have
access.
A
If
they
work
according
to
plan,
then
you
go
into
this
state
of
going
back
and
forth
with
a
sysadmin
who
really
has
better
things
to
do.
Then,
every
year,
every
few
months,
whatever
the
the
compliance
requires,
you
go
through
the
certification
process.
If
the
admins
really
good
at
saving
those
emails,
then
they
just
packed
up
the
emails
and
send
them
if
they're
not
really
good,
at
saving
those
emails
that
admins
not
going
to
have
a
good
day
trying
to
go
through
all
those
emails.
A
Even
if
you're,
using
a
ticketing
system,
you
know
remedy
service,
now,
you're
still
digging
through
a
lot
of
information
to
get
to
what
the
auditors
need.
Somebody's
really
happy
with
that.
So
here's
the
happy
path.
When
you,
when
you
take
DevOps
and
identity
management,
you
pull
them
together
to
do
this
user
logs
into
a
portal.
Ask
for
access
to
something
ID,
Andy
management
figures
out
hey!
This
is
the
workflow
that
has
to
happen
this.
You
know
the
manager
has
to
approve
it
and
the
the
namespace
owner
has
to
approve
it.
A
User
goes
ahead,
gets
notified
that
it.
The
request
is
out
there.
The
approvers
get
notified
they
log
in
they
approve
it.
It
all
gets
audited.
The
user
gets
notified
that
they
now
have
access
notice.
There's
no
admin
anywhere
in
there,
because
the
admins
have
better
things
to
be
doing
than
giving
users
access.
Then,
when
it
comes
time
for
the
auditors
to
come
along
here's
a
report,
everybody's
happy,
the
users
are
getting
into
their
systems.
A
The
admins
are
not
dealing
with
user
stores
and
user
permissions
and
users,
and
they
don't
have
to
deal
with
the
orders
everybody's
getting
what
they
want
out
of
it.
So,
let's
talk
a
little
bit
about
technology.
Has
this
actually
work
in
kubernetes
I,
break
identity
management
down
into
who?
What
and
why?
Who
are
you?
What
can
you
do?
A
Why
can
you
do
it
so
the
who
is
where
the
most
existing
implementation
is
inside
of
kubernetes,
and
so
that's
typically
authentication
you
have
certificates,
you
have
open,
ID,
connect
and
reverse
proxy
are
really
the
big
ones
and
then
custom
I
am
NOT
a
huge
fan
of
certificate
authentication
for
kubernetes,
and
the
reason
is
a
few
fold
won.
Certificates
are
really
easy
to
do
poorly
really
hard
to
do
correctly.
A
Kubernetes
does
support
TRL's
now,
but
in
order
to
do
group
authorizations
inside
of
a
certificate,
you've
got
to
embed
it
into
the
DN
and
that
can
get
messy,
especially
if
you
have
long-lived
certificates
and
then
from
a
client
standpoint.
One
of
the
things
that's
really
important
with
compliance
is
you
want
to
do
as
little
as
possible?
You
want
some.
A
So
that's
a
shoe
one
from
a
compliance
standpoint
from
an
operational
standpoint
order
to
do
certificate
based
authentication,
you
need
a
point-to-point
connection,
which
means
no
inspection
of
the
content
going
across
the
wire.
You
do
reverse
proxies,
but
your
your
proxying
network
traffic
you're,
not
looking
at
the
information.
So
if
you
have
a
Web,
Application
Firewall
in
place,
you
can't
do
that.
Now.
You
might
be
able
to
make
the
argument.
A
You
don't
really
need,
or
shouldn't
have
to
have
a
web
application
firewall
in
place
for
the
kubernetes
api
server,
and
I
probably
agree
with
that
too,
be
honest,
but
again
going
back
to
compliance
as
a
weapon
against
your
implementation.
That
is
yet
another
argument
you
have
to
have.
So
it's
a
few
of
the
reasons
why
I
am
NOT
a
huge
fan
of
certificates
for
kubernetes,
open,
I,
D
connect.
A
This
is
my
personal
favorite
I'm,
a
big
fan
of
the
way
kubernetes
implements
it,
because
you
can
generate
these
short-lived
tokens
that
last
10
seconds
30
seconds
a
minute
and
be
forced
to
refresh
them.
You
can
also
embed
authorization
information
into
the
token,
which
is
what
I'm
going
to
show
here.
A
So
it
covers
you
from
the
standpoint
of
you
are
now
not
issuing
individual
credentials
to
people,
so
you
don't
have
to
manage
passwords.
You
don't
have
to
manage
revocation
of
those
passwords
and
you
so
from
a
compliance
standpoint
that
helps
cover
you.
Anybody
who's
familiar
with
NIST
863,
which
is
the
federal
government's
kind
of
recommendations
for
authentication.
The
latest
revision
that
came
out
a
couple
months
ago
now
includes
oak,
an
ID
connect.
A
So
if
somebody
comes
after
you
for
that
you're
covered,
and
so
you
have
a
lot
more
flexibility,
it
works
well
with
any
kind
of
network
infrastructure
that
you
have
and
it's
pretty
common
out.
There
reverse
proxy
plus
header
I'm,
not
a
huge
fan
of
either
because
raise
of
hands
beyond
Corp
anybody
heard
of
it
concept
is
the
zero
trust
network.
You
don't
let
anybody
yeah,
you,
don't
trust
anything
on
your
network.
Your
network
is
not
trusted.
You
just
assume
you're
breached
and
somebody's
in
there.
A
So
now
you
have
your
API
server
if
somebody's
inside
your
network
and
just
start
injecting
commands
because
they
can
inject
headers
that
are
not
verifiable.
That's
really
not
a
lot
of
fun
custom.
To
be
honest,
if
your
solution
is
custom-
and
you
don't
have
a
cloud,
I
would
really
think
long
and
hard
about
it
because
most
of
the
people
I
talk
to
when
they
start
saying
well,
I
just
want
something
simple
and
you
start
kind
of
going
through
and
iterating
all
the
things
you
guys
think
about.
They
basically
have
open
ID
connect.
A
So
that's
the
who,
who
are
you
the?
What?
What
can
you
do
so
in
kubernetes?
That's
via
our
back?
Our
back
is
via
from
one
eight
one,
eight
or
one
seven
is
now
the
standard
of
how
you
do
it
and
it's
a
pretty
actually
straightforward
process.
You
combine
a
subject
who
you
are
a
role,
which
is
a
description
of
a
collection
of
actions.
You
have
verbs
and
nouns
and
a
role
binding,
which
is
taking
that
role,
information
and
binding
it
to
particular
users,
and
then
you
have
the
same
thing
at
the
cluster
level.
A
A
lot
of
people
will
use
the
role
bindings
as
the
facto
groups,
not
a
huge
fan
of
that
approach,
because
it's
really
easy
to
add
users
to
that.
What's
whoops.
Thank
you.
What's
a
little
harder
is
doing
the
reverse,
hey.
What
does
Mark
have
access
to
new
functionality
is
coming
in
for
that,
but,
quite
frankly,
there
are
a
lot
of
tools,
they're,
really
good
at
doing
that
outside
of
kubernetes
I
like
to
do
as
little
work
as
possible
and
then
finally,
the
Y
through
noise
has
nothing.
A
That
does
that,
for
you,
you
need
something
to
track
why
someone
should
have
access
and
that's
where
you
start
to
get
into
identity
management
systems,
so
we
had
demo
for
you,
and
so
what
we
are
demoing
here
is
open
unison,
which
is
our
open
source
project.
You
can
do
this
a
lot
of
different
ways,
so
I
have
seen
people
do
similar
things
with
Jenkins
I
have
seen
people
do
similar
things
with
bash
scripts,
so
they're
the
this
is
by
no
means
the
only
way
that
you're
ever
going
to
be
able
to
do
compliance.
A
But
this
is
an
open
source
project.
Source
code
is
going
to
be
referenced
here
in
the
slide,
and
what
we're
doing
is
we're
using
the
open,
unison,
what
I
call
the
Identity
Manager
for
kubernetes.
So
it's
a
version
of
open
unison
that
we
have
put
in
features
specifically
for
managing
kubernetes
runs
inside
of
it,
and
so
what
we
have
here
is
probably
easier.
If
I
come
over
here,
so
we've
got
kubernetes
one
eight
cluster.
It
is
running
open,
unison
as
a
container,
and
we
have
a
relational
database.
A
It's
actually
not
running
inside
of
kubernetes,
but
it
is
storing
our
audit
data
and
it's
also
storing
our
authorization
data.
So
common
issue
in
Identity
Management
is
organizational
people
own.
The
identity
data
are
not
the
same
people
who
need
to
use
it.
If
you
need
to
read
ID
and
E
data
from
ad
a
DFS,
whichever
that's
usually
relatively
easy,
where
things
become
harder
is
you
need
to
write
to
it
and
you
know
think
about
those
are
the
keys
to
the
kingdom.
A
You
know:
that's
your
company's
entire
infrastructure,
especially
if
you're
on
the
enterprise
side,
so
they're
paranoid
for
a
reason.
So
what
we
are
you
doing
here
saying
all
right:
we're
not
going
to
connect
directly
to
your
ID,
we're
gonna
use
sam'l
to
to
authenticate
via
a
DFS,
and
because
this
is
a
compliance,
talk,
I
thought
it'd
be
a
little
fun
to
add
multi-factor,
so
we
are
going
to
show
how
we
do
multi-factor
with
open
ID
connect
and
u2f
tokens.
B
B
A
Okay,
there
we
go
so
what's
happening
now
is
that
the
assertion
has
all
the
information
about
the
user,
first
name
last
name,
email,
etc
and
being
asked
to
register.
In
my
token
now
anybody
who
actually
does
work
with
compliance
first
thing
they're
gonna
say
is
this
is
technically
not
valid
two-factor,
because,
if
registering
the
token
is
not
done
with
two
factors,
then
using
the
token
is
not
done
with
two
factors.
I
would
have
had
a
second
factor
for
this,
such
as
SMS,
which
technically
is
deprecated
by
NIST
863,
but
still
available,
maybe
by
email.
A
So
some
other
trusted
way
to
do
it.
I
have
35
minute
demo
I
wanted
to
keep
it
a
little
straightforward.
So
at
this
point,
I
have
registered
my
token
and
so
now
bounced
back
to
ad
FS.
I'm
gonna
tell
you,
but
oh
hey,
I'm.
Here
there
we
go.
This
is
the
oh,
so
valid
banner.
You
know,
I
I
solemnly
swear.
I
am
up
to
no
good
that
you're
gonna
have
to
click
to
acknowledge
that
you
should
do
no
harm,
and
so
now
I'm
in
so
this
is
scale
J
s.
This
is
our
front
end.
A
Everything
is
API,
driven
and
you'll,
see
I,
really
don't
have
a
lot
of
access
to
anything,
I'm,
a
user.
Here's
my
information,
if
I
want
to
request
access
to
something,
for
instance,
I,
want
to
become
a
namespace
administrator
or
actually
doing
is
pulling
this
information
directly
out
of
Cru
Benes.
So,
as
we
add
new
project
or
namespaces
they'll
show
up
here,
so
you
don't
have
to
create
new
workflows.
A
Every
time
you
on
board
someone,
so
the
first
thing
I'm
going
to
do
as
this
user
is
I'm
going
to
ask
for
a
new
namespace
great
thing
about
kubernetes,
it's
all
API
driven.
So
if
I
want
to
create
a
new
namespace
with
ID,
a
management
I've
already
got
the
workflow
engine
and
the
connections
to
do
that.
So
I'm
going
to
go
ahead
and
create
a
new
namespace
called
user
sandbox
for
demo.
A
So
that
request
has
been
submitted
and
then
again,
this
is
where
the
DevOps
plus
identity
manage
our
compliance,
makes
life
better.
An
identity
management
I
want
to
see
my
open
requests.
I'm,
sorry,
boss,
I
can't
do
my
job,
because
this
guy
Matt
Mosley
hasn't
approved
it.
Yet
let
me
go
bug
the
him
so
I'm
gonna
log
out
and
log
back
in
as
Matt.
How
am
I
doing
on
time,
beautiful
so
I'm
gonna
log
in
as
our
super
administrator.
A
A
We
go
here
are
all
the
objects
being
created
in
kubernetes
for
D
use
or
two,
so
that's
now
all
audited
and
then
the
next
thing
I'm
going
to
do
because
I
forgot
to
do
this
when
I
requested
it
is.
He
needs
access
to
my
sin.
Whoops.
My
sandbox
is
mr.
Mosely,
so
I'm
going
to
go
ahead
and
request
access
on
his
behalf,
so
request
access,
name,
space,
administrators
and
where's.
A
A
The
request
would
go
through
because
I
can't
its
dynamic,
so
I
can't
figure
out
who's
a
valid
approver
up
front,
but
the
approval
would
fail
and
it
would
be
logged
that
it
failed
and
that
I
was
the
one
requesting
it
so
I'm
gonna
go
ahead
and
submit
that
so
that
was
already
pre-approved,
so
I
would
not
get
a
notification
to
go
ahead
and
approve
it.
So
at
this
point
our
d
user
2
is
going
to
be
able
to
log
back
in.
A
A
1-7,
I
think
the
dashboard
now
supports
authentication
my
favorite
way
to
do
that
is
via
reverse
proxy.
We
just
inject
you're,
open
ID,
connect
token
right
in,
and
it
then
takes
that
and
passes
it
along
to
the
API
server.
So
whatever
you
as
the
user
can
do
dashboard
can
do
and
it
does
it
on
your
behalf.
It's
not
quite
there
where
it's!
It's
like.
You
can
see
that
it's
complaining
that
I
don't
have
access
to
do
certain
things,
so
it's
not
quite
intelligent
enough
to
preempt
those
things.
A
But
if
we
come
down
here
and
I
say
go
to
my
sandbox
you'll
see
I
no
longer
have
any
error
messages
and
then
oops.
The
other
thing
that
I'm
gonna
want
to
do
is
actually
start
doing
some
work.
So
when
we
talk
about
Open,
ID,
Connect
and
tokens,
the
thing
to
realize
is
that
you
need
to
tell
Kubb
control
what
your
token
is,
and
then
you
need
to
tell
coop
control
how
to
refresh
that
token.
You
want
short-lived
tokens,
especially
if
you're
embedding
identity
data
on
authorization
data
into
those
tokens.
A
So
I
like
to
scope
my
tokens
at
a
minute
and
what
we
have
here
is
just
a
giant
cube
control
command
that
gets
generated
for
me
to
be
able
to
update
my
cube
config,
so
I
can
go
ahead
and
start
working
with
it
and
what
koop
control
will
do
here
is
start
refreshing
tokens
as
they
expire.
So
the
nice
thing
about
this
approach
is:
we've
separated
out
your
authentication
from
your
from
your
cube
control
access,
so
we're
authenticating
via
sam'l,
but
we're
still
using
Open
ID
Connect.
A
B
A
A
Ok,
cool
you
figured
out
how
use
this
I
want
you
in
my
sandbox
anymore,
so
I'm
gonna
go
ahead
and
log
out
now.
The
other
thing
about
this
session
is:
is
it's
actually
tied
to
my
web
session,
so
once
I
log
out
and
that
token
expires
in
about
35
seconds?
I
won't
be
able
to
refresh
it,
even
though
technically
the
refresh
token
is
still
valid.
A
A
A
A
If
you
know
you
really
want
to
understand
how
the
different
certificate
authorities
work
and
and
how
that
all
fits
in,
and
then
this
is
a
link
to
the
original
blog
post
that
I
wrote
when
I
actually
wrote
this.
Originally,
it
was
for
OpenShift
the
folks
at
Red
Hat
put
together
really
nice
compliance
framework
and
everything
that
had
to
do
with
identity
management
was
go
talk
to
someone
else.
So
I
want
to
provide
a
that's
someone
else,
a
little
bit
of
shameless
self-promotion.
You
can
catch
us
on
the
web.
We
have
here
my
Twitter
handles.
A
A
A
A
So
we're
not
actually
that's
a
great
question
so
we're
not
actually
adding
users
directly
to
role
bindings.
We
created
a
group
inside
of
our
database
and
then
in
when
we
created
the
namespace.
We
created
the
role
binding
and
added
the
group
to
the
role
binding,
so
we
don't
have
to
update
the
role
binding
every
time
we
only
have
to
update
our
internal
group,
so
it
gives
us
a
level
of
separation.