A: All right, that looks good. Again, thank you for showing up today for our webinar, Security and Access for Kubernetes, with Jonathan Canada. Our sales engineer, Jonathan, has a lot of experience and a lot of certifications in the industry, and he's going to go over a workflow on how to use RBAC and SSO for Kubernetes using open source Teleport and GitHub Teams. Work around so, Jonathan, take it away.
B: In this section, I'll define a few key security concepts so that we have a common set of definitions to work from. The first is an attack surface. According to NIST, an attack surface is the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from that system, system element, or environment.
B: So some questions to ask within each one of these. So for networks and infrastructure: how are users and devices accessing your networks and servers? Is SSH being used? Applications: what applications are running in your network? Who has access to those? How are those being secured, as well as the underlying operating system and host?

B: How is data being protected? Endpoints: how do you control which users are authorized to access different parts of your network and different parts of your infrastructure? And lastly, cloud: are there open S3 buckets or API keys being shared or not rotated? And with each one of these layers, if you look at Kubernetes, the Kubernetes deployment can cover all of these layers. So it's critical to think about how you can properly secure your Kubernetes.
B: So you really want to make sure that the gateway only allows SSO users through and records their identity with their requests. The other thing is, even though you're using Kubernetes and it hides a lot of the underlying hardware and infrastructure, as I mentioned in that layers slide, all of that is still there. The servers are still there. There are applications in your clusters.
B: So when you create a Role, you have to specify the namespace it belongs in. The ClusterRole, on the other hand, is a non-namespaced resource. So the resources have different names, Role versus ClusterRole, because a Kubernetes object always has to be either namespaced or not namespaced; it can't be both. If you want to define a role within a namespace, use a Role. If you wanted to define a role
B: I've also limited within Kubernetes that the dev team can only be part of the dev namespace. They're not going to be able to do any actions outside of that one dev namespace. I've set up two Kubernetes clusters, two internal applications. I've enabled SSH on one of my two Kubernetes clusters, and I'm using Let's Encrypt for signed HTTPS certificates on my Teleport proxy.
B: From their perspective, they will never directly access any of these. So that's one added layer of protection: you can now keep your Kubernetes API server, you know, hidden from the public. From these users' perspective, they go through the proxy before they access anything down here. And how they go about accessing these different items is they can use tsh, which is Teleport's CLI tool. They can use kubectl, normal kubectl with Kubernetes, or they can use a web UI that's served from a Teleport proxy.
B: So when either one of these successfully authenticates, they will receive a short-lived SSH certificate that they can use for accessing SSH servers, and they will also receive a short-lived kubeconfig that they will use for interacting with Kubernetes. And again, everything they do is tied back to their identity as it is within GitHub, for this example.
B: This is the name of this Role, and here are the rules. So somebody who has this Role is going to be able to do all these verbs on these resources and API groups, so essentially everything within this dev namespace. And I've also created a RoleBinding, which is going to bind a subject to that Role. So in my case, the subject is a kind of Group, and the group name I'm creating is devs, also within the dev namespace, and this RoleBinding is referencing
B: So what I'm going to do is copy and paste that link that Teleport gave me, so it'll allow me to successfully log in via GitHub, because I was already logged into my GitHub here as this user. So if I return back to my terminal window, I can see I've successfully logged in as this user. So that's my admin username.
B: I can exit out of this. And so what I'll show you now is, if I go to the UI, so my Teleport UI, and I'm going to do it in the Safari browser window, because this is where I'm logged in as my admin user. And here, if I go to the login page, so this is the same proxy I was just interacting with in my terminal window, teleport.gravitational.io. So I'm going to log in using my GitHub team, so I enter here.
B: First of all, these are two servers that I've enabled SSH access on. This one is that cluster one Kubernetes deployment I showed you when I first logged in via tsh. If I wanted to SSH into this, I could click connect, choose one of these two users to SSH as. And this other server here, this is my actual proxy that I'm on right now, where this UI is being served from.
B: It's all tied back here. And so, even though there's all this robust auditing, you can also set up third-party integrations, so you could have your logs be sent to something like Splunk or Elastic, and I'll next show you what it might look like to use an ELK stack. But first I'm going to click this session player button. And so this is the full session when I used kubectl exec a moment ago. This is everything that, you know, just occurred.
B: So this feature, I mean, auditors love this. I've also known a lot of developers, myself included, who love this when they have to go back and try to configure something that maybe they have not configured for a while. Maybe they've forgotten some steps. You can come back in here, watch one of these, you know, copy any commands that are occurring, and then use this to reconfigure something.
B: So this Kubernetes dashboard I've deployed into one of my clusters, and it's only accessible via Teleport, so I would have to use that same SSO login to actually access something like this. So you can get creative; imagine all kinds of different applications you might deploy in Kubernetes and then expose via Teleport, maybe Jenkins, Grafana, all that stuff.
B: So if I paste that in here, successful login, come back here, you can see that I've logged in as that dev user. I can only SSH as ubuntu. I'm part of this devs Kubernetes group. So if I try to do something in the default namespace, it's going to fail, because this user, they're only allowed to do things within the dev namespace.