Well, thank you for coming out. My session today is going to be, like the screen says, on identity management and compliance. We're going to talk a little bit about: why do you care about this? Why is identity management important to compliance? And why I broke it out from what we folks typically talk about with compliance, and what is compliance? I know the first time, when I used to work at an audit firm, someone asked me, you know, is this compliant? Have you taken compliance into account? And my first question was, compliance with what? So we'll talk a little bit about that. How does it, it being identity management, apply to compliance? And we'll talk about some real-life workflows, and then finally we'll get into some tech stuff and a demo. Any questions, please hold till the end, since it's a pretty short session. I want to get through all the fun stuff first.

So who am I? My name is Marc Boorshtein. I'm the CTO of Tremolo Security. We are an identity management company. I have been doing identity management for close to 15 years. You name the industry and the product before I started Tremolo, pretty good chance that somewhere in that cross section I've done a deployment. I also spent time as a FICAM architect, that's in the federal government what they call identity management, for multiple three-letter civilian agencies, and have had to work a lot in the compliance space, especially with the feds. And if anybody has worked on OpenID Connect with Kubernetes, I contributed a lot of the documentation around OpenID Connect.

All right, so why is compliance important? So there are two reasons why compliance is really important. The first is it will often be used against you. If somebody doesn't want you to put something into their environment, the first question is, is it compliant?
Whether or not it has to be compliant is a little bit of a squishier subject, and it really depends on whether or not people want things in the environment. But when you're trying to push a new disruptive technology, and I think we'll all agree that Kubernetes is pretty disruptive, it's always good to have the compliance question in your back pocket. The happy path, which I'm gonna spend more time on today, is this mathematical equation I like to have where if you take DevOps and identity management and you put them together, you make everybody happy. You make the suits happy because, guess what, they don't like poring through 10,000 emails any more than you like putting them together, and it makes your admins happy because there is nothing more annoying than having to answer tickets and add users to groups and have users who can't get into what they're doing get upset, complain to their boss, they complain to your boss. So automation is really key.

So what is compliance? So there are two types of compliance frameworks out there. There is the classic NIST 800-53, which is a true framework. So just like Kubernetes doesn't do anything unless you tell it to, NIST 800-53 doesn't actually tell you what compliance is; it gives you a framework to design your compliance. So here we have a control. There we go. So this control here, the step one, define your policy, will say, all right, you need to have a policy in this area, and then it's up to you as the implementer to define what that policy is. And then you have often much more industry-focused compliance frameworks, and they tend to be a little more prescriptive. So I do a lot of work with law enforcement, and so CJIS comes up a lot. So how does IDM fit into this?
So if we're looking at NIST 800-53, this is an actual control: authorize access to the information system based on a valid access authorization. That's an extremely helpful control that is a palindrome. So basically what it's saying is you need to have a process designed to say why somebody should have access to it, and then from a technology standpoint, how do you implement that? That's where identity management fits in. And then looking here at CJIS, the section deals with passwords, password complexity, how often you have to change them, etc. And again, that's where you want to have identity management.

So let's talk about the unhappy path with compliance and no DevOps. Everybody's gone through this. I need access to something in Kubernetes, whether it's a namespace, a cluster, or whatnot. I'm gonna email my boss, say, hey, I need access to this. They forward it on to an admin saying I approve it, or the admin, you know, sends an email saying, hey, do you approve this access? Admin gets told yes, goes ahead, creates the access. Maybe they're creating a RoleBinding, maybe they're creating an object in a directory somewhere, a database, and then they send you an email, and if everything worked according to plan, you have access. If it didn't work according to plan, then you go into this state of going back and forth with a sysadmin who really has better things to do. Then every year, every few months, whatever the compliance requires, you go through the certification process. If the admin's really good at saving those emails, then they just pack up the emails and send them. If they're not really good at saving those emails, that admin's not gonna have a good day trying to go through all those emails. Even if you're using a ticketing system, you know, Remedy, ServiceNow, you're still digging through a lot of information to get to what the auditors need. So nobody's really happy with that.
So here's the happy path when you take DevOps and identity management and you pull them together to do this. User logs into a portal, asks for access to something. Identity management figures out, hey, this is the workflow that has to happen: the manager has to approve it and the namespace owner has to approve it. User goes ahead, gets notified that the request is out there. The approvers get notified, they log in, they approve it, it all gets audited, the user gets notified that they now have access. Notice there's no admin anywhere in there, because the admins have better things to be doing than giving users access. Then when it comes time for the auditors to come along, here's a report. Everybody's happy. The users are getting into their systems. The admins are not dealing with user stores and user permissions and, well, users, and they don't have to deal with the others. Everybody's getting what they want out of it.

So let's talk a little bit about technology: how does this actually work in Kubernetes? I break identity management down into who, what, and why. Who are you? What can you do? Why can you do it? So the who is where the most existing implementation is inside of Kubernetes, and so that's typically authentication.
You have certificates, you have OpenID Connect, and reverse proxies are really the big ones, and then custom. I am not a huge fan of certificate authentication for Kubernetes, and the reason is a few-fold. One, certificates are really easy to do poorly, really hard to do correctly. Kubernetes does support CRLs now, but in order to do group authorizations inside of a certificate you've got to embed it into the DN, and that can get messy, especially if you have long-lived certificates. And then from a compliance standpoint, one of the things that's really important with compliance is you want to do as little as possible; you want as much to be someone else's problem as you can. And when you're talking about compliance of credentials, if you own the credential, you own compliance for the credential. You have to have all the controls in place to make sure that the credential gets revoked, that you're managing it, that if it's privileged you're handling it properly. Whereas if somebody else owns that credential, that compliance is also somebody else's problem. You just say, go talk to your identity provider. So with certificates you actually own the credentials. So that's issue one, from a compliance standpoint. From an operational standpoint, in order to do certificate-based authentication you need a point-to-point connection, which means no inspection of the content going across the wire. You can do reverse proxies, but you're proxying network traffic.
You're not looking at the information. So if you have a web application firewall in place, you can't do that. Now you might be able to make the argument you don't really need, or shouldn't have to have, a web application firewall in place for the Kubernetes API server, and I'd probably agree with that, to be honest. But again, going back to compliance as a weapon against your implementation, that is yet another argument you have to have. So those are a few of the reasons why I'm not a huge fan of certificates for Kubernetes.

OpenID Connect, this is my personal favorite. I'm a big fan of the way Kubernetes implements it, because you can generate these short-lived tokens that last 10 seconds, 30 seconds, a minute, and be forced to refresh them. You can also embed authorization information into the token, which is what I'm going to show here. So it covers you from the standpoint of you are now not issuing individual credentials to people, so you don't have to manage passwords, you don't have to manage revocation of those passwords, and so from a compliance standpoint that helps cover you. Anybody who's familiar with NIST 800-63, which is the federal government's kind of recommendations for authentication, the latest revision that came out a couple months ago now includes OpenID Connect. So if somebody comes after you for that, you're covered. And so you have a lot more flexibility. It works well with any kind of network infrastructure that you have, and it's pretty common out there.

Reverse proxy plus header, I'm not a huge fan of either, because, raise the hands, BeyondCorp, anybody heard of it? Concept is the zero trust network. You don't trust anything on your network. Your network is not trusted. You just assume you're breached and somebody's in there. So now you have your API server, and if somebody's inside your network they can just start injecting commands, because they can inject headers. They're not verifiable.
That's really not a lot of fun. Custom, to be honest, if your solution is custom and you don't have a cloud, I would really think long and hard about it, because most of the people I talk to, when they start saying, well, I just want something simple, and you start kind of going through and iterating all the things you've got to think about, they basically have OpenID Connect. So that's the who: who are you.

The what: what can you do? So in Kubernetes that's done via RBAC. RBAC, from 1.8, 1.8 or 1.7, is now the standard of how you do it, and it's actually a pretty straightforward process. You combine a subject, who you are; a role, which is a description of a collection of actions, you know, verbs and nouns; and a RoleBinding, which is taking that role information and binding it to particular users. And then you have the same thing at the cluster level. A lot of people will use the RoleBindings as de facto groups. Not a huge fan of that approach, because it's really easy to add users to that. Whoops. Thank you. What's a little harder is doing the reverse: hey, what does Marc have access to? New functionality is coming in for that, but quite frankly there are a lot of tools that are really good at doing that outside of Kubernetes. I like to do as little work as possible.

And then finally, the why. Kubernetes has nothing that does that for you. You need something to track why someone should have access, and that's where you start to get into identity management systems. So we have a demo for you. So what we are demoing here is OpenUnison, which is our open source project. You can do this a lot of different ways. So I have seen people do similar things with Jenkins.
I have seen people do similar things with bash scripts. So this is by no means the only way that you're ever going to be able to do compliance, but this is an open source project. Source code is going to be referenced here in the slide. And what we're doing is we're using OpenUnison, what I call the identity manager for Kubernetes. So it's a version of OpenUnison that we have put features in specifically for managing Kubernetes, and it runs inside of it. And so what we have here, it's probably easier if I come over here. So we've got a Kubernetes 1.8 cluster. It is running OpenUnison as a container, and we have a relational database. It's actually not running inside of Kubernetes, but it is storing our audit data, and it's also storing our authorization data.

So a common issue in identity management is the organizational people who own the identity data are not the same people who need to use it. If you need to read identity data from AD, ADFS, whichever, that's usually relatively easy. Where things become harder is when you need to write to it, and, you know, think about it, those are the keys to the kingdom. You know, that's your company's entire infrastructure, especially if you're on the enterprise side. So they're paranoid for a reason. So what we are doing here is saying, all right, we're not going to connect directly to your AD. We're going to use SAML 2 to authenticate via ADFS. And because this is a compliance talk, I thought it'd be a little fun to add multi-factor. So we are going to show how we do multi-factor with OpenID Connect and U2F tokens. Am I doing on time? I'm doing okay on time. Okay, let's do it.

So I'm gonna go ahead and start off by logging in as a new user. So you can see I'm being bounced over to ADFS. My little token here, this is a Yubico U2F token. I think they're like 15 bucks. Okay, there we go. So what's happening now is that the assertion has all the information about the user: first name, last name, email, etc.
I'm being asked to register my token now. Anybody who actually does work with compliance, the first thing they're gonna say is this is technically not valid two-factor, because if registering the token is not done with two factors, then using the token is not done with two factors. I would have had a second factor for this, such as SMS, which technically is deprecated by NIST 800-63 but still available, maybe by email, so some other trusted way to do it. I have a 35-minute demo; I wanted to keep it a little straightforward. So at this point, I have registered my token, and so now I bounce back to ADFS. I'm gonna tell Yubico, hey, I'm here. There we go. This is the oh-so-valid banner, you know, I solemnly swear I am up to no good, that you're gonna have to click to acknowledge that you should do no harm.

And so now I'm in. So this is ScaleJS. This is our front end. Everything is API driven, and you'll see I really don't have a lot of access to anything. I'm a user. Here's my information. If I want to request access to something, for instance I want to become a namespace administrator, what we're actually doing is pulling this information directly out of Kubernetes. So as we add new projects or namespaces, they'll show up here. So you don't have to create new workflows every time you onboard someone. So the first thing I'm gonna do as this user is I'm gonna ask for a new namespace. Great thing about Kubernetes, it's all API driven. So if I want to create a new namespace with identity management, I've already got the workflow engine and the connections to do that. So I'm gonna go ahead and create a new namespace called the user sandbox for demo. So that request has been submitted. And then again, this is where DevOps plus identity management plus compliance makes life better. In identity management I want to see my open requests. I'm sorry, boss, I can't do my job because this guy Matt Mosley hasn't approved it yet. Let me go bug him. So I'm gonna log out and log back in as Matt. How am I doing on time? Beautiful.
So I'm gonna log in as our super administrator, second factor, and you'll see I have this open request for demo user 2. So I'm gonna review the request. This person wants his own sandbox. I'm gonna say okay. Now if I go here to my reports, I can see approvals completed by me, and guess what, there's the request by demo user. And then if I want to go see the audit reports, audit log for period, well, yeah, and then I'm gonna go ahead and do today. And there we can see, for instance, there's the U2F data, and then if I come all the way down here, I think, here we go, here are all the objects being created in Kubernetes for demo user 2. So that's now all audited.

And then the next thing I'm gonna do, because I forgot to do this when I requested it, is he needs access to my sandbox as Mr. Mosley. So I'm going to go ahead and request access on his behalf. I'm gonna go request access, namespace administrators, and where's Matt Mosley? Right there. I'm gonna say for demo, I'm gonna request for someone else, and you can customize when this happens. I'm gonna do a pre-approval, approved. Now if I requested this but I was not a valid approver, the request would go through, because it's dynamic, so I can't figure out who's a valid approver up front, but the approval would fail, and it would be logged that it failed and that I was the one requesting it. So I'm gonna go ahead and submit that. So that was already pre-approved, so I would not get a notification to go ahead and approve it.

So at this point our demo user 2 is going to be able to log back in, and we're gonna see a couple of new badges here on the front. So I have access to the dashboard, because now I have something in Kubernetes worth accessing. I have access to a token. So first, if I go to the dashboard, as of 1.7 I think the dashboard now supports authentication. My favorite way to do that is via reverse proxy. We just inject your OpenID Connect token right in, and it then takes that and passes it along to the API server. So whatever you as the
user can do, the dashboard can do, and it does it on your behalf. It's not quite there where, it's like you can see that it's complaining that I don't have access to do certain things, so it's not quite intelligent enough to preempt those things. But if we come down here and I say go to my sandbox, you'll see I no longer have any error messages. And then, whoops, the other thing that I'm gonna want to do is actually start doing some work. So when we talk about OpenID Connect and tokens, the thing to realize is that you need to tell kubectl what your token is, and then you need to tell kubectl how to refresh that token. You want short-lived tokens, especially if you're embedding identity data or authorization data into those tokens. So I like to scope my tokens at a minute. And what we have here is just a giant kubectl command that gets generated for me to be able to update my kubeconfig so I can go ahead and start working with it. And what kubectl will do here is start refreshing tokens as they expire. So the nice thing about this approach is we've separated out your authentication from your kubectl access. So we're authenticating via SAML, but we're still using OpenID Connect. Can everybody see that? Okay, cool. So I'm just gonna go ahead and set that up. So I am now not able to get all, because I'm demo user. So let's do demo user 2 sandbox. No resources found. So let's go ahead and deploy something. Run nginx image, and then demo user 2 sandbox. That's up and running. If I do get all, you can see we're off to the races now. I was also authorized for Matt Mosley, so I'm gonna go ahead and do the same thing, but this time I'm gonna run it in Matt's project. So now we're off to the races there as well. So Matt says, okay, you've done, okay, cool, you figured out how to use this, I don't want you in my sandbox anymore. So I'm gonna go ahead and log out. Now the other thing about this session is it's actually tied to my web session.
So once I log out and that token expires in about 35 seconds, I won't be able to refresh it, even though technically the refresh token is still valid. So I'm gonna log in as Matt, and I'm going to go ahead and revoke demo user 2's access to my project, because he doesn't need it anymore. Denied. So it's been pre-approved, it's gone through the approval process in the workflow. Now me personally, I actually really enjoy, when I look at compliance reports, seeing rejected, because that means people are actually paying attention. So if I go to the audit report and I see my completed approvals, rejected, demo user 2, here we go, not needed anymore. So now when I go and I log in, even before I do that, just to show that there was nothing up my sleeve, at this point that token's no longer good. We're gonna get a whole lot of unauthorized, because I can't get a refresh token anymore. So if we look at my groups, you'll see that I don't have M. Mosley anymore. And if I do a get all on the M. Mosley project, I'm still gonna get that same access denied. But, oh wait, old tokens. Need to generate a new token here. So now you'll see it's forbidden, because I don't have access. But if I do the same thing on my own, I'm still able to access it. So that's the demo. I can go back to present mode. Just enough time for some questions. So a couple of useful resources, and this is up on the slide. The podcast PodCTL, episode 15, a couple of weeks ago.
My mom thinks that the presenter was really smart, talking about identity management in Kubernetes. The actual authentication page on Kubernetes has a lot of detailed information, pictures on how that sequence actually works. This is a really great link for a blog post on how the CAs in Kubernetes work, if you, you know, really want to understand how the different certificate authorities work and how that all fits in. And then this is a link to the original blog post that I wrote. When I actually wrote this originally, it was for OpenShift. The folks at Red Hat put together a really nice compliance framework, and everything that had to do with identity management was, go talk to someone else. So I wanted to provide that someone else. A little bit of shameless self-promotion: you can catch us on the web. We have here my Twitter handles. Please feel free to reach out to me. I love talking to folks. Here are the links to GitHub for the identity managers, and specifically the fork that I did that has the U2F support, and the compliance page. Please feel free to ask for things, support, whatnot. Really happy to help out. And with that, I went the wrong direction, I think that's pretty much it. So, two minutes left, any questions?

Yes, so, that's a great question. So we're not actually adding users directly to RoleBindings. We created a group inside of our database, and then when we created the namespace we created the RoleBinding and added the group to the RoleBinding. So we don't have to update the RoleBinding every time; we only have to update our internal group. So it gives us a level of separation, exactly. So that way you don't actually have to go into Kubernetes every time that you want to authorize or unauthorize someone. Great question. Any other questions? Awesome. Well, thanks for coming by.
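As an added illustration (not code from the talk, from OpenUnison, or from Kubernetes), the following Python models the two mechanisms the speaker combines: a short-lived OpenID Connect id_token whose group claims are verified before every request, and RoleBindings that bind a group rather than individual users, so that revoking access means leaving the group out of the user's next token instead of editing Kubernetes objects (the point made in the closing Q&A). The issuer URL, client id, group and namespace names, and the HS256 shared secret are all constructed assumptions; real Kubernetes OIDC tokens are RS256-signed and checked against the issuer's published keys, and `aud` may be a list, which this toy checker does not handle.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; none of these come from the talk or from OpenUnison.
ISSUER = "https://idp.example.com/auth/idp/k8sIdp"
CLIENT_ID = "kubernetes"
SECRET = b"demo-only-shared-secret"  # HS256 keeps the example offline; real id_tokens use RS256
TOKEN_LIFETIME = 60  # seconds: the one-minute scope the speaker uses


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub, email, groups, now):
    """Issuer side: a short-lived id_token carrying the user's current groups."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "email": email,
              "groups": list(groups), "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, now):
    """API-server side: return the claims only if signature, issuer, audience and expiry all hold."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # tampered or foreign token
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if now >= claims.get("exp", 0):
        return None  # expired: the client has to obtain a fresh token before retrying
    return claims


# Minimal RBAC model: Roles are verb/resource rules, RoleBindings attach them to subjects per namespace.
# Both bindings name a group, never an individual user (constructed group names).
ROLES = {"namespace-admin": [{"verbs": ["*"], "resources": ["*"]}]}
ROLE_BINDINGS = [
    {"namespace": "demo-sandbox", "role": "namespace-admin",
     "subjects": [{"kind": "Group", "name": "k8s-ns-demo-sandbox-admins"}]},
    {"namespace": "mmosley-sandbox", "role": "namespace-admin",
     "subjects": [{"kind": "Group", "name": "k8s-ns-mmosley-sandbox-admins"}]},
]


def _rule_allows(rule, verb, resource):
    return (verb in rule["verbs"] or "*" in rule["verbs"]) and \
           (resource in rule["resources"] or "*" in rule["resources"])


def authorize(claims, namespace, verb, resource):
    """RBAC decision from the token's identity: the user plus every group claim."""
    subjects = {("User", claims["sub"])} | {("Group", g) for g in claims.get("groups", [])}
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if any((s["kind"], s["name"]) in subjects for s in rb["subjects"]):
            if any(_rule_allows(r, verb, resource) for r in ROLES[rb["role"]]):
                return True
    return False


def can_user_act(token, now, namespace, verb, resource):
    """Authenticate the token, then authorize the request; False on any failure."""
    claims = verify_id_token(token, now)
    if claims is None:
        return False
    return authorize(claims, namespace, verb, resource)
```

Run as a script, `mint_id_token` plays the identity provider and `can_user_act` plays the API server: a token issued with both group claims is authorized in both namespaces, the same token is refused once its one-minute lifetime passes, and a fresh token issued after the group has been removed in the identity manager is refused in that namespace even though no RoleBinding changed.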