So, welcome to Cloud Native Live, where we dive into the code behind cloud native. I am Mohamad Shahriar, a CNCF ambassador, and I will be your host tonight. Every week we bring a new set of presenters to showcase how to work with cloud native technologies. They will build things, they will break things, and they will answer your questions. In today's session, I'm stoked to introduce Saim Safdar, a developer relations manager, who will be presenting on mastering Kubernetes access management. This is an official live stream of the CNCF and as such is subject to the CNCF Code of Conduct. Please do not add anything to the chat or questions that would be in violation of the Code of Conduct. Basically, please be respectful to all of your fellow participants and presenters. So with that, I will hand it over to Saim Safdar and kick off today's presentation. Let me add Saim to the screen. So, hey, Saim, how are you?

Thank you very much, Shahriar, for inviting me to speak on this wonderful topic. And thank you very much to the folks who just joined us on the chat. Hello, Ahmed. Hello, Manish. I hope you can hear me. If you hear some noise or anything bad happens during the presentation, do let me know. Once again, thank you very much for joining. So my name is Saim Safdar. Shahriar and I are fellow CNCF ambassadors, and it's the first time we're interacting on the live stream. It's been a great story, and it's going to be a good session going forward. So today I'm talking about Kubernetes access management and why you need to take it into consideration while you're working with a Kubernetes cluster on a daily basis. I saw some challenges, and I look forward to telling you about some of the challenges I faced and how I overcame some of them. So what I want now, Shahriar, is for you to share your screen, and then I will start the presentation. Yeah, that's true.
Okay, so I guess we can start. Yes, absolutely. Thank you very much. Once again, I see more folks in the chat now, and I hope everybody can see the slide right now. If you can't, please do let us know. So that is the agenda of the topic today: mastering Kubernetes access management. And we are watching CNCF Cloud Native Live. Can you go to the next slide, Shahriar, please? So as I said, my name is Saim Safdar. I live in Pakistan, currently in Rawalpindi. I am a CNCF ambassador, and it's been a wonderful journey so far. Can you go to the next slide, please?

So what is the agenda for the discussion today? We will talk about the Kubernetes platform, because there are a lot of moving pieces, and access management is one of them. Then we talk about the shared responsibility access matrix, a key consideration for multi-tenant or cluster-based access management. I will tell you about security lifecycle management if you're developing apps on Kubernetes; some of the requirements around controlling access are overwhelmingly complex. We're talking about some solutions to solve some of those. There's a demo I prepared for you, and some highlights to let you know about. At the end of the day, we will cover all these highlights. So can you go to the next one, Shahriar?

So currently, if you look at Kubernetes operations, at the Kubernetes platform in general, you see automation, security, visibility, and governance. That is the bare minimum to have. I could expand it much further, but I believe these are the actual cornerstones of every Kubernetes infrastructure if you're developing apps on top of it. So there are two things you'd worry about: there's modern lifecycle management, and there is the Kubernetes infrastructure management lifecycle.
So basically, if you're working on Kubernetes today, you might be using Kubernetes in your own on-prem data center, you might be using Kubernetes on EKS, Azure AKS, or GKE, or you might be using a remote or edge cloud. So if you're in the Kubernetes space, you see the requirements: you need to build automation. You need security in place, what we call zero trust, and we call it security preparedness. Then you need visibility, because you have an app team, you have a FinOps team, you have a product team, you have a marketing team, and you have a bunch of other teams. You want to provide them visibility so they can look at the platform, and everybody can separate the concern between what they are doing and what the other team members are doing in the shared platform. And then we need governance. Governance basically means when you do something, we need to take it into consideration: am I allowed to change the cluster? If I am, how much access am I granted? Or you can take a look at Kubernetes and tools like Open Policy Agent; policy and governance, those are the basic governance needs. I will talk more about these four considerations, but today my focus is... can you go to the next slide please, Shahriar? Yes.

So basically, if you look at the summary of requirements of the platform need, the platform is now composed of not one but so many moving parts. So, Shahriar, can you go to the next slide please? Because I see the previous one. Can you go back? Yes, I can see it. Thank you. So basically, if you look at the platform today, and the... no, the previous one, Shahriar, the previous one. Shahriar, can you go back to the previous slide?

I guess let's wait a bit, because our speaker seems to be stuck. So yeah, hello everyone from Israel, Iran. Okay, so let's wait a bit, because our speaker has been truly disconnected from us.
Let's wait, let's see. Sorry, sorry. Yeah. Sorry, I think I clicked a wrong button. Sorry for that. So yes, summary of the requirements of the platform need. Yes, that's the slide. Yes. So if you look at the platform today, you need these major five or six cornerstones. You need a service mesh. You need network policies. You need zero trust access. You need policy and governance, policy enforcement. Then you need GitOps for drift detection. And then you need multi-tenancy, because with developers and operations there, you have tens and hundreds of teams, and giving everyone a new cluster would be overwhelmingly complex. So what you do is you share the cluster with the team members, so everybody is using the same cluster. That is the summary of requirements for the platform need. You need a service mesh for managing logs and applications and to have a better separation of concerns. You have zero trust access, how you can enable everyone to access the resources. You need GitOps for drift detection. And then you need policy enforcement, meaning you have a cluster in place, and whatever the cluster is doing, you have some access to it and you want fine-grained control over what you allow and what you don't allow; Kyverno or Open Policy Agent is feasible here. So can you go to the next slide please?

Because that's where we are talking about shared responsibility access management. If you look at Kubernetes plus cloud and the traditional cloud: in the traditional cloud, we have physical infrastructure, networking, virtualization, guest OS, application, data, user access and identity. That is enough for you, and then you have the application stack, and you add binaries and the Linux operating system, and you can add more into it. But that's the bare minimum you have to take into consideration. Look at the Kubernetes plus cloud model. You have physical infrastructure, networking, virtualization, guest OS.
Then on the guest OS, you install Kubernetes on top of the guest operating system, meaning you have Linux installed, and then you have the Kubernetes infrastructure layer. Look at what Kubernetes does for you. You have CNIs, container network interfaces. You have CRIs, container runtime interfaces. You have container storage interfaces. Then you link up service meshes, GitOps, policy and governance, multi-tenancy, runtime detection with Falco, observability with Grafana and Prometheus, and for everything from the bottom layer to the top, you need supply chain security tooling, making sure that the container images you are using are secured versions, so a much smaller attack surface. So that's a big, big model now, and then you're installing your app and working with your app. So look at the model right now: access management has become way harder. How much access does your app team have compared to how much access your DevOps team has? You have to separate the concerns between both parts of the infrastructure, and with one bad command the forensics start, and the forensics are overwhelmingly complex to understand who did what. So can you go to the next slide please? Yes, absolutely.

So if you type one bad command anywhere, then there is a hustle and there is an urgency around who did what, and you start doing some kind of forensic analysis. The forensics have become very difficult because you have a CNI layer for networking. Is something complicated or broken in the network layer? Is something broken in the runtime layer? Is something broken in the storage layer? Is something broken in the service mesh layer? So battling for the root cause is not easy. It's very difficult. So today my focus is to reduce some of the concepts around security and how app lifecycle management works.
So in app lifecycle management you need zero trust application deployment, meaning when you start, say you type a command like kubectl get nginx, you have access to the cluster that was provided to you by the DevOps team, and you don't accidentally deploy an application into somebody else's cluster and break their cluster accidentally. So that's where the zero trust application deployment model works. Then you have separation of duties: the app team is responsible for deploying apps, and the platform team is responsible for deploying the infrastructure for you. Then you have secret management integration, then you have centralized policy enforcement, drift detection and blocking, and a private manifest repository. But today my focus, if you go to the next two slides, is around zero trust application deployment and separation of duties.

So now the first thing that comes up is how you separate the concerns between application and deployment, and that is what I added in the next slide. If you go to the next slide, that's the summary of the roles and permissions granted to the teams. You have an org, and then you have org admins, and maybe the org has read-only permissions for the project. Maybe you have not one project but different projects: let's say you have projects in an EKS cluster, and then you have a project in GKE clusters, and then the project is divided among teams. So at a high level it becomes completely complex, but look at the simpler version and how it looks different. You have org-wide permissions for the project, and then you have infrastructure and workspace. A workspace gives you access to the cluster you're working on. You have a project admin and the project read-only permission, then you have a workspace and the infrastructure.
So infrastructure admins can, let's say, create the cluster, meaning they can install third-party apps for you: GitOps, policy agents like Kyverno or Open Policy Agent, or they deploy third-party tools like Bitnami for secret management; they're going to add it for you. And then the developers have access to the cluster and deploy applications on top of it. Remember, in a team, in an organization, there is not one developer; there are tens, hundreds and thousands of developers, and Kubernetes gives you the namespace concept, meaning there's a namespace that belongs to you and you can access that namespace. The way you access the namespace with a permission, we call it RBAC, role-based access control. So basically a namespace in Kubernetes is similar to if you have a house and you have different rooms for your daughters and sons. Let's say you are the house owner, like dad, and you have daughters and sons; you have separate rooms for the daughter and the son. So basically the son can see only the resources they have in the area of their room, and the daughter can see only the resources in the area of her room. In the same way, Kubernetes has a permission model, and what you can do is, if you want to deploy certain apps, we can give you a namespace that belongs to you, and you add your application and all the things that belong to the application or the project you're working on. The way you give access to those resources is via RBAC, which stands for role-based access control, and that's where your namespaces come in handy. In Kubernetes we have namespace-based permissions versus cluster-wide permissions. So for the namespace side, if you run kubectl get ns and there's a namespace orange, in the orange namespace, Saim can only be the person within an
organization who can deploy applications to that namespace. If Shahriar accidentally accesses the same namespace, he gets a permission denied error saying you don't have permission to access this namespace. So that's the way we stick to it. But there are cases where we have cluster-wide resources. A namespace belongs to the developers, but the cluster-wide resources, meaning storage, networking, are organization-wide resources, and that is basically the job of the infrastructure team. Within the infrastructure team you have a storage team, a security team, a networking team, and we give restrictions to the infrastructure-related, domain-specific needs of the person for their task. So now if you go to the next slide please, Shahriar. One more. Yes. No, no, go back. Yes, thank you.

So right now, if you look, you have clusters in geographical data centers. You have some clusters, let's say, in the AWS region us-east, you have some clusters in the region us-west, you have some clusters in DigitalOcean, you have some clusters in a Civo Kubernetes cluster or Civo Cloud, or you might have some clusters in, let's say, Azure AKS and GKE, and you want all those clusters to have a centralized, visible location for me to track them. That's a very small screenshot I've added of what I want to see as an infra admin: I want to see the permissions I granted to the development teams, how they are accessing the cluster, at which time of day, like if they access the cluster at 8 a.m. in the morning, and what command they actually ran in the cluster, what declarative command they used to spin up the cluster. If something bad happens to my cluster, as an infrastructure admin it's my responsibility to make sure the infrastructure is visible and available for all of the application teams regardless of what time of day they're accessing it. But in order to make a highly available cluster, I need centralized visibility too. So basically, if you
look at the dashboard, I see who can access the cluster, what the latest command was that broke the cluster, and then I can look at the permissions and what command actually broke the cluster, and then I can drill down into the issues, do the forensics and make sure the cluster is back to normal. That is my need: I need a single administrative pane for infrastructure. That's my first area of requirement for secure access. Now, Shahriar, can you go to the next slide please? Yes.

So in an enterprise Kubernetes cluster, we have cluster lifecycle management. You need visibility: you need to know who can access the cluster, what time they are accessing it, what command they wrote. Then we need troubleshooting, and you need an enterprise-wide dashboard, alerting, notifications, and you need Prometheus and Grafana for centralized visibility and monitoring. Now go to the next slide, Shahriar. I think if you come with the mindset that not every dev and ops team member needs an unrestricted ability to create, delete and modify resources, then what comes with that mindset is that you spend a lot of time on the single administrative pane, you spend a lot of time on the enterprise dashboard, and what ends up happening is you need less troubleshooting. You come towards the goal where you have less alerting and monitoring, and you look towards the area of adopting integrated monitoring. So in the next slide I tell you: if you come up with the mindset that not every dev and ops team member needs the unrestricted ability to create, modify and delete Kubernetes resources, this mindset gives you less troubleshooting, less alerting and monitoring, being prepared for monitoring, and you have visibility in the single administrative pane and the enterprise-wide dashboard. Now Shahriar, I can go to the next few slides and then I go straight to... yes, next four. Now we come to the challenges associated with
controlling access: how do you access the cluster, what traditional approaches do you have, how they fall short today, where they leave you and where they give you some kind of visibility. Can you go to the next slide? We start our journey with access management via bastion. What you do is you install a bastion in front of your private Kubernetes cluster; you SSH into that machine, and from that machine, where the Kubernetes cluster is running, you are able to access it. But the huge issue is everyone has the same kubeconfig file, meaning if somebody messes up the cluster, the entire organization is in the hands of the recovery team to get back to the previous state of the cluster, and you will end up seeing a lot of firefighting. I saw a lot of this in 2020, a lot of people spending a lot of time on backend recovery tools, because this happened very often. You also have a large attack surface, since the entire private network is accessible from the bastion.

The next one is another challenge with the approach called jump host. What you do is you create a jump host, meaning, let's say, you have another machine dedicated in the public area; you can access that machine, and that machine will eventually access the private cluster where Kubernetes is running. We've done something good here, but the problem is similar to the previous one: you have the same kubeconfig file, and you have YAML secrets, and all the dumping ground of YAML and secret management that you have to worry about. Then there's a large attack surface, since the entire network is accessible from the bastion. Same approach, different design, but the problem still remains the same.

The next one, on the next slide, is access via VPN gateway. That is better. I see some companies, some people, still using Kubernetes access management with this approach. There are some tools associated with it
in the market right now, but the problem is that it will cost you dollars to purchase and operate. You need a team dedicated to the VPN who can give you access to the cluster. So it's a good one, but it's lacking because there is so much cost associated with it. Remember, you are accessing the cluster in AKS, EKS, GKE; if you accidentally create some resources in AKS, EKS, GKE, that will pile up your bills. So it's a good approach, but there are cons associated with it: the need for a VPN gateway per data center, every data center requires one VPN, and that needs a huge amount of resources. Then you have the user's need for a VPN client on the laptop: you have a laptop to connect to the VPN, and the VPN connects to the data center. And as I said, there are dollars, there's money and there's cost associated with this approach. And a wide attack surface, since the entire private network, all IPs, all protocols, is accessible from the laptop which is accessing the VPN. So that is another bad way.

So on the next slide, if you go to the next slide, Shahriar, you see the manual approaches fall apart, and you can totally understand this, because you are not accessing one cluster; there are tens and hundreds of clusters that you need to deal with on a daily basis. I work in a team where we access clusters in EKS, GKE, DigitalOcean, in many different places, even in data centers and remote and edge locations. So we can't rely on the manual solutions to fulfill our needs. That's where we head towards the key takeaways from the challenges and head toward the solution, the open source solution that can effectively help you overcome some of the challenges. In the next slide I'm talking about the key takeaways. Number one, you need to remove the cognitive load from accessing cluster by cluster. You need to remove the manual jump host or VPN approaches, because the entire fleet, the entire network, is on the verge of one bad access, one bad
command to the cluster. Then you need dollars to purchase and operate, and then you need some kind of custom tooling to audit, because the reason you're auditing is you're spending a lot of time in auditing, because you know things are going wrong, and wrong in a very horrible way. So that's where you can work with identity providers and auditing mechanisms to solve the needs. And then all these are human-friendly: humans type commands and they can break things in some way. So basically this is error-prone and increases the risk of breaches as the number of clusters grows. So let's circle back our conversation towards an open source solution that's called Paralus, a CNCF Sandbox solution, how this solves some of the challenges, or we can dive in to see the model Paralus operates in. So Shahriar, can you go to the next slide please? Yes.

So meanwhile, before I jump to the open source solution, if you have some questions related to access management, because I know you have a channel for them, don't hesitate to ask, and I will cover them. So let me give you some backstory of the CNCF Sandbox project, because I would like to dive into the intricacies of how the project evolved. I worked with a lot of open source projects in the community in the past, so I want to be a very good listener around the backstories of the projects. So I talked to one of the teams who is managing this open source solution, and this team is called Rafay Systems, and I asked some of the team members why they see a need for an open source solution and why they donated it to the CNCF. They spoke about how in our Rafay Kubernetes operations platform we have multi-cluster management that clients are using, we have GitOps for Kubernetes, we have visibility and monitoring tools in a single pane with the click of a button, and then policy and governance with Open
Policy Agent features like add-ons, and then they have a dashboard in their platform, then cluster blueprints, drift detection, and all of the features listed are part of that platform they're providing to the customer. And they told me one of the features their clients love is zero trust access, meaning the way they're accessing the cluster is zero trust, meaning no rotation of the kubeconfig file and no rotation of RBAC; that kind of thing is handled automatically. And they see all of their clients accessing Rancher clusters, OpenShift, mainline upstream Kubernetes, EKS, GKE or Azure, all running in different data centers, AWS, Azure, Google, remote or edge locations. So they told me all the cluster approaches and all of the access management became very difficult for our customers, and they like our feature around zero trust, and what we did is we said, people have already shown a demand, why not make it open source so other people can use the same feature to solve some of their needs.

In the next slide I'm talking about how the Paralus model works. So basically, if you are accessing the cluster today, how this approach works is you can access the cluster from kubectl, the CLI, a browser-based kubectl shell, or a kube API client. What happens is you access the Paralus server, and the Paralus server is a monolith comprising many components, having Kratos for user identity, meaning if a user logs into Paralus, we preserve their identity, user credentials and login; we use Kratos, and we have a bunch of other Paralus core components, so we combine those and call them the Paralus server. So when you access the cluster, the first thing is you talk to the Paralus server, so there's no rotation of anything. Then there's step two: you will log in via, let's say, GitHub or Google or any identity
provider like Azure AD, or anything you would like to use; you can even use Okta to log into the Paralus dashboard. So you log in, and then we will assign you a permission: what permission this user has in order to access the cluster. The next thing that will happen is we will create an ephemeral service account. When you bootstrap the cluster in the Paralus dashboard, there's a relay agent installed in front of your cluster; that basically installs and configures the service account token for you, and then you can access the cluster. The service account token is then added to the Kubernetes API server. The next time you run the command kubectl get pod, you can see the pods; kubectl get deployment, you can see the deployments. If you don't have permission to see the deployments in, let's say, the orange namespace that belongs to me, then you get an access denied error, because we have already added an authentication mechanism in Paralus, so you don't deal with RBAC, role-based access control. So that's the architecture we have, and this architecture gives you unified, trusted, secured access via the network terminal, immutable audit logging. When you run all these commands, there's a trail: you can see who did what, what time it takes for the command to run, and all these kinds of things are visible in the Paralus dashboard. So basically with this tool the promise and the motivation is towards a zero trust model, governance capabilities and integration, meaning complying with DevOps policies and reducing attack surface across data centers, and centralized cloud credentials including IAM policies and service principals. So now you can go to the next slide please, Shahriar. Yes.

So now the scenario becomes: I want to access the cloud Kubernetes cluster using a web browser-based kubectl, a service account token and federated RBAC. I need centralized visibility, a centralized audit trail of all
kubectl activity. So basically what I need is secured access to a cloud-based Kubernetes environment, meaning I can access the cluster, jump in, and then I remove myself; I need a service account token for federation, and I need to see centralized visibility of all kubectl activity. So that's the scenario where we think Paralus can best fit in. If you go to the next few slides, then I go straight into some of the demo spots and tell you how these things look in the real world. So Shahriar, can you go to the next slide please? Yes.

So if you look at the paralus.io website and jump in there, you see all the information available. This is an open source product; I want to see some contributions from the community members, because what we'd like to see is how the community is dealing with the challenges of access management: what's the problem you're facing, what feature do you want to add. So basically, as of today, we're giving you custom roles, users and groups. If you log into Paralus, we have custom roles associated with it, and you can change and revoke permissions on the fly, meaning if somebody from the team leaves the team and then joins again, there's always a hustle; then the compliance team comes up and manually removes their permissions. But that is not the case with an open source tool like Paralus; the permission model is a very automated one. You can go to the dashboard and remove and revoke permissions. Then we have SSO, meaning you can use GitHub, Azure AD or Okta to authenticate to log into the system. You have an audit log of kubectl command history, and we have a modern GUI, we have the pctl tool to access the Kubernetes cluster, and we have an API. So Shahriar, I'm hoping I haven't lost anyone. Can I share my screen and give you a demo? Yes, sure, sure.

Okay, let's wait for some time. Okay, so if you guys have any questions, you can just comment here. I think there are some
questions coming up. Okay, let's wait for the speaker.

So yeah, oh sorry guys, I'm sorry for disconnecting again. So Shahriar, thank you, I'm just sharing my screen. While I was sharing my screen, I previously clicked the wrong button and I got disconnected, so sorry for that, people. So let me share my screen. I'm sharing my entire screen, and I want to give the users and the listeners a walkthrough of how this thing works. I'm unable to, so Shahriar, can you give me access to share my screen? I think you should have the access already. Okay, can you please try joining using that link? Yes, sure, sure. So I'm rejoining. Yeah, sure.

Okay, sorry for the issues, but I hope you guys wait for the demo part, because now Saim will show you the demo, how it works. Okay, so let's add him to the game. Yeah, you can try now. Yes, absolutely. I think there's one question in the chat: what is the best tool for managed Kubernetes? Is that the question, Shahriar? In the chat there are others as well, but yeah, there has been one question like what tool is best for a managed Kubernetes cluster. Yes, absolutely. So I think right now the motion, there's a revolution we call it, the momentum is towards managed Kubernetes clusters, because spinning up a Kubernetes cluster locally takes a lot of our time and effort, and all these things we have to do manually, because Kubernetes is not just about Kubernetes; the entire ecosystem is built around that. So currently I see people building platforms on Kubernetes infrastructure. If you look right now, there's Go Port, there's OpenShift, already around for a very long time, then there's a tool that I know, I work with the company, the Rafay Kubernetes operations platform, and then there are a bunch of others whose job is to give you Kubernetes inside a dashboard, and basically pick
and choose the services you like: if you want to use a service mesh, here's a button for you, click on service mesh, it's added behind the scenes, and let's focus on the app, the business that you're working on. So that's where the motion is heading. I think right now there is a lot of overlap, so if you want to manage Kubernetes locally and want to see centralized visibility, the question has two angles. Number one, I know Kubernetes is complex and I want to have a managed tool that gives everything in a single pane of glass; that is the kind of tool I'm talking about. If you're talking about just a tool that gives you visibility, and you can see how the pods, replica sets and daemon sets are listed inside the dashboard, previously we had the Lens open source project, but now it's becoming more of a commercial one. K9s is a really good one, as somebody is chatting over there, but K9s gives you terminal-based access; you can try commands, terminal-based access management, then you can look at the dashboard and see how the pods, deployments, replica sets and all these things behave. So for managed Kubernetes, go look at the platform tools that people are building on top of Kubernetes; for local development needs and visibility needs, go for K9s. Yes, for the product level, as I already said, if you want to have a Kubernetes cluster, service mesh, GitOps, Prometheus, Grafana, ingress controller, and you want to lift this responsibility off to somebody else, go for some of the tools I mentioned, Shahriar already mentioned: there are a bunch of them, like OpenShift, there's Rancher, there's the Rafay Kubernetes operations platform, there's Co-Port, then there's Mia-Platform, and there are a few others like Weave's platform; you can name it. It's very difficult to tell which one is the best, but these are the options that exist, and let me know if
you have any question related to that, I can answer. So, any more questions before we jump into the demo, and then we can conclude the podcast?

I guess this question: does Paralus have high availability? How is Paralus... Yes. So, how the question actually relates: if you access the cluster, a lot of the time you access the cluster to configure it, and your kubeconfig is actually used by all the team members, and that's bad stuff: with that file, the user utilizes the server's certificates, and that is actually what is utilized to access the cluster behind the scenes. So basically the question around how Paralus becomes highly available is one lacking point, and that is accessing the cluster. So basically there are some permissions we can actually tap into and load, and make it through the API server, and then actually access the cluster behind the scenes, but as I lost...

Somebody... I guess your video is breaking down, actually. Yeah. Okay, so I guess you can start with the demo, if so... Yeah, sorry for the issues, because our speaker is facing some internet issues, I guess, so sorry for this issue. Okay, let's wait for him to join in again for the last part, the demo part. Yeah, let's see. So yeah, he has joined, let me add him into the stream. Your screen is free, I guess. So yeah, hello Saim, can you hear us? Yeah, this has been an issue, I guess. Let me wait a bit. So, is it possible to get the slide deck? Right, okay, so yeah, I will talk to the speaker, and if it is possible then I will add the slide deck to the stream, basically, into the YouTube live description; you might see the slide deck there. Okay, so yeah, awesome. Okay, so yeah, I guess we can't continue the session if it seems like this, but you guys can share where you have joined from. So yeah, in the meanwhile... Yeah, I can see Saim now. Okay, okay. So I don't know why, but it's
actually reloading for a long, long time, even while I'm talking, and it got me disconnected. Right now this is my best experience; I usually do some kind of hosting on another platform. Meanwhile, if you want some deep dive content, I have a YouTube channel called Cloud Native FM and there's a lot of content related to Paralus available there. There's a question around how Paralus gives you some kind of availability; we have an entire session on that on the Cloud Native podcast YouTube, so make sure you actually join it and see the discussion there. I hope things work right now. I'll give you a very quick demo, and thank you very much, Neera, for actually sending the Slack channel in here so people can join it. We have unanswered questions here, please go there, and if you have some wonderful communities building up, I'm going to answer those as well. So I hope I can have permission to access my screen so I can literally jump in very quickly and give you some very good highlights. So I think I have to rejoin again, because I disconnected previously, so that's a design consideration. No worries, I will be very quick, it's a very short demo, and I will be back.

Okay, yeah, thank you guys, and yeah, thanks for sharing the Slack channel. And in the meanwhile, what you guys can do is, there is actually a blog, paralus.io/blog, so this is what Saim has shared with me, let me share it, check this out. Okay, you guys can check this blog, I guess. Okay, I've added you to the stream.

So let me quickly share my screen again, and there's a very short demo. We hope things work right now. Sorry people, I'm still unable to share my screen. No worries. What I'll do is, can you go to the Paralus repository, because there are some videos in there we can actually use as part of our discussion? So paralus.io, and there's a GitHub link there, you can go there, there's a GIF added there, so I
can walk people through how this actually works in the real world, because there are people who want to... We have a question. So if you, okay, let me... Yes, no worries, no worries.

So guys, while Shahriar shares, we go to the Paralus website. Paralus is now actually listed in the AWS Marketplace, it is actually available in Civo cloud, we recently added it, and it is also available in DigitalOcean. Why is this actually super cool? Because sometimes we feel like installing and cloning a repo, and helm install, and Paralus is installed, and some bad things happen. With a managed offering like the AWS Marketplace, what you do is go to the AWS Marketplace and click; the marketplace is a one-click installer, basically. So basically when you install, go to the EKS cluster, look at the security section in the AWS Marketplace, inside the security section you see Paralus, click on that, install it on your EKS cluster. Once you install it on your EKS cluster you see some of the components related to Paralus added; there are some connectors, there is a relay agent, the relay server is already added. So this is the website we're talking about, but the next step is, Shahriar, can you go to the GitHub right now? If you go to the GitHub, click on the GitHub and I can walk you through some of the steps in there. Yeah, I think we have added a GIF in there somewhere, down in the repo, can you go there quickly? Contribution, authors, Paralus website... let me share one with you quickly here so people can look at how this thing works. Is this the GIF we are talking about, features? Yes, this one. So can you actually make it bigger? Like, you click on it, there is a separate... Yes.

So how does Paralus work? First thing first, you log in to Paralus via GitHub. So the first step is you go to paralus.io, install Paralus, and then the dashboard you
already run locally at console.demo.paralus, and then you actually access the Paralus dashboard. The next thing is, how do you actually log into Paralus? You can actually use GitHub, Okta, Azure or any favorite tool. The next step is you actually bring on a cluster, the onboarding process: click on the cluster and import an existing cluster. When you import an existing cluster, remember we are adding the relay agent in front of every cluster. So when you import the cluster we give you the bootstrap.yaml file. When you have downloaded the bootstrap.yaml file, let's say kubectl apply -f bootstrap.yaml... Yes, thank you, Nirv is also added on the YouTube as well; this is a talk from Nirv at KCD Bangalore, the video is added there. So basically you actually download the bootstrap.yaml, kubectl apply -f bootstrap.yaml, and then the relay agent is actually added into the cluster. What the relay agent does is provide you the service account token for accessing the cluster, meaning when the service account token is actually granted and added in the cluster, you don't need a kubeconfig file or all of these RBAC and manual processes; basically you can access the cluster with an ephemeral service account token. If you type kubectl get pod, the Paralus server actually lifts this request off to the relay agent, the relay agent will actually give you the service account token, and that service account token has permissions, meaning it has access, it can access the cluster as an admin, as a read-only person, or as a read-write person. So with that model you can actually access the cluster and list all kinds of resources. Let's say if you want to add more granularity, give me permissions or revoke permissions, go to the Paralus dashboard, inside the settings, go to the project settings, and you actually remove Saim's permission from this cluster, and in that way my permission got revoked, and
everything is back to normal, meaning there are no manual steps involved behind the revoking of permissions. So that's how Paralus actually works today. We have so many new requests coming up, there are some issues related to it; currently we're working on how to give you centralized visibility using Prometheus and Grafana tooling, so the dashboard can be shinier for you. So we recently added Civo cloud; make sure you actually access the Civo cloud cluster and let us know your opinion on how this works. So over to you now; if you have any more questions, and then we wrap up the proceedings, and you can share your screen and we can actually give people some final places to look for resources for Paralus.

Okay, so yeah, I guess people can now ask their questions, because we have just ended our session right now, right? Okay, so yeah, I guess there are some questions that have already been asked, but yeah, a few questions that might be added here. I guess I'm going to ask you some questions, like, how can organizations effectively implement role-based access control in their Kubernetes cluster? So what's your opinion on that? Can you repeat a bit, can you repeat again, I just lost a few words. Okay, okay, so how can organizations effectively implement role-based access control, which is basically RBAC, in their Kubernetes cluster?

Yes, absolutely. There's a manual process. Remember RBAC, how the RBAC permission model works. Remember we have the namespace concept in Kubernetes; namespaces allow you to see the resources that belong to you. How do you actually audit, how do you actually control? You need role-based access control, and that is provided to a namespace. So role-based access is actually telling you, let's say I want read-only access to the namespace orange: I create a role and then I create a role binding, and that role binding belongs to Saim, because
remember, in Kubernetes there is no user concept. Like, Saim is a user who gets access to this or that resource, but that user is not added in Kubernetes as a resource. So that's a limitation, or never mind the limitation, we need role-based access control. So role-based works like this: you first create a role saying you can access the cluster and have read-only permission to the orange namespace. How do you bind this role to me? You create a role binding object, and in the role binding object you say this is the resource name and kind; kind is the resource, let's say the resource is a namespace, and in that namespace you can't see a deployment resource, and if you try to see it you get errors. So that is how this manually works; it's a lot of moving pieces between them. And I think people are moving from manually creating RBAC toward automation approaches like Paralus. What Paralus does is exactly the same as what Kubernetes is actually doing, giving you the RBAC model, but hiding the RBAC details from you. So basically what it does is you log in via a GitHub user or a Google account or any account, and when you log in we create a role for you; let's say in this project, in this resource, you can actually access this namespace and you can see a deployment, and that is actually added for you on the fly when you actually access the cluster. So when you access the cluster, being an admin, being a developer, I don't have any worry like whether I'm accessing a bad thing or have bad access, because I only have the permissions already provided to me by the platform engineering team. So I think the question now becomes: if you are manually doing it, it's great, but the manual process falls apart; it's very complicated, it's a hierarchy, it's so complex, and there's a learning curve behind it. So I see people are moving towards some RBAC solution. Paralus is one of them, there's Kubescape, which gives you an RBAC visualizer, and there are a bunch of
others in the market that give you an automated framework for RBAC management.

Okay, that's awesome, actually, because you have already mentioned RBAC, and right now, yeah, this is how it works. So again there can be another question regarding this, like, are there any specific tools or frameworks that you recommend for simplifying and enhancing Kubernetes access management? So from your own opinion or experience, anything you'd like to mention?

Yes. I think there are some different models right now in Kubernetes. Somebody is using the CRD model, like you have a controller installed in the Kubernetes cluster; what it does is, if somebody accesses the Kubernetes cluster with the wrong permission model, it detects it and it sees from the policy that this person doesn't have permission to do these kinds of things, and it's blocked. So, meaning, it's in front of the Kubernetes door; if you want to bypass this door there's a controller in front of you that is actually preventing you from doing some harm in the cluster. That's where tools like... in the past we had Datree tooling that gives you some kind of YAML-specific thing, like you can't have a bad YAML actually in place in the cluster, so they actually block you from doing that instead of waiting for the cluster to apply it and the cluster telling you there is some misconfiguration here; it's telling you beforehand. So these are the controllers inside Kubernetes; I'm talking about policy engines like Kyverno or Open Policy Agent, these do this kind of gatekeeper thing. And there are some tools that are actually apps and DevOps tools like this; they create a separation of concern between the application team and the DevOps team, and Paralus is actually one of those. What Paralus allows you is that platform teams can actually create a permission model in the Paralus dashboard, and the app team actually uses the same permission model to access
the cluster. So that is actually overlapping with what you call a separation of concern. And then there's gatekeeper tooling in Kubernetes. And remember, access management in Kubernetes is as complex as landing something on the moon, because look at it: you are accessing Kubernetes with CSI, CNI, service mesh, GitOps, Prometheus, Grafana, observability, so much. So, having typed one bad command, then the forensics begins: oh, is it a runtime error, is it a CRI error, is it a CNI error, is it a CSI error, is it a service mesh error, is it a GitOps error? There's so much in place. So I think the better recommendation is to be prepared for security up front, don't rely on day two or day three; that's what we call security preparedness, with some of the open source tooling like Kubescape or Paralus and a bunch of others available in the marketplace. So I think having some tooling that provides automation is necessary, but if you want to do it manually you can, but you end up in a situation where you spend a lot of time configuring, managing and deploying, and less time in the business domain; like, your job is to actually create some application that the business consumes and therefore does its work, so actually you have a very small amount of time to think about those things. But I think having some automation tool or open source tool gives you some good kind of visibility.

Okay, yeah, that's a good explanation, yeah, awesome. So I would like to add one last question, and it would be like: how can organizations strike a balance between granting developers the necessary access privileges while maintaining security and minimizing potential risks? So yeah.

Yes, absolutely. I think right now what organizations typically need is... I think a lot of the enterprises are building Kubernetes platforms, and these platforms have built-in functionalities; like I tell you, you have zero trust security built in, policy and enforcement built in, GitOps and drift detection tooling built in,
networking tooling as well. What organizations are doing right now is they're adding a tool called zero trust security. What this tool does is similar: this tool is actually added in the platform, and what the platform team actually does, their job, is to actually create the permission model for the application team, because the platform team's job is to make the life of the application team easier. Rather than after they actually do something bad with the cluster, they're telling them up front: you have these rights, and if you need more rights, let's talk to me, I'll give it to you more granularly, and then you work on the security. So yes, so I think, I'll stop, I will repeat again. So basically what organizations are doing right now: you have a platform, and then the platform has features like zero trust security. First thing first, separate the concerns between two teams; the platform team needs more ownership than the development team, and remember I told you in the slides as well, not every dev and ops team member needs an unrestricted ability to create, delete and modify resources. We all agree. What we do is we tell the platform team, your job is to create permissions for the application team so they can do their work best. What they do is they can grant, like, app team, you have read-only access to the resource named deployment; in that deployment anybody can actually list their deployments, but if that person is from another team, he won't have access to it. So first thing first, separate the concerns. So you will actually look at the permission model and the hierarchical model where you can give, like, here is a separation of concern. Once you identify the separation of concern, the next thing is to look for the automation tool that gives you automated RBAC, centralized visibility and a kubectl trace of all activities; like, if I type kubectl get pod in a dashboard, all of my activities will be logged. If something bad, let's say my last command, kubectl apply -f,
broke something, it's very easy to do forensics out of it. Number one, separation of concern; number two, automated RBAC; number three, centralized visibility, centralized tracing of all kubectl activity; number four is go towards policy and governance for compliance of your organization, try to bring in compliance and a cultural shift, and how your organization is set up, and then you actually create another loop out of it. So I think these are the basic requirements for anybody using it. I hope you got the answer to your question, and thank you very much to the people in the chat as well, if this information looks useful to you.

Yeah, yeah, awesome, awesome, thank you so much for these informative answers. Yeah, I guess that's how we can end our session now, right? If there are no questions left, we can end our session. Yeah, thank you. I guess so, yeah, if you would like to add anything you can just mention it right now, like Slack or something like that.

Yes, absolutely, thank you. Thank you very much; I see a wonderful audience today in the chat. Number one, I can tell you, I also have a YouTube channel called Cloud Native Podcast, and @cloudnativefm is the Twitter handle, where we have 80 plus episodes, and I couldn't really see... to do a forensic and research around how other people feel in the domain of Kubernetes. If somebody is watching and we have the same domain and they want to share their story, do let me know, we can conduct some podcasts on my YouTube channel as well. Also we have a Cloud Native Islamabad community; if you search Cloud Native Islamabad on YouTube you see a bunch of very informative workshops on Kubernetes, so do join those as well. And if you're working on some open source project and want it to be a part of the CNCF, or if you are actually going to KubeCon, if you have any interactions, if
you want to see me, I would love to communicate, love to hang out, want to know your opinion so I can make Paralus a better project. Thank you very much, Shahriar, for inviting me, and I really enjoyed the time here despite some difficulties.

Yeah, yeah, I know, issues. I think this does happen occasionally, so there's no problem. Yeah, thank you so much, Saim, for your awesome session. Yeah, let's just end our session now. Okay, so yeah, let's... okay, let me take you to the next... With that, thank you so much, see you soon. Bye bye, everyone.

Okay, so yeah, thanks everyone for joining the latest episode of Cloud Native Live. We enjoyed the interaction and questions from the audience, so thanks for joining us today and we hope to see you again.