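Hello everyone, how have you been today? So many of you have come here, because this session looked too long and it seemed many people would not know about it, but I am really glad. Thank you. Shall we begin? The title of this session is a very long and difficult title. But in fact this title is the title of a Keycloak switch. It is probably the title of a technology for which many of you use Keycloak. But this session looked too long, so shall I begin. First, it is the title of Keycloak. The title of the title looked too long. The title of Keycloak is the title of Keycloak, because it is the title of Keycloak and a house key. And it is a place where voicing the key is imitated. In other words, if you have a key, you can prove that you're allowed to enter a specific place. Keycloak is the title of a physical technology. Keycloak is news that includes a special system as a way of entering. The challenge of production uses the project protocol of the step. 1.0 and OIDC. As you know, you can use Okta, roller, login. Keycloak is used in the same way. Keycloak's writing is the architecture of this drama. At first sight it seems a little difficult, but it is not difficult. What can be explained next? So I think I can love it. And... I think I can ask this question. I think I can ask this question. Anyway... please call, starting from the architecture.

My name is Sujin Lee. I am a cloud engineer. I provide cloud-related consulting for Korea and Asia Pacific. This is my second KubeCon. For the first KubeCon I came to this one. For the second KubeCon I came to this one. I am the phone of the phone of the phone of KubeCon. Surprisingly, I never expected that moment to come early. So, this is really another time, and a meaningful time for me. I hope this session is as meaningful to you, as Keef en Wall's tomorrow's day. Hoon is the CNCF ambassador as well as cloud solution architect. He is working at Megazord that makes me.

It seems that everyone is familiar with IAM, because most of public and private cloud services dysfunction. If a person who knows makes a person who knows not know it well, I will give a long explanation. A person who knows, very simply, a person who knows is the definer's definer and, as a definer, the process of the definer's definer. The definer of the definer's definer is the definer's definer and the definer's definer. It is the definer's definer and the definer. I know that, using the proposal, for the reason of paying deep attention, one seeks the mind and fulfils the counterpart's proportion. To understand the background and the identity of the technology, the technology of Hakuna AI and Keycloak and the identity are like this. So we first should know authentication and authorization a little more. Let's look at the top. Authentication is the left one, authentication, which is often intro which, and the right one is authorization, which is as intro which. Let me share a very tensile example. Well, you can see贤스 and W181.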
I hope some of you would guess what I want to say now. What should I say now? This is the room number. So I am already here, because I was an attendee. I came to KubeCon. And my phone's phone, here is the phone's phone. My phone's phone, here is the phone's phone. This phone is the phone of rotation. So here, here is this phone. My phone is here. And now, summarize it. Authentication is like asking, who are you? And authorization is like giving the right permissions and then asking, can you do that?

Now, let's expand to the real Kubernetes world. In Kubernetes, authentication is certificate and authorization is RBAC by Role and RoleBinding. This concept for IAM is not only used in the vanilla Kubernetes. This concept is usually in even managed Kubernetes service. So says GKE IAM and AKS IAM and EKS IAM. If you have a multi-cloud environment, therefore those silo situations could be solved by Keycloak. Furthermore, we could consolidate Tencent and Alibaba's Cloud Kubernetes service by using Keycloak. This is not the end of Keycloak speakers. Keycloak can enhance so many parts of security. Integrating with Keycloak enhances naturally so many parts of security.

Let me share a very, very funny example. Maybe my jokes failed. Well, yeah. It looks like a very, very bad example for passwords. Nobody uses it like that on production level. If you have a production level, you should change the passwords regularly for security reasons. However, if you have a consolidated or centralized system such as Keycloak, you could reduce the work of changing passwords to just one type. Keycloak single sign-on features make this possible.

Okay, so far we have seen what Keycloak can do. So it's time for your world demo. Hoon will be demonstrating after explaining the topology. Hoon, could you start from here to the end?

Yeah, thank you. Thank you for your presentations. We're gonna be at this demo. You like it. I think it's just for testing or explaining. It's a little bit of a boring time and before the lunch, actually. So we're gonna be at the demo.
And before jumping to the demo, you know that we are already explaining this architecture over there. So there isn't any kind of number or procedure or something like that. So we're gonna be explaining how this works. We're gonna be explaining how this works. Yeah. Before that, is this not, I mean, that does not apply for the EKS and GKE quotes. It is only applied for the EKS. Actually, that's the reason why there's a gray area as GKE. So I'm gonna be at what is the differentiation between the EKS and GKE later. Later in the presentation. I mean, the next page.

First, you know that this, we are the commanditude at the Kubernetes clusters. We're gonna be mostly used at the Kubernetes cluster. That's the reason why number one is the pink arrows blinking. You're gonna be following the pink arrows blinking. So we are Kubernetes cluster command. After that, there is called some reference command, the Kubernetes login. The Kubernetes login is not officially a command. It's for some convenience purpose to use it in this lab. So a customized command. So I will explain in the actual demo why it's organized like that. After Kubernetes login, open the web browser, web browser. After that, this authentication request to the Keycloak is there. Yeah, authentication request to the Keycloak. After that, Keycloak, there is some web browser show up that there is a Google API. Google's button exists. So we click the Google API button. Google button, it is a request to the Google API. And then the Google API is searching the user information. After that, back to the Keycloak. Yeah, so Keycloak receives those kinds of user information and makes a JWT. You know that the JWT is JSON Web Token. Yeah, the client has already received the JWT. So we're gonna use the JWT to request permission to the Kubernetes cluster. From the Kubernetes cluster's perspective there is not any kind of validation work. How can you trust that?
So the Kubernetes cluster requests the verification to the Keycloak. It can't be believed. Yeah, or not. So Keycloak will be checking the validation, after that replying back to the Kubernetes cluster. And the Kubernetes cluster, yeah, trust is after the order of the procedure, and replies back to the client, and then the client shows up that. Finally, the kubectl get pod or kubectl get deploy or something like this command output. It is the kind of EKS procedure. And if you use the AKS or on-premise or something like that, it is a very similar mechanism.

However, it is just a little bit different if you use the GKE: the first command is not the kubectl. There are some, you know what I already said, the kube login is my customized command. So when I just run the kube login it can create a context first. The context is the minger with the some JWT and now there's a created context first. I think there is someone who cannot figure out this context from the previous. So I'm pointing at the square on the left. So the context is created first. There is a little bit of difference between this EKS and GKE. So first kube login, and then kube login opens the web browser, after that there is the same mechanism your previous EKS did. Yeah, so it requests authentication to the Keycloak, and the Keycloak, Google API, API reply back, and then client and the JWT, after that created context. So it created the context and then we are using the kubectl get pod, something like the command, to the Kubernetes cluster, it is the same as the previous EKS thing. Yeah, like that.

I think most of us are some engineers or some developers. So a demo is great to understand, or some proving thing is very important. So I'm going to do the shorter demo to understand further. Here is the context here.
You can see that there is some EKS in here, and then for convenience purpose I use the PSA in here, it is a context, and then here is the namespace, but namespace is not important at this demo, and we already checked this current context. And I already said that I made it as a customized command, which is kube login. Kube login is here. It's a little bit awkward, something is there, but anyhow this is convenience for this demo. Yet, equal to the some, figure out the some, what is the context first? So it can be figured out by the grep, and then there is some save to the variable as a vendor. So after that, if it is true, I mean that this is GKE, it is equal to the kubectl oidc login --cluster and --login-config.

So here is the something that isn't familiar to this muscle person in here, or someone who is a little bit familiar, but I'm not. This, before, I was just preparing, is one of the CRDs for the GKE, so you can see the kind is the ClientConfig. And then here is authentication, authentication, and client ID, client secret and RAM addresses, sort of that, this purpose is the authentication. And also probably everybody knows about this, the client secret is really, really highly important because it can be the encryption though after result like a shot, so it should be hidden. But after the session, probably afternoon, I'll destroy or wrap, so yeah, exposure is okay actually, yeah. So it is a kind of some CRD for the authentication for the GKE side.

And the other, if it is not GKE, it can call this command. There are only two contexts, GKE and EKS. So that's the reason why I customized this command. So it is equal to kubectl oidc-login get-token. It means that it just generated a token like a JWT. If you run this command I receive the JWT thing. So it can be decoded by this base, base64. So this command, both of the commands, this call to GKE is that this created context looks like that, but I will be sure of that. And first it created
the context, that's the reason why I made it as some of my own purposes too, that created the kube login command. And here's the directory, here's the directory, some several things, but you notice my time is really limited. So this is the reason why this deploy impris is already done. And I show you the EKS first. There are three files. This lab is, the authentication is by the Keycloak but authorization by the RBAC, Kubernetes by RBAC. So that's the reason why I need to apply this one. This one, before I applied it, it may need to the chat. Yeah. You can see that the cluster role binding is applied, but here is this Keycloak side. Keycloak, I have, I already said that there is a little bit, little bit limited time. And how the kind group is the Keycloak's role. So if I applied it to some of the users got from the Google API, it automatically, some, yeah, there is a default group and then the role is the DevOps. So the RBAC is created first to run this demo. And how does the k a is my preference to use this command, the earliest thing is that kubectl apply. So apply and then created this cluster role, role binding.

And then there are two commands more, because I have some order of this cluster. So I can do anything in here. So the demo's purpose is not this. So I run this one for the demo, you know, probably know that this is AWS update-kubeconfig. And then there is some profile, but you know that this profile is really highly confidential. So I cannot show that, but I use the profile to create a new context. New context, you can verify the changed context in here. Yes. Here is the context changed, the sujin ctx blah blah blah, yeah, context changed. After that I try kubectl get pod but the response is unauthorized because I did not do authentication yet. So I want to use the authentication by the OIDC, OpenID Connect. That's the reason why I use the number three, it shows that it created some user credential thing. So user credential, which is that's
why this user. Here is the point: it is kube login I use. So I already said that kube login in here, if it is some EKS, uses this command. So get some token and then use some new OIDC users and then authentication, eventually get some region. So I need to create this some new user credential. And then, yeah, the command is like that. I'm really hopeful this lab is working. You know that yesterday something happened, and you know a live demo sometimes is really not working, so as a pray this, I'm working like this command, I think. You know we have a viewer screen or something like this, so it is automatically, yeah, sure, well, but I think something is a problem, or you know that there's some, projectors are never an issue. And yeah, it is popped up by this command, and after that I click the Google button, and then there are two users, but I use the Susan and your email address to activate the user account. Here is, she is the inbox, so I'm waiting to receive the email from the Keycloak, hopefully. Yes, yeah, got it. Yeah, so see that there is some link to the email address verification. If I don't click it there is no command output, but if I click this link, authentication, authentication, authentication. Yes, yes, yes. Something looks like pending. Yeah.

And how does it work? Like this kind of mechanism is the EKS, or if you use the AKS, AKS is a little bit different, but on-premise is very similar. However, as I said, GKE is a little bit different. Okay, we need to change the context first. Here is the GKE context, and we need to change the directory. Kube login, it will call the kubectl oidc login cluster, it's the, and then --login-config. So, so yeah, call this command, create a new context, it is automatically like this. Yes, it is, well, originally automatically, but you know that the projector has an issue. Authentication success, and then create a new context like here. It is a little bit too long
because it is cluster ID, cluster name plus the user name, that's the combination to create it, so that's the reason why the context is a little bit longer than I thought. And I'm trying some kubectl get pod but there is not any RBAC applied yet, that's the reason why it is forbidden. So see, even though the user information is received and authentication, some final authentication is done, it is not yet to the authorization. So I changed the context here, there is a full permission, so I would like to apply to, yeah, see that does a key plug and a key plug pz in here. There is, uh, yeah, two RBAC exist. One thing is that that's my, uh, my user ID and the other thing is a sujin ID. First I applied for me, yeah, apply for that, and then trying to be, I is, you notice I use the --context, it is really convenient to not change the context, and then trying to get pod but it is the same message because it doesn't apply the RBAC for her. So I'm trying to change another, some, she's RBAC, some proper response, so I said no.

Okay, and how, this is back to the presentation. So I said this GKE and EKS, they are the same mechanism by the OIDC, OpenID Connect, but a little bit different. EKS, they are using the, just for pictures, OIDC directly, but GKE first creates a context, and how that they are using the same mechanism. Conclusion is too long. First, first thing is that it's very simple to apply this authentication and a solution for application if you are using the Keycloak as your demo. And the other thing is that if you are using the semiconductor or engine or factory, something like it is a very highly secure product or some environment thing, you can, I mean you can make your own identity, the providers, those kinds of purposes the Keycloak is really provided, so it can how. Third one is that Keycloak can be very efficient to manage the users by the groups, so Keycloak, this is really highly, the previous this EKS
demo, they, I use some group, by the groups, as users managed by the group, so it is one of the efficient ways to manage the user credentials thing. Finally, it naturally follows, actually centralizes, manages this, or could make your environment more secure. So I highly recommend the Keycloak if you, that there's really be double yours environment thing. The really, really rough thing is that there is so many the reference risk thing is this, yes, so I'm summarizing to the rest so many to the reference risk. Probably this clip will be exposed some one or two months later, so if you're curious about it, or if you want to know about it further, or self, self to be studying, something like that, just scan the QR, or yeah, scan the QR, you can see all of the links, yeah, directly. Yeah, thank you. Very recently people lunch and it's a really hungry time, and really thank you for your listening. Thank you, thank you.