Integrating Identity with LDAP for SUSE CaaS Platform
Rodolfo BejaranoSolutions [email protected]
Michael CarringtonSolutions [email protected]
Agenda
• What is SUSE Containers-as-a-Service Platform?
• How do we integrate identity with LDAP?
• Demo
• Q&A
SUSE CaaS Platform
Speed application delivery to improve business agility
SUSE CaaS Platform is an enterprise-class container management solution that enables IT and DevOps professionals to more easily deploy, manage and scale container-based applications and services.
Achieve Faster Time-to-Value
With everything you need to quickly offer container services
• Kubernetes container orchestration
• Container runtime and image registry
• SUSE MicroOS container operating system
• Complementary technologies
Achieve Faster Time-to-Value
With everything you need to quickly offer container services
Curated package: SUSE Enterprise hardening & support
• Meet internal compliance standards
• Reliable, scalable and robust
• Maintained holistically
• Tested to ensure interoperability
What’s new in SUSE CaaS Platform 3+? Exceptional Platform Operator Experience
SUSE CaaS Platform: Installation & Configuration, Security, Maintenance, Monitoring, Scaling, Availability
Rapid delivery of new features
• External Authentication support
  • LDAP
  • OIDC
• NGINX Ingress Controller
• Update to Kubernetes 1.10.11
Coming Soon to SUSE CaaSP version 4+
• Container Host OS
  • Codebase: SUSE Linux Enterprise 15
  • Containers isolated via virtualization (Kata Containers)
  • Monitoring (Prometheus)
• Orchestration
  • Network options (Cilium as first plugin)
  • Kubernetes 1.11
Ready Today! SUSE CaaS Platform Partners
Why Would We Want to Integrate Identity with LDAP?
• Environment isolation without the need for deploying multiple clusters
• Seamless role assignment
• Incorporate Single Sign-On (SSO) benefits
• Avoid the need for management of another user repository
• Security teams will appreciate it
How Do We Integrate Identity with LDAP?
Prerequisites
• Working LDAP server: an LDAP server and the credentials for a user/service account with permissions to search the directory.
• Working SUSE Container-as-a-Service Platform cluster
• …And you are done! Ready to configure it!
Velum LDAP server configuration
Once Your Config Is Ready… You Can Login
And You Get a kubeconfig! But… You Need Rights
SUSE CaaS Platform 3: Role Based Access Control (RBAC)
USER → ROLE → RIGHTS
• In enterprise settings, access might be based on the job function or role of the user
• Users authenticate themselves to the system
• (Some) users can activate one or more roles for themselves
SUSE CaaS Platform 3: RBAC Examples
Cluster-Admin
• Operate the infrastructure
• Block access to the infrastructure level
• Allow developers to interact with Kubernetes
Cluster-Member
• Full access for my team to manage the application
• No access to other teams’ work
• No access from other teams to our work
Manager
• Check the usage
• Have an overview of resources
Cluster-Admin Role

```
Leap15:/home/rodolfo # kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

Leap15:/home/rodolfo # kubectl describe clusterrolebinding ldap-administrators
Name:         suse:caasp:ldap-administrators
Labels:       <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  Administrators
```
Cluster-Member Role

```
Leap15:/home/rodolfo # kubectl describe clusterrole cluster-member
Name:         cluster-member
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                 Non-Resource URLs  Resource Names  Verbs
  ---------                 -----------------  --------------  -----
  nodes.*                   []                 []              [get list watch]
  persistentvolumes.*       []                 []              [get list watch]
  storageclasses.*          []                 []              [get list watch]
  namespaces                []                 []              [get list watch]
  namespaces/status         []                 []              [get list watch]
  persistentvolumeclaims    []                 []              [create delete deletecollection get list patch update watch]
  pods                      []                 []              [create delete deletecollection get list patch update watch]
  pods/attach               []                 []              [create delete deletecollection get list patch update watch]
  pods/exec                 []                 []              [create delete deletecollection get list patch update watch]
  pods/log                  []                 []              [get list watch]
  pods/portforward          []                 []              [create delete deletecollection get list patch update watch]
  pods/proxy                []                 []              [create delete deletecollection get list patch update watch]
  pods/status               []                 []              [get list watch]
  replicationcontrollers    []                 []              [create delete deletecollection get list patch update watch]
  replicationcontrollers/s  []                 []              [create delete deletecollection get list patch update watch]
```
Cluster-Member Rolebinding

```
Leap15:/home/rodolfo # kubectl describe clusterrolebinding ldap-users
Name:         suse:caasp:ldap-users
Labels:       <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-member
Subjects:
  Kind   Name   Namespace
  ----   ----   ---------
  Group  users
```
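The two bindings above are what turn an LDAP group into Kubernetes rights: the `Administrators` group is bound to `cluster-admin`, the `users` group to `cluster-member`. The following is an added example, not SUSE CaaS Platform code, that audits such bindings the way a defender would before trusting directory groups for authorization. It reads binding objects in the shape `kubectl get clusterrolebindings,rolebindings -A -o json` emits, answers "can a user in these groups do this verb on this resource in this namespace", and lists every group that receives unrestricted cluster-wide rights. The sample bindings mirror the two on the slides plus a hypothetical namespaced `team-a-admins` RoleBinding; the role rule table is a constructed, abbreviated stand-in for the real ClusterRoles.

```python
"""Audit which LDAP groups receive which Kubernetes rights through RBAC.

Added example (not SUSE CaaS Platform code). It evaluates Group subjects in
ClusterRoleBindings and RoleBindings against a constructed, abbreviated table
of role rules, at the level the API server does: a ClusterRoleBinding applies
in every namespace, a RoleBinding only in its own.
"""
import json

# Constructed sample shaped like the items of
# `kubectl get clusterrolebindings,rolebindings -A -o json`. The first two
# mirror the bindings on the slides; "team-a-admins" is hypothetical.
SAMPLE_BINDINGS_JSON = """[
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "suse:caasp:ldap-administrators"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "Administrators"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "suse:caasp:ldap-users"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-member"},
   "subjects": [{"kind": "Group", "name": "users"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "team-a-admins", "namespace": "team-a"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "Group", "name": "team-a"}]}
]"""

# Constructed, abbreviated rules. cluster-admin matches the slide's
# `kubectl describe` output; cluster-member keeps a few of the rows the
# slide lists; "admin" is reduced to three resources for the example.
ROLE_RULES = {
    "cluster-admin": [{"resources": ["*"], "verbs": ["*"]}],
    "cluster-member": [
        {"resources": ["nodes", "persistentvolumes", "namespaces", "pods/log"],
         "verbs": ["get", "list", "watch"]},
        {"resources": ["pods", "pods/exec", "persistentvolumeclaims"],
         "verbs": ["create", "delete", "deletecollection", "get", "list",
                   "patch", "update", "watch"]},
    ],
    "admin": [{"resources": ["pods", "secrets", "deployments"], "verbs": ["*"]}],
}


def load_bindings(raw_json):
    """Parse binding objects; in practice feed it kubectl's JSON output."""
    return json.loads(raw_json)


def _match(pattern, value):
    return pattern == "*" or pattern == value


def _binding_applies(binding, groups, namespace):
    """A binding applies if one of the user's groups is a subject and the
    binding's scope covers the namespace being asked about."""
    has_group = any(s["kind"] == "Group" and s["name"] in groups
                    for s in binding.get("subjects", []))
    if not has_group:
        return False
    if binding["kind"] == "RoleBinding":
        return binding["metadata"]["namespace"] == namespace
    return True  # ClusterRoleBinding: cluster-wide, so every namespace


def allowed(groups, verb, resource, namespace, bindings, roles=ROLE_RULES):
    """True if any applicable binding references a role whose rules permit
    `verb` on `resource`; the group-subject part of `kubectl auth can-i`."""
    for b in bindings:
        if not _binding_applies(b, groups, namespace):
            continue
        for rule in roles.get(b["roleRef"]["name"], []):
            if (any(_match(r, resource) for r in rule["resources"])
                    and any(_match(v, verb) for v in rule["verbs"])):
                return True
    return False


def groups_with_cluster_admin(bindings, roles=ROLE_RULES):
    """(binding name, group) pairs that get unrestricted rights everywhere:
    a ClusterRoleBinding to a role with '*' verbs on '*' resources."""
    found = []
    for b in bindings:
        if b["kind"] != "ClusterRoleBinding":
            continue
        rules = roles.get(b["roleRef"]["name"], [])
        if any("*" in r["resources"] and "*" in r["verbs"] for r in rules):
            found += [(b["metadata"]["name"], s["name"])
                      for s in b.get("subjects", []) if s["kind"] == "Group"]
    return found


BINDINGS = load_bindings(SAMPLE_BINDINGS_JSON)

if __name__ == "__main__":
    print("groups with cluster-admin:", groups_with_cluster_admin(BINDINGS))
    checks = [({"users"}, "create", "pods", "kube-system"),
              ({"users"}, "get", "secrets", "team-a"),
              ({"users", "team-a"}, "get", "secrets", "team-a"),
              ({"team-a"}, "get", "secrets", "team-b")]
    for groups, verb, res, ns in checks:
        print(sorted(groups), verb, res, "in", ns, "->",
              allowed(groups, verb, res, ns, BINDINGS))
```

Two things the run makes visible. First, because `suse:caasp:ldap-users` is a ClusterRoleBinding, the pod verbs in `cluster-member` apply in every namespace, `kube-system` included; the per-team isolation on the RBAC Examples slide ("no access to other teams' work") needs namespaced RoleBindings such as the hypothetical `team-a-admins`, which the evaluator correctly refuses to honour in `team-b`. Second, `groups_with_cluster_admin` is the list to re-check whenever group membership in the directory changes, since anyone the LDAP administrators add to `Administrators` becomes a cluster admin with no change on the Kubernetes side. The evaluator deliberately ignores apiGroups, resourceNames, non-resource URLs and User/ServiceAccount subjects, so treat its answers as a review aid, not a replacement for `kubectl auth can-i`.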
Demo Time
Q&A
Additional Resources
• Setting up an LDAP server: https://www.suse.com/documentation/sles-12/book_security/data/cha_security_ldap.html
• External LDAP directory: https://www.suse.com/documentation/suse-caasp-3/book_caasp_admin/data/sec_admin_security_external_ldap.html
• Internal containerized LDAP directory: https://www.suse.com/documentation/suse-caasp-3/book_caasp_admin/data/sec_admin_security_ldap_preparation.html and https://www.suse.com/documentation/suse-caasp-3/book_caasp_admin/data/sec_admin_security_users.html
• Role Management: https://www.suse.com/documentation/suse-caasp-3/book_caasp_admin/data/sec_admin_security_role.html
Unpublished Work of SUSE LLC. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of SUSE LLC. in the United States and other countries. All third-party trademarks are the property of their respective owners.