WEBVTT 0:00:02.500000 --> 0:00:06.820000 If you're going to work with Kubernetes in Azure, it's important to understand 0:00:06.820000 --> 0:00:12.180000 what your security options are with Kubernetes. 0:00:12.180000 --> 0:00:15.640000 That's what we're going to cover in two different videos. 0:00:15.640000 --> 0:00:18.180000 This is the first video of two. 0:00:18.180000 --> 0:00:22.640000 In this video, we're going to take a look at the Azure Kubernetes components 0:00:22.640000 --> 0:00:25.920000 and how that relates to security. 0:00:25.920000 --> 0:00:30.500000 In particular, we're going to take a look at Azure role-based authentication 0:00:30.500000 --> 0:00:32.140000 within Kubernetes. 0:00:32.140000 --> 0:00:36.700000 We'll talk about Kubernetes updates and patches and how that's handled. 0:00:36.700000 --> 0:00:43.260000 Then I'm going to demonstrate how to set up and use Azure AD for Kubernetes. 0:00:43.260000 --> 0:00:47.300000 Let's go ahead and let's jump right into this. 0:00:47.300000 --> 0:00:52.060000 First of all, when we're talking about Kubernetes, we want to talk about 0:00:52.060000 --> 0:00:56.320000 the Kubernetes components, because the way we work with these components 0:00:56.320000 --> 0:01:02.200000 from a security standpoint, really makes a pretty significant difference. 0:01:02.200000 --> 0:01:04.940000 You can draw a line down here. 0:01:04.940000 --> 0:01:07.660000 We've got the Kubernetes control plane. 0:01:07.660000 --> 0:01:11.480000 That is really going to be an Azure resource. 0:01:11.480000 --> 0:01:17.400000 The Kubernetes control plane itself is managed by Azure. 0:01:17.400000 --> 0:01:22.540000 Now, we'll take a look and there's a blend of Azure activity that we have 0:01:22.540000 --> 0:01:25.080000 there, and there's also Kubernetes activity we have. 0:01:25.080000 --> 0:01:27.540000 Then you've got the Kubernetes nodes. 0:01:27.540000 --> 0:01:32.880000 Now, these also are standard Azure resources. 
0:01:32.880000 --> 0:01:38.140000 Your nodes are either VMs or they're instances in a virtual machine scale 0:01:38.140000 --> 0:01:42.340000 set, and they are in a network. 0:01:42.340000 --> 0:01:52.240000 I've got one or more networks here. 0:01:52.240000 --> 0:01:56.840000 Then the actual workload is in something called a pod, which again, you 0:01:56.840000 --> 0:02:00.420000 can see in other videos in terms of what pods are. 0:02:00.420000 --> 0:02:03.780000 They're not really containers because they could be more, but I think 0:02:03.780000 --> 0:02:06.460000 of them like containers. 0:02:06.460000 --> 0:02:09.600000 Now, when we have this architecture, there are a couple of things to keep 0:02:09.600000 --> 0:02:14.100000 in mind when you're using the Azure Kubernetes Service. 0:02:14.100000 --> 0:02:19.180000 That is really, again, that line that you've got: on the one hand, you've 0:02:19.180000 --> 0:02:26.420000 got the control plane, and that's really being managed through Azure itself. 0:02:26.420000 --> 0:02:30.360000 You're not really doing much, certainly directly with the networking, 0:02:30.360000 --> 0:02:36.660000 but then you've got the actual nodes, which are doing your execution. 0:02:36.660000 --> 0:02:43.200000 Now, let's talk about this in terms of role-based access control, because 0:02:43.200000 --> 0:02:50.780000 if you are working with Azure Kubernetes Service, it is generally recommended 0:02:50.780000 --> 0:02:52.680000 that you go ahead and use RBAC. 0:02:52.680000 --> 0:02:59.920000 Now, there are two primary approaches to accessing the Kubernetes control 0:02:59.920000 --> 0:03:04.220000 plane, and they both have to do with Kubernetes API calls. 0:03:04.220000 --> 0:03:09.000000 On the one hand, there is going to be an Azure Kubernetes administrator 0:03:09.000000 --> 0:03:14.840000 account that will be created for you when you provision an Azure Kubernetes 0:03:14.840000 --> 0:03:19.740000 Service.
However, that's really not what you want to use to make your 0:03:19.740000 --> 0:03:21.460000 Kubernetes API calls. 0:03:21.460000 --> 0:03:24.100000 Now, regardless of what you do, there are going to be service accounts, 0:03:24.100000 --> 0:03:28.240000 and the service accounts are going to interact with the Kubernetes API. 0:03:28.240000 --> 0:03:30.840000 And that's part of security, but that's not really what is of interest 0:03:30.840000 --> 0:03:36.440000 to us. What is of more interest to us is the idea of user accounts. 0:03:36.440000 --> 0:03:41.220000 And there are a couple of different ways that you can assign rights via 0:03:41.220000 --> 0:03:46.080000 user accounts. One is to use what are called cluster roles. 0:03:46.080000 --> 0:03:48.380000 And there are essentially two different cluster roles. 0:03:48.380000 --> 0:03:52.900000 There's an admin role, and there is also a user role. 0:03:52.900000 --> 0:03:55.880000 And they're fairly well defined, and I think fairly obvious as to what 0:03:55.880000 --> 0:03:57.420000 you can do with those. 0:03:57.420000 --> 0:04:04.280000 Now, with the cluster roles and the user accounts, there are two options for the 0:04:04.280000 --> 0:04:07.480000 user accounts, and we'll talk about Azure AD. 0:04:07.480000 --> 0:04:16.320000 Kubernetes itself has a basic control plane outside of Azure AD, and you 0:04:16.320000 --> 0:04:20.180000 can use that really just through, as I said, the administrator account. 0:04:20.180000 --> 0:04:21.200000 You usually don't want to do that. 0:04:21.200000 --> 0:04:22.720000 You want to be a little more precise. 0:04:22.720000 --> 0:04:28.080000 And one way that you can add precision is through something called namespaces. 0:04:28.080000 --> 0:04:34.640000 Namespaces are really just a way to parse out the resources that you've 0:04:34.640000 --> 0:04:38.740000 got.
And so I can create a namespace over specific nodes, and then rather 0:04:38.740000 --> 0:04:47.080000 than give you an entire Kubernetes cluster role, I can give you a role 0:04:47.080000 --> 0:04:48.720000 within the namespace. 0:04:48.720000 --> 0:04:51.560000 Now, when you have that role within a namespace, what that means is that 0:04:51.560000 --> 0:04:57.060000 you're going to have the rights to make Kubernetes API calls against specific 0:04:57.060000 --> 0:04:59.460000 resources within Kubernetes. 0:04:59.460000 --> 0:05:04.540000 Now, the Kubernetes role and the Kubernetes namespace role, those are 0:05:04.540000 --> 0:05:11.380000 all actually controlled through the Kubernetes CLI, kubectl. 0:05:11.380000 --> 0:05:17.560000 Now, the other thing you can do, as I said, is you can plug in Azure AD 0:05:17.560000 --> 0:05:19.880000 authentication to manage the user accounts. 0:05:19.880000 --> 0:05:24.060000 So rather than just having that administrative account, you've got an 0:05:24.060000 --> 0:05:28.700000 extension for Kubernetes running in Azure Kubernetes Service that allows 0:05:28.700000 --> 0:05:35.600000 it to integrate with Azure AD, meaning that you can then easily integrate 0:05:35.600000 --> 0:05:39.060000 your users that are set up in Azure AD and give the appropriate users 0:05:39.060000 --> 0:05:43.260000 the appropriate rights, whether it's at the control plane level or if 0:05:43.260000 --> 0:05:46.000000 it's at the namespace level. 0:05:46.000000 --> 0:05:48.880000 Now, how would you go about setting that up? 0:05:48.880000 --> 0:05:51.660000 And I'm going to go through this process, and I'll tell you, I already have 0:05:51.660000 --> 0:05:53.680000 the process set up because it takes a long time. 0:05:53.680000 --> 0:05:57.260000 But I'm going to walk you through what has been done, what I've done, and 0:05:57.260000 --> 0:05:59.420000 show you a few of the parts of that, right?
0:05:59.420000 --> 0:06:04.200000 But it is right now a rather detailed process. 0:06:04.200000 --> 0:06:07.260000 Fortunately, you can see a link down here at the bottom of this 0:06:07.260000 --> 0:06:12.580000 page. And that is literally the step-by-step in addition to being a tutorial. 0:06:12.580000 --> 0:06:16.560000 It's really your checklist of what you need to do whenever you're going 0:06:16.560000 --> 0:06:19.340000 to set up Kubernetes 0:06:19.340000 --> 0:06:21.160000 for working with Azure AD. 0:06:21.160000 --> 0:06:23.600000 Now, there's a couple things you have to do first. 0:06:23.600000 --> 0:06:28.460000 First, you have to create a couple of Azure AD application registrations. 0:06:28.460000 --> 0:06:31.620000 The first one is for the service itself. 0:06:31.620000 --> 0:06:33.300000 You're always going to need that. 0:06:33.300000 --> 0:06:37.320000 But then the second one is for the client. 0:06:37.320000 --> 0:06:42.740000 And the client is really what allows you to interact with Azure AD, or 0:06:42.740000 --> 0:06:46.200000 to use your Azure AD account, I should say, to interact with Kubernetes. 0:06:46.200000 --> 0:06:49.560000 Now, once you've got that set up, then you're going to deploy the cluster. 0:06:49.560000 --> 0:06:53.440000 And right now, at the time of this recording, to do that properly and 0:06:53.440000 --> 0:06:57.320000 be sure it's right, you're going to have to go to the CLI. 0:06:57.320000 --> 0:07:02.580000 And I've got the CLI call, and that is literally the CLI call I use to 0:07:02.580000 --> 0:07:06.600000 generate the Kubernetes cluster that I'm going to show you. 0:07:06.600000 --> 0:07:12.420000 But again, I got that honestly directly out of that link that I've got 0:07:12.420000 --> 0:07:16.200000 at the bottom.
So when you're creating it, you're setting it up and you're 0:07:16.200000 --> 0:07:23.340000 saying, okay, we want to go ahead with creating the cluster, setting 0:07:23.340000 --> 0:07:27.740000 the server app ID, and also setting the client app ID. 0:07:27.740000 --> 0:07:29.260000 And those are really the key. 0:07:29.260000 --> 0:07:35.040000 Now, once you do that, you're going to actually configure Kubernetes itself. 0:07:35.040000 --> 0:07:43.480000 You're going to configure the cluster for an RBAC binding. 0:07:43.480000 --> 0:07:46.100000 And you're going to use YAML for that. 0:07:46.100000 --> 0:07:50.640000 And again, fortunately, there's a great little YAML example right there in those 0:07:50.640000 --> 0:07:52.240000 docs. Cannot stress enough. 0:07:52.240000 --> 0:07:55.200000 If you're going to do this, open up that doc, just walk your way through 0:07:55.200000 --> 0:07:59.600000 it. All right. And then of course, once you have that, then you can access 0:07:59.600000 --> 0:08:01.360000 a cluster with your Azure AD. 0:08:01.360000 --> 0:08:10.460000 The cluster will essentially defer to Azure AD for authentication purposes. 0:08:10.460000 --> 0:08:16.760000 Now, in addition to setting up authentication, you also want to think 0:08:16.760000 --> 0:08:21.460000 about updating the actual nodes within Kubernetes. 0:08:21.460000 --> 0:08:25.300000 Now, Kubernetes itself is going to be maintained, the cluster itself is 0:08:25.300000 --> 0:08:27.320000 going to be maintained by Azure. 0:08:27.320000 --> 0:08:32.600000 You can change which version of Kubernetes you want to use. 0:08:32.600000 --> 0:08:33.820000 There's an upgrade option. 0:08:33.820000 --> 0:08:35.760000 You can do that through the portal. 0:08:35.760000 --> 0:08:37.400000 Right. But what about the nodes themselves? 0:08:37.400000 --> 0:08:39.740000 Right. What about these guys right here? 0:08:39.740000 --> 0:08:41.440000 How are you going to update these guys?
0:08:41.440000 --> 0:08:44.320000 Well, a couple of options there. 0:08:44.320000 --> 0:08:49.640000 As I said, the control plane's managed directly by Azure. 0:08:49.640000 --> 0:08:55.300000 If you've got Linux-based nodes, then they're going to have auto patching. 0:08:55.300000 --> 0:08:57.060000 So it's going to automatically happen for you. 0:08:57.060000 --> 0:09:01.140000 However, if a patch requires a reboot, that is not automatically going 0:09:01.140000 --> 0:09:06.400000 to happen. And unfortunately, if you're using Windows-based clusters, 0:09:06.400000 --> 0:09:08.100000 there isn't even any auto patching. 0:09:08.100000 --> 0:09:10.660000 That's really going to be completely on you. 0:09:10.660000 --> 0:09:15.020000 Now, what I'd like to do to finish out this video is I would like to run 0:09:15.020000 --> 0:09:18.580000 a demonstration of Azure AD for Kubernetes. 0:09:18.580000 --> 0:09:22.220000 I'm going to show you the actual tutorial slash, what I would consider, 0:09:22.220000 --> 0:09:26.000000 checklist that you can go down to successfully go through this. 0:09:26.000000 --> 0:09:30.500000 And any time I set up a Kubernetes cluster for Azure AD, I am using this. 0:09:30.500000 --> 0:09:35.400000 Then I'll just kind of show you the parts of that, what was created. 0:09:35.400000 --> 0:09:38.700000 I'll show you the Azure AD cluster. 0:09:38.700000 --> 0:09:40.980000 And then I'm going to go ahead and use it. 0:09:40.980000 --> 0:09:43.200000 So let's go ahead without further ado. 0:09:43.200000 --> 0:09:47.440000 And let's get into this demonstration. 0:09:47.440000 --> 0:09:57.000000 All right. Here is that vaunted document that I was talking about. 0:09:57.000000 --> 0:10:00.280000 And it goes through Integrate Azure Active Directory with Azure Kubernetes 0:10:00.280000 --> 0:10:04.220000 Service. And it's really got links to everything. 0:10:04.220000 --> 0:10:05.760000 And then it goes through the process.
0:10:05.760000 --> 0:10:09.480000 So the first thing you're going to do is create the server application. 0:10:09.480000 --> 0:10:12.220000 And it goes through the process of creating a server application. 0:10:12.220000 --> 0:10:14.500000 Now, there is one thing that's pretty interesting. 0:10:14.500000 --> 0:10:15.820000 You actually have to go in. 0:10:15.820000 --> 0:10:19.080000 I think this is the only time I've had to go into the actual manifest 0:10:19.080000 --> 0:10:22.180000 of an application and change a setting. 0:10:22.180000 --> 0:10:24.600000 But again, it's very well documented. 0:10:24.600000 --> 0:10:26.400000 You add a client secret. 0:10:26.400000 --> 0:10:29.760000 You're going to need that because the other app that you're going to use 0:10:29.760000 --> 0:10:33.540000 needs to be able to authenticate into this. 0:10:33.540000 --> 0:10:36.440000 And then you add specific permissions. 0:10:36.440000 --> 0:10:39.780000 And these are permissions under the Microsoft Graph. 0:10:39.780000 --> 0:10:41.200000 A couple of them are delegated. 0:10:41.200000 --> 0:10:42.900000 One of them is an application. 0:10:42.900000 --> 0:10:46.160000 And you're going to grant admin consent to all of them. 0:10:46.160000 --> 0:10:48.400000 Then you're going to expose an API. 0:10:48.400000 --> 0:10:52.520000 And again, really what this is, is this makes it so that the client app 0:10:52.520000 --> 0:10:58.700000 that you're about to create can communicate with this particular service. 0:10:58.700000 --> 0:11:00.640000 All right. So you do that, and it's good and set up. 0:11:00.640000 --> 0:11:03.060000 Then you create the client app. 0:11:03.060000 --> 0:11:05.900000 And you register. 0:11:05.900000 --> 0:11:07.440000 You add a permission. 0:11:07.440000 --> 0:11:13.580000 And you actually add the API of the other app. 0:11:13.580000 --> 0:11:15.940000 And you grant it permission. 0:11:15.940000 --> 0:11:21.440000 Okay. 
Then the rest is, we'll get to in a second. 0:11:21.440000 --> 0:11:27.540000 Let me go ahead and show you those two services. 0:11:27.540000 --> 0:11:30.820000 Those two app registrations, really. 0:11:30.820000 --> 0:11:34.800000 So I've got quite a number of app registrations; two that matter. 0:11:34.800000 --> 0:11:43.520000 Here's my INE-K8S. 0:11:43.520000 --> 0:11:55.100000 So here I've got display name, I-N-E-K-8-S, and this is not the right 0:11:55.100000 --> 0:11:57.520000 one. That's the one. 0:11:57.520000 --> 0:11:58.740000 I'm not sure why I created the other one. 0:11:58.740000 --> 0:12:00.900000 Okay. It doesn't matter. 0:12:00.900000 --> 0:12:02.060000 Pretend you didn't see that. 0:12:02.060000 --> 0:12:12.360000 There we go. Here are the permissions that are 0:12:12.360000 --> 0:12:17.800000 required. Okay. So I've got Microsoft Graph Directory.Read.All, both delegated 0:12:17.800000 --> 0:12:22.120000 and application, and then User.Read delegated, which is standard. 0:12:22.120000 --> 0:12:28.120000 And then I've granted administrative consent for all of those. 0:12:28.120000 --> 0:12:33.320000 I have also exposed an API. 0:12:33.320000 --> 0:12:41.440000 Okay. And I have created multiple client secrets because I was having 0:12:41.440000 --> 0:12:44.460000 trouble getting this actually running correctly. 0:12:44.460000 --> 0:12:47.440000 Okay. There we go. 0:12:47.440000 --> 0:12:53.500000 That is the service app, not the client app. 0:12:53.500000 --> 0:13:01.020000 And the client app, it's got no secrets, no secrets here, no certificates. 0:13:01.020000 --> 0:13:05.620000 Okay. But if I go to API permissions, so it's got the User.Read permission, 0:13:05.620000 --> 0:13:09.060000 which you pretty much always have, plus I actually have the read permission 0:13:09.060000 --> 0:13:11.580000 on the service account. 0:13:11.580000 --> 0:13:13.900000 And that's delegated. 0:13:13.900000 --> 0:13:24.360000 All right.
So those are my service accounts, my service principals, really, 0:13:24.360000 --> 0:13:29.280000 is what I'm creating there, or my app IDs, then app registrations, right? 0:13:29.280000 --> 0:13:32.320000 Then you deploy the AKS cluster. 0:13:32.320000 --> 0:13:34.860000 And this is literally exactly what I just said. 0:13:34.860000 --> 0:13:37.120000 This is an example of it. 0:13:37.120000 --> 0:13:41.660000 And you can see that you're deploying to some resource group, giving 0:13:41.660000 --> 0:13:44.740000 it a name, you're generating SSH keys for it. 0:13:44.740000 --> 0:13:49.720000 And then you're setting the server ID, the client ID and the tenant ID. 0:13:49.720000 --> 0:13:52.540000 You can set other options as well. 0:13:52.540000 --> 0:13:55.260000 But those are the ones that matter for this. 0:13:55.260000 --> 0:13:59.520000 Okay. And then you create an RBAC binding. 0:13:59.520000 --> 0:14:04.680000 Now it's interesting: to create the RBAC binding first, because we don't 0:14:04.680000 --> 0:14:09.580000 have any RBAC, you have to initially log in as admin. 0:14:09.580000 --> 0:14:15.040000 And what the az aks get-credentials does is it stores your credentials 0:14:15.040000 --> 0:14:17.760000 for the Kubernetes CLI. 0:14:17.760000 --> 0:14:24.300000 So that goes and grabs the admin credentials. 0:14:24.300000 --> 0:14:29.480000 Then what you have to do is you have to create a YAML file. 0:14:29.480000 --> 0:14:32.420000 And I'll just show you this YAML file here. 0:14:32.420000 --> 0:14:40.300000 If I go ls, and if I actually just go code, it would bring that up. 0:14:40.300000 --> 0:14:47.140000 There we go. Now, unfortunately, this isn't, oh, there we go. 0:14:47.140000 --> 0:14:48.060000 Actually, let me do it. 0:14:48.060000 --> 0:14:54.480000 Awesome. So this is my, which one is this? 0:14:54.480000 --> 0:14:55.660000 This is the user. 0:14:55.660000 --> 0:14:56.740000 Oh, that's a group. 0:14:56.740000 --> 0:14:58.300000 There's a user.
Okay. 0:14:58.300000 --> 0:14:59.780000 So this is what I used for the user. 0:14:59.780000 --> 0:15:01.980000 And this is literally what I did. 0:15:01.980000 --> 0:15:05.340000 I found a user account and I added it. 0:15:05.340000 --> 0:15:08.420000 You can do the same thing with a group account. 0:15:08.420000 --> 0:15:15.180000 And that user and group, if I go to user, that user is me. 0:15:15.180000 --> 0:15:17.500000 This guy right here. 0:15:17.500000 --> 0:15:23.620000 And the group that I added is my K8s admins. 0:15:23.620000 --> 0:15:30.200000 K8s is a goofy shorthand for Kubernetes that once you start using, you 0:15:30.200000 --> 0:15:32.220000 just use all the time, or at least I do. 0:15:32.220000 --> 0:15:37.240000 Okay. So that gets me up to where I can log in. 0:15:37.240000 --> 0:15:43.620000 And then after I apply those, the next step would be to simply log in. 0:15:43.620000 --> 0:15:46.100000 And I'm going to show you that process. 0:15:46.100000 --> 0:15:48.900000 And I know, you know, a lot of this has just been kind of walking through 0:15:48.900000 --> 0:15:56.060000 it here a bit, things that are already done, but I'll be able to pull this 0:15:56.060000 --> 0:15:59.520000 up here. Here we go. 0:15:59.520000 --> 0:16:04.840000 Now here I've got az aks get-credentials, specifying resource group, specifying 0:16:04.840000 --> 0:16:08.820000 the name of the Kubernetes cluster. 0:16:08.820000 --> 0:16:12.260000 Now I've already done this before. 0:16:12.260000 --> 0:16:15.140000 So in this case, it's saying you've already got that. 0:16:15.140000 --> 0:16:16.560000 Are you sure that's what you want? 0:16:16.560000 --> 0:16:18.100000 And the answer is yes. 0:16:18.100000 --> 0:16:19.420000 All right. Excellent. 0:16:19.420000 --> 0:16:27.280000 Now the next thing I'm going to do is I'm going to retrieve the nodes 0:16:27.280000 --> 0:16:30.140000 that are part of Kubernetes.
0:16:30.140000 --> 0:16:35.320000 Now, again, what's really important here is that az aks get-credentials. 0:16:35.320000 --> 0:16:39.380000 I did not specify the admin account, which means by definition it's basing 0:16:39.380000 --> 0:16:42.080000 it on whoever I'm logged in as. 0:16:42.080000 --> 0:16:47.240000 And what's pretty cool about that is it's not going to give me that. 0:16:47.240000 --> 0:16:50.600000 So I have to go and actually log in. 0:16:50.600000 --> 0:17:00.880000 And now to do that, I'm going to take this code, copy that code, and go 0:17:00.880000 --> 0:17:03.380000 through the process of logging in. 0:17:03.380000 --> 0:17:08.800000 Put that code in, choose my account that I'm already logged in as. 0:17:08.800000 --> 0:17:12.020000 And there we go. 0:17:12.020000 --> 0:17:15.600000 When I come back, it has returned the list of nodes. 0:17:15.600000 --> 0:17:22.180000 So now I am interacting with my Azure Kubernetes Service. 0:17:22.180000 --> 0:17:29.680000 And I am interacting with it based on my Azure AD identity. 0:17:29.680000 --> 0:17:34.100000 So, first part of Azure Kubernetes: getting it installed, understanding 0:17:34.100000 --> 0:17:39.460000 how you can set security both at the cluster level, as well as at the 0:17:39.460000 --> 0:17:44.480000 namespace level, understanding the different parts to activating and working 0:17:44.480000 --> 0:17:50.180000 with Azure AD authentication for an Azure Kubernetes Service.