Tuesday, May 21 • 14:00 - 14:35
Fine-Grained Permissions in Kubernetes: What’s Missing, and How to Fix That - Vallery Lancey, Lyft & Seth McCombs, Triller

In this talk, we will walk through a number of common scenarios where Kubernetes lacks sufficient access control tools, or where access control is often not properly applied. For example, it is common for a team to own a subset of services in a namespace, yet RBAC permissions grant that team access to other pods within the namespace.

We will demonstrate a number of solutions available for specific problems, such as pod network policies, the Open Policy Agent, and custom controllers that gate API functionality.

We will also discuss problems with the namespace permission model, and possible alternatives. Namespaces create an arbitrary boundary around resources, which creates the need to then bridge those boundaries. We will demonstrate ideas for bridging namespace networks, and POSIX-style object permissions within a namespace.


Vallery Lancey

Infrastructure Software Engineer, Lyft
Vallery Lancey is a self-described Systems Witch (more formally, an Infrastructure Software Engineer at Lyft). She works on developing upstream Kubernetes, as well as downstream Kubernetes implementation and platforms. Vallery has spoken about a wide range of Kubernetes content...

Seth McCombs

Site Reliability Engineer, Triller
Seth McCombs is an SRE at Triller, working to maintain highly available and secure cloud environments in and out of Kubernetes. As an "OpsDev Wizard" (an engineer from a background more IT Ops than Dev), he strives to bring a unique perspective to his work, never afraid to poke fun...

Tuesday May 21, 2019 14:00 - 14:35
Hall 8.0 B1