yahoo/k8s-athenz-identity

Name: k8s-athenz-identity

Owner: Yahoo Inc.

Description: null

Created: 2017-10-03 17:14:57.0

Updated: 2018-05-14 09:02:10.0

Pushed: 2018-01-12 21:42:58.0

Homepage: null

Size: 430

Language: Go

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

k8s-athenz-identity

Proof of concept control plane components to securely provide Athenz identities to Kubernetes application workloads.

This gist provides a high-level overview.

See the design document for a detailed description of the end to end flow. Read the components doc for details on every component.

Works on k8s version 1.8 or above.

Build

dir -p ${GOPATH}/src/github.com/yahoo
 ${GOPATH}/src/github.com/yahoo
t clone <this-repo>
 k8s-athenz-identity
ke

Testing

For my tests, I have set up a single node k8s cluster on a bare-metal box. Cluster created using kubeadm with the Noschedule taint removed from the master and extra alpha flags for new features for the API.

There is a one command setup and teardown in the k8s folder that do everything. Your mileage in getting this to work may vary :)

In any case, you can see all the moving parts by inspecting the setup script and all the YAML files for the configmaps, deployments and daemonsets.

TODOs

• High-availability of initializer using leader election.
• Admission controller that enforces initializer for user apps, does not allow random workloads to use the custom volume driver etc.
• Ordering of initializer configuration and deployment of initializer still matters. Will be an upgrade issue. Investigate.
• Dynamic refresh intervals for both control and data plane SIA