臺灣博碩士論文加值系統

服務容器化已經成為現在的流行，許多的組織或機構逐漸開始將服務容器化，服務
的容器化過程中管理容器也是一個很大的議題。Kubernetes 是近年來容器管理的代名
詞，能夠負責調度容器、自動化部署、擴張管理之系統。
當 PaaS 平台結合 Kubernetes 時，將會遇到使用者權限管理的問題，Kubernetes 預設
是使用單一憑證來進行外部機器(PaaS 伺服器)的請求認證，但 PaaS 平台提供的是以使
用者為角度的服務，若 PaaS 平台以 Kubernetes 預設的單一憑證進行 Kubernetes 叢集之
部署請求的認證，則對於叢集來說每個請求都是來自同一個身分，叢集不會辨別 PaaS 個
別使用者的身分，並規範各個使用者在叢集內的權限，導致 PaaS 使用者之間在叢集的
使用上可能會產生資源衝突。
本篇論文設計與實作一套身分識別與授權框架，解決以 Kubernetes 為基礎建構的 PaaS
平台的使用者專案權限管理問題。本框架的身分認證採用基於 OAuth 協定延伸的
OpenID Connect 作為叢集驗證的機制，讓叢集的操作可以依個別使用者身分執行，並且
分配及管理使用者的叢集資源。當使用者部署專案時，本框架會檢查並移除造成資源衝
突與越級權限的部署請求。

Containerized applications rapidly went flourish and are widely adopted by organizations
and institutions. Managing containers have become a significant issue. Kubernetes is one of the
solutions for container orchestration, automated deployment, and scaling management.
Managing user permissions could be problematic when providing Platform as a Service
(PaaS) with Kubernetes. By default, Kubernetes utilizes a single certificate for external
machines to access Kubernetes resources. Consequently, the PaaS server has only one
certificate for the Kubernetes API server to authenticate the requests the PaaS server redirects
on behalf of the PasS users. Sharing a single certificate for all PaaS users could lead to a user
identity problem because the cluster would assume every request is from the same source.
Therefore, the Kubernetes cluster can’t allocate different resources for each user, thus leading
to resource conflicts.
This thesis designs and implements an Identity and Authorization framework that can
solve the user permission management problem in PaaS with Kubernetes. The framework
adopts OpenID Connect, based on OAuth, for user authentication in the Kubernetes cluster.
Thus, the Kubernetes cluster can execute commands and allocate distinguished resources on
behalf of each user. Therefore, upon the user deploying project, the framework would also
eliminate potential resource conflicts or privilege escalations by resource deployment contents.

摘要 I
ABSTRACT II
目錄 III
圖目錄 VI
表目錄 VIII
第1章 緒論 1
1.1 簡介 1
1.2 研究動機 2
1.3 研究目的 2
1.4 問題探討 2
第2章 背景知識 4
2.1 KUBERNETES 簡介 4
2.1.1 Kubernetes 節點元件 4
2.1.2 Kubernetes 資源物件 5
2.1.3 Kubernetes Service 6
2.1.4 Ingress 8
2.1.5 使用者驗證流程 8
第3章 相關研究 11
3.1 帳號驗證機制 11
3.1.1 X509 11
3.1.2 Static Token File 12
3.1.3 Service Account 12
3.1.4 OpenID Connect 13
3.1.5 結論 14
3.2 解決資源衝突的方案 15
3.2.1 開發Operator 15
3.2.2 Kyverno 15
3.2.3 Open Policy Agent 16
3.2.4 結論 17
第4章 需求設計 18
4.1 架構設計 18
4.2 使用者資源規劃 18
4.3 權限管理機制 19
4.4 使用者初次登入 20
4.5 使用者部署服務的類型 20
第5章 實現方法與實作 22
5.1 PEKOS整體架構實現 22
5.2 賦予CSCLOUD PORTAL權限 22
5.3 使用OIDC作為叢集驗證機制 23
5.4 權限綁定的不足之處 24
5.5 OPA POLICY FOR RESOURCE DEFINITION 25
第6章 實驗結果 27
6.1 實驗環境 27
6.2 HOSTNAME CONFLICTION 27
6.3 RESOURCEQUOTA 呈現 29
6.4 專案部署時間 30
6.5 使用者訪談 31
6.6 定性比較 32
第7章 結論與未來展望 33
參考資料 34

The Linux Foundation, “Kubernetes,” 07 2022. [線上]. Available: https://kubernetes.io/.
M. a. N. B. a. P. Boniface, “Platform-as-a-Service Architecture for Real-Time Quality of Service Management in Clouds,” 2010 Fifth International Conference on Internet and Web Applications and Services, pp. 155-160, 2010.
王非、何雄輝, “A method for providing a platform-as-a-service PaaS service, the method comprising”. 中國 專利: WO2018177013A1, 04 10 2018.
Samuel Laurén, M. Reza Memarian, “Analysis of Security in Modern Container Platforms,” Research Advances in Cloud Computing , pp. 351-369, 28 12 2017.
Yifei Wu, Lingguang Lei, Yuewu Wang, Kun Sun & Jingzi Meng , “Evaluation on the Security of Commercial Cloud Container Services,” International Conference on Information Security, pp. 160-177, 25 11 2020.
“Kubernetes Components,” 2022. [線上]. Available: https://kubernetes.io/docs/concepts/overview/components/.
“Understanding Kubernetes Objects,” 2022. [線上]. Available: https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/.
“Operator pattern,” kubernetes.io, [線上]. Available: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/.
“Services-networking,” kubernetes.io, [線上]. Available: https://kubernetes.io/docs/concepts/services-networking/service/.
“Ingress,” kubernetes.io, 2022. [線上]. Available: https://kubernetes.io/docs/concepts/services-networking/ingress/.
“Kubernetes Authenticating,” 07 2022. [線上]. Available: https://kubernetes.io/docs/reference/access-authn-authz/authentication/.
“Using RBAC Authorization,” 07 2022. [線上]. Available: https://kubernetes.io/docs/reference/access-authn-authz/rbac/.
“X.509 : Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks,” International Telecommunication Union (ITU), [線上]. Available: https://web.archive.org/web/20210501134105/https://www.itu.int/rec/T-REC-X.509/. [存取日期: 2022].
OpenID Foundation, “openid,” OpenID Foundation, 2022. [線上]. Available: https://openid.net/connect/.
IETF OAuth Working Group., “OAuth 2.0,” IETF OAuth Working Group., 2022. [線上]. Available: https://oauth.net/2/.
CNCF, “Kyverno,” Kyverno, 2022. [線上]. Available: https://kyverno.io/.
CNCF, “OPA,” open-policy-agent, 2022. [線上]. Available: https://www.openpolicyagent.org/.
“Bringing MySQL to the web,” phpMyAdmin, 07 2022. [線上]. Available: https://www.phpmyadmin.net/.
“Roundcube,” Roundcube, [線上]. Available: https://roundcube.net/. [存取日期: 2022].
Nginx, “NGINX Ingress Controller,” Nginx, [線上]. Available: https://docs.nginx.com/nginx-ingress-controller/. [存取日期: 07 2022].
Traefik, “Traefik & Kubernetes,” Traefik, [線上]. Available: https://doc.traefik.io/traefik/providers/kubernetes-ingress/. [存取日期: 07 2022].
H. I. C. Authors, “HAPROXY INGRESS,” 07 2022. [線上]. Available: https://haproxy-ingress.github.io/.
“Pod Lifecycle,” Kubernetes, 07 2022. [線上]. Available: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/.