Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

C174e1ef0c746f53d989b1902b4e674e?s=47 go_vargo
December 18, 2019
Programming
5
2.4k

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

C174e1ef0c746f53d989b1902b4e674e?s=128

go_vargo

December 18, 2019
Tweet

More Decks by go_vargo

See All by go_vargo
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
0
83
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
6
2.1k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
14
2.6k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
38
13k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
32
9.1k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
18
8k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
6
3.1k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
4
910
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
2
320

Other Decks in Programming

See All in Programming
13d64bff196e33cc6b352f226137d16e?s=48 monoqlo
0
230
A2cd163fd3cfca5204b0d8f0c17eea29?s=48 yujif
2
550
575ca492bac55e895d0e1c86f7d709fe?s=48 hschwentner
1
540
B1702643adfb1c2216f6db6fab3e5073?s=48 chocoyama
4
470
8f2c3621c8a56710b8fc8b993f400ef3?s=48 hirokiabe
0
300
Eae7b6aeee72d3081b01d09a2d675f9a?s=48 akkeylab
5
980
583e920a7e9238a1c21e923025f8f641?s=48 elainenaomi
4
170
3925ee6eaa41031bac799de0f4f528ec?s=48 to4iki
1
510
2594ac7ce91fd7d9a3ce71ca7cc2d0c0?s=48 d_date
8
1k
D07d36d7d3263da869c7d030ba4a64a6?s=48 y__mattu
1
430
1a1d418bdf51cbf8fce1317f6c80a907?s=48 satoshi0212
3
270
Afdb8e40066f7939ff82727bc0c892ce?s=48 junk0612
0
110

Featured

See All Featured
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.1k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
147
20k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
240
23k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
207
38k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
270
17k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
27
5k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
129
20k
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
0
310
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
25
4.1k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
227
8.9k

Transcript

  1. Admission Webhook ͰշదͳSecret؅ཧ 2019/12/18 Kubernetes Invitational Meetup Tokyo #4

  2. Admission Webhookͱ͸ʁ

  3. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  4. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  5. LVCFBQJTFSWFS 3FTPVSDF)BOEMFS .VUBUJOH 8FCIPPL 7BMJEBUJOH 8FCIPPL "ENJTTJPO8FCIPPL ʜ ʜ ʜ

    ʜ "ENJTTJPO ʜ ʜ 7BMJEBUJPO Admission Webhook ೚ҙͷॲཧΛWebServer ΁ͷHookͱͯ͠௥ՃͰ͖Δ

  6. ࠓճ࡞ͬͨAdmission Webhook

  7. Berglas Secret Admission Webhook GCPͷSecret؅ཧπʔϧͰ͋Δ BerglasΛ࢖ͬͯɺಁաతͳSecret؅ཧΛ࣮ݱ

  8. ࡞ͬͨAdmission Webhookͷ໨త ໨త: Secretͷ؅ཧͰɺGit্ʹSecretͷValueΛ࢒͞ͳ͍ Α͏ʹ͍ͨ͠ɻGCP্ͷSecret؅ཧʹBerglasΛ ࢖͍ͬͯΔͷͰɺBerglasΛK8sͰ΋׆༻͍ͨ͠ɻ apiVersion: v1 kind: Secret

    metadata: name: database_secret data: PASS: cGFzc3dvcmQ= $ echo cGFzc3dvcmQ= | base64 --decode password ໰୊఺: ͨͩͷBase64Τϯίʔυͩͱ ͙͢ʹσίʔυͰ͖ͯ͠·͏ ࡞ͬͨAdmission Webhook: Berglas্ʹ࡞ͬͨSecretΛɺK8s্ʹ෮߸ͯ͘͠ΕΔ → YAML͸୭͕ݟͯ΋໰୊ͳ͍Α͏ʹ͢Δ

  9. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ҉߸ʹར༻ Secretσʔλ͕࡞ΒΕΔ berglas create <BUCKET>/<KEY> <VALUE> Encrypt

  10. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ෮߸ʹར༻ SecretσʔλΛࢀর berglas access <BUCKET>/<KEY> Decrypt

  11. Admission Webhook࡞੒ʹ࢖ͬͨ΋ͷ Kubewebhook: Admission WebhookΛ࡞ΔͨΊͷϑϨʔϜϫʔΫ AdmissionReview, AdmissionResponseͱ͍ͬͨɺ Admission Webhookʹඞཁͳ෦෼Λड͚࣋ͬͯ͘ΕΔ ར༻ऀ͸Mutateؔ਺ͱValidateؔ਺ͷ࣮૷ʹूதͰ͖Δ

    Berglas API: https://github.com/slok/kubewebhook https://github.com/GoogleCloudPlatform/berglas SampleͰCloud FunctionΛར༻ͨ͠Admission Webhookͷ ྫ΋͋Δ͕ɺ༻్͕ҟͳͬͨͷͰࠓճ͸WebhookΛࣗ࡞ https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

  12. Berglas Secret Admission Webhook SecretΛ࡞੒͢Δͱɺʮberglas://ʙʯͱ͍͏ϦϑΝϨϯε ͕͋Δ΋ͷ͸ɺಁաతʹ෮߸Խ͢Δ(ͦΕҎ֎͸εΩοϓ) ᶃ kubectl apply -f

    secret.yaml Mutating Webhook Server Validating Webhook Server #FSHMBT apiVersion: v1 kind: Secret metadata: name: database_secret data: PASS: berglas://BUCKET/pass ᶄ Admission Webhook ᶅ Mutate ᶇ Validate ᶆ Decode

  13. ϋϚͬͨͱ͜Ζ

  14. Managed K8sͰಈ͔ͳ͍(ͱצҧ͍ͯͨ͠) Admission Webhook cannot work on private GKE clusters

    https://github.com/elastic/cloud-on-k8s/issues/1437 443ϙʔτҎ֎ͰɺWebhook ServerΛಈ͔͍ͯ͠Δͱɺ Webhook ServerͷPod·ͰAPI Request͕౸ୡ͠ͳ͍ɻ GKEͰ͸ΤϯυϙΠϯτIPʹ௚઀௨৴͢Δ͕ɺ443(HTTPS), 10250(Kubelet)ͷϙʔτ͔͠ڐՄ͞Ε͍ͯͳ͍ͨΊ Webhook Server Master VPC Worker VPC Port: 443 ͸ڐՄ ※443Ҏ֎ͷ৔߹͸ɺϑΝΠΞ΢Υʔϧͷ݀։͚͕ඞཁ

  15. ࢀߟʹ͢Δͱྑ͍΋ͷ Admission Webhooks: Configuration and Debugging Best Practices - Haowei

    Cai, Google https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best- practices-haowei-cai-google

  16. Thank you