$30 off During Our Annual Pro Sale. View Details »

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

go_vargo
December 18, 2019
Programming
5
3k

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

go_vargo

December 18, 2019
Tweet

More Decks by go_vargo

See All by go_vargo
Kubernetes Internal #9 - Minikube
govargo
0
150
気をつけたいKubernetesとの付き合い方 / Happy Kubernetes Life
govargo
6
2.4k
[CNDT2020]Linux Observability with BPF Performance Tools
govargo
15
2.9k
[CNDK2019]Production Ready Kubernetesに必要な15のこと / Production Ready Kubernetes 15 Rules
govargo
38
14k
ゼロから始めるKubernetes Controller / Under the Kubernetes Controller
govargo
35
11k
Inside of Kubernetes Controller
govargo
20
9.2k
コロプラが実践しているSpinnakerを用いたデプロイ戦略 / Deploy Strategy with Spinnaker at Colopl
govargo
6
3.6k
Improve Docker Image by BuildKit
govargo
4
1.2k
Debugging for MicroService on Kubernetes
govargo
2
450

Other Decks in Programming

See All in Programming
SvelteKitを本番投入してみて
kubotak
0
230
それぞれの特徴から考えるフレームワーク選び
ippey
1
260
Navigating the Streaming Landscape
dunithd
0
230
AWS データベースブログの記事 「Amazon DynamoDBによる CQRSイベントストアの構築」 を勝手に読み解く
j5ik2o
0
230
フロントエンドエコシステムで効率化する組織開発
okmttdhr
4
5.9k
How To 脆弱性対応
cmkomuro
0
280
FlutterKaigi 2022 Keynote
wasabeef
1
240
Hive Distributed Profiling System in Treasure Data - Japanese version #tdtechtalk
okumin
0
120
Blue / Green デプロイと安全性と複雑性と #AWSDevDay
track3jyo
PRO
11
3.9k
やさしく入門するOAuth2.0/easy-entry-oauth
marchin1989
3
460
Symfony & Hotwire: an efficient combo to quickly develop complex applications
florentdestremau
0
110
AWS発デザインシステム「Cloudscape」を使ってUI爆速開発
j_3woo86
1
130

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.6k
Building an army of robots
kneath
301
40k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
196
9.7k
Rebuilding a faster, lazier Slack
samanthasiow
65
7.5k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
127
8.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
The Cult of Friendly URLs
andyhume
68
5k
Three Pipe Problems
jasonvnalue
89
8.8k
Documentation Writing (for coders)
carmenintech
49
2.8k
GraphQLの誤解/rethinking-graphql
sonatard
36
7.6k
The Brand Is Dead. Long Live the Brand.
mthomps
48
2.9k
WebSockets: Embracing the real-time Web
robhawkes
58
5.9k

Transcript

  1. Admission Webhook ͰշదͳSecret؅ཧ 2019/12/18 Kubernetes Invitational Meetup Tokyo #4

  2. Admission Webhookͱ͸ʁ

  3. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  4. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  5. LVCFBQJTFSWFS 3FTPVSDF)BOEMFS .VUBUJOH 8FCIPPL 7BMJEBUJOH 8FCIPPL "ENJTTJPO8FCIPPL ʜ ʜ ʜ

    ʜ "ENJTTJPO ʜ ʜ 7BMJEBUJPO Admission Webhook ೚ҙͷॲཧΛWebServer ΁ͷHookͱͯ͠௥ՃͰ͖Δ

  6. ࠓճ࡞ͬͨAdmission Webhook

  7. Berglas Secret Admission Webhook GCPͷSecret؅ཧπʔϧͰ͋Δ BerglasΛ࢖ͬͯɺಁաతͳSecret؅ཧΛ࣮ݱ

  8. ࡞ͬͨAdmission Webhookͷ໨త ໨త: Secretͷ؅ཧͰɺGit্ʹSecretͷValueΛ࢒͞ͳ͍ Α͏ʹ͍ͨ͠ɻGCP্ͷSecret؅ཧʹBerglasΛ ࢖͍ͬͯΔͷͰɺBerglasΛK8sͰ΋׆༻͍ͨ͠ɻ apiVersion: v1 kind: Secret

    metadata: name: database_secret data: PASS: cGFzc3dvcmQ= $ echo cGFzc3dvcmQ= | base64 --decode password ໰୊఺: ͨͩͷBase64Τϯίʔυͩͱ ͙͢ʹσίʔυͰ͖ͯ͠·͏ ࡞ͬͨAdmission Webhook: Berglas্ʹ࡞ͬͨSecretΛɺK8s্ʹ෮߸ͯ͘͠ΕΔ → YAML͸୭͕ݟͯ΋໰୊ͳ͍Α͏ʹ͢Δ

  9. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ҉߸ʹར༻ Secretσʔλ͕࡞ΒΕΔ berglas create <BUCKET>/<KEY> <VALUE> Encrypt

  10. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ෮߸ʹར༻ SecretσʔλΛࢀর berglas access <BUCKET>/<KEY> Decrypt

  11. Admission Webhook࡞੒ʹ࢖ͬͨ΋ͷ Kubewebhook: Admission WebhookΛ࡞ΔͨΊͷϑϨʔϜϫʔΫ AdmissionReview, AdmissionResponseͱ͍ͬͨɺ Admission Webhookʹඞཁͳ෦෼Λड͚࣋ͬͯ͘ΕΔ ར༻ऀ͸Mutateؔ਺ͱValidateؔ਺ͷ࣮૷ʹूதͰ͖Δ

    Berglas API: https://github.com/slok/kubewebhook https://github.com/GoogleCloudPlatform/berglas SampleͰCloud FunctionΛར༻ͨ͠Admission Webhookͷ ྫ΋͋Δ͕ɺ༻్͕ҟͳͬͨͷͰࠓճ͸WebhookΛࣗ࡞ https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

  12. Berglas Secret Admission Webhook SecretΛ࡞੒͢Δͱɺʮberglas://ʙʯͱ͍͏ϦϑΝϨϯε ͕͋Δ΋ͷ͸ɺಁաతʹ෮߸Խ͢Δ(ͦΕҎ֎͸εΩοϓ) ᶃ kubectl apply -f

    secret.yaml Mutating Webhook Server Validating Webhook Server #FSHMBT apiVersion: v1 kind: Secret metadata: name: database_secret data: PASS: berglas://BUCKET/pass ᶄ Admission Webhook ᶅ Mutate ᶇ Validate ᶆ Decode

  13. ϋϚͬͨͱ͜Ζ

  14. Managed K8sͰಈ͔ͳ͍(ͱצҧ͍ͯͨ͠) Admission Webhook cannot work on private GKE clusters

    https://github.com/elastic/cloud-on-k8s/issues/1437 443ϙʔτҎ֎ͰɺWebhook ServerΛಈ͔͍ͯ͠Δͱɺ Webhook ServerͷPod·ͰAPI Request͕౸ୡ͠ͳ͍ɻ GKEͰ͸ΤϯυϙΠϯτIPʹ௚઀௨৴͢Δ͕ɺ443(HTTPS), 10250(Kubelet)ͷϙʔτ͔͠ڐՄ͞Ε͍ͯͳ͍ͨΊ Webhook Server Master VPC Worker VPC Port: 443 ͸ڐՄ ※443Ҏ֎ͷ৔߹͸ɺϑΝΠΞ΢Υʔϧͷ݀։͚͕ඞཁ

  15. ࢀߟʹ͢Δͱྑ͍΋ͷ Admission Webhooks: Configuration and Debugging Best Practices - Haowei

    Cai, Google https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best- practices-haowei-cai-google

  16. Thank you