Hassle-free Secret Management with an Admission Webhook / Berglas Secret Admission Webhook

go_vargo
December 18, 2019


Transcript

  1. Hassle-free Secret Management with an Admission Webhook. 2019/12/18 Kubernetes Invitational Meetup Tokyo #4

  2. What is an Admission Webhook?

  3. Admission Control. Admission Control is the mechanism that lets an API request be mutated (Mutate) and validated (Validate) after authentication and authorization.

    Diagram of the kube-apiserver request path: HTTP Handler → Authenticate → Authorize → Mutate Admission → Scheme Validation → Validate Admission → ...
  4. (Same content as slide 3.)
  5. Diagram of where the hooks sit: kube-apiserver → ResourceHandler → Mutating Webhook / Validating Webhook (AdmissionWebhook), inside the Admission and Validation stages.

    Admission Webhook: lets you add arbitrary processing to this pipeline as a hook that calls out to your own web server.
  6. The Admission Webhook I built

  7. Berglas Secret Admission Webhook. Uses Berglas, the GCP secret-management tool, to achieve transparent Secret management.

  8. Purpose of the webhook. Goal: manage Secrets without leaving Secret values in Git. I already use Berglas for Secret management on GCP, so I want to make use of Berglas on K8s as well.

    apiVersion: v1
    kind: Secret
    metadata:
      name: database_secret
    data:
      PASS: cGFzc3dvcmQ=

    $ echo cGFzc3dvcmQ= | base64 --decode
    password

    Problem: a plain Base64 encoding can be decoded right away. The webhook I built decrypts a Secret created in Berglas onto K8s → the YAML is safe for anyone to look at.
  9. Berglas. Berglas is a CLI tool for managing secrets (confidential data) on Google Cloud Platform. Using a key held in Cloud KMS, Berglas can encrypt and decrypt secrets. (Note: these are distinct from K8s Secrets.)

    Diagram (encrypt): Key Management Service (used for encryption), Cloud Storage (where the secret data is created), Berglas. berglas create <BUCKET>/<KEY> <VALUE> → Encrypt
  10. (Same text as slide 9.)

    Diagram (decrypt): Key Management Service (used for decryption), Cloud Storage (where the secret data is read), Berglas. berglas access <BUCKET>/<KEY> → Decrypt
  11. What I used to build the Admission Webhook. Kubewebhook: a framework for building Admission Webhooks. It takes care of the pieces every Admission Webhook needs, such as AdmissionReview and AdmissionResponse, so the user can concentrate on implementing the Mutate and Validate functions. https://github.com/slok/kubewebhook

    Berglas API: https://github.com/GoogleCloudPlatform/berglas. The samples include an Admission Webhook that uses Cloud Functions, but its use case was different, so this time I wrote the webhook myself. https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes
  12. Berglas Secret Admission Webhook. When a Secret is created, any value holding a "berglas://..." reference is transparently decrypted (everything else is skipped).

    Flow: ① kubectl apply -f secret.yaml → ② Admission Webhook → ③ Mutate (Mutating Webhook Server) → ④ Decode (Berglas) → ⑤ Validate (Validating Webhook Server)

    secret.yaml:
    apiVersion: v1
    kind: Secret
    metadata:
      name: database_secret
    data:
      PASS: berglas://BUCKET/pass
  13. Where I got stuck

  14. It doesn't work on managed K8s (or so I mistakenly believed). "Admission Webhook cannot work on private GKE clusters"

    https://github.com/elastic/cloud-on-k8s/issues/1437
    If the webhook server listens on a port other than 443, API requests never reach the webhook server's Pod. On GKE the API server connects directly to the endpoint IP, but only ports 443 (HTTPS) and 10250 (kubelet) are allowed.
    Diagram: Webhook Server, Master VPC → Worker VPC, Port 443 is allowed. Note: for a port other than 443, a firewall rule has to be opened.
  15. Useful references. Admission Webhooks: Configuration and Debugging Best Practices - Haowei Cai, Google

    https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best-practices-haowei-cai-google
  16. Thank you
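The Mutate step and the "skip everything else" rule from slide 12, as an added Go example (this is not the talk's webhook, nor kubewebhook or Berglas code): a berglas:// value is split into bucket and key, resolved through an assumed Resolver callback that stands in for berglas access, and written back, while ordinary values pass through untouched. The Secret's data is modelled as map[string][]byte, the shape of corev1.Secret.Data after the API server has base64-decoded it.

```go
package main

import (
	"fmt"
	"strings"
)

const berglasPrefix = "berglas://" // marks a Secret value as a Berglas reference

// Resolver returns the plaintext for a Berglas reference <BUCKET>/<KEY>. The real
// webhook would call Berglas (berglas access) with GCP credentials; this assumed
// function type lets the mutation logic be exercised offline against a stub.
type Resolver func(bucket, key string) ([]byte, error)

// ParseReference splits "berglas://BUCKET/KEY" into its parts. isRef is false
// for ordinary values, which the webhook leaves untouched (the "skip" case).
func ParseReference(value string) (bucket, key string, isRef bool, err error) {
	if !strings.HasPrefix(value, berglasPrefix) {
		return "", "", false, nil
	}
	bucket, key, found := strings.Cut(strings.TrimPrefix(value, berglasPrefix), "/")
	if !found || bucket == "" || key == "" {
		return "", "", true, fmt.Errorf("malformed berglas reference %q", value)
	}
	return bucket, key, true, nil
}

// MutateSecretData is the Mutate step: each berglas:// value in the Secret's data
// is replaced by its plaintext, other keys pass through. It returns a new map for
// the caller to diff (kubewebhook derives the JSON patch from the mutated object);
// one bad reference fails the whole mutation, so a half-decrypted Secret is never admitted.
func MutateSecretData(data map[string][]byte, resolve Resolver) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data))
	for name, raw := range data {
		bucket, key, isRef, err := ParseReference(string(raw))
		if err != nil {
			return nil, err
		}
		if !isRef {
			out[name] = raw
			continue
		}
		plain, err := resolve(bucket, key)
		if err != nil {
			return nil, fmt.Errorf("resolving %s: %w", name, err)
		}
		out[name] = plain
	}
	return out, nil
}
```

Because a failed lookup rejects the whole request, the API server reports the error to kubectl and never stores a Secret containing the raw reference.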