Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

C174e1ef0c746f53d989b1902b4e674e?s=47 go_vargo
December 18, 2019
Programming
5
1.2k

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

C174e1ef0c746f53d989b1902b4e674e?s=128

go_vargo

December 18, 2019
Tweet

More Decks by go_vargo

See All by go_vargo
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
36
11k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
29
6.5k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
14
6.1k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
6
2.1k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
4
740
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
2
210
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
3
430
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
0
1.3k

Other Decks in Programming

See All in Programming
5a065e7ea7c56f4b04c2271771688df3?s=48 raykataoka
34
18k
C302e84057a922dce0ecbe80207e3fcc?s=48 mu_zaru
0
300
0a98ad166f9cdf8d27d92c37438c6e9d?s=48 matsumana
0
350
Aae878e0b108379a60ca627ee262befa?s=48 susanpotter
0
180
Fb1b9f3d7332a7a7e262b70013b5f7dd?s=48 mtsmfm
0
120
3e049ed33195d00a8b745b16c63dce6e?s=48 leew
0
140
60952c750afeecd81999bd62e04d53cd?s=48 pi_chan
1
160
4131d2f57a0db2a2b4d9a62bd389fd44?s=48 tarcieri
0
260
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
120
B8403d102456248570005ee7fb2ba0f7?s=48 tooppoo
4
480
B1412c9ed55333c1df561f64dfad69d3?s=48 pantuza
1
320
0b26590a0a8b0f1da140ed5de9b68379?s=48 usamik26
0
120

Featured

See All Featured
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
154
6.1k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
205
9.9k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
9
1.3k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
110
24k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
175
14k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
497
36k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
333
15k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
494
110k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
144
6.4k
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
257
16k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k

Transcript

  1. Admission Webhook ͰշదͳSecret؅ཧ 2019/12/18 Kubernetes Invitational Meetup Tokyo #4

  2. Admission Webhookͱ͸ʁ

  3. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  4. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  5. LVCFBQJTFSWFS 3FTPVSDF)BOEMFS .VUBUJOH 8FCIPPL 7BMJEBUJOH 8FCIPPL "ENJTTJPO8FCIPPL ʜ ʜ ʜ

    ʜ "ENJTTJPO ʜ ʜ 7BMJEBUJPO Admission Webhook ೚ҙͷॲཧΛWebServer ΁ͷHookͱͯ͠௥ՃͰ͖Δ

  6. ࠓճ࡞ͬͨAdmission Webhook

  7. Berglas Secret Admission Webhook GCPͷSecret؅ཧπʔϧͰ͋Δ BerglasΛ࢖ͬͯɺಁաతͳSecret؅ཧΛ࣮ݱ

  8. ࡞ͬͨAdmission Webhookͷ໨త ໨త: Secretͷ؅ཧͰɺGit্ʹSecretͷValueΛ࢒͞ͳ͍ Α͏ʹ͍ͨ͠ɻGCP্ͷSecret؅ཧʹBerglasΛ ࢖͍ͬͯΔͷͰɺBerglasΛK8sͰ΋׆༻͍ͨ͠ɻ apiVersion: v1 kind: Secret

    metadata: name: database_secret data: PASS: cGFzc3dvcmQ= $ echo cGFzc3dvcmQ= | base64 --decode password ໰୊఺: ͨͩͷBase64Τϯίʔυͩͱ ͙͢ʹσίʔυͰ͖ͯ͠·͏ ࡞ͬͨAdmission Webhook: Berglas্ʹ࡞ͬͨSecretΛɺK8s্ʹ෮߸ͯ͘͠ΕΔ → YAML͸୭͕ݟͯ΋໰୊ͳ͍Α͏ʹ͢Δ

  9. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ҉߸ʹར༻ Secretσʔλ͕࡞ΒΕΔ berglas create <BUCKET>/<KEY> <VALUE> Encrypt

  10. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ෮߸ʹར༻ SecretσʔλΛࢀর berglas access <BUCKET>/<KEY> Decrypt

  11. Admission Webhook࡞੒ʹ࢖ͬͨ΋ͷ Kubewebhook: Admission WebhookΛ࡞ΔͨΊͷϑϨʔϜϫʔΫ AdmissionReview, AdmissionResponseͱ͍ͬͨɺ Admission Webhookʹඞཁͳ෦෼Λड͚࣋ͬͯ͘ΕΔ ར༻ऀ͸Mutateؔ਺ͱValidateؔ਺ͷ࣮૷ʹूதͰ͖Δ

    Berglas API: https://github.com/slok/kubewebhook https://github.com/GoogleCloudPlatform/berglas SampleͰCloud FunctionΛར༻ͨ͠Admission Webhookͷ ྫ΋͋Δ͕ɺ༻్͕ҟͳͬͨͷͰࠓճ͸WebhookΛࣗ࡞ https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

  12. Berglas Secret Admission Webhook SecretΛ࡞੒͢Δͱɺʮberglas://ʙʯͱ͍͏ϦϑΝϨϯε ͕͋Δ΋ͷ͸ɺಁաతʹ෮߸Խ͢Δ(ͦΕҎ֎͸εΩοϓ) ᶃ kubectl apply -f

    secret.yaml Mutating Webhook Server Validating Webhook Server #FSHMBT apiVersion: v1 kind: Secret metadata: name: database_secret data: PASS: berglas://BUCKET/pass ᶄ Admission Webhook ᶅ Mutate ᶇ Validate ᶆ Decode

  13. ϋϚͬͨͱ͜Ζ

  14. Managed K8sͰಈ͔ͳ͍(ͱצҧ͍ͯͨ͠) Admission Webhook cannot work on private GKE clusters

    https://github.com/elastic/cloud-on-k8s/issues/1437 443ϙʔτҎ֎ͰɺWebhook ServerΛಈ͔͍ͯ͠Δͱɺ Webhook ServerͷPod·ͰAPI Request͕౸ୡ͠ͳ͍ɻ GKEͰ͸ΤϯυϙΠϯτIPʹ௚઀௨৴͢Δ͕ɺ443(HTTPS), 10250(Kubelet)ͷϙʔτ͔͠ڐՄ͞Ε͍ͯͳ͍ͨΊ Webhook Server Master VPC Worker VPC Port: 443 ͸ڐՄ ※443Ҏ֎ͷ৔߹͸ɺϑΝΠΞ΢Υʔϧͷ݀։͚͕ඞཁ

  15. ࢀߟʹ͢Δͱྑ͍΋ͷ Admission Webhooks: Configuration and Debugging Best Practices - Haowei

    Cai, Google https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best- practices-haowei-cai-google

  16. Thank you