Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

go_vargo
December 18, 2019
Programming
5
3.1k

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

go_vargo

December 18, 2019
Tweet

More Decks by go_vargo

See All by go_vargo
Kubernetes Internal #9 - Minikube
govargo
0
180
気をつけたいKubernetesとの付き合い方 / Happy Kubernetes Life
govargo
6
2.5k
[CNDT2020]Linux Observability with BPF Performance Tools
govargo
15
3k
[CNDK2019]Production Ready Kubernetesに必要な15のこと / Production Ready Kubernetes 15 Rules
govargo
38
14k
ゼロから始めるKubernetes Controller / Under the Kubernetes Controller
govargo
35
12k
Inside of Kubernetes Controller
govargo
20
9.7k
コロプラが実践しているSpinnakerを用いたデプロイ戦略 / Deploy Strategy with Spinnaker at Colopl
govargo
6
3.9k
Improve Docker Image by BuildKit
govargo
4
1.2k
Debugging for MicroService on Kubernetes
govargo
2
480

Other Decks in Programming

See All in Programming
what's new in Material Design で気になったトピック
punchdrunker
1
230
Firebase A/B TestingとRemote Config
を最大限に活用する方法
mukky620
0
250
The Adventure of RedAmber - A data frame library in Ruby
heronshoes
0
220
M5Stack用の指紋認証デバイスを試す
ufoo68
0
110
Multiverse Ruby
shioyama
1
2.4k
Let's write RBS!
pocke
0
1.6k
Compose로 Android&Desktop 멀티플랫폼 만들기
pangmoo
0
110
Writing Greener Java Applications
hollycummins
0
270
RBS meets LLMs - Type inference using LLM
kokuyouwind
0
210
Code readability: Session 1 (ver. 2, En)
munetoshi
0
130
LLMによるプロット生成の試み(スターウォーズ)
hitokun
0
990
ランニングコストやっべぇぞ!ECS/FargateでECRへのアクセスについて
honma12345
0
790

Featured

See All Featured
Designing the Hi-DPI Web
ddemaree
273
33k
GraphQLの誤解/rethinking-graphql
sonatard
41
8.2k
Building Applications with DynamoDB
mza
86
5.1k
A designer walks into a library…
pauljervisheath
199
17k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.5k
It's Worth the Effort
3n
179
26k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
BBQ
matthewcrist
75
8.2k
Intergalactic Javascript Robots from Outer Space
tanoku
262
26k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.3k

Transcript

  1. Admission Webhook
    ͰշదͳSecret؅ཧ
    2019/12/18
    Kubernetes Invitational Meetup Tokyo #4

    View Slide

  2. Admission Webhookͱ͸ʁ

    View Slide

  3. Admission Control
    Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ
    มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ
    )551
    )BOEMFS
    "VUIFOUJDBUF
    "VUIPSJ[F
    .VUBUF
    "ENJTTJPO
    4DIFNF
    7BMJEBUJPO
    7BMJEBUF
    "ENJTTJPO
    ɾɾɾ

    View Slide

  4. Admission Control
    Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ
    มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ
    )551
    )BOEMFS
    "VUIFOUJDBUF
    "VUIPSJ[F
    .VUBUF
    "ENJTTJPO
    4DIFNF
    7BMJEBUJPO
    7BMJEBUF
    "ENJTTJPO
    ɾɾɾ

    View Slide

  5. LVCFBQJTFSWFS
    3FTPVSDF)BOEMFS
    .VUBUJOH
    8FCIPPL
    7BMJEBUJOH
    8FCIPPL
    "ENJTTJPO8FCIPPL
    ʜ ʜ
    ʜ
    ʜ
    "ENJTTJPO
    ʜ
    ʜ
    7BMJEBUJPO
    Admission Webhook
    ೚ҙͷॲཧΛWebServer
    ΁ͷHookͱͯ͠௥ՃͰ͖Δ

    View Slide

  6. ࠓճ࡞ͬͨAdmission Webhook

    View Slide

  7. Berglas Secret
    Admission Webhook
    GCPͷSecret؅ཧπʔϧͰ͋Δ
    BerglasΛ࢖ͬͯɺಁաతͳSecret؅ཧΛ࣮ݱ

    View Slide

  8. ࡞ͬͨAdmission Webhookͷ໨త
    ໨త:
    Secretͷ؅ཧͰɺGit্ʹSecretͷValueΛ࢒͞ͳ͍
    Α͏ʹ͍ͨ͠ɻGCP্ͷSecret؅ཧʹBerglasΛ
    ࢖͍ͬͯΔͷͰɺBerglasΛK8sͰ΋׆༻͍ͨ͠ɻ
    apiVersion: v1
    kind: Secret
    metadata:
    name: database_secret
    data:
    PASS: cGFzc3dvcmQ=
    $ echo cGFzc3dvcmQ= | base64 --decode
    password
    ໰୊఺: ͨͩͷBase64Τϯίʔυͩͱ
    ͙͢ʹσίʔυͰ͖ͯ͠·͏
    ࡞ͬͨAdmission Webhook:
    Berglas্ʹ࡞ͬͨSecretΛɺK8s্ʹ෮߸ͯ͘͠ΕΔ
    → YAML͸୭͕ݟͯ΋໰୊ͳ͍Α͏ʹ͢Δ

    View Slide

  9. Berglas
    Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ
    ؅ཧ͢ΔͨΊͷCLIπʔϧɻ
    Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸
    Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)
    Key Management Service Cloud Storage
    #FSHMBT
    ҉߸ʹར༻
    Secretσʔλ͕࡞ΒΕΔ
    berglas create /
    Encrypt

    View Slide

  10. Berglas
    Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ
    ؅ཧ͢ΔͨΊͷCLIπʔϧɻ
    Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸
    Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)
    Key Management Service Cloud Storage
    #FSHMBT
    ෮߸ʹར༻
    SecretσʔλΛࢀর
    berglas access /
    Decrypt

    View Slide

  11. Admission Webhook࡞੒ʹ࢖ͬͨ΋ͷ
    Kubewebhook:
    Admission WebhookΛ࡞ΔͨΊͷϑϨʔϜϫʔΫ
    AdmissionReview, AdmissionResponseͱ͍ͬͨɺ
    Admission Webhookʹඞཁͳ෦෼Λड͚࣋ͬͯ͘ΕΔ
    ར༻ऀ͸Mutateؔ਺ͱValidateؔ਺ͷ࣮૷ʹूதͰ͖Δ
    Berglas API:
    https://github.com/slok/kubewebhook
    https://github.com/GoogleCloudPlatform/berglas
    SampleͰCloud FunctionΛར༻ͨ͠Admission Webhookͷ
    ྫ΋͋Δ͕ɺ༻్͕ҟͳͬͨͷͰࠓճ͸WebhookΛࣗ࡞
    https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

    View Slide

  12. Berglas Secret Admission Webhook
    SecretΛ࡞੒͢Δͱɺʮberglas://ʙʯͱ͍͏ϦϑΝϨϯε
    ͕͋Δ΋ͷ͸ɺಁաతʹ෮߸Խ͢Δ(ͦΕҎ֎͸εΩοϓ)
    ᶃ kubectl apply -f secret.yaml
    Mutating
    Webhook
    Server
    Validating
    Webhook
    Server
    #FSHMBT
    apiVersion: v1
    kind: Secret
    metadata:
    name: database_secret
    data:
    PASS: berglas://BUCKET/pass
    ᶄ Admission Webhook
    ᶅ Mutate ᶇ Validate
    ᶆ Decode

    View Slide

  13. ϋϚͬͨͱ͜Ζ

    View Slide

  14. Managed K8sͰಈ͔ͳ͍(ͱצҧ͍ͯͨ͠)
    Admission Webhook cannot work on private GKE clusters
    https://github.com/elastic/cloud-on-k8s/issues/1437
    443ϙʔτҎ֎ͰɺWebhook ServerΛಈ͔͍ͯ͠Δͱɺ
    Webhook ServerͷPod·ͰAPI Request͕౸ୡ͠ͳ͍ɻ
    GKEͰ͸ΤϯυϙΠϯτIPʹ௚઀௨৴͢Δ͕ɺ443(HTTPS),
    10250(Kubelet)ͷϙʔτ͔͠ڐՄ͞Ε͍ͯͳ͍ͨΊ
    Webhook Server
    Master VPC Worker VPC
    Port: 443
    ͸ڐՄ
    ※443Ҏ֎ͷ৔߹͸ɺϑΝΠΞ΢Υʔϧͷ݀։͚͕ඞཁ

    View Slide

  15. ࢀߟʹ͢Δͱྑ͍΋ͷ
    Admission Webhooks: Configuration and Debugging Best
    Practices - Haowei Cai, Google
    https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best-
    practices-haowei-cai-google

    View Slide

  16. Thank you

    View Slide