Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

C174e1ef0c746f53d989b1902b4e674e?s=47 go_vargo
December 18, 2019
Programming
5
2.1k

Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

C174e1ef0c746f53d989b1902b4e674e?s=128

go_vargo

December 18, 2019
Tweet

More Decks by go_vargo

See All by go_vargo
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
5
1.9k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
14
2.4k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
38
12k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
31
8.4k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
16
7.3k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
6
2.8k
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
4
850
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
2
280
C174e1ef0c746f53d989b1902b4e674e?s=48 govargo
4
470

Other Decks in Programming

See All in Programming
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
540
9e840766611f942c7c0a9ad6987a5d78?s=48 kishida
1
510
8ffce1486e39ee3f43f52be5580b9966?s=48 luiznasciment0
1
160
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
0
310
4a290dbd4f1c19bf2f25c2a230faf1bf?s=48 shirotamaki
0
240
85d7f0ae00c0cf1092dffcec966e3ae9?s=48 mattak
27
16k
588a291ce25b07e836ae5df8911eaf18?s=48 tdak
0
250
187099e8b7edf2164b254ccd0a079715?s=48 azukizuki
0
140
Df3a0444cb4726fd231a5d5ea4fe0a34?s=48 hiddenest12
0
290
070d33664df274636dad3da21c9b21fc?s=48 rockname
3
1.7k
9e68acadfe81c2634fae5b8c891f6814?s=48 tamaudon
0
150
A0aae1297a0593c1316abdcdb4131e3a?s=48 toedter
0
220

Featured

See All Featured
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1346
200k
11c84dff30266b907714802088852677?s=48 jasonvnalue
82
8.2k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
56
9.4k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
73
270k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
495
110k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
103
5.1k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
283
47k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
779
240k
245cee81a9c424266e5e401d844ea881?s=48 lara
172
9.9k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
40
2.4k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
93
3.1k

Transcript

  1. Admission Webhook ͰշదͳSecret؅ཧ 2019/12/18 Kubernetes Invitational Meetup Tokyo #4

  2. Admission Webhookͱ͸ʁ

  3. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  4. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551 )BOEMFS "VUIFOUJDBUF "VUIPSJ[F

    .VUBUF "ENJTTJPO 4DIFNF 7BMJEBUJPO 7BMJEBUF "ENJTTJPO ɾɾɾ

  5. LVCFBQJTFSWFS 3FTPVSDF)BOEMFS .VUBUJOH 8FCIPPL 7BMJEBUJOH 8FCIPPL "ENJTTJPO8FCIPPL ʜ ʜ ʜ

    ʜ "ENJTTJPO ʜ ʜ 7BMJEBUJPO Admission Webhook ೚ҙͷॲཧΛWebServer ΁ͷHookͱͯ͠௥ՃͰ͖Δ

  6. ࠓճ࡞ͬͨAdmission Webhook

  7. Berglas Secret Admission Webhook GCPͷSecret؅ཧπʔϧͰ͋Δ BerglasΛ࢖ͬͯɺಁաతͳSecret؅ཧΛ࣮ݱ

  8. ࡞ͬͨAdmission Webhookͷ໨త ໨త: Secretͷ؅ཧͰɺGit্ʹSecretͷValueΛ࢒͞ͳ͍ Α͏ʹ͍ͨ͠ɻGCP্ͷSecret؅ཧʹBerglasΛ ࢖͍ͬͯΔͷͰɺBerglasΛK8sͰ΋׆༻͍ͨ͠ɻ apiVersion: v1 kind: Secret

    metadata: name: database_secret data: PASS: cGFzc3dvcmQ= $ echo cGFzc3dvcmQ= | base64 --decode password ໰୊఺: ͨͩͷBase64Τϯίʔυͩͱ ͙͢ʹσίʔυͰ͖ͯ͠·͏ ࡞ͬͨAdmission Webhook: Berglas্ʹ࡞ͬͨSecretΛɺK8s্ʹ෮߸ͯ͘͠ΕΔ → YAML͸୭͕ݟͯ΋໰୊ͳ͍Α͏ʹ͢Δ

  9. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ҉߸ʹར༻ Secretσʔλ͕࡞ΒΕΔ berglas create <BUCKET>/<KEY> <VALUE> Encrypt

  10. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ෮߸ʹར༻ SecretσʔλΛࢀর berglas access <BUCKET>/<KEY> Decrypt

  11. Admission Webhook࡞੒ʹ࢖ͬͨ΋ͷ Kubewebhook: Admission WebhookΛ࡞ΔͨΊͷϑϨʔϜϫʔΫ AdmissionReview, AdmissionResponseͱ͍ͬͨɺ Admission Webhookʹඞཁͳ෦෼Λड͚࣋ͬͯ͘ΕΔ ར༻ऀ͸Mutateؔ਺ͱValidateؔ਺ͷ࣮૷ʹूதͰ͖Δ

    Berglas API: https://github.com/slok/kubewebhook https://github.com/GoogleCloudPlatform/berglas SampleͰCloud FunctionΛར༻ͨ͠Admission Webhookͷ ྫ΋͋Δ͕ɺ༻్͕ҟͳͬͨͷͰࠓճ͸WebhookΛࣗ࡞ https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

  12. Berglas Secret Admission Webhook SecretΛ࡞੒͢Δͱɺʮberglas://ʙʯͱ͍͏ϦϑΝϨϯε ͕͋Δ΋ͷ͸ɺಁաతʹ෮߸Խ͢Δ(ͦΕҎ֎͸εΩοϓ) ᶃ kubectl apply -f

    secret.yaml Mutating Webhook Server Validating Webhook Server #FSHMBT apiVersion: v1 kind: Secret metadata: name: database_secret data: PASS: berglas://BUCKET/pass ᶄ Admission Webhook ᶅ Mutate ᶇ Validate ᶆ Decode

  13. ϋϚͬͨͱ͜Ζ

  14. Managed K8sͰಈ͔ͳ͍(ͱצҧ͍ͯͨ͠) Admission Webhook cannot work on private GKE clusters

    https://github.com/elastic/cloud-on-k8s/issues/1437 443ϙʔτҎ֎ͰɺWebhook ServerΛಈ͔͍ͯ͠Δͱɺ Webhook ServerͷPod·ͰAPI Request͕౸ୡ͠ͳ͍ɻ GKEͰ͸ΤϯυϙΠϯτIPʹ௚઀௨৴͢Δ͕ɺ443(HTTPS), 10250(Kubelet)ͷϙʔτ͔͠ڐՄ͞Ε͍ͯͳ͍ͨΊ Webhook Server Master VPC Worker VPC Port: 443 ͸ڐՄ ※443Ҏ֎ͷ৔߹͸ɺϑΝΠΞ΢Υʔϧͷ݀։͚͕ඞཁ

  15. ࢀߟʹ͢Δͱྑ͍΋ͷ Admission Webhooks: Configuration and Debugging Best Practices - Haowei

    Cai, Google https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best- practices-haowei-cai-google

  16. Thank you