Comfortable Secret Management with Admission Webhooks / Berglas Secret Admission Webhook
go_vargo
December 18, 2019
Transcript
Comfortable Secret Management with Admission Webhooks
2019/12/18 Kubernetes Invitational Meetup Tokyo #4

What is an Admission Webhook?
Admission Control
Admission control is the stage after authentication and authorization at which an API request can be changed (Mutate) or checked (Validate).
[Diagram: HTTP Handler -> Authenticate -> Authorize -> Mutate Admission -> Scheme Validation -> Validate Admission -> ...]
[Diagram: inside kube-apiserver: Resource Handler ... Mutating Webhook (mutating admission) ... Validation ... Validating Webhook (validating admission); the two webhook stages are the Admission Webhooks]

Admission Webhook
An admission webhook lets you add arbitrary processing as a hook implemented by a web server of your own.
The Admission Webhook Built for This Talk

Berglas Secret Admission Webhook
Uses Berglas, the secret management tool for GCP, to achieve transparent secret management.

Purpose of the Webhook
Purpose: when managing Secrets, keep Secret values out of Git. Berglas is already used to manage secrets on GCP, so make use of Berglas from K8s as well.

  apiVersion: v1
  kind: Secret
  metadata:
    name: database-secret
  data:
    PASS: cGFzc3dvcmQ=

  $ echo cGFzc3dvcmQ= | base64 --decode
  password

A value that is merely Base64-encoded is decoded instantly.
What the webhook does: a Secret created in Berglas is decrypted into K8s, so the YAML can be safely seen by anyone.
Berglas
Berglas is a CLI tool for managing secrets (confidential data) on Google Cloud Platform. Using a key held in Cloud KMS, Berglas can encrypt and decrypt secrets. (Note: these are separate from K8s Secrets.)
[Diagram, encrypt: berglas create <BUCKET>/<KEY> <VALUE> -> Key Management Service (used for encryption) + Cloud Storage (the Secret data is created)]
[Diagram, decrypt: berglas access <BUCKET>/<KEY> -> Key Management Service (used for decryption) + Cloud Storage (the Secret data is read)]
What the Admission Webhook Was Built With
Kubewebhook: a framework for building admission webhooks. It takes care of the parts every admission webhook needs, such as AdmissionReview and AdmissionResponse, so the user can concentrate on implementing the Mutate and Validate functions.
https://github.com/slok/kubewebhook
Berglas API:
https://github.com/GoogleCloudPlatform/berglas
The Berglas samples include an admission webhook that uses Cloud Functions, but its purpose was different, so the webhook for this talk was written from scratch:
https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes
Berglas Secret Admission Webhook
When a Secret is created, any value that is a "berglas://..." reference is transparently decrypted; everything else is skipped.
[Flow: (1) kubectl apply -f secret.yaml -> (2) Admission Webhook -> (3) Mutate (Mutating Webhook Server) -> (4) Decode via Berglas -> (5) Validate (Validating Webhook Server)]

  apiVersion: v1
  kind: Secret
  metadata:
    name: database-secret
  data:
    PASS: berglas://BUCKET/pass
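As an added example (not the talk's code, nor Berglas's or kubewebhook's), the core of such a Mutate function: the Berglas call sits behind an assumed Resolver interface so the logic runs offline against a constructed FakeResolver, and MutateSecretData is an assumed name.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const berglasPrefix = "berglas://"

// Resolver returns the plaintext behind a berglas://BUCKET/KEY reference.
// The real webhook would back this with the Berglas API (berglas access);
// it is an interface here so the mutation logic runs offline against a fake.
type Resolver interface {
	Access(ref string) ([]byte, error)
}

// FakeResolver is a constructed stand-in for Berglas, keyed by reference.
type FakeResolver map[string][]byte

func (f FakeResolver) Access(ref string) ([]byte, error) {
	if v, ok := f[ref]; ok {
		return v, nil
	}
	return nil, fmt.Errorf("berglas: no secret at %s", ref)
}

// MutateSecretData edits a Secret's .data map in place, as a kubewebhook
// Mutator edits the object it is handed (the framework derives the JSON patch
// from the before/after difference). Values are base64 in .data, so each is
// decoded; one starting with "berglas://" is resolved and replaced by the
// base64 of the fetched plaintext, everything else is skipped. An unresolvable
// reference fails the request, so the literal reference is never stored.
func MutateSecretData(data map[string]string, r Resolver) ([]string, error) {
	var rewritten []string
	for key, encoded := range data {
		raw, err := base64.StdEncoding.DecodeString(encoded)
		if err != nil {
			return nil, fmt.Errorf("data[%s]: invalid base64: %w", key, err)
		}
		if !strings.HasPrefix(string(raw), berglasPrefix) {
			continue
		}
		plain, err := r.Access(string(raw))
		if err != nil {
			return nil, fmt.Errorf("data[%s]: %w", key, err)
		}
		data[key] = base64.StdEncoding.EncodeToString(plain)
		rewritten = append(rewritten, key)
	}
	return rewritten, nil
}
```

Returning an error from the Mutator makes the API server reject the Secret, which is the safe outcome when a reference cannot be resolved.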
Where I Got Stuck
It does not work on managed K8s (or so I mistakenly thought): "Admission Webhook cannot work on private GKE clusters"
https://github.com/elastic/cloud-on-k8s/issues/1437
If the webhook server listens on a port other than 443, API requests never reach the webhook server's Pod. On GKE the control plane talks to the endpoint IP, but only ports 443 (HTTPS) and 10250 (Kubelet) are allowed through.
[Diagram: Master VPC -> Worker VPC (Webhook Server), Port 443 allowed]
Note: for any port other than 443, a firewall rule has to be opened.
Good References
Admission Webhooks: Configuration and Debugging Best Practices - Haowei Cai, Google
https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best-practices-haowei-cai-google
Thank you