
Convenient Secret Management with an Admission Webhook / Berglas Secret Admission Webhook

go_vargo
December 18, 2019

Transcript

  1. Convenient Secret Management with an Admission Webhook
    2019/12/18
    Kubernetes Invitational Meetup Tokyo #4

  2. What is an Admission Webhook?

  3. Admission Control
    Admission Control is the mechanism that can mutate (Mutate) and validate (Validate) an API request after authentication and authorization.
    [figure: kube-apiserver request pipeline: HTTP Handler → Authenticate → Authorize → Mutate Admission → Scheme Validation → Validate Admission → ...]

  5. Admission Webhook
    [figure: inside kube-apiserver, the ResourceHandler calls the Mutating Webhook in the Admission step and the Validating Webhook in the Validation step]
    With an Admission Webhook, arbitrary processing can be added to this pipeline as a hook to a web server.

  6. The Admission Webhook I built this time

  7. Berglas Secret Admission Webhook
    Uses Berglas, a Secret management tool for GCP, to realize transparent Secret management.

  8. Purpose of the Admission Webhook I built
    Purpose:
    When managing Secrets, I do not want to leave Secret values in Git. Since I already use Berglas for Secret management on GCP, I want to make use of Berglas on K8s as well.
    apiVersion: v1
    kind: Secret
    metadata:
      name: database-secret   # '_' is not allowed in a resource name
    data:
      PASS: cGFzc3dvcmQ=
    $ echo cGFzc3dvcmQ= | base64 --decode
    password
    Problem: with plain Base64 encoding, the value can be decoded immediately.
    The Admission Webhook I built:
    Decrypts a Secret created in Berglas onto K8s
    → the YAML becomes safe for anyone to look at

  9. Berglas
    Berglas is a CLI tool for managing Secrets (confidential information) on Google Cloud Platform.
    Using a key held in Cloud KMS, Berglas can encrypt and decrypt a Secret (note: this is a different thing from a K8s Secret).
    [figure: berglas create / Encrypt: Berglas uses the Key Management Service key for encryption and the Secret data is created in Cloud Storage]

  10. Berglas
    Berglas is a CLI tool for managing Secrets (confidential information) on Google Cloud Platform.
    Using a key held in Cloud KMS, Berglas can encrypt and decrypt a Secret (note: this is a different thing from a K8s Secret).
    [figure: berglas access / Decrypt: Berglas reads the Secret data from Cloud Storage and uses the Key Management Service key for decryption]

  11. What I used to build the Admission Webhook
    Kubewebhook:
    https://github.com/slok/kubewebhook
    A framework for building Admission Webhooks. It takes care of the parts an Admission Webhook needs, such as AdmissionReview and AdmissionResponse, so the user can concentrate on implementing the Mutate and Validate functions.
    Berglas API:
    https://github.com/GoogleCloudPlatform/berglas
    The samples include an example Admission Webhook that uses Cloud Functions, but its use case was different, so this time I wrote the webhook myself.
    https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

  12. Berglas Secret Admission Webhook
    When a Secret is created, any value that holds a "berglas://..." reference is decrypted transparently (everything else is skipped).
    ① kubectl apply -f secret.yaml
    ② Admission Webhook
    ③ Mutate (Mutating Webhook Server)
    ④ Decode (Berglas)
    ⑤ Validate (Validating Webhook Server)
    apiVersion: v1
    kind: Secret
    metadata:
      name: database-secret
    stringData:   # plain-text values; under data: the value would have to be base64-encoded
      PASS: berglas://BUCKET/pass
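
The Mutate and Decode steps (③ and ④) of slide 12, and the "arbitrary processing as a hook" idea of slide 5, as an added example that is neither the deck's code nor the Berglas or kubewebhook projects' code: a dependency-free Go sketch of what a kubewebhook Mutate function does for a Secret. It parses a constructed AdmissionReview, base64-decodes each data value, and emits an RFC 6902 JSON Patch that replaces every value starting with berglas:// by the resolved plaintext. The Resolver interface and MapResolver are assumptions standing in for the Berglas client (the equivalent of berglas access BUCKET/pass); handling stringData alongside data goes beyond what the slide shows.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

const berglasPrefix = "berglas://"

// Resolver hides how a berglas:// reference becomes plaintext.
// Assumption: in a real webhook this wraps the Berglas client; here a map stands in.
type Resolver interface {
	Resolve(ref string) ([]byte, error)
}

// MapResolver is a constructed in-memory stand-in for Berglas.
type MapResolver map[string][]byte

func (m MapResolver) Resolve(ref string) ([]byte, error) {
	v, ok := m[strings.TrimPrefix(ref, berglasPrefix)]
	if !ok {
		// The reference is not secret, so it is safe to name in the error.
		return nil, fmt.Errorf("no secret stored for reference %s", ref)
	}
	return v, nil
}

// admissionReview keeps only the AdmissionReview fields the mutation needs.
type admissionReview struct {
	Request struct {
		Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
		Object json.RawMessage `json:"object"`
	} `json:"request"`
}

type secret struct {
	Data       map[string]string `json:"data"`       // base64-encoded values
	StringData map[string]string `json:"stringData"` // plain-text values
}

// PatchOp is one RFC 6902 JSON Patch operation, the format a mutating
// webhook returns in AdmissionResponse.patch with patchType "JSONPatch".
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// escapePointer applies RFC 6901 escaping to one JSON Pointer segment.
func escapePointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// MutateSecret returns the patch that replaces every berglas:// reference in
// the Secret with its resolved value. Keys without a reference are skipped,
// non-Secret objects are admitted unchanged, and an unresolvable reference is
// an error, so the Secret is never stored with a dangling reference in it.
func MutateSecret(review []byte, r Resolver) ([]PatchOp, error) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return nil, err
	}
	if ar.Request.Kind.Kind != "Secret" {
		return nil, nil
	}
	var s secret
	if err := json.Unmarshal(ar.Request.Object, &s); err != nil {
		return nil, err
	}
	var ops []PatchOp
	for k, v := range s.Data {
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil || !strings.HasPrefix(string(raw), berglasPrefix) {
			continue
		}
		plain, err := r.Resolve(string(raw))
		if err != nil {
			return nil, fmt.Errorf("data key %s: %w", k, err)
		}
		ops = append(ops, PatchOp{"replace", "/data/" + escapePointer(k),
			base64.StdEncoding.EncodeToString(plain)})
	}
	for k, v := range s.StringData {
		if !strings.HasPrefix(v, berglasPrefix) {
			continue
		}
		plain, err := r.Resolve(v)
		if err != nil {
			return nil, fmt.Errorf("stringData key %s: %w", k, err)
		}
		ops = append(ops, PatchOp{"replace", "/stringData/" + escapePointer(k), string(plain)})
	}
	// Map iteration order is random; sort so the patch is deterministic.
	sort.Slice(ops, func(i, j int) bool { return ops[i].Path < ops[j].Path })
	return ops, nil
}

// SampleReview builds a constructed AdmissionReview for a Secret whose PASS
// key holds a Berglas reference and whose USER key is an ordinary value.
func SampleReview() []byte {
	enc := base64.StdEncoding.EncodeToString
	return []byte(fmt.Sprintf(`{"request":{"kind":{"kind":"Secret"},
	  "object":{"apiVersion":"v1","kind":"Secret",
	    "metadata":{"name":"database-secret"},
	    "data":{"PASS":%q,"USER":%q}}}}`,
		enc([]byte("berglas://BUCKET/pass")), enc([]byte("admin"))))
}

func main() {
	// Constructed store: what `berglas access BUCKET/pass` would return.
	store := MapResolver{"BUCKET/pass": []byte("password")}
	ops, err := MutateSecret(SampleReview(), store)
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(ops)
	fmt.Println(string(out)) // the patch carries base64("password"), the reference is gone
}
```

Two design points matter for a webhook like this: it fails closed (an unknown reference rejects the request rather than admitting the Secret with the raw reference), and the only value that ever reaches a log or error message is the berglas:// reference, never the resolved plaintext, which exists only inside the returned patch.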

  13. Where I got stuck

  14. It doesn't work on managed K8s (or so I mistakenly thought)
    "Admission Webhook cannot work on private GKE clusters"
    https://github.com/elastic/cloud-on-k8s/issues/1437
    If the Webhook Server is running on a port other than 443, API requests never reach the Webhook Server's Pod.
    On GKE the control plane talks directly to the endpoint IP, but only ports 443 (HTTPS) and 10250 (Kubelet) are allowed.
    [figure: Master VPC → Worker VPC (Webhook Server); port 443 is allowed]
    Note: for a port other than 443, a hole must be opened in the firewall.

  15. Useful references
    Admission Webhooks: Configuration and Debugging Best Practices - Haowei Cai, Google
    https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best-practices-haowei-cai-google