
k8sとOPAつなげてみた - Admission Controller編

k8sとOPAつなげてみた - Admission Controller編

Kengo Suzuki

March 18, 2019



Transcript

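  # Slide 1: register OPA as a validating admission webhook for every CREATE/UPDATE.
# Source: https://aws.amazon.com/jp/blogs/opensource/using-open-policy-agent-on-amazon-eks/
#
# Changes vs. the original listing:
#  - failurePolicy is set explicitly. The original omitted it, and in
#    admissionregistration.k8s.io/v1beta1 the default is Ignore, i.e. fail-open:
#    whenever the OPA service is unreachable or times out, every matching request
#    is admitted without being evaluated. Fail makes the webhook fail-closed.
#  - a namespaceSelector keeps the webhook from gating the namespaces OPA itself
#    depends on. With apiGroups/resources "*" and failurePolicy Fail, an unhealthy
#    OPA would otherwise block recreating its own pods (and kube-system objects),
#    locking the cluster out of the fix. The excluded namespaces must be labelled
#    first:  kubectl label ns opa openpolicyagent.org/webhook=ignore
#            kubectl label ns kube-system openpolicyagent.org/webhook=ignore
#
# The heredoc is intentionally unquoted so that $(...) below expands: caBundle is
# the base64 of ca.crt on one line (tr -d '\n' instead of base64 -w0 so the same
# command works with BSD/macOS base64).
cat > webhook-configuration.yaml <<EOF
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
  name: opa-validating-webhook
webhooks:
  - name: validating-webhook.openpolicyagent.org
    # Fail-closed: a request is rejected if OPA cannot be reached.
    failurePolicy: Fail
    # Do not evaluate objects in namespaces labelled openpolicyagent.org/webhook=ignore.
    namespaceSelector:
      matchExpressions:
        - key: openpolicyagent.org/webhook
          operator: NotIn
          values: ["ignore"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources: ["*"]
    clientConfig:
      caBundle: $(base64 < ca.crt | tr -d '\n')
      service:
        namespace: opa
        name: opa
EOF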
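  # Slide 2: deny an Ingress whose host is not on its namespace's whitelist.
# Source: https://www.openpolicyagent.org/docs/kubernetes-admission-control.html
#
# fqdn_matches_any(host, patterns) is referenced but not part of this listing;
# it must be defined in the same package (the linked tutorial provides it).
# data.kubernetes.namespaces is presumably replicated into OPA by a sidecar such
# as kube-mgmt -- that setup is not shown here.
package kubernetes.admission

import data.kubernetes.namespaces

# Operations this policy evaluates. The webhook on slide 1 is registered for
# CREATE and UPDATE, but the original rule only matched CREATE, so an Ingress
# created with a whitelisted host could later be updated to any other host
# without being denied.
checked_operations = {"CREATE", "UPDATE"}

deny[msg] {
    input.request.kind.kind == "Ingress"
    checked_operations[input.request.operation]
    host := input.request.object.spec.rules[_].host
    not fqdn_matches_any(host, valid_ingress_hosts)
    msg := sprintf("invalid ingress host %q", [host])
}

# Hosts permitted in the request's namespace, read from the namespace's
# comma-separated "ingress-whitelist" annotation. If the annotation is absent
# the set is empty, so every host is denied (fail-closed).
valid_ingress_hosts = {host |
    whitelist := namespaces[input.request.namespace].metadata.annotations["ingress-whitelist"]
    hosts := split(whitelist, ",")
    host := hosts[_]
}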
  3. Demo: an Ingress whose host is not on the qa namespace's ingress-whitelist annotation is rejected by the policy on slide 2.

% cat ingress-bad.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-bad
spec:
  rules:
  - host: acmecorp.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
% kubectl create -f ingress-bad.yaml -n qa
Error from server (invalid ingress host "acmecorp.com"): error when creating "ingress-bad.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the request: invalid ingress host "acmecorp.com"

https://www.openpolicyagent.org/docs/kubernetes-admission-control.html
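  # Slide 4: write a policy that only admits Pods whose images come from the trusted ECR registry.
# Source: https://aws.amazon.com/jp/blogs/opensource/using-open-policy-agent-on-amazon-eks/
#
# Changes vs. the original listing:
#  - registry_matches used contains(), a substring test. An image such as
#    "docker.io/attacker/602401143452.dkr.ecr.ap-northeast-1.amazonaws.com" or
#    "evil.example/602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/app" would
#    have been admitted. The registry is the first path component of an image
#    reference, so the check is now an exact prefix match on "<registry>/".
#  - only spec.containers was inspected; spec.initContainers is inspected too.
#  - only CREATE was checked. A Pod's container image field is mutable and the
#    webhook on slide 1 is registered for UPDATE, so UPDATE is checked as well.
#  - "name := ...metadata.name" made the whole deny body undefined -- i.e. the
#    Pod was admitted -- for an object submitted with generateName and no name.
#    The name is only used in the message, so it now falls back instead.
#  - the typographic quote (“) in the registry list is replaced with a plain ".
#
# The heredoc is quoted: the Rego must be written literally, with no shell expansion.
cat > image_source.rego <<'EOF'
package kubernetes.admission

# Operations this policy evaluates (matches the webhook registration).
checked_operations = {"CREATE", "UPDATE"}

deny[msg] {
    input.request.kind.kind == "Pod"
    checked_operations[input.request.operation]
    image := pod_images[_]
    not registry_whitelisted(image, whitelisted_registries)
    msg := sprintf("pod %q has invalid registry %q", [pod_name, image])
}

# Images of every container in the Pod spec, init containers included.
pod_images[image] {
    image := input.request.object.spec.containers[_].image
}

pod_images[image] {
    image := input.request.object.spec.initContainers[_].image
}

# Name used in the denial message; never undefined, so a missing metadata.name
# cannot silently disable the deny rule.
pod_name = name {
    name := input.request.object.metadata.name
} else = name {
    name := input.request.object.metadata.generateName
} else = "<unnamed>" {
    true
}

whitelisted_registries = {registry |
    registries := ["602401143452.dkr.ecr.ap-northeast-1.amazonaws.com"]
    registry := registries[_]
}

registry_whitelisted(str, patterns) {
    registry_matches(str, patterns[_])
}

# The registry is the image reference's first path component: require that the
# reference starts with "<registry>/". A substring match would accept the
# registry name appearing anywhere in the reference.
registry_matches(str, pattern) {
    startswith(str, concat("", [pattern, "/"]))
}
EOF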
  5. Demo: a Pod pulling the bare "nginx" image (Docker Hub, not the whitelisted ECR registry) is rejected by the policy on slide 4.

% cat nginx.yaml
kind: Pod
apiVersion: v1
metadata:
  name: nginx
  labels:
    app: nginx
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
% kubectl apply -f nginx.yaml
Error from server (pod "nginx" has invalid registry "nginx"): error when creating "nginx.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the request: pod "nginx" has invalid registry "nginx"

https://aws.amazon.com/jp/blogs/opensource/using-open-policy-agent-on-amazon-eks/