Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Clusters with Kubernetes Extensibility

71d7f6cdf5b1934a1b69f0624f5a7523?s=47 Aya (Igarashi) Ozawa
October 25, 2018
Technology
5
630

Securing Clusters with Kubernetes Extensibility

@ Kubernetes & Cloud Native Meetup
https://wantedly.connpass.com/event/105371/

71d7f6cdf5b1934a1b69f0624f5a7523?s=128

Aya (Igarashi) Ozawa

October 25, 2018
Tweet

More Decks by Aya (Igarashi) Ozawa

See All by Aya (Igarashi) Ozawa
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
92
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
45
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
17
6.2k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
3
4k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
5
2.2k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
1
290
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
4
1.7k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
31
8.5k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
2
2.3k

Other Decks in Technology

See All in Technology
Cd891a89dfec6ca7bd278b5f5bd87c90?s=48 tzkoba
0
390
E39a62a5c1f1829cc6ce0ec642424947?s=48 cmwatanabeseigo
0
330
Ea29e2b19d11b48f867ae71d6a6de5df?s=48 opelab
2
290
0edbcf49de5aed437e279402dc0c6a7e?s=48 omn
0
570
405fe9ab689473f267e2cfbd95f78c75?s=48 kyonmm
1
2k
Cd823abda454a7a2065fe6fe273ae84b?s=48 viva_tweet_x
5
2.6k
567600e04dbcb14d6bd8f120e6625a27?s=48 tsuyo
0
180
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
330
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
190
1062ced7020a42219b8f668e14963746?s=48 asaju7142501
0
250
F3c727195d975cf7a4b300e4f5c2c0d1?s=48 am7cinnamon
2
2.7k
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.3k

Featured

See All Featured
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
626
42k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
119
7.8k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
145
19k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
267
17k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
83
4.7k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
39
2.3k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
204
35k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1348
190k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
69
3.5k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
127
20k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
237
23k

Transcript

  1. 4FDVSJOH$MVTUFSTXJUI ,VCFSOFUFT&YUFOTJCJMJUZ "ZB0[BXB !MBEJDMF 5BLBTIJ,VTVNJ ,VCFSOFUFT$MPVE/BUJWF.FFUVQ

  2.   "CPVUVT "ZB0[BXB!MBEJDMF 4PGUXBSF&OHJOFFS BU;-BC$PSQ 5BLBTIJ,VTVNJ 4PGUXBSF&OHJOFFS BU;-BC$PSQ

  3.   "ZB 5BLBTIJ 5PEBZˏTBHFOEB ,VCFSOFUFTBTB4FSWJDFGPS:BIPP+BQBO )PXTIPVMEXFDPOUSPMBDDFTTUPUIF,VCFSOFUFT"1*TFSWFS  8IBUJT+85BOE3#"$ BOE)PXUPVTFJU

    3#"$JT/05FOPVHI %FNPOTUSBUJPOPGQSJWJMFHFFTDBMBUJPO 4FDVSJOH,VCFSOFUFTXJUI7BMJEBUJOH"ENJTTJPO8FCIPPL

  4. ;-BC,VCFSOFUFTBTB4FSWJDF 4 .BTUFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS

    Ӝ4FMGIFBMJOHUIFXIPMF DMVTUFS Ӝ4DBMJOHDMVTUFSFBTJMZ Ӝ;FSPEPXOUJNFVQHSBEF DMVTUFSWFSTJPO .BKPS'FBUVSFT .BTUFS$MVTUFSNBOBHFTNVMUJQMF6TFS ,VCFSOFUFT$MVTUFSBOEJUTFMGVTJOH$3%

  5. )PXTIPVMEXFDPOUSPMBDDFTT 5 .BTUFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS 6TFS ,VCFSOFUFT$MVTUFS

    "QQ %FWFMPQFS "QQ %FWFMPQFS "QQ 0QFSBUPS LT 0QFSBUPS "UUBDLFS ✖%&/:

  6. "DDFTT$POUSPM

  7. TUFQT"DDFTT$POUSPM 7 "VUIFOUJDBUJPO "VUI/ "VUIPSJ[BUJPO "VUI; "ENJTTJPO $POUSPM "1*4FSWFS "DDFTT

  8. "MMPX 8IBUIBQQFOTJOFBDITUFQ 8 "DDFTT 8IPBSFZPV ✔$SFBUF9 ✖%FMFUF:  8IBUDBOZPVEP %FOZ

    %FOZ %FOZ 7BMJEBUJOH .PEJGZJOH ٥٥٥ "MMPX "MMPX "VUI/ "VUI; "ENJTTJPO$POUSPM

  9. "DDFTT$POUSPMNPEVMFT 9 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$

    3#"$ 8FCIPPL /PEF3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH "ENJTTJPO 8FCIPPL FUD FUD FUD

  10. 8IZEPXFVTF+85 10 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$

    3#"$ 8FCIPPL /PEF3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH "ENJTTJPO FUD FUD FUD Ӝ %ZOBNJDVTFSBVUIFOUJDBUJPO Ӝ 1BTTXPSEBOE1MBOF5PLFONPEVMFT SFRVJSFUPTFU"VUI/TFUUJOHXIFOCPPUJOH "1*TFSWFS Ӝ 4FWFSBM0*%$*E1TTVQQPSUUIJTNPEVMF

  11. 8IZEPXFVTF3#"$ 11 9DMJFOUDFSU 1BTTXPSE +85 1MBOF5PLFO "VUI/ "VUI; "ENJTTJPO$POUSPM "#"$

    3#"$ 8FCIPPL /PEF3PMF 4FSWJDF"DDPVOU 3FTPVSDF2VPUB 1SJPSJUZ 7BMJEBUJOH "ENJTTJPO FUD FUD FUD Ӝ %ZOBNJDBDDFTTBVUIPSJ[BUJPO Ӝ /PBEEJUJPOBMEFWFMPQNFOU Ӝ 3#"$TFUUJOHTDBOCF DPOSNFECZLVCFDUMMJLFBOZ PUIFSSFTPVSDFT /05&*GZPVBMSFBEZIBWF"VUI;TZTUFN  8FCIPPLJTBHPPEDIPJDF

  12. "VUI/+85 4FSWJDF"DDPVOU0*%$

  13. 5XPDBUFHPSJFTPG6TFST 13 "1*4FSWFS "DDFTT 6TFSNBOBHFECZLT FH#PU /PSNBM6TFS FH"MJDF

  14. #PUI4"BOE0*%$VTJOH+85 14 "1*4FSWFS 6TFSNBOBHFECZLT FH#PU /PSNBM6TFS FH"MJDF +85 +85 (FU+85GSPNB0*%$*E1

    (FU+85GSPN B4FSWJDF"DDPVOU

  15. 4"4FDSFUIBT+85 15 $SFBUFBCPU4" JOUIFTZTUFN/4 %FUFDUUIF DSFBUJPOFWFOU $SFBUFBCPU4"4FDSFU XJUI+85JOUIFTZTUFN/4 5PLFO $POUSPMMFS

    4FSWJDF "DDPVOU 4FDSFU +85

  16. 4"$POUSPMMFSDSFBUFTEFGBVMU4"GPSBMM/4 16 $SFBUFTZTUFN /BNFTQBDF $SFBUFEFGBVMU 4"JOTZTUFN/4 4" $POUSPMMFS 4FSWJDF "DDPVOU

    /BNF TQBDF %FUFDUUIF DSFBUJPOFWFOU

  17. 7PMVNF "MM1PETBTTPDJBUF4FSWJDF"DDPVOU 17 4""ENJTTJPO $POUSPMMFS .PVOU $SFBUF1PE 4FUEFGBVMU/"*GUIF 1PEEPFTOPUIBWF4" 4FDSFU

    +85 1PE 4FU*NBHF1VMM4FDSFUTPG4"*G UIF1PEEPFTOPUIBWFJU 4FU4FDSFUPG4"UPUIF1PEWPMVNF .PEJGZ1PE

  18. %FY0QFO*%$POOFDU*%1SPWJEFS 18 %FY 0*%$*E1 3FEJSFDU +85 6QTUSFBN*E1 FH'BDFCPPL $MJFOU IUUQTHJUIVCDPNEFYJEQEFY

    0*%$JTBTJNQMFJEFOUJUZMBZFSPO UPQPGUIF0"VUIQSPUPDPM

  19. +40/8FC5PLFODPOTJTUTPGQBSUT 19 )FBEFS 1BZMPBE 4JHOBUVSF IUUQTKXUJP

  20. 7FSJGZJOH+85PG0*%$ 20 "1*4FSWFS LVCFDUM +85 $BMM"1*XJUI+85 *T+85TJHOBUVSFWBMJE  )BTUIF+85FYQJSFE 

    MBU FYQ  6TFS"VUIPSJ[FE 3FUVSOSFTVMU "VUIPSJ[BUJPO#FBSFS+85 ⚠/05& 4"ˏT+85EPFTOPUIBWFFYQJSBUJPOEBUF  BOEJUJTOPUSPUBUFE

  21. "VUI;3#"$

  22. 3PMF#BTF"DDFTT$POUSPM 22 "DDFTT %FOZ "MMPX 7JFXFS3PMF 4VCKFDU 3PMF Y $POUSPM

    #PC 7JFXFSDBOHFU SFTPVSDFT IBTSVMFTUIBU #JOEJOH NBOBHFS(SPVQ BOE 7JFXFS3PMF *G#PCJTB NBOBHFS *G#PCJTOPU BNBOBHFS "DDFTT6TFSJT #PC

  23. 3PMF 3PMF #JOEJOHT 3PMF 3#"$JO,VCFSOFUFT 23 Y $POUSPM Ӝ4" Ӝ6TFS

    Ӝ(SPVQ /PSNBM6TFS ,T6TFS "VUIFOUJDBUFE6TFS %FOZ "MMPX ,VCFSOFUFT"1*0CKFDU subjects: - kind: Group name: manager roleRef: kind: Role name: viewer 4VCKFDU "DDFTT

  24. 3PMF 3PMF #JOEJOHT 3PMF 3#"$JO,VCFSOFUFT 24 Y $POUSPM %FOZ "MMPX

    ,VCFSOFUFT"1*0CKFDU metadata: name: viewer rules: - apiGroups: [""] resources: ["pods","pods/exec"] verbs: ["get","list","watch"] - nonResourceURLs: ["/version","/healthz"] verbs: [""] 4VCKFDU Ӝ4" Ӝ6TFS Ӝ(SPVQ /PSNBM6TFS ,T6TFS "VUIFOUJDBUFE6TFS "DDFTT

  25. 8IJDI3#"$SFTPVSDFTTIPVMEZPVVTF 25 #JOEJOHT $MVTUFS3PMF#JOEJOHT 3PMF (SBOUQFSNJTTJPOTUPSFTPVSDFTJOUIF TQFDJDOBNFTQBDF $MVTUFS 3PMF 6TF$MVTUFS3PMFGSPNNVMUJQMF

    OBNFTQBDFT ˖ (SBOUBDDFTTUPOPO"1*SFTPVSDFT ˖ (SBOUBDDFTTQFSNJTTJPOUPSFTPVSDFTPG BMMOBNFTQBDFT $MVTUFS999EPFTOPUCFMPOH UPUIF/BNFTQBDFT

  26. #VU3#"$JT/05FOPVHI

  27. 1SFWFOUQSJWJMFHFFTDBMBUJPO Ӝ  Ӝ  DBOPCUBJOIPTUTSPPUCZNPVOUJOH%PDLFSTPDLFU Ӝ  DBOBDDFTTIPTUTMFTZTUFNWJBQSPD<1*%>SPPU Ӝ

       ☠5IFTFBSFFTFOUJBMMZFRVJWBMFOUUPSPPUPOUIFIPTU

  28. SPOILER ALERT! :PVDBOVTF 1PE4FDVSJUZ1PMJDZ PS 7BMJEBUJOH"ENJTTJPO8FCIPPL UPQSFWFOUJU

  29. %FNP1SJWJMFHFFTDBMBUJPOCZIPTU1BUI 29 IUUQTBTDJJOFNBPSHBG'+X+E4F#S)S%V.

  30. )PXUPQSFWFOUQSJWJMFHFFTDBMBUJPO Ӝ 1PE4FDVSJUZ1PMJDZ %FOFBOENBOBHFTFDVSJUZQPMJDZXJUI3#"$ "EEUPUPVTFJU OFFEUPSFTUBSULVCFBQJTFSWFS $BOOPUDSFBUFBOZQPETXJUIPVUQPMJDZ OPEFGBVMUQSPWJEFE  Ӝ

    7BMJEBUJOH"ENJTTJPO8FCIPPL *NQMFNFOUZPVSPXOQPMJDZ DBOCFEZOBNJDBMMZDPOHVSFECZ /POFFEUPSFTUBSULVCFBQJTFSWFS  

  31. 7BMJEBUJOH"ENJTTJPO8FCIPPL   "1*4FSWFS :PVS8FCIPPL     

              *TUIFPCKFDUBMMPXFE ZFTOP

  32. 4VNNBSZ Ӝ $VTUPN3FTPVSDF%FOJUJPO UPDSFBUF,VCFSOFUFTBTB4FSWJDFJUTFMG Ӝ 0QFO*%$POOFDU"VUIPSJ[BUJPO8FCIPPL UPJOUFHSBUFPVSBVUIOBVUI[TZTUFN Ӝ 7BMJEBUJOH"ENJTTJPO8FCIPPL UPQSFWFOUQSJWJMFHFFTDBMBUJPOBOEJNQMFNFOUDVTUPNQPMJDZ

      ,VCFSOFUFTFYUFOTJCJMJUZBSFBMTPVTFGVMUPTFDVSFDMVTUFST

  33. 8FBSFIJSJOH CJUMZ[MBCDBSFFST