Securing Kubernetes Clusters on AWS (Japanese)

Kubernetes Meetup Tokyo #7
https://k8sjp.connpass.com/event/67092

KUOKA Yusuke

October 13, 2017
Transcript

  1. Securing Kubernetes Clusters on AWS
    @mumoshu

  2. I want the services we run on K8S on AWS to stay safe even when they are attacked

  3. What does "attack" mean concretely?
    For example, against a web app:
    - suspicious query strings
    - suspicious HTTP POST parameters
    - requests with things like ruby or shell snippets mixed in
    get thrown at it

  4. What does "attack" mean concretely?
    • The app has a code injection vulnerability: sending a specific request gets arbitrary commands executed, and in the worst case a backdoor is planted
    • "Everything reachable from the app's runtime environment" ends up accessible to the attacker

  5. About the attack target

  6. Recap: where does an app run in K8S?
    An app deployed to K8S runs in a "container".

  7. Recap: by what path is a published app reached?
    -> LB (ELB, ALB, NLB)
    -> EC2 instance (via the Service's NodePort)
    -> Pod (kube-proxy/iptables translates the Service's clusterIP to a podIP)
    -> container (via containerPort)
    -> application process
    That is the path along which it is accessed.

  8. What is inside a container
    • Commands
      • bash, curl, etc.
    • Middleware
      • apache, nginx, etc.
    • Application
      • binaries (Golang), scripts (ruby, python, etc.)

  9. What is inside a container
    • Runtimes
      • python and ruby runtimes, ruby gems, JDK, …
    • Shared libraries
      • glibc, libssl

  10. What is inside a container
    • You can't tell where the vulnerabilities are, can you…
    • That is exactly why we want to defend at the K8S level as much as possible

  11. For example, what can be done to you once a backdoor is planted
    • Any command present in the container can be executed
    • Example: if the container has curl, arbitrary http(s) requests can be sent

  12. Once arbitrary commands can be executed…
    • Kubernetes-specific targets
      • the K8S API, the Kubelet API (non-public) and other Pods, reachable with curl and the like
    • Targets common to container orchestration systems in general
      • other containers
      • via localhost or local volumes

  13. Countermeasures
    • Prevent backdoors from being planted
    • Minimize the impact when a backdoor is planted

  14. Concretely, how do we defend?
    • kube2iam
    • Kubernetes Network Policies
    • RBAC
    • TLS Bootstrapping
    • node pools / instance pools
    • coreos/clair

  15. Preventing backdoors from being planted
    (1) Don't write vulnerable apps!
    • Nothing much to say here…
    • Use a framework
    • Update when a vulnerability is found in the language runtime (at the Golang, Ruby, etc. level)
    • Sanity-check user input
    • Don't include vulnerable commands or libraries

  16. Preventing backdoors from being planted
    (2) Scan container images for vulnerabilities with CoreOS Clair
    Example: so that vulnerable images never get deployed, in CI run, after Docker Build & Push,
    clair-scanner --clair https://myclaier.example.com --ip $YOUR_LOCAL_IP $IMAGE
    and only then deploy to K8S.
    future-architect/vuls is a tool of the same kind.

  17. Minimizing the impact when a backdoor is planted
    kube2iam
    kube2iam: a reverse proxy that replaces the EC2 metadata service (http://169.254.169.254)
    • EC2 instances carry fairly powerful IAM policies
    • Make those unusable from the app
    • Normally, when you curl the EC2 metadata service, the instance

  18. Network Policies
    A mechanism for allowing or denying Pod-to-Pod communication by rules
    • We don't want Pods talking to unnecessary services on the Internet
    • Traffic into a Pod: Ingress
    • Traffic out of a Pod: Egress (available from K8S 1.8)
    • The EC2 metadata service (169.254.169.254) might as well be blocked by default
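    The default block of the EC2 metadata endpoint suggested above, as an added example that is not from the slides: an egress NetworkPolicy that lets every Pod in a namespace resolve DNS and reach the Internet, but not 169.254.169.254. The namespace name `webapp` and the `name=kube-system` namespace label are assumptions.

```yaml
# Added example, not part of the original deck.
# Egress policy for all Pods in the (assumed) namespace "webapp":
#   - DNS to kube-system is allowed (assumes the namespace carries the label name=kube-system)
#   - everything else is allowed, except the link-local EC2 metadata endpoint
# Requires K8S 1.8+ (egress rules) and a CNI plugin that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-ec2-metadata-egress
  namespace: webapp                 # assumed namespace
spec:
  podSelector: {}                   # empty selector: applies to every Pod in the namespace
  policyTypes:
    - Egress                        # once listed, egress not matched below is denied
  egress:
    # Rule 1: allow DNS lookups against kube-dns in kube-system
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system     # assumed label on the kube-system namespace
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Rule 2: allow all other destinations, carving out the metadata service
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32  # EC2 instance metadata (and its IAM credentials)
```

    With a CNI plugin that does not implement NetworkPolicy the object is accepted by the API server but has no effect, so verify enforcement from inside a Pod before relying on it.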

  19. RBAC
    • A feature for controlling access to the K8S API per Pod and per user
    • Even if a backdoor is planted in a Pod that cannot call the K8S API, you are safe
    • Went GA in K8S 1.8

  20. TLS Bootstrapping
    • Automatically generates the TLS private keys used to authenticate and encrypt communication between the K8S API server and the Kubelets
    • Example: kube-aws: the key is shared by all Kubelets (= Workers). If one Worker's key leaks, the other Workers are affected too…
    • With TLS Bootstrapping, each Worker gets its own key. If it leaks, only that Worker is affected

  21. RotateKubeletClientCertificate
    • Became alpha in K8S 1.8
    • A feature that, with TLS Bootstrapping, rotates the key periodically (every few months, which is long)
    • Even if a key leaks, there is no impact once it has expired (been rotated)

  22. Node pools / instance pools
    • A feature of GKE, kops, kube-aws, etc. for using separate groups of Nodes (differing in labels, server specs, presence of GPUs, and so on)
    • Example: separate pools per reachable DB instance that holds personal data
    • Overdoing it lowers resource efficiency

  23. Bonus: the K8S API authentication problem
    • An engineer tweeted a token that grants access to the K8S API
    • An engineer leaked a private key that grants access to the K8S API

  24. Countermeasure: at the network level
    Make the K8S API endpoint (on AWS, usually an ELB) reachable only from
    • the corporate network (IP restrictions, ideally a VPN)
    • the private network inside the VPC (e.g. a CI system inside the VPC calling the K8S API)

  25. Countermeasure: GitHub login to the K8S cluster
    Using guard, you can log into your Kubernetes cluster using your
    Github or Google authentication token
    https://github.com/appscode/guard
    • However, it uses the GitHub OAuth token in place of a K8S API token
    • If the token's lifetime is long, that is risky in its own way
    • Google login is also possible

  26. Countermeasure: AWS IAM login to the K8S cluster
    kubernetes-aws-authenticator
    A tool for using AWS IAM credentials to authenticate to a
    Kubernetes cluster.
    https://github.com/heptiolabs/kubernetes-aws-authenticator
    • However, AWS credentials are valid for 1 hour, so a leaked one could be used for up to 1 hour
    • Combine with the network-level countermeasures

  27. TL;DR
    If you want K8S on AWS to be secure, at a minimum
    • kube2iam
    • Network Policies
    • coreos/clair
    • RBAC
    and if you can
    • node pools, TLS Bootstrapping
