Slide 1

KubeCon EU 2024 Recap: “Kubernetes Policy Time Machine: Where to Next?”
Kubernetes Meetup Tokyo #64
Ryuma Yoshida (@ryysud), Z Lab Corporation

Slide 2

Ryuma Yoshida
Software Engineer at Z Lab Corporation
Twitter / GitHub / Qiita / Speakerdeck: @ryysud

Slide 3

Z Lab Corporation
▶ A wholly owned (100%) subsidiary of LINE Yahoo Corporation
  + Builds the platforms that support LINE Yahoo's large-scale infrastructure and carries out R&D
▶ Main products
  + Kubernetes as a Service (KaaS)
  + Platform as a Service (PaaS)
  + A KaaS-based application runtime platform
▶ For our work so far, see the News section of the company website
  + https://zlab.co.jp
▶ Knowledge gained on the job is published externally on Qiita
  + https://qiita.com/organizations/zlab

Slide 4

[Diagram] KaaS User → KaaS: Create / Upgrade Kubernetes Cluster. Addon Manager → Install Cluster Addons: Pod Security (Validating Admission Webhook), Exporters, Prometheus, Grafana, Ingress Controller, CoreDNS, … KaaS User → Run workloads on Kubernetes Cluster. Caption: Inside a cluster provisioned by KaaS.

My work
▶ Handling Kubernetes version upgrades
  + Investigating what changed in each new minor version
  + Investigating the impact of the version upgrade
▶ Maintaining the addon manager
  + The component that installs cluster addons
▶ Maintaining cluster addons
  + Within the team, each addon has an assigned owner
  + One of the addons I own is Pod Security
  + Implemented in-house to meet our requirements
▶ Supporting KaaS users
  + Handling inquiries from users
  + Improving addons and other components as needed

Slide 5

(Same content as Slide 4, with a callout added:) I am interested in security-related technologies for operating clusters safely 👀

Slide 6

A session introducing the overall picture of the features for applying policies to Kubernetes, and the new ones.
The speakers are Co-Chairs of the Kubernetes Policy WG (one of them is a Kyverno maintainer).
https://sched.co/1YhhD

Slide 7

Definition of a policy in Kubernetes
▶ Configurations that manage other (non-policy) configurations or runtime behaviors (literal translation)
  + Could also be described as "a definition of the expected behavior"
  + To operate a cluster safely, it is important to prevent inappropriate configurations and behaviors
https://kubernetes.io/docs/concepts/policy/

Slide 8

Main features for applying policies to a Kubernetes cluster
▶ Built-in API objects
  + NetworkPolicy, RBAC, ResourceQuota, etc.
▶ Admission controls
  + Plugins such as DefaultIngressClass and LimitRanger
  + Pod Security Admission, the official implementation of the Pod Security Standards, is also one of these plugins
▶ Dynamic admission controls (Validating / Mutating Admission Webhooks)
  + Let an external service control the request objects received by the API server
  + Implementations include Kyverno and OPA / Gatekeeper
▶ Validating Admission Policy (Beta and disabled by default as of v1.29)
  + Lets you define arbitrary policies in Common Expression Language (CEL)
  + CEL is a language whose distinguishing features are fast execution and high portability
  + A replacement for Validating Admission Webhooks
  + A big advantage is that everything is processed inside the API server

Slide 9

History of policy-enforcement mechanisms
▶ The session walked through the history of policy mechanisms from before 2016 up to 2024
  + It covered not only Kubernetes itself but also activity in the CNCF and the Policy WG; interesting!

Slide 10

What is planned for 2024
▶ Validating Admission Policy becomes Stable
  + Beta and disabled by default as of v1.29
  + Promoted to Stable and enabled by default in v1.30!
▶ Mutating Admission Policy is introduced as Alpha
  + The Mutating counterpart of Validating Admission Policy
▶ Policy Report API becomes an official project
  + A CRD for publishing policy evaluation results
  + Proposed by the Policy WG in 2020

Slide 11

(Same content as Slide 10, with a callout added:) The session did not go into detail, so I looked into these afterwards!

Slide 12

Mutating Admission Policy [New feature]
▶ Proposed in KEP-3962 Mutating Admission Policies
  + https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3962-mutating-admission-policies
▶ Aims to be a replacement for Mutating Admission Webhooks
  + As with Validating Admission Policy, the mutation is defined in CEL
  + Modifies the request object using the Server Side Apply merge algorithm
  + Provides resources similar to those of VAP
    + MutatingAdmissionPolicy
    + MutatingAdmissionPolicyBinding
▶ Planned for Alpha release in v1.31 or v1.32
  + Released as Alpha in v1.30!

Slide 13

Example configuration that adds a sidecar proxy to a Pod resource
Note: this is the example from the KEP; the feature is still Alpha, so the spec may change.

Slide 14

Example configuration that adds a sidecar proxy to a Pod resource
The request object is modified by the Mutating Admission Policy.
Note: this is the example from the KEP; the feature is still Alpha, so the spec may change.
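The slide itself shows the KEP's manifest as an image. As an added example, not the KEP's text, the following pair is modelled on the shape of that sidecar example and shows the CEL apply configuration plus the match condition that keeps re-invocation from injecting the sidecar twice. The policy names, proxy image and namespace label are assumptions, and the v1alpha1 field names may change.

```yaml
# Added example (not from the slides), modelled on the shape of the KEP-3962
# sidecar example; v1alpha1 field names may still change. Names and image are assumptions.
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: MutatingAdmissionPolicy
metadata:
  name: inject-mesh-proxy.example.com
spec:
  failurePolicy: Fail
  reinvocationPolicy: IfNeeded
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE"]
      resources:   ["pods"]
  matchConditions:
  # Skip Pods that already carry the sidecar, so re-invocation cannot add it twice.
  - name: does-not-already-have-sidecar
    expression: >-
      !has(object.spec.initContainers) ||
      !object.spec.initContainers.exists(ic, ic.name == "mesh-proxy")
  mutations:
  # Server Side Apply merges this into the Pod; initContainers are keyed by name.
  - patchType: ApplyConfiguration
    applyConfiguration:
      expression: >-
        Object{
          spec: Object.spec{
            initContainers: [
              Object.spec.initContainers{
                name: "mesh-proxy",
                image: "registry.example.com/mesh/proxy:v1.0.0",
                args: ["proxy", "sidecar"],
                restartPolicy: "Always"
              }
            ]
          }
        }
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: inject-mesh-proxy-binding.example.com
spec:
  policyName: inject-mesh-proxy.example.com
  matchResources:
    # Only namespaces that opt in via this label receive the sidecar.
    namespaceSelector:
      matchLabels:
        mesh-proxy: enabled
```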

Slide 15

Policy Report API (CRD) [Not new, but perhaps many people have not heard of it?]
▶ A CRD for publishing policy evaluation results
  + Proposed by the Kubernetes Policy WG in 2020
  + Design and development continue under the Policy WG
▶ As of April 2024, the latest API version is reports.x-k8s.io/v1beta2
  + ClusterPolicyReport resource: stores cluster-wide evaluation results
  + PolicyReport resource: stores evaluation results per Namespace
▶ Software that can emit evaluation results via the Policy Report API
  + Kube-bench, KubeArmor, Trivy, Kyverno, Falco
▶ KEP-4447 Promote PolicyReport API to a Kubernetes SIG API
  + There is a move to make the Policy Report API an official Kubernetes SIG project
  + The KEP states its aim as promoting adoption of the Policy Report API
  + Once it is an official project, more adoption examples may appear?

Slide 16

https://qiita.com/ryysud/items/240b9d9eda68b54a2e9c

Slide 17

Which feature should we adopt to control Pod security settings?
▶ Use standard Kubernetes features wherever possible
  + Pod Security Admission and Validating Admission Policy
  + Mutating Admission Policy is still Alpha, so it may be better to wait and see
  + The advantage of having everything processed inside the API server is big
▶ When the requirements cannot be met, use dynamic admission controls
  + Choose what fits your requirements: Kyverno, OPA / Gatekeeper, etc.
  + Z Lab's KaaS uses its own policy engine
  + Adoption of PSA or VAP was put on hold
  + See the references on the last slides for details
▶ Best practices for dynamic admission controls
  + HA configuration and low latency
  + Set selectors appropriately to cut unnecessary calls
  + Set the failure policy and timeout appropriately as well
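As an added example that is not part of the slides, here is how the three best practices above translate into the webhook registration for an in-house Pod-security validating webhook like the one in the architecture diagram: narrow rules and a namespaceSelector to cut calls, an explicit failurePolicy and timeoutSeconds, and a PodDisruptionBudget for the HA side. Names, namespace, path and labels are assumptions; the CA bundle is a placeholder.

```yaml
# Added example (not from the slides): registering an in-house Pod-security
# validating webhook with the three practices above. Names, namespace, path
# and labels are assumptions; the CA bundle is a placeholder.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-security.example.com
webhooks:
- name: pod-security.example.com
  admissionReviewVersions: ["v1"]
  sideEffects: None
  # Selectors: only Pod CREATE/UPDATE reaches the webhook, nothing else.
  rules:
  - apiGroups:   [""]
    apiVersions: ["v1"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["pods"]
    scope: Namespaced
  # Exempt kube-system and the webhook's own namespace, so a webhook outage
  # cannot block the redeployment that would fix it.
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["kube-system", "pod-security-system"]
  # Fail closed for a security control, with a short timeout so a slow backend
  # turns into quick rejections instead of every Pod create waiting out the default 10s.
  failurePolicy: Fail
  timeoutSeconds: 5
  clientConfig:
    service:
      namespace: pod-security-system
      name: pod-security-webhook
      path: /validate
      port: 443
    caBundle: "<BASE64_CA_BUNDLE_PLACEHOLDER>"
---
# HA: run at least two replicas behind the Service and keep one available
# during node drains and upgrades.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: pod-security-webhook
  namespace: pod-security-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: pod-security-webhook
```

With failurePolicy: Fail, the webhook Deployment itself must be highly available, otherwise a webhook outage blocks Pod creation in every selected namespace; Ignore trades that availability risk for a gap in enforcement.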

Slide 18

Be sure to check out the original session too!
https://sched.co/1YhhD

Slide 19

Thank you!

Slide 20

[Reference] The mechanism Z Lab uses to control Pod security settings
https://speakerdeck.com/uesyn/on-the-safe-migration-of-podsecuritypolicy

Slide 21

[Reference] A case study of how Mercedes-Benz controls Pod security settings
Mercedes-Benz's policy is reportedly to use standard features such as Validating / Mutating Admission Policy.
https://sched.co/1YePd