Slide 1

Slide 1 text

Wiring k8s to OPA - Admission Controller edition 2019/03/18 @ken5scal

Slide 2

Slide 2 text

What I set out to do
1. Point the k8s Admission Controller at OPA
2. Apply OPA policies to requests sent to the k8s API server

Slide 3

Slide 3 text

What is the k8s Admission Controller?
- A mechanism that intercepts the objects in authenticated and authorized requests to the k8s API server and applies controls to them before they are persisted
- Which kind of control is applied is decided by plugins

Slide 4

Slide 4 text

What is OPA (pronounced "oh-pa")?
- A so-called policy engine: it checks whether a request is legitimate and returns the verdict to the agent
- See my talk at "Cloud Native Meetup Tokyo #4": https://speakerdeck.com/ken5scal/introduction-to-open-policy-agent

Slide 5

Slide 5 text

k8s Admission Controller and OPA, part 1
- Configure OPA as a ValidatingAdmissionWebhook
- Which actions against the k8s API server are sent to OPA is specified here (in the webhook configuration)

Slide 6

Slide 6 text

cat > webhook-configuration.yaml <

Slide 7

Slide 7 text

k8s Admission Controller and OPA, part 2
- The OPA policies themselves are written in Rego
- They are loaded into the cluster as k8s ConfigMaps

Slide 8

Slide 8 text

Example 1: restricting Ingress FQDNs

Slide 9

Slide 9 text

package kubernetes.admission

import data.kubernetes.namespaces

# Deny an Ingress CREATE whose host is not in the namespace's allow-list.
deny[msg] {
    input.request.kind.kind = "Ingress"
    input.request.operation = "CREATE"
    host = input.request.object.spec.rules[_].host
    # fqdn_matches_any is defined in the linked docs page (omitted on the slide).
    not fqdn_matches_any(host, valid_ingress_hosts)
    msg = sprintf("invalid ingress host %q", [host])
}

# Allowed hosts come from the "ingress-whitelist" annotation (comma-separated)
# on the namespace of the request.
valid_ingress_hosts = {host |
    whitelist = namespaces[input.request.namespace].metadata.annotations["ingress-whitelist"]
    hosts = split(whitelist, ",")
    host = hosts[_]
}

https://www.openpolicyagent.org/docs/kubernetes-admission-control.html

Slide 10

Slide 10 text

% cat ingress-bad.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-bad
spec:
  rules:
  - host: acmecorp.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
% kubectl create -f ingress-bad.yaml -n qa
Error from server (invalid ingress host "acmecorp.com"): error when creating "ingress-bad.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the request: invalid ingress host "acmecorp.com"

https://www.openpolicyagent.org/docs/kubernetes-admission-control.html

Slide 11

Slide 11 text

Example 2: restricting the container registry

Slide 12

Slide 12 text

cat > image_source.rego <

Slide 13

Slide 13 text

% cat nginx.yaml
kind: Pod
apiVersion: v1
metadata:
  name: nginx
  labels:
    app: nginx
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
% kubectl apply -f nginx.yaml
Error from server (pod "nginx" has invalid registry "nginx"): error when creating "nginx.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the request: pod "nginx2" has invalid registry "nginx"

https://aws.amazon.com/jp/blogs/opensource/using-open-policy-agent-on-amazon-eks/
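As an added example (not the deck's image_source.rego, which is cut off above, nor the AWS blog's policy), here is a registry allow-list policy for the same ValidatingAdmissionWebhook input shape. It goes a little beyond the slide: it resolves a bare image name such as "nginx" to "docker.io" the way Docker does, it also checks initContainers, and registry_of is defined for every image so the deny rule can never be skipped because of an undefined value. The allow-listed registry host is a constructed placeholder.

```rego
package kubernetes.admission

# Constructed allow-list (placeholder value, not from the slides).
trusted_registries := {"111122223333.dkr.ecr.ap-northeast-1.amazonaws.com"}

deny[msg] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    image := pod_images[_]
    registry := registry_of(image)
    not trusted_registries[registry]
    msg := sprintf("pod %q has invalid registry %q", [input.request.object.metadata.name, registry])
}

# Collect images from regular containers and initContainers alike;
# checking only spec.containers would leave initContainers unchecked.
pod_images[image] {
    image := input.request.object.spec.containers[_].image
}
pod_images[image] {
    image := input.request.object.spec.initContainers[_].image
}

# The first path component is a registry host only if it contains "." or ":"
# or is "localhost" (Docker's rule); otherwise the image lives on Docker Hub.
# Every image must resolve to some value here, otherwise `registry` would be
# undefined above and the deny rule would silently not fire.
registry_of(image) = reg {
    parts := split(image, "/")
    count(parts) > 1
    is_registry_host(parts[0])
    reg := parts[0]
}
registry_of(image) = "docker.io" {
    parts := split(image, "/")
    count(parts) == 1
}
registry_of(image) = "docker.io" {
    parts := split(image, "/")
    count(parts) > 1
    not is_registry_host(parts[0])
}

is_registry_host(part) { contains(part, ".") }
is_registry_host(part) { contains(part, ":") }
is_registry_host(part) { part == "localhost" }
```

With the Pod from nginx.yaml as input, the request is denied with `pod "nginx" has invalid registry "docker.io"`; an image such as `111122223333.dkr.ecr.ap-northeast-1.amazonaws.com/nginx:1.19` is allowed.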

Slide 14

Slide 14 text

What it cannot do
- Control inside the runtime
- Only operations against the API server can be controlled
- Because it applies a "policy", a purely static check can feel insufficient
- Control of OPA itself
- etc.

Slide 15

Slide 15 text

I will be releasing a thin book on OPA at 技術書典 (Gijutsu Shoten).

Slide 16

Slide 16 text

@ken5scal

Slide 17

Slide 17 text

Thank you