Slide 1
Slide 1 text
k8sͱOPAͭͳ͛ͯΈͨ
- Admission Controllerฤ
2019/03/18 @ken5scal
Slide 2
Slide 2 text
Ζ͏ͱͨ͜͠ͱ
1. k8sͷAdmission ControllerΛOPAʹ͚Δ
2. k8s APIαʔόʔͷϦΫΤετʹOPAϙϦγʔΛ
ద༻͢Δ
Slide 3
Slide 3 text
k8s Admission Controllerͱ
- k8s APIαʔόʔʹର͢ΔೝূɾೝՄ͞ΕͨϦΫΤετ
ͷΦϒδΣΫτ͕ӬଓԽ͞ΕΔલʹɺ੍ޚ͢Δػߏ
- ϓϥάΠϯʹΑͬͯɺͲͷΑ͏ͳ੍ޚΛ͢Δ͔ܾΊΒΕ
Δ
Slide 4
Slide 4 text
OPAʢΦʔύʣͱ
- ϦΫΤετͷਖ਼ੑΛݕূͯ͠ɺΤʔδΣϯτʹ
݁ՌΛฦ͢ɺ͍ΘΏΔϙϦγʔΤϯδϯ
- ʮCloud Native Meetup Tokyo #4ʯͷൃදࢀর
https://speakerdeck.com/ken5scal/introduction-to-open-policy-agent
Slide 5
Slide 5 text
- ValidatingAdmissionWebhookʹOPAΛઃఆ
- k8s APIαʔόʹର͢ΔͲͷΑ͏ͳΞΫγϣϯΛࢦ
ఆ͢Δ͔ɺͬͪ͜ʹॻ͘
k8s Admission ControllerͱOPAɹͦͷᶃ
Slide 6
Slide 6 text
cat > webhook-configuration.yaml <
Slide 7
Slide 7 text
- OPAͷϙϦγʔͦͷͷRegoͰهड़
- k8sͷConfigMapsͱͯ͠औΓࠐΉ
k8s Admission ControllerͱOPAɹͦͷᶄ
Slide 8
Slide 8 text
ྫ1: IngressͷFQDNࢦఆ
Slide 9
Slide 9 text
package kubernetes.admission
import data.kubernetes.namespaces
deny[msg] {
input.request.kind.kind = "Ingress"
input.request.operation = "CREATE"
host = input.request.object.spec.rules[_].host
not fqdn_matches_any(host, valid_ingress_hosts)
msg = sprintf("invalid ingress host %q", [host])
}
valid_ingress_hosts = {host |
whitelist = namespaces[input.request.namespace].metadata.annotations["ingress-
whitelist"]
hosts = split(whitelist, ",")
host = hosts[_]
}
https://www.openpolicyagent.org/docs/kubernetes-admission-control.html
Slide 10
Slide 10 text
% cat ingress-bad.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-bad
spec:
rules:
- host: acmecorp.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
% kubectl create -f ingress-bad.yaml -n qa
Error from server (invalid ingress host "acmecorp.com"): error when creating "ingress-
bad.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the
request: invalid ingress host "acmecorp.com"
https://www.openpolicyagent.org/docs/kubernetes-admission-control.html
Slide 11
Slide 11 text
ྫ1: ίϯςφϨδετϦͷࢦఆ
Slide 12
Slide 12 text
cat > image_source.rego <
Slide 13
Slide 13 text
% cat nginx.yaml
kind: Pod
apiVersion: v1
metadata:
name: nginx
labels:
app: nginx
namespace: default
spec:
containers:
- image: nginx
name: nginx
% kubectl apply -f nginx.yaml
Error from server (pod "nginx" has invalid registry "nginx"): error when creating
"nginx.yaml": admission webhook "validating-webhook.openpolicyagent.org" denied the
request: pod "nginx2" has invalid registry "nginx"
https://aws.amazon.com/jp/blogs/opensource/using-open-policy-agent-on-amazon-eks/
Slide 14
Slide 14 text
Ͱ͖ͳ͍͜ͱ
- Runtimeͷ੍ޚ
- APIαʔόʔʹର͢Δૢ࡞੍͔͠ޚͰ͖ͳ͍
- “ϙϦγʔ”ͷద༻ͳͷͰ੩తͳݕࠪͩͱΓͳ͍
- OPAͦͷͷͷ੍ޚ
- etc
Slide 15
Slide 15 text
͜͜ʹςΩετΛೖΕ·͢ɻ
ͻͱͭͷεϥΠυʹ༰Λ٧Ί͗͢
ͳ͍Α͏ʹ͠·͠ΐ͏ɻ
ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕
εϥΠυ࡞ΓͷجຊͰ͢ɻ
ٕज़ॻయͰOPAωλͷബ͍ຊͩ͠·͢
Slide 16
Slide 16 text
@ken5scal
Slide 17
Slide 17 text
Thank you