Slide 1

Slide 1 text

Policy Control with Kyverno, Ready to Start Tomorrow
2022/11/21 Cloud Native Days Tokyo 2022, 15:20 ~ 16:00, Track D, Ryotaro Uwatsu

Slide 2

Slide 2 text

Copyright © Dell Inc. All Rights Reserved.
About me
Name: Ryotaro Uwatsu (@URyo_0213)
Title: Solutions Architect
Community:
• Kubernetes Meetup Novice
• Kubenews
• Cloud Native Days Tokyo

Slide 3

Slide 3 text

Table of contents
• Policy control
• What is Kyverno
• Policy control in Kyverno
• Operating Kyverno

Slide 4

Slide 4 text

Policy control

Slide 5

Slide 5 text

What is policy control?
Policy:
• (Organization) a policy or guideline
• (Individual) a principle you believe in and that shapes your behaviour
ex) [ONE PIECE] Sanji has the famous line "Even if it kills me, I won't kick a woman", so he holds the policy "never hurt a woman". → This is something he absolutely does not do.


Slide 7

Slide 7 text

What is policy control? (continued)
[Kubernetes] A Pod that specifies an image with the latest tag is never allowed to run.

Slide 8

Slide 8 text

What is policy control? (continued)
A policy is an operational rule set by an individual, a team or an organization. Policy control means that, once a policy has been defined, the appropriate actions are taken so that it is always observed.

Slide 9

Slide 9 text

Basic policy control in Kubernetes
Kubernetes offers the following kinds of policy control out of the box:
• Network Policy – controls ingress (inbound) and egress (outbound) traffic.
• Pod Security Admission – restricts the workload resources that can be created, based on the Pod Security Standards.
• Resource Quota – limits total resource consumption per Namespace.
• etc.

Slide 10

Slide 10 text

What is Kyverno

Slide 11

Slide 11 text

Kyverno
Kyverno is a policy engine that runs inside a Kubernetes cluster as a Dynamic Admission Controller. It receives admission webhooks from kube-apiserver and enforces control based on the policies you define.
Because policies are applied as Kubernetes manifests through Custom Resources, the learning cost is very low.
Version: 1.8.0
https://github.com/kyverno/kyverno

Slide 12

Slide 12 text

Dynamic Admission Control

Slide 13

Slide 13 text

Dynamic Admission Control
[Figure: request flow through kube-apiserver: Authentication → Authorization → Mutating Admission → Object Schema Validation → Validating Admission → Persist data to etcd. Webhooks are called from the mutating and validating admission stages; Kyverno is the webhook target.]

Slide 14

Slide 14 text

Mutating and Validating
Mutating: modifies the parameters of the resource being created, based on some condition.
ex) Add Envoy as a sidecar to Pods carrying the label sidecar.istio.io/inject: true.
Validating: decides, based on conditions, whether the resource being created may be created.
ex) Only Pods carrying the label allowed-by-kyverno: true may be created.

Slide 15

Slide 15 text

Installing Kyverno

Slide 16

Slide 16 text

Installing Kyverno
Kyverno can be deployed with Helm or from YAML manifests.
[Production]
helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=3
[Test environment]
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

Slide 17

Slide 17 text

Differences caused by the replica count
Setting the replica count to a number greater than 1 causes a Pod Disruption Budget to be applied. (Helm template)

Slide 18

Slide 18 text

Pod Anti-Affinity Rule
A Pod anti-affinity rule is applied, so the replicas are spread across nodes as far as possible.

Slide 19

Slide 19 text

Quick summary so far
• A policy is an operational rule, and taking the appropriate actions to keep it is policy control.
• Kyverno is the destination of the webhook that kube-apiserver sends when it controls resources.
• When Kyverno receives a webhook, it takes action according to the policies.

Slide 20

Slide 20 text

Policy control in Kyverno

Slide 21

Slide 21 text

Applying policies with Kyverno
There are two resources used to apply policies with Kyverno:
1. ClusterPolicy: used to apply a policy to the whole cluster.
2. Policy: used to apply a policy confined to one Namespace.
Note that there is no ordering between policies, so combining several policies can only extend the rules. In other words, one Policy cannot override another: you cannot set a strict ClusterPolicy and then relax the restriction in a particular Namespace with a Policy.

Slide 22

Slide 22 text

Policy structure
[Figure: Policy → Rule → {Preconditions, Match, Exclude} (selecting the target) and {Validate Resources, Mutate Resources, Generate Resources, Verify Images} (the action)]

Slide 23

Slide 23 text

Policy structure

Slide 24

Slide 24 text

Policy control in Kyverno
~ Selecting the target ~

Slide 25

Slide 25 text

[Figure: policy structure, highlighting the target-selection part: Preconditions, Match, Exclude]

Slide 26

Slide 26 text

Match
Match is the rule used to select the target resources. It is written under rules[*].match.
In the example below, the "action" is executed against Deployments.

Slide 27

Slide 27 text

Exclude
Exclude is used to create exceptions among the resources covered by Match. It is written under rules[*].exclude.
In the example below, the "action" is executed against Pods outside the kube-system Namespace.

Slide 28

Slide 28 text

All and Any
match and exclude have the same structure, and you specify one of the following two elements:
• any: applies an OR condition when selecting resources.
• all: applies an AND condition when selecting resources.

Slide 29

Slide 29 text

Any and All
As in the example below, it is currently possible to write match/exclude without any or all, but this form is deprecated and will no longer be supported in a future release, so be careful.

Slide 30

Slide 30 text

How to specify the target
The following items can be used to select the target:
• resources:
– kind (Deploy­ment, Pod, Service, etc.) is specified as a required item.
– The resource name, Namespace, annotations, labels and so on can be specified to pin the target down precisely.
• subjects:
– specify a User, Group or Service Account.
• roles/clusterRoles:
– specify a Role or a Cluster Role.

Slide 31

Slide 31 text

How to specify the target
In the example below, Pods with the label app=critical are the target, except for resources created by the User cndt-admin or through the Cluster Role cluster-admin.
[Figure: three identical Pods (name: test1, labels: app: critical) created by different requesters]
Requester | Result
User: John, ClusterRole: cluster-admin | not targeted
User: cndt-admin, ClusterRole: admin | not targeted
User: ry, ClusterRole: admin | targeted

Slide 32

Slide 32 text

Items that can be specified under resources
The following items can be specified under resources:
• (Required) kind
• (Optional) name
• (Optional) selector
• (Optional) annotations
• (Optional) namespaces
• (Optional) namespaceSelector

Slide 33

Slide 33 text

Items that can be specified under resources (continued)
[Target] all Deployment resources

Slide 34

Slide 34 text

Items that can be specified under resources (continued)
[Target] the Deployment resource named test

Slide 35

Slide 35 text

Items that can be specified under resources (continued)
[Target] Deployment resources with the specified labels


Slide 37

Slide 37 text

Items that can be specified under resources (continued)
[Target] Deployment resources with the specified annotations

Slide 38

Slide 38 text

Items that can be specified under resources (continued)
[Target] Deployment resources in the specified Namespace


Slide 40

Slide 40 text

Items that can be specified under resources (continued)
[Target] Deployments with the specified labels in the specified Namespace

Slide 41

Slide 41 text

Formats accepted under resources
The kind under resources supports the following formats:
• Group/Version/Kind
• Version/Kind
• Kind
This is useful, for example, when specifying a Network Policy and several resources share the same kind name:
(Kubernetes) apiVersion: networking.k8s.io/v1, kind: NetworkPolicy
(Calico) apiVersion: projectcalico.org/v3, kind: NetworkPolicy

Slide 42

Slide 42 text

Wildcards
Wildcards can be used in the rules, with the following meaning:
• *: a string of any length
• ?: any single character
[Target] all resources

Slide 43

Slide 43 text

Preconditions
Preconditions are used to control more finely when a rule is applied. Kyverno looks at the AdmissionReview and, based on the rules written in Preconditions, decides whether to carry out policy control. They are written under rules[*].preconditions. As with match and exclude, the rules are written under any or all.

Slide 44

Slide 44 text

AdmissionReview
Within Dynamic Admission Control, the AdmissionReview is what carries the various pieces of information about the resource when the webhook is sent. It contains, among other things, request.operation (CREATE, UPDATE, DELETE, CONNECT), which shows what the current operation is trying to do, and request.object, which holds the parameters of the resource being operated on.

Slide 45

Slide 45 text

Preconditions Example
Under spec.rules.preconditions.(any/all)[*], conditions are written as key – operator – value combinations. In this example, policy control is carried out on create or update if the target is a Pod.
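The selection from the User/ClusterRole slide and the preconditions described here, combined into one policy. This is an added example, not one of the deck's own policies; the policy name, the owner label used as a placeholder validate rule, and the field syntax (as in the Kyverno 1.8 documentation) are my assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: critical-pod-selection        # constructed name
spec:
  validationFailureAction: audit
  # Rules that use subjects, roles/clusterRoles or request.* variables
  # cannot run in background scans, so background must be false.
  background: false
  rules:
  - name: select-critical-pods
    # match: entries under any are OR-ed; entries under all are AND-ed.
    match:
      any:
      - resources:
          kinds:
          - Pod
          selector:
            matchLabels:
              app: critical
    # exclude: requests made by user cndt-admin, or authorised through
    # the cluster-admin ClusterRole, are exempt.
    exclude:
      any:
      - subjects:
        - kind: User
          name: cndt-admin
      - clusterRoles:
        - cluster-admin
    # preconditions are evaluated against the AdmissionReview: the rule
    # only proceeds on CREATE or UPDATE, and only when the object is a Pod.
    preconditions:
      all:
      - key: "{{ request.operation }}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
      - key: "{{ request.object.kind }}"
        operator: Equals
        value: Pod
    # Placeholder action (assumed): require a non-empty owner label.
    validate:
      message: "Pods labelled app=critical must also carry an owner label"
      pattern:
        metadata:
          labels:
            owner: "?*"
```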

Slide 46

Slide 46 text

Operators
The following operators can be used in Preconditions:
• Equals
• NotEquals
• In (deprecated)
• AnyIn
• AllIn
• NotIn (deprecated)
• AnyNotIn
• AllNotIn
• GreaterThan
• GreaterThanOrEquals
• LessThan
• LessThanOrEquals
• DurationGreaterThan
• DurationGreaterThanOrEquals
• DurationLessThan
• DurationLessThanOrEquals

Slide 47

Slide 47 text

"Selecting the target" summary
• Use Match to specify the targets of policy control.
• Use Exclude to create exceptions among the target resources.
• Use Preconditions to set prerequisites.
• Write the rules as arrays under any (OR) or all (AND).

Slide 48

Slide 48 text

Policy control in Kyverno
~ The action ~

Slide 49

Slide 49 text

[Figure: policy structure, highlighting the action part: Validate Resources, Mutate Resources, Generate Resources, Verify Images]

Slide 50

Slide 50 text

Validate Resources
Used to decide whether a new resource created by a user or a process may be created. Written under spec.rules[*].validate.
The behaviour for resources that violate a rule is controlled by spec.validationFailureAction:
• enforce – block creation when the rule is violated.
• audit – allow creation when the rule is violated, and record the resource as a violation in the policy report.

Slide 51

Slide 51 text

Validate Resources Example
Under spec.rules[*].validate.pattern you write the top-level metadata or spec section of the target resource to define the validation rule.
nginx-with-label has the required label, so its creation is allowed; nginx-without-label does not, so its creation is rejected.
[Execution result]

Slide 52

Slide 52 text

validationFailureActionOverrides
For validation in a ClusterPolicy only, validationFailureActionOverrides lets you name Namespaces and set the failure action (audit, enforce) for each individually.
You can see that the Pod rejected on the previous slide was created in the Namespace no-label.
[Execution result]

Slide 53

Slide 53 text

How to write validate conditions
Validation conditions can be written with the following constructs:
• pattern
• anyPattern
• deny
• foreach
• Manifest Validation
• Pod Security

Slide 54

Slide 54 text

How to write validate conditions
This session covers three of these: pattern, anyPattern and deny. (foreach, Manifest Validation and Pod Security are not covered.)

Slide 55

Slide 55 text

Writing a pattern
In a pattern you write the metadata or spec section, and validation is done by comparing it with the resource. In this example the spec section of a Deployment is written so that Pods generated by the Deployment are required to carry the label permitted-by-kyverno="true".

Slide 56

Slide 56 text

Writing a pattern
The following can be used when writing conditions in a pattern:
• wildcards
• operators
• anchors

Slide 57

Slide 57 text

Wildcards
Wildcards can be used in the rules, with the following meaning:
• *: a string of any length
• ?: any single character
[Rule] The resource must have a label whose key is allowed-by.

Slide 58

Slide 58 text

Operators
Operators let you write detailed conditions on values.
Operator | Meaning
> | greater than
< | less than
>= | greater than or equal to
<= | less than or equal to
! | not equal to the given value
| | OR
& | AND
- | within a range
!- | outside a range

Slide 59

Slide 59 text

Operators [numeric comparison]
$ kubectl create deploy not-enough-replica --replicas=2 --image nginx:alpine

Slide 60

Slide 60 text

Operators [selecting anything but a given value]
$ kubectl run nginx --image nginx:alpine -n default

Slide 61

Slide 61 text

Anchors
Anchors let you attach various conditions to keys.
Anchor | Tag | Meaning
Conditional | () | sets a condition on the peer elements
Equality | =() | if the key exists, then…
Existence | ^() | at least one element exists
Negation | X() | rejects the target
Global | <() | sets a condition that applies anywhere

Slide 62

Slide 62 text

Anchors [() anchor]
[Condition] (condition: under spec, peer: metadata) If spec.volumes.hostPath is defined and its path is /var/log, then metadata.labels must have allow-log-hostpath: "true".

Slide 63

Slide 63 text

About the conditional anchor
Because the conditional anchor sets a condition on the peer elements, its intended behaviour is that elements outside the peers are not affected by the evaluation of the anchored element. As of version 1.8.0, however, as in this example, elements that are not peers are also affected when the anchored element does not match: even though they do not match the rule, their evaluation is skipped, so be careful.
※ An issue has been opened and is being worked on.

Slide 64

Slide 64 text

Anchors [=() anchor]
[Condition] If spec.volumes.hostPath is defined, its path must not be /proc or /sys.

Slide 65

Slide 65 text

Anchors [^() anchor]
[Condition] When creating a Pod, it must include at least one container with a livenessProbe configured.

Slide 66

Slide 66 text

Anchors [X() anchor]
[Condition] For Pods with the label no-ephemeral="true", reject the creation of ephemeral containers.
※ Use "null" as the value.

Slide 67

Slide 67 text

Anchors [<() anchor]
[Condition] If there is a container using an image pulled from my-local-reg.com, my-registry-secret must be used as the imagePullSecret.
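The five anchors from the preceding slides plus the ! and & operators, collected into one policy as an added example; this is not the deck's own YAML and the rule names and messages are mine. For the conditional anchor the documented image/imagePullPolicy pair is used, because a conditional anchor only constrains the peers of the anchored key.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pattern-anchor-examples       # constructed name
spec:
  validationFailureAction: audit      # switch to enforce once the reports look right
  rules:
  # Operators: a Deployment must ask for at least 3 replicas.
  - name: enough-replicas
    match: { any: [ { resources: { kinds: [ Deployment ] } } ] }
    validate:
      message: "spec.replicas must be >= 3"
      pattern:
        spec:
          replicas: ">=3"
  # Conditional anchor (): when the image tag is :latest, the peer key
  # imagePullPolicy must not be IfNotPresent. Only peers (siblings of the
  # anchored key) are constrained by a conditional anchor.
  - name: latest-tag-pull-policy
    match: { any: [ { resources: { kinds: [ Pod ] } } ] }
    validate:
      message: "images tagged :latest may not use imagePullPolicy IfNotPresent"
      pattern:
        spec:
          containers:
          - (image): "*:latest"
            imagePullPolicy: "!IfNotPresent"
  # Equality anchor =(): checked only if volumes and hostPath are present;
  # then path must not equal /proc or /sys (! = not equal, & = AND).
  - name: no-proc-sys-hostpath
    match: { any: [ { resources: { kinds: [ Pod ] } } ] }
    validate:
      message: "hostPath volumes may not mount /proc or /sys"
      pattern:
        spec:
          =(volumes):
          - =(hostPath):
              path: "!/proc & !/sys"
  # Existence anchor ^(): at least one container defines a livenessProbe
  # (the API server fills in periodSeconds before admission, so it is present).
  - name: one-liveness-probe
    match: { any: [ { resources: { kinds: [ Pod ] } } ] }
    validate:
      message: "at least one container must define a livenessProbe"
      pattern:
        spec:
          ^(containers):
          - livenessProbe:
              periodSeconds: ">0"
  # Negation anchor X(): Pods labelled no-ephemeral=true must not carry
  # ephemeralContainers; the value "null" means "key must be absent".
  - name: no-ephemeral-containers
    match:
      any:
      - resources:
          kinds: [ Pod ]
          selector:
            matchLabels:
              no-ephemeral: "true"
    validate:
      message: "ephemeral containers are not allowed on this Pod"
      pattern:
        spec:
          X(ephemeralContainers): "null"
  # Global anchor <(): if any container pulls from my-local-reg.com, the
  # Pod must list my-registry-secret under imagePullSecrets.
  - name: local-registry-needs-secret
    match: { any: [ { resources: { kinds: [ Pod ] } } ] }
    validate:
      message: "images from my-local-reg.com require imagePullSecret my-registry-secret"
      pattern:
        spec:
          containers:
          - <(image): "my-local-reg.com/*"
          imagePullSecrets:
          - name: my-registry-secret
```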

Slide 68

Slide 68 text

Writing anyPattern
anyPattern lets you define several patterns. This example requires either a securityContext on the Pod as a whole, or a securityContext on each container (container, init container, ephemeral container).

Slide 69

Slide 69 text

Writing deny
deny is used when you want to reject a request based on a set of conditions you write. The conditions are normally written under deny.conditions, with any or all, as key – operator – value combinations. When using deny, validationFailureAction must be set to enforce.
[Rule] For operations performed with the permissions of a ClusterRole other than cluster-admin, reject deletion of resources carrying the label app.kubernetes.io/managed="kyverno".

Slide 70

Slide 70 text

Operators
The following operators can be used in the conditions of a deny rule:
• Equals
• NotEquals
• In (deprecated)
• AnyIn
• AllIn
• NotIn (deprecated)
• AnyNotIn
• AllNotIn
• GreaterThan
• GreaterThanOrEquals
• LessThan
• LessThanOrEquals
• DurationGreaterThan
• DurationGreaterThanOrEquals
• DurationLessThan
• DurationLessThanOrEquals

Slide 71

Slide 71 text

Writing deny
deny can also be configured to reject all operations on the specified resources.
[Rule] For operations performed with the permissions of a ClusterRole other than cluster-admin, reject all operations on Network Policy resources.
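Both deny rules from these slides as an added example (not the deck's own YAML); the kinds covered by the label selector in the first rule are my choice.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-examples                 # constructed name
spec:
  validationFailureAction: enforce    # deny only blocks in enforce mode
  background: false                   # required: rules look at request.* and roles
  rules:
  # Unless the request is authorised through cluster-admin, DELETE of
  # resources labelled app.kubernetes.io/managed=kyverno is refused.
  # For a DELETE request the object being removed is in request.oldObject.
  - name: protect-kyverno-managed
    match:
      any:
      - resources:
          kinds: [ Deployment, Service, ConfigMap, Secret ]   # my choice of kinds
          selector:
            matchLabels:
              app.kubernetes.io/managed: kyverno
    exclude:
      any:
      - clusterRoles: [ cluster-admin ]
    validate:
      message: "resources managed by kyverno may only be deleted through cluster-admin"
      deny:
        conditions:
          any:
          - key: "{{ request.operation }}"
            operator: Equals
            value: DELETE
  # Every operation on NetworkPolicy is refused unless authorised through
  # cluster-admin; a deny with no conditions always denies.
  - name: lock-network-policies
    match:
      any:
      - resources:
          kinds: [ NetworkPolicy ]
    exclude:
      any:
      - clusterRoles: [ cluster-admin ]
    validate:
      message: "NetworkPolicy changes are restricted to cluster-admin"
      deny: {}
```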

Slide 72

Slide 72 text

Mutate Resources
Used to change parameters of the resources that match a rule. Written under spec.rules[*].mutate.
Rules can be applied using the following:
• RFC 6902 JSONPatch
• Strategic Merge Patch
• foreach

Slide 73

Slide 73 text

RFC 6902 JSONPatch
RFC 6902 JSONPatch uses the JSON Patch format (https://jsonpatch.com/) to address the target and change elements of the resource. Under spec.rules[*].mutate.patchesJson6902 you write path – op – value combinations: path points at the location to change, op is the kind of change, and value is the value to set.
The following three operations are supported for op:
• add
• replace
• remove

Slide 74

Slide 74 text

RFC 6902 JSONPatch
This rule changes the manifest of Pods carrying the label add-tls-secret="true" so that a Secret is inserted as a Volume.
Note that when dealing with arrays, an existing element is referenced by its index and a new element is appended with "-".
path: "/spec/containers/0/volumeMounts/-" → 0 refers to the first container; "-" appends an entry to the volumeMounts array.

Slide 75

Slide 75 text

RFC 6902 JSONPatch
[Example run after writing the rule from the previous page to mutate6902.yaml and applying it]
$ kubectl create secret tls tls-cert --cert=server.crt --key=server.key -n default
$ kubectl apply -f mutate6902.yaml
$ kubectl run nginx-tls --image nginx:alpine -l add-tls-secret="true"
$ kubectl exec -it nginx-tls -- ls /cndt
tls.crt tls.key

Slide 76

Slide 76 text

Strategic Merge Patch
Used to control how elements are merged. Under spec.rules[*].mutate.patchStrategicMerge you write the change in manifest form; the difference is computed and the parameter changes are applied.
As with validate rules, mutate rules can also use anchors. The following anchors are available in mutate rules:
Anchor | Tag | Meaning
Conditional | () | sets an if-condition; the peer elements are changed depending on its result
Add | +() | adds the given key and value if the anchored key does not exist
Global | <() | sets a condition anywhere and applies changes elsewhere

Slide 77

Slide 77 text

Strategic Merge Patch
When a Pod carrying the label cndt-vault-injection: "true" is created, this rule attaches the annotations and the service account needed to place specific secret data registered in Vault inside the Pod in the specified format.
Where you have to write {{ ~~ }}, it must be escaped with \ so that Kyverno does not mistake it for JMESPath, the notation Kyverno uses for writing complex conditions.
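The two mutate rules from the preceding slides as an added example (not the deck's YAML). The Secret name tls-cert, the mount path /cndt, the ServiceAccount cndt and the Vault path secret/cndt/config come from the slides; the Vault role name and the Vault Agent Injector annotation set are assumptions, and the injector itself must be installed for the second rule to have any effect.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-examples               # constructed name
spec:
  rules:
  # RFC 6902: Pods labelled add-tls-secret=true get the tls-cert Secret
  # mounted at /cndt in their first container. An existing array member is
  # addressed by index (containers/0); "-" appends a new member. The
  # ServiceAccount admission plugin has already added the kube-api-access
  # projected volume and its mount before webhooks run, so both arrays exist.
  - name: mount-tls-secret
    match:
      any:
      - resources:
          kinds: [ Pod ]
          selector:
            matchLabels:
              add-tls-secret: "true"
    mutate:
      patchesJson6902: |-
        - op: add
          path: "/spec/volumes/-"
          value:
            name: tls-cert
            secret:
              secretName: tls-cert
        - op: add
          path: "/spec/containers/0/volumeMounts/-"
          value:
            name: tls-cert
            mountPath: /cndt
            readOnly: true
  # Strategic merge: Pods labelled cndt-vault-injection=true get the Vault
  # Agent Injector annotations and the cndt ServiceAccount. +() adds the key
  # only when it is absent, so a Pod that already sets serviceAccountName
  # keeps its own. Vault's {{ }} template syntax is written as \{{ so that
  # Kyverno does not read it as a JMESPath variable.
  - name: inject-vault-secret
    match:
      any:
      - resources:
          kinds: [ Pod ]
          selector:
            matchLabels:
              cndt-vault-injection: "true"
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: cndt    # Vault Kubernetes-auth role (assumed)
            vault.hashicorp.com/agent-inject-secret-cndt-credentials: secret/data/cndt/config
            vault.hashicorp.com/agent-inject-template-cndt-credentials: |
              \{{- with secret "secret/data/cndt/config" -}}
              USERNAME=\{{ .Data.data.username }}
              PASSWORD=\{{ .Data.data.password }}
              \{{- end }}
        spec:
          +(serviceAccountName): cndt
```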

Slide 78

Slide 78 text

Strategic Merge Patch
[Example run after writing the rule from the previous page to strategicMerge.yaml and applying it]
$ vault secrets enable -path=secret kv-v2
$ vault kv put secret/cndt/config username="static-user" password="static-password"
$ vault policy write cndt - <

Slide 79

Slide 79 text

Strategic Merge Patch
[Example run after writing the rule from the previous page to strategicMerge.yaml and applying it]
$ kubectl apply -f strategicMerge.yaml
$ kubectl create sa cndt -n default
$ kubectl run cndt-app --image nginx:alpine -l cndt-vault-injection="true"
$ kubectl exec -it cndt-app -- cat /vault/secrets/cndt-credentials
Defaulted container "cndt-app" out of: cndt-app, vault-agent, vault-agent-init (init)
USERNAME=static-user
PASSWORD=static-password

Slide 80

Slide 80 text

Generate Resources
Used to create additional resources when a new resource is created. Written under spec.rules[*].generate.
The resource to create can be described in one of two ways:
• data: describe the resource to create
• clone: clone an existing resource

Slide 81

Slide 81 text

Generate Resources with data
Under spec.rules[*].generate you write:
• synchronize: synchronization with the source resource
– true: kept in sync; the generated resource cannot be updated or deleted
– false: not synchronized; the generated resource can be updated or deleted directly
• the apiVersion, kind, name and namespace of the resource to generate
• data: the metadata and spec
[Rule] When a Namespace is created, create a Network Policy that denies ingress and egress.

Slide 82

Slide 82 text

Generate Resources with clone
Under spec.rules[*].generate you write:
• synchronize: synchronization with the source resource
– true: kept in sync; the generated resource cannot be updated or deleted
– false: not synchronized; the generated resource can be updated or deleted directly
• the apiVersion, kind, name and namespace of the resource to generate
• clone: the Namespace and name of the resource to clone
[Rule] When a Namespace is created, clone the Secret regsecret from the specified Namespace (default).
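Both generate rules from these slides as an added example (not the deck's own YAML). It assumes Kyverno's ServiceAccount has RBAC permission to create NetworkPolicy and Secret objects, which the generate controller needs.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-examples             # constructed name
spec:
  rules:
  # data: every new Namespace gets a NetworkPolicy that selects all Pods
  # (empty podSelector) and lists both policy types with no allow rules,
  # which denies all ingress and egress until a more specific policy exists.
  - name: default-deny-networkpolicy
    match:
      any:
      - resources:
          kinds: [ Namespace ]
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      namespace: "{{ request.object.metadata.name }}"
      synchronize: true   # Kyverno keeps it in sync; manual edits are reverted
      data:
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
          - Egress
  # clone: the Secret regsecret in the default Namespace is copied into the
  # new Namespace, so Pods there can pull from the private registry.
  - name: clone-registry-secret
    match:
      any:
      - resources:
          kinds: [ Namespace ]
    generate:
      apiVersion: v1
      kind: Secret
      name: regsecret
      namespace: "{{ request.object.metadata.name }}"
      synchronize: true
      clone:
        namespace: default
        name: regsecret
```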

Slide 83

Slide 83 text

Verify Images
Uses Cosign to verify the signatures and attestations of images stored in an OCI registry. This is currently a beta feature and is not recommended for production use. Written under spec.rules[*].verifyImages.

Slide 84

Slide 84 text

Verify Images
Verifies that the images specified under imageReferences are signed with the keys specified under attestors.
A Pod that specifies an unsigned image, or an image signed with a key that is not the counterpart of the specified key, is rejected by this verification.
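An added verifyImages example (not from the slides) using the registry name from the anchor slides; the public key is a placeholder for the cosign.pub that pairs with the key used to sign the images.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-local-registry-images  # constructed name
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: require-cosign-signature
    match:
      any:
      - resources:
          kinds: [ Pod ]
    verifyImages:
    # Only images matching imageReferences are checked; others pass untouched.
    - imageReferences:
      - "my-local-reg.com/*"
      # The image must carry a Cosign signature verifiable with this key.
      # An unsigned image, or one signed with a different key, is rejected.
      attestors:
      - entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              <placeholder: contents of cosign.pub from cosign generate-key-pair>
              -----END PUBLIC KEY-----
```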

Slide 85

Slide 85 text

"The action" summary
• Validate Resources decides whether a resource may be created.
• Mutate Resources changes the parameters of a resource.
• Generate Resources creates another resource tied to the creation of a resource.
• Verify Images checks signatures and similar evidence to confirm the safety of an image.

Slide 86

Slide 86 text

Operating Kyverno

Slide 87

Slide 87 text

Policy reports

Slide 88

Slide 88 text

Policy reports
A policy report is a resource that provides the comparison results for the Validate Resources policies you have applied.
Kyverno creates per-Namespace reports and a cluster-level report using the policy report schema published by the Kubernetes Policy WG.
A result entry is added to the report each time a resource that violates one or more of the applicable rules is created, and it is removed from the report at the same time the resource is deleted.
$ kubectl get polr -A

Slide 89

Slide 89 text

Report targets
What gets reported depends on the values set for validationFailureAction and background.
background: true
validationFailureAction | new resources | existing resources
enforce | None | Report
audit | Report | Report
background: false
validationFailureAction | new resources | existing resources
enforce | None | None
audit | Report | None

Slide 90

Slide 90 text

Report contents
Policy report entries are reported as one of pass, skip, warn, error or fail.
• pass: the resource passed the policy evaluation.
• skip: the Precondition was not met, so no evaluation was run.
• fail: the resource was judged to violate the policy.
• warn: applied when both of the following hold:
– the Policy carries the annotation policies.kyverno.io/scored: "false"
– the resource was judged to violate the policy.
• error: variable substitution inside the rule, outside Preconditions, failed.

Slide 91

Slide 91 text

Monitoring

Slide 92

Slide 92 text

Monitoring
Since version 1.4.0, Kyverno can expose the activity of the applied policies as Prometheus metrics.
When Kyverno is deployed, a Service (kyverno-svc-metrics) is created to publish the metrics.

Slide 93

Slide 93 text

Metric types
The following metrics are provided:
• Policies and Rule Counts
• Policy and Rule Execution
• Policy Rule Execution Latency
• Admission Review Latency
• Admission Requests Counts
• Policy Change Counts


Slide 94

Slide 94 text

Metric types
This session covers three of these: Policies and Rule Counts, Policy and Rule Execution, and Policy Change Counts.


Slide 95

Slide 95 text

Policies and Rule Counts
In addition to all policies currently available in the cluster, this metric also keeps a history of policies, such as those already deleted.
Metric name: kyverno_policy_rule_info_total
Value:
• existing policy = 1
• deleted policy = 0
※ If one policy contains several rules, a metric series is created for each rule.

Slide 96

Slide 96 text

Policies and Rule Counts (several policies)
[Figure: metric values for an existing policy and a deleted policy]

Slide 97

Slide 97 text

Policies and Rule Counts (a policy with several rules)

Slide 98

Slide 98 text

Policy and Rule Execution
This metric records the results of rule evaluations and of background scans.
Metric name: kyverno_policy_results_total
Value: the result associated with the rule

Slide 99

Slide 99 text

Policy and Rule Execution
$ kubectl get pods -n service-stg
$ kubectl get clusterpolicy all-containers-need-requests-and-limits
[Figure: the corresponding Prometheus metric]

Slide 100

Slide 100 text

Policy Change Counts
This metric records the history of all policy changes, such as policy creation, update and deletion.
Metric name: kyverno_policy_changes_total
Value: total number of policy-level changes
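An added example of turning the three metrics above into alerts, written as a Prometheus Operator PrometheusRule; it is not part of the slides. The label names used (policy_name, rule_name, rule_result, policy_validation_mode) follow the Kyverno metrics documentation as I know it and should be confirmed against the kyverno-svc-metrics endpoint; the thresholds are my assumptions.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: kyverno-alerts                # constructed name
  namespace: kyverno
spec:
  groups:
  - name: kyverno
    rules:
    # A policy (or one of its rules) disappeared: each rule of an existing
    # policy reports 1 and a deleted one reports 0, so the sum drops.
    - alert: KyvernoPolicyRuleRemoved
      expr: sum(kyverno_policy_rule_info_total) < sum(kyverno_policy_rule_info_total offset 10m)
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "Fewer Kyverno policy rules than 10 minutes ago"
    # Any policy change (create/update/delete) in the window; compare with
    # the change record before dismissing it.
    - alert: KyvernoPolicyChanged
      expr: increase(kyverno_policy_changes_total[15m]) > 0
      labels:
        severity: info
      annotations:
        summary: "A Kyverno policy was created, updated or deleted"
    # Rules failing in enforce mode mean requests are being blocked; a sudden
    # rise usually means a policy was enforced before its audit phase.
    - alert: KyvernoEnforceFailures
      expr: sum by (policy_name, rule_name) (increase(kyverno_policy_results_total{rule_result="fail", policy_validation_mode="enforce"}[10m])) > 5
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "Kyverno rule {{ $labels.policy_name }}/{{ $labels.rule_name }} is blocking requests"
```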

Slide 101

Slide 101 text

Policy Change Counts
[Figure: metric values right after creation, after the first change and after the second change]

Slide 102

Slide 102 text

"Operating Kyverno" summary
• For Validate Resources, you can consult the policy report to check which resources are in violation.
• Metrics are provided that give information on the policies currently applied, the results of their evaluations, detection of policy changes and so on.

Slide 103

Slide 103 text

Session summary
• With Kyverno you can carry out policy control simply and flexibly.
• You do not need a special language to write policies.
• The state of resources with respect to policies can be checked through policy reports and metrics.
(Tips)
• When applying Validate Resources, set validationFailureAction to audit first, confirm the behaviour is as intended, and then switch to enforce; that way you apply the policy knowing its effect on existing resources.
• In Mutate Resources, when one policy contains several rules, note that they are processed from top to bottom.

Slide 104

Slide 104 text

References
• How to write Kyverno policies
• https://kyverno.io/docs/writing-policies/
• Ways of writing policies not explained in this session, etc.
• Kyverno sample policies
• https://github.com/kyverno/policies
• Best practices, policies conforming to the Pod Security Standards, etc.
• Sample policies for various other external tools are also provided.

Slide 105

Slide 105 text

No content