明日から始められるKyvernoを用いたポリシー制御

Slide 1

Slide 1 text

໌೔͔Β࢝ΊΒΕΔ  KyvernoΛ༻͍ͨϙϦγʔ੍ޚ 2022/11/21 Cloud Native Days Tokyo 2022 15:20 ~ 16:00 Track D Ryotaro Uwatsu

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Copyright © Dell Inc. All Rights Reserved. of Y 7 ϙϦγʔ੍ޚͱ͸ ϙϦγʔ: • (૊৫) ੓ࡦɺํ਑ • (ݸਓ) ͋ͳ͕ͨ৴͡ɺ͋ͳͨͷߦಈʹӨڹΛ༩͑Δݪଇ ex) ʲONE PIECEʳ αϯδ ʮͨͱ͑ࢮΜͰ΋ɺԶ͸ঁ͸ऽΒΜʯͱ͍͏໊ݴ͕͋ΓɺʮঁੑΛઈରʹই͚ͭͳ͍ʯͱ͍͏ϙϦγʔΛ͍࣋ͬͯΔɻ → ͜Ε͸ઈରʹ͠ͳ͍ [Kubernetes] latestλάͷimageΛࢦఆͨ͠Pod͸ઈରʹಈ͔͞ͳ͍

Slide 8

Slide 8 text

Copyright © Dell Inc. All Rights Reserved. of Y 8 ϙϦγʔ੍ޚͱ͸ ϙϦγʔ: • (૊৫) ੓ࡦɺํ਑ • (ݸਓ) ͋ͳ͕ͨ৴͡ɺ͋ͳͨͷߦಈʹӨڹΛ༩͑Δݪଇ ex) ʲONE PIECEʳ αϯδ ʮͨͱ͑ࢮΜͰ΋ɺԶ͸ঁ͸ऽΒΜʯͱ͍͏໊ݴ͕͋ΓɺʮঁੑΛઈରʹই͚ͭͳ͍ʯͱ͍͏ϙϦγʔΛ͍࣋ͬͯΔɻ → ͜Ε͸ઈରʹ͠ͳ͍ [Kubernetes] latestλάͷimageΛࢦఆͨ͠Pod͸ઈରʹಈ͔͞ͳ͍ ϙϦγʔͱ͸ɺݸਓɺνʔϜɺ΋͘͠͸૊৫ͷதͰઃ͚ͨӡ༻্ͷܾΊࣄͰ͋Γɺ ϙϦγʔ੍ޚͱ͸ɺϙϦγʔΛఆΊͨΒɺͦΕΛඞͣकΔΑ͏ʹ͔͠Δ΂͖ΞΫγϣϯΛͱΔ͜ͱͰ͢ɻ

Slide 9

Slide 9 text

Copyright © Dell Inc. All Rights Reserved. of Y 9 Kubernetesʹ͓͚ΔجຊతͳϙϦγʔ੍ޚ KubernetesͰ͸ɺҎԼͷΑ͏ͳϙϦγʔ੍ޚ͕Ͱ͖ΔΑ͏ʹͳ͍ͬͯ·͢ɻ • Network Policy – Ingress(Πϯό΢ϯυ)ɺEgress(Ξ΢τό΢ϯυ)ͷ੍ޚΛ͢Δɻ • Pod Security Admission – Pod Security StandardsΛجʹɺ࡞੒Ͱ͖ΔϫʔΫϩʔυϦιʔεΛ੍ݶ͢Δɻ • Resource Quota – Namespace͝ͱͷ૯ϦιʔεফඅྔΛ੍ݶ͢Δɻ • etc…

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Copyright © Dell Inc. All Rights Reserved. of Y 11 Kyverno Kyverno͸KubernetesΫϥελʔ಺ͰɺDynamic Admission Controllerͱ࣮ͯ͠ߦ͞ΕΔϙϦγʔΤϯδϯͰ͢ɻ kube-apiserver͔ΒAdmission WebhookΛड͚औΓɺఆٛͨ͠ϙ Ϧγʔʹج੍͍ͮͯޚΛ࣮ߦ͠·͢ɻ Custom ResourceΛ༻͍ͯɺKubernetesͷϚχϑΣετϕʔεͰ ϙϦγʔΛద༻Ͱ͖ΔͨΊɺֶशίετ͕ͱͯ΋௿͘ͳ͍ͬͯ ·͢ɻ όʔδϣϯ: 1.8.0 https://github.com/kyverno/kyverno

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Copyright © Dell Inc. All Rights Reserved. of Y 13 Dynamic Admission Control Authentication Authorization Mutating Admission Object Schema Admission Validating Admission Persist data to etcd Webhook Webhook Webhook Webhook Kyverno

Slide 14

Slide 14 text

Copyright © Dell Inc. All Rights Reserved. of Y 14 Mutating ͱ Validating Mutating: ͋Δ৚݅Λجʹɺ࡞੒͠Α͏ͱ͍ͯ͠ΔϦιʔεͷύϥϝʔλʹมߋΛՃ͑·͢ɻ ex) sidecar.istio.io/inject: trueͱ͍͏ϥϕϧͷ෇͘PodʹɺEnvoyΛαΠυΧʔͱͯ͠௥Ճ͢Δɻ Validating: ࡞੒͠Α͏ͱ͍ͯ͠ΔϦιʔε͕ɺ࡞੒ͯ͠ྑ͍͔൱͔Λ৚݅ʹج͍ͮͯ൑அ͠·͢ɻ ex) allowed-by-kyverno: trueͱ͍͏ϥϕϧ͕෇͍ͨPodͷΈ࡞੒ͯ͠Α͍ɻ ຊ൪ະ࢖༻

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Copyright © Dell Inc. All Rights Reserved. of Y 16 KyvernoͷΠϯετʔϧ Kyverno ͸ɺHelm΋͘͠͸YAMLϚχϑΣετ͔ΒσϓϩΠ͢Δ͜ͱ͕Ͱ͖·͢ɻ [ຊ൪؀ڥ] helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=3 [ݕূ؀ڥ] helm install kyverno kyverno/kyverno -n kyverno --create-namespace ຊ൪ະ࢖༻

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Copyright © Dell Inc. All Rights Reserved. of Y 19 ͜͜·Ͱͷ؆୯ͳ·ͱΊ • ϙϦγʔ͸ɺӡ༻্ͷܾΊࣄͰ͋Γɺ͜ΕΛकΔͨΊʹ͔͠Δ΂͖ߦಈΛͱΔ͜ͱ͕ϙϦ γʔ੍ޚͰ͢ɻ • Kyverno͸ɺkube-apiserver͕Ϧιʔεͷ੍ޚΛ͢ΔࡍͷWebhookͷ౤͛ઌͰ͢ɻ • Kyverno͸ɺWebhookΛड͚औͬͨࡍʹɺϙϦγʔʹج͍ͮͨΞΫγϣϯΛͱΓ·͢ɻ ຊ൪ະ࢖༻

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Copyright © Dell Inc. All Rights Reserved. of Y 21 KyvernoʹΑΔϙϦγʔͷద༻ KyvernoΛ༻͍ͯϙϦγʔΛద༻͢Δࡍʹ༻͍ΔϦιʔε͸2ͭ͋Γ·͢ɻ 1. Cluster Policy: ΫϥελʔશମʹϙϦγʔΛద༻͢Δࡍʹ༻͍Δɻ 2. Policy: Namespace಺ʹดͨ͡ϙϦγʔΛద༻͢Δࡍʹ༻͍Δɻ ஫ҙ఺ͱͯ͠͸ɺϙϦγʔؒͰͷॱংੑ͕ଘࡏ͠ͳ͍ͨΊɺෳ਺ͷϙϦγʔΛ૊Έ߹Θͤͨϧʔ ϧͷ֦ு͔͠Ͱ͖·ͤΜɻ ͢ͳΘͪPolicyؒͰͷ্ॻ͖͕Ͱ͖ͳ͍ͷͰɺCluster PolicyͰݫ͠ΊͷPolicyΛઃఆ͓͍ͯͯ͠ɺ ͋ΔNamespaceʹ͓͍ͯ͸PolicyΛ༻੍͍ͯݶΛ؇ΊΔͱ͍͏͜ͱ͕Ͱ͖·ͤΜɻ

Slide 22

Slide 22 text

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

Slide 26

Slide 26 text

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Slide 29

Slide 29 text

Slide 30

Slide 30 text

Copyright © Dell Inc. All Rights Reserved. of Y 30 ର৅ͷࢦఆํ๏ ର৅Λબఆ͢Δʹ͋ͨΓɺҎԼͷࢦఆ߲໨Λ༻͍Δ͜ͱ͕Ͱ͖·͢ɻ • resources: – kind(Deployment, Pod, ServiceͳͲ)Λඞਢ߲໨ͱͯ͠ࢦఆ͢Δɻ – Ϧιʔε໊ɺNamespaceɺ Ξϊςʔγϣϯɺϥϕϧ౳ࢦఆ͠ɺ໌֬ʹର৅Λࢦఆ͢Δ͜ͱ͕Ͱ͖Δɻ • subjects: – User, Group, Service AccountΛࢦఆ͢Δɻ • roles/clusterRoles: – Role΋͘͠͸Cluster RoleΛࢦఆ͢Δɻ

Slide 31

Slide 31 text

Copyright © Dell Inc. All Rights Reserved. of Y 31 ର৅ͷࢦఆํ๏ ҎԼͷྫͰ͸ɺ User(cndt-admin)΋͘͠͸Cluster Role(cluster-admin)ʹΑͬͯ࡞੒͞ΕͨϦιʔεΛআ͖ɺ ϥϕϧʹapp=criticalΛ࣋ͭPod ͕ର৅ͱͳΓ·͢ɻ apiVersion: v1 kind: Pod metadata: name: test1 labels: app: critical apiVersion: v1 kind: Pod metadata: name: test1 labels: app: critical apiVersion: v1 kind: Pod metadata: name: test1 labels: app: critical User: John ClusterRole: cluster-admin User: cndt-admin ClusterRole: admin User: ry ClusterRole: admin ର৅֎ ର৅

Slide 32

Slide 32 text

Copyright © Dell Inc. All Rights Reserved. of Y 32 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector

Slide 33

Slide 33 text

Copyright © Dell Inc. All Rights Reserved. of Y 33 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] શDeploymentϦιʔε

Slide 34

Slide 34 text

Copyright © Dell Inc. All Rights Reserved. of Y 34 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] testͱ͍͏໊લͷDeploymentϦιʔε

Slide 35

Slide 35 text

Copyright © Dell Inc. All Rights Reserved. of Y 35 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷϥϕϧΛ࣋ͭDeploymentϦιʔε

Slide 36

Slide 36 text

Copyright © Dell Inc. All Rights Reserved. of Y 36 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷϥϕϧΛ࣋ͭDeploymentϦιʔε

Slide 37

Slide 37 text

Copyright © Dell Inc. All Rights Reserved. of Y 37 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷΞϊςʔγϣϯΛ࣋ͭDeploymentϦιʔε

Slide 38

Slide 38 text

Copyright © Dell Inc. All Rights Reserved. of Y 38 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷNamespaceʹ͓͚ΔDeploymentϦιʔε

Slide 39

Slide 39 text

Copyright © Dell Inc. All Rights Reserved. of Y 39 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷNamespaceʹ͓͚ΔDeploymentϦιʔε

Slide 40

Slide 40 text

Copyright © Dell Inc. All Rights Reserved. of Y 40 resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷNamespaceʹ͓͍ͯɺ ࢦఆͨ͠ϥϕϧΛ࣋ͭDeployment ຊ൪ະ࢖༻

Slide 41

Slide 41 text

Copyright © Dell Inc. All Rights Reserved. of Y 41 resourcesʹ͓͚ΔࢦఆϑΥʔϚοτ resourcesͷkindͰ͸ɺҎԼͷϑΥʔϚοτΛαϙʔτ͍ͯ͠·͢ɻ • Group/Version/Kind • Version/Kind • Kind ͜Ε͸ɺྫ͑͹Network PolicyʹΛࢦఆ͢Δࡍʹɺಉ͡Ϧιʔε໊Λ࣋ͭΑ͏ͳ΋ͷ͕ෳ਺ଘࡏ͢Δ ৔߹ͳͲʹ༗ޮͰ͢ɻ (Kubernetes) apiVersion: networking.k8s.io/v1   kind: NetworkPolicy (Calico) apiVersion: projectcalico.org/v3   kind: NetworkPolicy ຊ൪ະ࢖༻

Slide 42

Slide 42 text

Slide 43

Slide 43 text

Copyright © Dell Inc. All Rights Reserved. of Y 43 Preconditions Preconditions͸ɺϧʔϧΛద༻͢ΔλΠϛϯάΛΑΓࡉ੍͔͘ޚͨΊʹ༻͍·͢ɻ AdmissionReviewΛࢀর͠ɺPreconditionsʹهड़ͨ͠ϧʔϧΛجʹɺKyvernoʹΑΔϙϦγʔ ੍ޚΛ࣮ࢪ͢Δ͔Ͳ͏͔Λ൑அ͠·͢ɻ rules[*].preconditionsΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ match΍excludeͱಉ༷ʹɺany ΋͘͠͸ all ͷԼʹϧʔϧΛهड़͠·͢ɻ

Slide 44

Slide 44 text

Copyright © Dell Inc. All Rights Reserved. of Y 44 AdmissionReview Dynamic Admission ControlͷதͰɺWebbookΛඈ͹͢ࡍɺ Ϧιʔεʹର͢Δ༷ʑͳ৘ใΛૹ৴͢ΔͨΊʹ༻͍Δͷ͕ɺ AdmissionReviewͰ͢ɻ ࠓճͷૢ࡞͕ͲͷΑ͏ͳ͜ͱΛ͠Α͏ͱ͍ͯ͠Δͷ͔Λࣔ͢ request.operation(CREATE, UPDATE, DELETE, CONNECT)΍ɺ ૢ࡞ର৅ͷϦιʔεͷύϥϝʔλ͕֨ೲ͞Ε͍ͯΔ request.object ͳͲͷ৘ใؚ͕·Ε͍ͯ·͢ɻ

Slide 45

Slide 45 text

Copyright © Dell Inc. All Rights Reserved. of Y 45 Preconditions Example spec.rules.preconditions.(any/all)[*]ԼͰɺ key – operator – value ͷ૊Έ߹ΘͤΛ༻͍ ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ͜ͷྫͰ͸ɺ࡞੒΋͘͠͸ߋ৽ͷ৔߹ʹɺର ৅͕PodͰ͋Ε͹ϙϦγʔ੍ޚΛ࣮ࢪ͢Δͱ ͍͏ڍಈΛ͠·͢ɻ

Slide 46

Slide 46 text

Copyright © Dell Inc. All Rights Reserved. of Y 46 ԋࢉࢠ Preconditionsʹ͓͍ͯهड़͢Δԋࢉࢠʹ͸ɺҎԼΛઃఆ͢Δ͜ͱ͕Ͱ͖·͢ɻ • Equals • NotEquals • In (deprecated) • AnyIn • AllIn • NotIn (deprecated) • AnyNotIn • AllNotIn • GreaterThan • GreaterThanOrEquals • LessThan • LessThanOrEquals • DurationGreaterThan • DurationGreaterThanOrEquals • DurationLessThan • DurationLessThanOrEquals

Slide 47

Slide 47 text

Copyright © Dell Inc. All Rights Reserved. of Y 47 “ର৅ͷܾఆ” ͷ·ͱΊ • MatchΛ༻͍ͯɺϙϦγʔ੍ޚΛ࣮ߦ͢Δର৅Λࢦఆ͠·͢ɻ • ExcludeΛ༻͍ͯɺର৅ͷϦιʔεʹରͯ͠ྫ֎Λ࡞Γ·͢ɻ • PreconditionsΛ༻͍Δ͜ͱͰɺલఏ৚݅ΛઃఆͰ͖·͢ɻ • ϧʔϧʹରͯ͠ɺany(OR) ΋͘͠͸ all(AND) Λ༻͍ͯ഑ྻߏ଄ͰࢦఆΛ͠·͠ΐ͏ɻ

Slide 48

Slide 48 text

Slide 49

Slide 49 text

Slide 50

Slide 50 text

Copyright © Dell Inc. All Rights Reserved. of Y 50 Validate Resources Ϣʔβʔ·ͨ͸ϓϩηεʹΑͬͯ৽͍͠Ϧιʔε͕࡞੒͞ΕΔ৔߹ʹɺͦͷϦιʔεΛ࡞੒͠ ͯΑ͍͔൱͔Λ൑அ͢ΔͨΊʹ༻͍·͢ɻ spec.rules[*].validateΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ϧʔϧʹҧ൓͢ΔϦιʔεʹର͢Δڍಈ͸spec.validationFailureActionʹΑ੍ͬͯޚ͢Δ͜ͱ ͕ՄೳͰ͢ɻ • enforce – ϧʔϧʹҧ൓ͨ͠৔߹ɺ࡞੒ΛϒϩοΫ͢Δɻ • audit – ϧʔϧʹҧ൓ͨ͠৔߹ʹ࡞੒͸ڐՄ͢Δɻ – ϙϦγʔϨϙʔτʹҧ൓͢ΔϦιʔεͱͯ͠ه࿥͢Δɻ

Slide 51

Slide 51 text

Copyright © Dell Inc. All Rights Reserved. of Y 51 Validate Resources Example spec.rules[*].validate.patternԼͰɺ ର৅Ϧιʔεʹ͓͚Δ࠷্Ґͷ metadata΋͘͠͸specԼΛهड़͠ɺ ݕূϧʔϧΛઃఆ͠·͢ɻ nginx-with-label͸ɺࢦఆ͞Εͨϥϕϧ Λ͍࣋ͬͯΔͨΊ࡞੒͕ڐՄ͞Εɺ nginx-without-label͸ɺࢦఆͨ͠ϥϕϧ Λ࣋ͨͳ͍ͨΊ࡞੒͕ڋ൱͞Ε·͢ɻ [࣮ߦ݁Ռ]

Slide 52

Slide 52 text

Copyright © Dell Inc. All Rights Reserved. of Y 52 validationFailureActionOverrides ClusterPolicyͰͷvalidationʹݶΓɺ validationFailureActionOverridesΛ༻ ͍ͯɺNamespaceΛࢦఆ͠ɺݸʑʹ FailuerAction(audit, enforce)Λઃఆ͢ Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ લͷεϥΠυͰɺ࡞੒͕ڋ൱͞Εͨ Pod͕Namespace(no-label)ʹ͓͍ͯ ࡞੒͞Εͨ͜ͱ͕֬ೝͰ͖·͢ɻ [࣮ߦ݁Ռ]

Slide 53

Slide 53 text

Slide 54

Slide 54 text

Slide 55

Slide 55 text

Copyright © Dell Inc. All Rights Reserved. of Y 55 patternͷهड़ํ๏ patternͰ͸ɺmetadata΋͘͠͸specԼΛهड़ ͠ɺϦιʔεͷ৘ใͱൺֱ͢Δ͜ͱͰݕূΛ࣮ ࢪ͠·͢ɻ ͜ͷྫͰ͸ɺDeploymentͷspecԼΛهड़ͯ͠ɺ DeploymentʹΑͬͯੜ੒͞ΕΔPodʹ͓͍ͯɺ ϥϕϧʹʮpermitted-by-kyverno=“true”ʯ͕͋Δ ͜ͱΛඞਢ৚݅ͱ͍ͯ͠·͢ɻ

Slide 56

Slide 56 text

Slide 57

Slide 57 text

Slide 58

Slide 58 text

Slide 59

Slide 59 text

Copyright © Dell Inc. All Rights Reserved. of Y 59 ԋࢉࢠ $ kubectl create deploy not-enough-replica \ --replicas=2 --image nginx:alpine [਺஋ൺֱ] ԋࢉࢠ ҙຯ > ΑΓେ͖͍ < ະຬ >= Ҏ্ <= ҎԼ ! ࢦఆ஋ͱ౳͘͠ͳ͍ | OR & AND - ൣғ಺ !- ൣғ֎

Slide 60

Slide 60 text

Slide 61

Slide 61 text

Slide 62

Slide 62 text

Copyright © Dell Inc. All Rights Reserved. of Y 62 ΞϯΧʔ [() ΞϯΧʔ] ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ [৚݅] (৚݅: specԼ, ϐΞ: metadata) spec.volumes.hostPath͕ఆٛ͞Εɺpath͕/var/logͩͬͨ ৔߹ʹɺmetadata.labelsʹͯɺallow-log-hostpath: “true”͕ ࢦఆ͞Ε͍ͯͳ͚Ε͹ͳΒͳ͍ɻ

Slide 63

Slide 63 text

Copyright © Dell Inc. All Rights Reserved. of Y 63 ৚݅෇͖ΞϯΧʔʹ͍ͭͯ ৚݅෇͖ΞϯΧʔ͸ɺPeerཁૉʹରͯ͠ͷ৚݅෇͚ͷͨ Ίɺຊདྷͷಈ͖ͱͯ͠͸ɺPeerཁૉͷ֎ʹ͍Δ΋ͷʹؔ͠ ͯ͸ɺΞϯΧʔ෇͖ͷཁૉͷධՁʹӨڹΛड͚·ͤΜɻ Ver1.8.0࣌఺Ͱ͸ɺ͜ͷྫͷΑ͏ʹɺPeerཁૉͰͳ͍΋ͷ ʹؔͯ͠΋ɺϧʔϧʹҰக͠ͳ͍ʹ΋ؔΘΒͣɺΞϯΧʔ ཁૉ͕Ұக͠ͳ͍ࣄʹӨڹΛड͚ɺධՁ͕εΩοϓ͞Εͯ ͠·͏ͷͰ஫ҙΛ͍ͯͩ͘͠͞ɻ ※ ݱঢ়issueΛ։͍ͯରԠΛ͍͍͍ͯͨͩͯ͠·͢ɻ

Slide 64

Slide 64 text

Copyright © Dell Inc. All Rights Reserved. of Y 64 ΞϯΧʔ [=() ΞϯΧʔ] [৚݅] spec.volumes.hostPath͕ఆٛ͞Ε͍ͯͨ৔߹ʹɺ path͕ /proc ٴͼ /sys Ͱ͋ͬͯ͸ͳΒͳ͍ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

Slide 65

Slide 65 text

Copyright © Dell Inc. All Rights Reserved. of Y 65 ΞϯΧʔ [^() ΞϯΧʔ] [৚݅] PodΛ࡞੒͢Δ৔߹ʹɺlivenessProveΛઃఆͨ͠ίϯςφ Λগͳ͘ͱ΋1ؚͭ·ͳͯ͘͸ͳΒͳ͍ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

Slide 66

Slide 66 text

Copyright © Dell Inc. All Rights Reserved. of Y 66 ΞϯΧʔ [X() ΞϯΧʔ] [৚݅] no-ephemeral=“true”ͱ͍͏ϥϕϧΛ࣋ͭPodʹؔͯ͠ɺ ΤϑΣϝϥϧίϯςφͷ࡞੒Λڋ൱͢Δɻ ※ ஋ʹ͸ “null” Λ༻͍Δ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

Slide 67

Slide 67 text

Copyright © Dell Inc. All Rights Reserved. of Y 67 ΞϯΧʔ [<() ΞϯΧʔ] [৚݅] my-local-reg.com͔Βऔಘ͢ΔΠϝʔδΛ࢖͏ίϯςφ͕͋ Δ৔߹ʹɺmy-registry-secretΛimagePullSecretͱͯ͠࢖Θͳ ͯ͘͸ͳΒͳ͍ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

Slide 68

Slide 68 text

Copyright © Dell Inc. All Rights Reserved. of Y 68 anyPatternͷهड़ํ๏ anyPatternΛ༻͍Δ͜ͱͰɺෳ਺ͷpatternΛఆٛ ͢Δ͜ͱ͕Ͱ͖·͢ɻ ͜ͷྫͰ͸ɺPodશମʹରͯ͠securityContextsΛ ઃఆ͢Δ͔ɺ֤ίϯςφ(container, init container, ephemeral container)ʹରͯ͠securityContextΛ ઃఆ͢Δ͜ͱΛڧ੍͠·͢ɻ

Slide 69

Slide 69 text

Copyright © Dell Inc. All Rights Reserved. of Y 69 denyͷهड़ํ๏ denyͰ͸ɺهड़ͨ͠Ұ࿈ͷ৚݅ʹج͍ͮͯ ཁٻΛڋ൱͍ͨ͠৔߹ʹ༻͍·͢ɻ ৚݅͸ɺ௨ৗdeny.conditionsԼͰɺany΋͠ ͘͸allΛࢦఆ͠ɺkey – operator – value ͷ ૊Έ߹ΘͤΛ༻͍ͯهड़͍͖ͯ͠·͢ɻ denyΛ༻͍Δ৔߹validationFailureAction Λenforceʹ͢Δඞཁ͕͋Γ·͢ɻ [ϧʔϧ] ClusterRole(cluster-adminҎ֎)ͷݖݶʹΑΔૢ࡞ʹ͓͍ͯɺ app.kubernetes.iomanaged=“kyverno” ͱ͍͏ϥϕϧΛ΋ͭϦιʔε΁ͷ࡟আૢ࡞Λڋ൱͢Δɻ

Slide 70

Slide 70 text

Copyright © Dell Inc. All Rights Reserved. of Y 70 ԋࢉࢠ denyʹ͓͍ͯɺconditions಺Ͱهड़͢Δԋࢉࢠʹ͸ɺҎԼΛઃఆ͢Δ͜ͱ͕Ͱ͖·͢ɻ • Equals • NotEquals • In (deprecated) • AnyIn • AllIn • NotIn (deprecated) • AnyNotIn • AllNotIn • GreaterThan • GreaterThanOrEquals • LessThan • LessThanOrEquals • DurationGreaterThan • DurationGreaterThanOrEquals • DurationLessThan • DurationLessThanOrEquals

Slide 71

Slide 71 text

Slide 72

Slide 72 text

Copyright © Dell Inc. All Rights Reserved. of Y 72 Mutate Resources ϧʔϧʹҰகͨ͠Ϧιʔεʹରͯ͠ɺύϥϝʔλʹมߋΛՃ͑Δࡍʹ༻͍·͢ɻ spec.rules[*].mutateΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ҎԼͷ߲໨Λ༻͍ͯϧʔϧΛద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ • RFC 6902 JSONPatch • Strategic Merge Patch • Foreach

Slide 73

Slide 73 text

Copyright © Dell Inc. All Rights Reserved. of Y 73 RFC 6902 JSONPatch RFC 6902 JSONPatch͸ɺJSON Patch(https://jsonpatch.com/)ϑΥʔϚοτΛ༻͍ͯର৅Λܾఆ͠ɺ ϦιʔεͷཁૉʹมߋΛՃ͑Δࡍʹ༻͍·͢ɻ spec.rules[*].mutate.patchesJson6902ԼͰɺpath – op – value ͷ૊Έ߹ΘͤΛ༻͍ͯهड़͠·͢ɻ pathʹ͸มߋΛՃ͍͑ͨ৔ॴΛࢦఆ͠ɺopʹ͸ͦͷมߋͷڍಈΛɺvalueʹ͸มߋ࣌ͷ஋ΛೖΕ·͢ɻ opʹ͸ɺҎԼͷ3ͭͷૢ࡞ํ๏͕αϙʔτ͞Ε͍ͯ·͢ɻ • add • replace • remove

Slide 74

Slide 74 text

Copyright © Dell Inc. All Rights Reserved. of Y 74 RFC 6902 JSONPatch ͜ͷϧʔϧͰ͸ɺadd-tls-secret=“true”ͱ͍͏ ϥϕϧΛ࣋ͭPodʹର͠ɺSecretΛVolumeͱ ͯ͠ૠೖ͢ΔΑ͏manifestʹมߋΛ͠·͢ɻ ஫ҙ఺ͱͯ͠ɺ഑ྻߏ଄Λѻ͏৔߹ɺطଘ஋ ͷࢀর͸ΠϯσοΫεɺ৽ن௥Ճ͸”-”Λ࢖ͬ ͯදݱ͠·͢ɻ path: "/spec/containers/0/volumeMounts/-" 1ͭΊͷίϯςφΛࢀর volumeMountsʹ ഑ྻߏ଄ͰσʔλΛ௥Ճ

Slide 75

Slide 75 text

Copyright © Dell Inc. All Rights Reserved. of Y 75 RFC 6902 JSONPatch [લϖʔδͷϧʔϧΛmutete6902.yamlʹهड़͠ద༻ͨ͠ࡍͷ࣮ߦྫ] $ kubectl create secret tls tls-cert --cert=server.crt --key=server.key -n default $ kubectl apply -f mutate6902.yaml $ kubectl run nginx-tls --image nginx:alpine -l add-tls-secret="true" $ kubectl exec -it nginx-tls -- ls /cndt tls.crt tls.key

Slide 76

Slide 76 text

Copyright © Dell Inc. All Rights Reserved. of Y 76 Strategic Merge Patch ཁૉͷϚʔδಈ࡞Λ੍ޚ͢ΔͨΊʹ༻͍ΒΕ·͢ɻ spec.rules[*].mutate.patchStrategicMergeԼʹɺϚχϑΣετͷܗࣜͰهड़ͨ͠΋ͷΛ༻͍ ͯɺࠩ෼ͷൺֱΛ͠ύϥϝʔλͷมߋΛద༻͠·͢ɻ validateϧʔϧಉ༷ʹɺmutateʹ͓͍ͯ΋ΞϯΧʔΛ࢖੍ͬͨޚ΋Մೳͱͳ͍ͬͯ·͢ɻ mutateϧʔϧʹ͓͍ͯɺҎԼͷΞϯΧʔ͕࢖༻Մೳͱͳ͍ͬͯ·͢ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () if৚݅Λઃఆ͠ɺpeerཁૉ͸ͦͷ݁ՌʹมߋͷӨڹΛड͚Δ ௥Ճ +() ΞϯΧʔΛ෇༩ͨ͠Ωʔ͕ଘࡏ͠ͳ͍৔߹ʹɺઃఆͨ͠Ωʔٴͼ஋Λ௥ Ճ͢Δ άϩʔόϧ <() ೚ҙͷ৔ॴʹ৚݅Λઃఆ͠ɺͦͷ΄͔ͷՕॴʹมߋΛՃ͑Δ

Slide 77

Slide 77 text

Copyright © Dell Inc. All Rights Reserved. of Y 77 Strategic Merge Patch ͜ͷϧʔϧͰ͸ɺcndt-vault-injection: “true” ͱ͍͏ϥϕϧΛ࣋ͭPod͕࡞੒͞Εͨࡍʹɺ Vaultʹొ࿥Λͨ͠ಛఆͷγʔΫϨοτσʔλΛɺ Pod಺ʹࢦఆͷϑΥʔϚοτͰ഑ஔ͢ΔͨΊͷ ΞϊςʔγϣϯͱαʔϏεΞΧ΢ϯτΛ෇༩ͯ͠ ͍·͢ɻ {{ ~~ }} Λ༻͍ͨهड़Λ͠ͳ͚Ε͹ͳΒͳ͍৔߹ɺ Kyvernoʹ͓͍ͯɺෳࡶͳ৚݅Λهड़͢Δࡍʹ ༻͍ΔJMESPathͱ͍͏ه๏ͱޡೝ͞Εͳ͍Α͏ ʹɺ\Λ༻͍ͯΤεέʔϓͤ͞Δඞཁ͕͋Γ·͢ɻ

Slide 78

Slide 78 text

Copyright © Dell Inc. All Rights Reserved. of Y 78 Strategic Merge Patch [લϖʔδͷϧʔϧΛstrategicMerge.yamlʹهड़͠ద༻ͨ͠ࡍͷ࣮ߦྫ] $ vault secrets enable -path=secret kv-v2 $ vault kv put secret/cndt/config username="static-user" password="static-password" $ vault policy write cndt - <

Slide 79

Slide 79 text

Copyright © Dell Inc. All Rights Reserved. of Y 79 Strategic Merge Patch [લϖʔδͷϧʔϧΛstrategicMerge.yamlʹهड़͠ద༻ͨ͠ࡍͷ࣮ߦྫ] $ kubectl apply –f strategicMerge.yaml $ kubectl create sa cndt -n default $ kubectl run cndt-app --image nginx:alpine -l cndt-vault-injection="true“ $ kubectl exec -it cndt-app -- cat /vault/secrets/cndt-credentials Defaulted container "cndt-app" out of: cndt-app, vault-agent, vault-agent-init (init) USERNAME=static-user PASSWORD=static-password

Slide 80

Slide 80 text

Copyright © Dell Inc. All Rights Reserved. of Y 80 Generate Resources ৽͍͠Ϧιʔε͕࡞੒͞Εͨࡍɺ௥ՃͷϦιʔεΛ࡞੒͢Δ৔߹ʹ༻͍·͢ɻ spec.rules[*].generateΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ࡞੒͢ΔϦιʔεͷ৘ใΛɺҎԼͷ2ͭΛ༻͍ͯهड़͢Δ͜ͱ͕Ͱ͖·͢ɻ • data: ࡞੒͢ΔϦιʔεͷ৘ใΛهड़͢Δ • clone: طʹଘࡏ͢ΔϦιʔεΛΫϩʔϯ͢Δ

Slide 81

Slide 81 text

Copyright © Dell Inc. All Rights Reserved. of Y 81 Generate Resources with data spec.rules[*].generateԼͰ͸ɺҎԼΛهड़͠ ·͢ɻ • synchronize: ιʔεϦιʔεͱͷಉظ – true: ಉظΛ͠ɺߋ৽΍࡟আ͕Ͱ͖ͳ͍ – false: ಉظ͸ͤͣɺੜ੒͞ΕͨϦιʔεΛ௚ ઀ߋ৽·ͨ͸࡟আͰ͖Δ • ੜ੒͢ΔϦιʔεͷapiVersion, kind, name, namespace • data: metadataٴͼspecΛهड़ [ϧʔϧ] Namespace࡞੒࣌ʹɺIngressͱEgressΛڋ൱͢Δ Network PolicyΛ࡞੒͢Δɻ

Slide 82

Slide 82 text

Copyright © Dell Inc. All Rights Reserved. of Y 82 Generate Resources with clone spec.rules[*].generateԼͰ͸ɺҎԼΛهड़͠ ·͢ɻ • synchronize: ιʔεϦιʔεͱͷಉظ – true: ಉظΛ͠ɺߋ৽΍࡟আ͕Ͱ͖ͳ͍ – false: ಉظ͸ͤͣɺੜ੒͞ΕͨϦιʔεΛ௚ ઀ߋ৽·ͨ͸࡟আͰ͖Δ • ੜ੒͢ΔϦιʔεͷapiVersion, kind, name, namespace • clone: NamespaceٴͼϦιʔε໊Λهड़ [ϧʔϧ] Namespace࡞੒࣌ʹɺࢦఆͨ͠Namespace(default) ʹଘࡏ͢ΔSecret(regsecret)ΛΫϩʔϯ͢Δɻ

Slide 83

Slide 83 text

Slide 84

Slide 84 text

Copyright © Dell Inc. All Rights Reserved. of Y 84 Verify Images imageReferencesʹ͓͍ͯࢦఆ͞Ε͍ͯ ΔΠϝʔδ͕ɺattestorsԼͰࢦఆ͞Ε͍ͯ ΔΩʔΛ༻͍ͯॺ໊͕͞Ε͍ͯΔͱ͍͏ ͜ͱΛݕূ͠·͢ɻ ॺ໊Λ͞Ε͍ͯͳ͍Πϝʔδٴͼɺࢦఆ ͨ͠ΩʔͱରͰ͸ͳ͍ΩʔʹΑͬͯॺ໊ ͞ΕͨΠϝʔδΛࢦఆͨ͠Pod͕ɺ͜ͷݕ ূʹΑͬͯڋ൱͞ΕΔ͜ͱʹͳΓ·͢ɻ

Slide 85

Slide 85 text

Copyright © Dell Inc. All Rights Reserved. of Y 85 “ΞΫγϣϯ” ͷ·ͱΊ • Validate ResourcesͰ͸ɺϦιʔεΛ࡞੒ͯ͠Α͍͔൱͔Λ൑அ͠·͢ɻ • Mutating ResourcesͰ͸ɺϦιʔεʹରͯ͠ύϥϝʔλͷมߋΛ࣮ࢪ͠·͢ɻ • Generate ResourcesͰ͸ɺ͋ΔϦιʔεͷ࡞੒ʹඥ͍ͮͯɺผϦιʔεΛ࡞੒͠·͢ɻ • Verify ImageͰ͸ɺΠϝʔδͷ҆શੑΛ֬ೝ͢ΔͨΊʹॺ໊౳Λ֬ೝ͠·͢ɻ

Slide 86

Slide 86 text

Slide 87

Slide 87 text

Slide 88

Slide 88 text

Copyright © Dell Inc. All Rights Reserved. of Y 88 ϙϦγʔϨϙʔτ ϙϦγʔϨϙʔτ͸ɺద༻ͨ͠validate ResourcesϙϦγʔʹରͯ͠ɺൺֱ݁ՌΛఏڙ͢ΔϦ ιʔεͰ͢ɻ Kyverno͸ɺNamespace͝ͱͷϨϙʔτ͓ΑͼΫϥελʔϨϕϧͷϨϙʔτΛɺKubernetes Policy WGʹΑͬͯൃߦ͞ΕͨϙϦγʔϨϙʔτεΩʔϚΛ༻͍ͯ࡞੒͠·͢ɻ ݁ՌΤϯτϦ͸ɺ֘౰͢Δϧʔϧʹର͠ 1 ͭҎ্ͷϧʔϧʹҧ൓͢ΔϦιʔε͕࡞੒͞ΕΔͨ ͼʹϨϙʔτʹ௥Ճ͞ΕɺϦιʔε͕࡟আ͞ΕΔͱɺಉ࣌ʹϨϙʔτ͔Βফڈ͞Ε·͢ɻ $ kubectl get polr -A

Slide 89

Slide 89 text

Copyright © Dell Inc. All Rights Reserved. of Y 89 Ϩϙʔτର৅ ର৅ͱͯ͠͸ɺvalidationFailureActionٴͼbackgroundʹ͓͍ͯઃఆͨ͠஋ʹґଘ͠·͢ɻ Background: true Background: false ৽͍͠Ϧιʔε طଘͷϦιʔε validationFailureAction: enforce None Report validationFailureAction: audit Report Report ৽͍͠Ϧιʔε طଘͷϦιʔε validationFailureAction: enforce None None validationFailureAction: audit Report None

Slide 90

Slide 90 text

Copyright © Dell Inc. All Rights Reserved. of Y 90 Ϩϙʔτ಺༰ ϙϦγʔϨϙʔτͷΤϯτϦʹ͸ɺpassɺskipɺwarnɺerrorɺͦͯ͠failͷ͍ͣΕ͔Ͱใࠂ͞Ε·͢ɻ • pass: ϙϦγʔʹର͢ΔධՁΛ௨աͨ͠Ϧιʔεɻ • skip: Preconditionͷ৚݅Λຬͨͣ͞ɺධՁ͕࣮ߦ͞Εͳ͔ͬͨ΋ͷɻ • fail: ϙϦγʔʹର͢ΔධՁʹରͯ͠ɺҧ൓͍ͯ͠ΔͱΈͳ͞Εͨ΋ͷɻ • warn: ҎԼͷ2ͭͷ৚݅Λຬͨͨ͠৔߹ʹద༻͞ΕΔɻ – PolicyͷΞϊςʔγϣϯʹ policies.kyverno.io/scored: “false“ ͕ηοτ͞Ε͍ͯΔɻ – ϙϦγʔʹର͢ΔධՁʹରͯ͠ɺҧ൓͍ͯ͠ΔͱΈͳ͞Εͨɻ • error: Preconditionsͷ֎ଆͰɺruleͷதʹ͓͍ͯม਺ஔ׵͕ࣦഊͨ͠΋ͷ

Slide 91

Slide 91 text

Slide 92

Slide 92 text

Copyright © Dell Inc. All Rights Reserved. of Y 92 ϞχλϦϯά KyvernoͰ͸ɺόʔδϣϯ1.4.0͔Βɺద༻༷ͨ͠ʑͳϙϦγʔʹର͢ΔΞΫςΟϏςΟΛ Prometheus༻ͷϝτϦοΫͱͯ͠ల։Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ɻ kyvernoΛσϓϩΠ͢ΔͱɺService(kyverno-svc-metrics)͕ϝτϦοΫΛެ։͢ΔͨΊʹ࡞੒ ͞Ε·͢ɻ

Slide 93

Slide 93 text

Copyright © Dell Inc. All Rights Reserved. of Y 93 ϝτϦοΫͷछྨ ҎԼͷϝτϦοΫ͕ఏڙ͞Ε·͢ɻ • Policies and Rule Counts • Policy and Rule Execution • Policy Rule Execution Latency • Admission Review Latency • Admission Requests Counts • Policy Change Counts  

Slide 94

Slide 94 text

Copyright © Dell Inc. All Rights Reserved. of Y 94 ϝτϦοΫͷछྨ ຊηογϣϯͰ͸ɺҎԼͷ3ͭʹ͍ͭͯղઆ͠·͢ɻ • Policies and Rule Counts • Policy and Rule Execution • Policy Rule Execution Latency • Admission Review Latency • Admission Requests Counts • Policy Change Counts  

Slide 95

Slide 95 text

Copyright © Dell Inc. All Rights Reserved. of Y 95 Policies and Rule Counts ͜ͷϝτϦοΫ͸ɺΫϥελʔͰݱࡏ࢖༻Մೳͳ͢΂ͯͷϙϦγʔʹՃ͑ɺطʹ࡟আ͞Εͨϙ ϦγʔͳͲͷϙϦγʔͷཤྺ΋อ͍࣋ͯ͠·͢ɻ ϝτϦοΫ໊: kyverno_policy_rule_info_total ஋: • طଘͷϙϦγʔ = 1 • ࡟আ͞ΕͨϙϦγʔ = 0 ※ 1ͭͷϙϦγʔʹෳ਺ϧʔϧΛॻ͍ͨ৔߹͸ɺ֤ϧʔϧຖʹϝτϦοΫ͕࡞੒͞Ε·͢ɻ

Slide 96

Slide 96 text

Slide 97

Slide 97 text

Slide 98

Slide 98 text

Slide 99

Slide 99 text

Slide 100

Slide 100 text

Slide 101

Slide 101 text

Slide 102

Slide 102 text

Copyright © Dell Inc. All Rights Reserved. of Y 102 “Kyvernoͷӡ༻” ͷ·ͱΊ • Validate Resourcesʹରͯ͠ɺҧ൓͍ͯ͠ΔϦιʔεΛ֬ೝ͢ΔͨΊʹϙϦγʔϨϙʔτͱ͍ ͏΋ͷΛࢀর͢Δ͜ͱ͕Ͱ͖·͢ɻ • ݱࡏద༻͍ͯ͠ΔϙϦγʔ΍ɺͦͷϙϦγʔʹର͢ΔධՁͷ݁ՌɺϙϦγʔͷมߋݕ஌ͳͲ ʹؔ͢Δ৘ใΛఏڙ͢ΔͨΊͷϝτϦοΫ͕ఏڙ͞Ε͍ͯ·͢ɻ

Slide 103

Slide 103 text

Copyright © Dell Inc. All Rights Reserved. of Y 103 ຊηογϣϯͷ·ͱΊ • KyvernoΛ༻͍Δ͜ͱͰɺ؆୯͔ͭॊೈʹϙϦγʔ੍ޚΛ࣮ࢪ͢Δ͜ͱ͕Ͱ͖·͢ɻ • ϙϦγʔΛॻ্͘Ͱಛ༗ͷݴޠ౳Λ༻͍Δඞཁ͕͋Γ·ͤΜɻ • ϙϦγʔʹର͢ΔϦιʔεͷঢ়ଶΛɺϙϦγʔϨϙʔτ΍ϝτϦοΫΛ༻͍ͯ֬ೝ͢Δ͜ͱ ͕Ͱ͖·͢ɻ (Tips) • Validate ResourcesΛద༻͢Δࡍ͸ɺvalidationFailureActionΛ·ͣauditʹઃఆ͠ɺҙਤͨ͠ ڍಈʹͳΔ͜ͱΛ֬ೝͨ͠ޙenforceʹ੾Γସ͑Δ͜ͱͰɺطଘϦιʔεʹର͢ΔӨڹͳͲΛ ೺Ѳ্ͨ͠ͰϙϦγʔͷద༻͕Ͱ͖·͢ɻ • Mutate Resourcesʹ͓͍ͯɺ1ͭͷϙϦγʔʹෳ਺ͷϧʔϧΛඳ͘৔߹ɺ্͔ΒԼ΁ॲཧ͞ ΕΔ͜ͱʹ஫ҙ͍ͯͩ͘͠͞ɻ

Slide 104

Slide 104 text

Copyright © Dell Inc. All Rights Reserved. of Y 104 ࢀߟࢿྉ • KyvernoͷϙϦγʔͷॻ͖ํ • https://kyverno.io/docs/writing-policies/ • ຊηογϣϯͰ͸આ໌͍ͯ͠ͳ͍ϙϦγʔͷॻ͖ํͳͲɻ • Kyverno αϯϓϧϙϦγʔ • https://github.com/kyverno/policies • ϕετϓϥΫςΟε΍ɺPod Security Standardsʹ४ڌͨ͠ϙϦγʔͳͲɻ • ͦͷ΄͔༷ʑͳ֎෦πʔϧʹର͢ΔαϯϓϧϙϦγʔ͕༻ҙ͞Ε͍ͯΔɻ

Slide 105

Slide 105 text

No content