Slide 1

Kubernetes Meetup Tokyo #44 (2021/8/26) Shinya Uemura @uesyn
Preparing for the removal of PodSecurityPolicy: let's try PodSecurity Admission ahead of time!

Slide 2

Shinya Uemura / @uesyn
▶ Software engineer at Z Lab Corporation (ゼットラボ株式会社)
▶ I help run the following communities
+ Prometheus Meetup Tokyo
+ Cloud Native Meetup Tokyo
+ Kubernetes Changes Sharing Meetup (Kubernetes 変更内容共有会)
▶ Next week, on 9/2 (Thu), we are holding the Kubernetes v1.22 Changes Sharing Meetup, so please join!
+ https://kubernetes-updates.connpass.com/event/222915/

Slide 3

Z Lab Corporation (ゼットラボ株式会社)
▶ A wholly owned (100%) subsidiary of Yahoo Japan Corporation, founded in 2015
▶ Survey, research and development of infrastructure platform technology
▶ Development of a managed Kubernetes service for Yahoo Japan Corporation
▶ https://zlab.co.jp/

Slide 4

Agenda
1. What PodSecurityPolicy protected
2. PodSecurityPolicy recap
3. Problems with PodSecurityPolicy and its removal
4. What is PodSecurity?
5. Let's try running PodSecurity!
6. Where PodSecurity may be troublesome
7. Summary

Slide 5

What PodSecurityPolicy protected

Slide 6

What did PodSecurityPolicy protect in the first place? (1/2)
▶ A Pod creation request follows the flow in the figure below
▶ RBAC, the built-in authorization mechanism, only allows or denies the creation of the Pod
+ It does not consider the Pod's spec!
(Figure annotation: RBAC runs here)
Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/

Slide 7

What did PodSecurityPolicy protect in the first place? (2/2)
▶ Ignoring the Pod's spec leads to awkward cases
+ For example, consider a cluster whose administrators and users are different people…
+ Should we allow creating a Pod whose capabilities are equivalent to root on the node the container runs on?
+ Should we allow a container to attach to the host network?
+ Should a container be allowed to mount any host volume it likes? Etc…
▶ Authorizing Pod creation alone still allows privilege escalation, so policy control over Pods is important
+ An unrestricted Pod is equivalent to root on the node (and, depending on conditions, to cluster-admin)
+ Reference: Securing Clusters with Kubernetes Extensibility
+ https://speakerdeck.com/ladicle/securing-clusters-with-kubernetes-extensibility?slide=27
▶ You will want to control whether creation is allowed based on the permissions the Pod requests
=> PodSecurityPolicy can do that!

Slide 8

PodSecurityPolicy recap

Slide 9

What is PodSecurityPolicy?
▶ Fine-grained control of a Pod's security policy in Admission Control
+ Privileged containers, usable volumes and networks, enforcing a read-only root filesystem, etc…
+ Disabled by default
▶ Policies are defined in PodSecurityPolicy resources
+ If the subject is authorized for the verb "use" on a PodSecurityPolicy resource, Pods that satisfy it can be created
▶ Not only allow/deny: it also injects values defined by the policy (capabilities, etc.)
(Figure annotation: RBAC is here, PSP is here)
Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/

Slide 10

Problems with PodSecurityPolicy and its removal

Slide 11

About the removal of PodSecurityPolicy
▶ PSP was deprecated in Kubernetes v1.21 and is scheduled for removal in v1.25
▶ For the details of why, see the following links
+ KEP-2579: Pod Security Admission Control - Motivation
+ https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#motivation
+ PodSecurityPolicy Deprecation: Past, Present, and Future
+ https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away

"It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSP(s) apply in a given situation. The "changing Pod defaults" feature can be handy, but is only supported for certain Pod settings and it's not obvious when they will or will not apply to your Pod. Without a "dry run" or audit mode, it's impractical to retrofit PSP to existing clusters safely, and it's impossible for PSP to ever be enabled by default."
[quoted from PodSecurityPolicy Deprecation: Past, Present, and Future]

Slide 12

(1) Use of unintended permissions (1/2)
▶ Whose usable PSPs can be applied to a Pod?
+ The user (or ServiceAccount) that submitted the Pod creation request
+ The ServiceAccount named in the Pod's .spec.serviceAccountName

Figure: User: human -> Request -> Create
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: test
    name: i-need-privilege
    securityContext:
      privileged: true
Result: the PSP does not allow a privileged container to be created

Slide 13

(1) Use of unintended permissions (2/2)
▶ Whose usable PSPs can be applied to a Pod?
+ The user (or ServiceAccount) that submitted the Pod creation request
+ The ServiceAccount named in the Pod's .spec.serviceAccountName

Figure: User: human -> Request -> Create, with ServiceAccount: robot
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  serviceAccountName: robot
  containers:
  - image: test
    name: i-need-privilege
    securityContext:
      privileged: true
For the user alone: the PSP does not allow a privileged container to be created
With serviceAccountName robot: now the PSP allows even a privileged container!
The user can perform operations beyond the permissions they were granted!!
It is enough that either of the two is allowed to launch a privileged container

Slide 14

(2) It is hard to tell whose usable PSPs get applied!
▶ When creating a ReplicaSet, StatefulSet or similar…
+ The Pod is created by kube-controller-manager (that is, by the ServiceAccount of the controller running inside it)
+ So the PSPs usable by the user (or ServiceAccount) of the original request are irrelevant

Figure: User: human -> Request ("I only created a StatefulSet…") -> kube-controller-manager -> Watch / Create, with ServiceAccount: robot
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  serviceAccountName: robot
  containers:
  - image: test
    name: i-need-privilege
    securityContext:
      privileged: true

Slide 15

(3) It is hard to tell which PSP gets applied!
▶ Consider a user/ServiceAccount for which several usable PSP resources exist
+ If the Pod you want to launch satisfies every policy, it is very hard to tell which one is used
+ When the policies differ in whether or not they mutate, a Pod with unintended permissions may be generated

Figure: User: human -> Request -> Create; two PSPs are usable:
(1) seccomp default: runtimeDefault
(2) seccomp default: not specified
seccomp = runtimeDefault? Null?
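The PSP selection behaviour that slides 12 to 15 describe, modelled as an added example (this is not code from the talk or from Kubernetes): the "use" grants of the requesting user and of the Pod's service account are combined, and among the usable PSPs that accept the Pod the non-mutating ones are preferred, ordered by name. The subjects, policy names, grants and Pod specs below are constructed for the example; the controller service account name is a constructed stand-in for whatever identity kube-controller-manager creates Pods with.

```python
"""Model of how PodSecurityPolicy chose the policy applied to a Pod.

Added example, not code from the talk or from Kubernetes. It reproduces the
documented PSP behaviour the slides describe:
  * a PSP is usable when EITHER the requesting user OR the Pod's
    serviceAccountName is authorized for the "use" verb on it;
  * among usable PSPs that accept the Pod, non-mutating ones win (ordered by
    name); only if none fits is the first mutating one (by name) applied.
Policy names, subjects, grants and Pods are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PSP:
    name: str
    privileged: bool = False               # allow privileged containers?
    default_seccomp: Optional[str] = None  # mutated in when the Pod sets none


@dataclass
class Pod:
    namespace: str
    service_account: str = "default"
    privileged: bool = False
    seccomp: Optional[str] = None


# Constructed RBAC view: subject -> PSP names it may "use".
# Subjects are "user:<name>" or "sa:<namespace>:<serviceaccount>".
USE_GRANTS = {
    "user:human": {"restricted-psp"},
    "sa:test:robot": {"privileged-psp"},
    # constructed identity for a controller inside kube-controller-manager
    "sa:kube-system:statefulset-controller": {"privileged-psp"},
}

POLICIES = [
    PSP("privileged-psp", privileged=True),
    PSP("restricted-psp", privileged=False, default_seccomp="runtimeDefault"),
]


def usable_policies(requester: str, pod: Pod) -> List[PSP]:
    """PSPs granted to the requester OR to the Pod's service account, by name."""
    sa_subject = f"sa:{pod.namespace}:{pod.service_account}"
    names = USE_GRANTS.get(requester, set()) | USE_GRANTS.get(sa_subject, set())
    return sorted((p for p in POLICIES if p.name in names), key=lambda p: p.name)


def validates(psp: PSP, pod: Pod) -> bool:
    """Only one rule is modelled: privileged containers need a privileged PSP."""
    return psp.privileged or not pod.privileged


def mutates(psp: PSP, pod: Pod) -> bool:
    """Would applying this PSP change the Pod (here: fill in a seccomp default)?"""
    return psp.default_seccomp is not None and pod.seccomp is None


def select_policy(requester: str, pod: Pod) -> Optional[PSP]:
    """Non-mutating accepting PSP first (by name), else first mutating one."""
    candidates = [p for p in usable_policies(requester, pod) if validates(p, pod)]
    non_mutating = [p for p in candidates if not mutates(p, pod)]
    if non_mutating:
        return non_mutating[0]
    return candidates[0] if candidates else None


def admit(requester: str, pod: Pod) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (admitted, name of the PSP used, seccomp value after mutation)."""
    psp = select_policy(requester, pod)
    if psp is None:
        return False, None, pod.seccomp
    seccomp = pod.seccomp if pod.seccomp is not None else psp.default_seccomp
    return True, psp.name, seccomp


if __name__ == "__main__":
    # slide 12: the human alone cannot create a privileged Pod
    print(admit("user:human", Pod("test", privileged=True)))
    # slide 13: naming robot as the Pod's service account lets it through
    print(admit("user:human", Pod("test", service_account="robot", privileged=True)))
    # slide 15: two usable PSPs; the non-mutating one wins, so seccomp stays unset
    print(admit("user:human", Pod("test", service_account="robot")))
```

The third call is the slide-15 ambiguity: both PSPs accept the unprivileged Pod, but only the one without a seccomp default is non-mutating, so that one is chosen and the Pod ends up with no seccomp profile even though a "safer" PSP was also usable.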

Slide 16

(4) No default policy is provided
▶ PSP ships with no default policy
+ Policies have to be created one by one
▶ Even with PSP enabled, if no usable PSP resource exists, no Pod can start
+ Be careful when enabling PSP for the first time
▶ A pseudo-default PSP can be provided
+ Make a PSP usable by the system:authenticated group
+ (system:authenticated: the group every authenticated user and ServiceAccount belongs to)

Slide 17

(5) PSP is disabled by default
▶ Because there is no default PSP, it cannot simply be switched on
▶ Couldn't you provide an allow-everything default PSP and tighten the default restrictions later?
+ PSP has no dry-run, so tightening the restrictions later is hard
+ Whether a PSP configuration is really appropriate cannot be known without running it

Slide 18

What is PodSecurity?

Slide 19

The arrival of PodSecurity
(Figure annotation: it runs here; unlike PSP it does not mutate!)
Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
▶ Arrived in Kubernetes v1.22 as an alpha feature! (beta in v1.23 if all goes well)
+ Currently used by enabling it explicitly via FeatureGates
▶ An Admission Control that applies the Pod Security Standards
+ Definitions of security profiles for Pods (privileged, baseline, restricted)
+ ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
▶ Managed per Namespace
+ Not per user/ServiceAccount as with PSP

Slide 20

What does PodSecurity do for you?
▶ Applies the Pod Security Standards policies to Pods
+ privileged, baseline, restricted
▶ Applies a Pod Security Standards policy to each of three modes
+ enforce: reject the creation of a violating Pod
+ audit: on violation, record it as an annotation in the audit log (creation is not rejected)
+ warn: on violation, show it as a warning (creation is not rejected)
▶ Example: enforce and audit set to privileged, warn set to restricted
+ => Pod creation is not restricted, but a warning is shown when the Pod does not satisfy restricted

Slide 21

How to configure PodSecurity (1/2)
▶ Unlike PSP there is no dedicated resource
▶ Configuration is done with labels on the Namespace
+ Labels of the form pod-security.kubernetes.io/xxx
+ The policy applies to every Pod in the Namespace
+ With PSP, among the policies usable by the user/ServiceAccount, one the Pod could start under was selected

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: baseline
  name: test

Slide 22

How to configure PodSecurity (2/2)
▶ PodSecurity policies are versioned
+ If nothing is specified, latest is used

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: v1.22
  name: test

Slide 23

PodSecurity's default values
▶ Unlike PSP there is a default configuration
+ enforce, audit and warn are all privileged (i.e. nothing is restricted)
+ The version is latest
▶ Because it "restricts nothing", PodSecurity can be an Admission Control that is enabled by default

Spelled out in full:
apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn-version: latest
  name: test

Relying on the defaults:
apiVersion: v1
kind: Namespace
metadata:
  name: test

Slide 24

PodSecurity exemptions and changing the default values (1/2)
▶ The following can be changed by configuring them on kube-apiserver
+ The default policy for enforce/audit/warn
+ The default version for enforce/audit/warn
+ Users/ServiceAccounts that PodSecurity restrictions are not applied to
+ Namespaces that PodSecurity restrictions are not applied to
+ RuntimeClasses that PodSecurity restrictions are not applied to

Slide 25

PodSecurity exemptions and changing the default values (2/2)

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
    kind: PodSecurityConfiguration
    defaults:
      enforce: baseline
      enforce-version: latest
      audit: baseline
      audit-version: latest
      warn: baseline
      warn-version: latest
    exemptions:
      usernames:
      - system:serviceaccount:test-ps:test-ps
      runtimeClasses:
      - kataContainer
      namespaces:
      - kube-system

▶ What this example configures
+ The default for every policy is set to baseline
+ Exemptions from policy application:
+ the kube-system namespace
+ the test-ps ServiceAccount in the test-ps namespace
+ the RuntimeClass named kataContainer

Slide 26

Let's try running PodSecurity!

Slide 27

PodSecurity supports dry-run! (1/2)
▶ Useful when you want to tighten the policy of a Namespace in which Pods are already running
+ You can find out in advance which Pods would no longer be able to start, and deal with them
▶ Check by dry-running the request that changes the Namespace's labels
+ The reasons a Pod could not start are output as Warnings

Slide 28

PodSecurity supports dry-run! (2/2)
▶ Of course Pods can also be checked with dry-run
+ Run the Pod creation request as a dry-run against a Namespace the policy is applied to
▶ Native workloads such as Kubernetes StatefulSet and Deployment can be dry-run too!
+ The contents of the podTemplate are checked
+ Unfortunately, Custom Resources are not supported at this point
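The decision logic of slides 20 to 28 in one place, as an added example (not the Kubernetes PodSecurity plugin's own code): the enforce/audit/warn labels and their -version twins with the defaults from slide 23, the cluster-wide defaults and exemptions of the slide-25 AdmissionConfiguration, a deliberately small subset of the baseline and restricted checks from the Pod Security Standards, and a helper that produces what the namespace-label dry-run of slide 27 surfaces: the existing Pods a new enforce level would reject. The message wording, the sample Pods, the user names and the label sets are all constructed for the example; the real plugin checks many more fields than the few modelled here.

```python
"""Model of the PodSecurity admission decision described on slides 20-28.

Added example, not the Kubernetes PodSecurity plugin's code. Modelled here:
per-mode labels with their defaults (privileged, latest), cluster defaults and
exemptions as in the slide-25 AdmissionConfiguration, a small subset of the
baseline/restricted checks, and a dry-run of a label change. Messages, Pods,
users and label values are constructed for the example.
"""
from typing import Dict, List, Optional

PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")


def effective_levels(ns_labels: dict, defaults: Optional[dict] = None) -> Dict[str, tuple]:
    """(level, version) per mode: Namespace label, else cluster default, else
    the built-in default (privileged, latest)."""
    defaults = defaults or {}
    out = {}
    for mode in MODES:
        level = ns_labels.get(PREFIX + mode, defaults.get(mode, "privileged"))
        version = ns_labels.get(PREFIX + mode + "-version",
                                defaults.get(mode + "-version", "latest"))
        if level not in ("privileged", "baseline", "restricted"):
            raise ValueError(f"unknown PodSecurity level {level!r} for {mode}")
        out[mode] = (level, version)
    return out


def violations(pod: dict, level: str) -> List[str]:
    """Subset of the Pod Security Standards; 'privileged' permits everything."""
    if level == "privileged":
        return []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    found = []
    # baseline subset: host namespaces, privileged containers, hostPath volumes
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"host namespace {key}=true")
    for c in containers:
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"privileged container {c['name']}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            found.append(f"hostPath volume {v['name']}")
    if level == "baseline":
        return found
    # restricted subset: no privilege escalation, non-root, seccomp set, drop ALL
    pod_sc = spec.get("securityContext", {})
    for c in containers:
        own = c.get("securityContext", {})
        sc = {**pod_sc, **own}  # container-level settings override Pod-level ones
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"allowPrivilegeEscalation != false ({c['name']})")
        if sc.get("runAsNonRoot") is not True:
            found.append(f"runAsNonRoot != true ({c['name']})")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"seccompProfile unset or Unconfined ({c['name']})")
        if "ALL" not in own.get("capabilities", {}).get("drop", []):
            found.append(f"capabilities.drop lacks ALL ({c['name']})")
    return found


def admit(pod: dict, namespace: str, ns_labels: dict, username: str,
          config: Optional[dict] = None) -> dict:
    """Decide one Pod creation. config mirrors PodSecurityConfiguration:
    {'defaults': {...}, 'exemptions': {'usernames': [...], ...}}."""
    config = config or {}
    ex = config.get("exemptions", {})
    rtc = pod.get("spec", {}).get("runtimeClassName")
    if (username in ex.get("usernames", []) or namespace in ex.get("namespaces", [])
            or (rtc and rtc in ex.get("runtimeClasses", []))):
        return {"allowed": True, "exempt": True, "audit": [], "warnings": []}
    result = {"allowed": True, "exempt": False, "audit": [], "warnings": []}
    for mode, (level, version) in effective_levels(ns_labels, config.get("defaults")).items():
        msgs = [f'violates PodSecurity "{level}:{version}": {v}' for v in violations(pod, level)]
        if not msgs:
            continue
        if mode == "enforce":
            result["allowed"] = False   # creation is rejected
        elif mode == "audit":
            result["audit"] = msgs      # recorded as an audit-log annotation
        else:
            result["warnings"] = msgs   # returned to the client as warnings
    return result


def dry_run_label_change(pods: List[dict], proposed_ns_labels: dict) -> Dict[str, List[str]]:
    """Existing Pods that the enforce level of the proposed labels would reject."""
    level, _ = effective_levels(proposed_ns_labels)["enforce"]
    checked = {p["metadata"]["name"]: violations(p, level) for p in pods}
    return {name: vs for name, vs in checked.items() if vs}


# Constructed sample Pods, the slide-20 label set and the slide-25 configuration
PRIV_POD = {"metadata": {"name": "i-need-privilege"}, "spec": {"containers": [
    {"name": "app", "image": "test", "securityContext": {"privileged": True}}]}}
PLAIN_POD = {"metadata": {"name": "plain"}, "spec": {"containers": [{"name": "app", "image": "test"}]}}
HARDENED_POD = {"metadata": {"name": "hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "test", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
NS_WARN_ONLY = {PREFIX + "enforce": "privileged", PREFIX + "audit": "privileged",
                PREFIX + "warn": "restricted"}
CLUSTER_CONFIG = {"defaults": {"enforce": "baseline", "audit": "baseline", "warn": "baseline"},
                  "exemptions": {"usernames": ["system:serviceaccount:test-ps:test-ps"],
                                 "runtimeClasses": ["kataContainer"], "namespaces": ["kube-system"]}}
```

Calling `admit(PRIV_POD, "test", NS_WARN_ONLY, "human")` reproduces the slide-20 example: the Pod is admitted, but the warn mode returns the restricted-level violations. With `CLUSTER_CONFIG` and an unlabelled Namespace the same Pod is rejected by the baseline default, unless it lands in kube-system, is submitted by the exempt ServiceAccount, or names the kataContainer RuntimeClass. `dry_run_label_change` is the offline counterpart of dry-running the label change on the Namespace: it lists which running Pods would fail under the proposed enforce level, which is exactly what you want to know before applying the label.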

Slide 29

What PodSecurity's policy applies to
▶ PodSecurity applies its policy to Pod creation
+ Creating resources that create Pods indirectly, such as Deployment, ReplicaSet and StatefulSet, is itself not restricted!
+ Even though such resources can be created, in the end the Pod cannot be created
+ Whether the Pod can ultimately be created can be checked with dry-run

Slide 30

I want to run PodSecurity on a cluster older than v1.22!
▶ An implementation of PodSecurity as a standalone Webhook also appears to be in progress
+ KEP-2579: Pod Security Admission Control, Flexible Extension Support
+ https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#flexible-extension-support
+ Podsecurity webhook #103465
+ https://github.com/kubernetes/kubernetes/pull/103465

Slide 31

Where PodSecurity may be troublesome

Slide 32

It does not mutate for you
▶ PSP provided default values for seccomp and capabilities through mutation
▶ With PodSecurity they must be set explicitly
+ For example, baseline also accepts a null seccomp
+ Care is needed when migrating from PodSecurityPolicy
▶ For seccomp specifically, there is a dedicated feature that fills in a default value
+ Provided as alpha from v1.22; usable once enabled via a Feature Gate
+ Enable seccomp for all workloads with a new v1.22 alpha feature
+ https://kubernetes.io/blog/2021/08/25/seccomp-default/

Slide 33

Handling the permission to edit Namespace labels
▶ With PSP, "use" of a PSP resource was controlled by authorization such as RBAC
▶ With PodSecurity, permission to edit the Namespace affects the authorization of Pod creation
+ Consider a cluster whose administrators and users are different people…
+ Permission to edit the Namespace's labels = the ability to escalate the privileges of the Pods one can create
+ A ValidatingWebhook or MutatingWebhook that restricts this may have to be implemented…
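One shape the ValidatingWebhook suggested on slide 33 can take, as an added example (not code from the talk): the webhook receives the AdmissionReview for a Namespace UPDATE, compares the pod-security.kubernetes.io/* labels before and after, and denies the change when it would make a mode less strict (or, in a stricter setting, when it touches those labels at all) unless the requester belongs to an admin group. The admin group names, the "no-weaken"/"no-change" policy switch and the sample requests are constructed for the example; the AdmissionReview request/response fields used are the standard v1 ones.

```python
"""Validating-webhook logic that keeps non-admins from weakening a Namespace's
PodSecurity labels, the mitigation slide 33 points to for "permission to edit
Namespace labels == ability to escalate Pod privileges".

Added example, not code from the talk. It evaluates an AdmissionReview (v1)
for a Namespace UPDATE and allows it unless a pod-security.kubernetes.io/*
label was weakened (or, with policy="no-change", touched at all) by someone
outside an admin group. The group names and all requests are constructed.
"""
from typing import Dict, List

PREFIX = "pod-security.kubernetes.io/"
ADMIN_GROUPS = {"system:masters", "platform-admins"}  # constructed: who may change the labels
LEVEL_RANK = {"privileged": 0, "baseline": 1, "restricted": 2}
MODES = ("enforce", "audit", "warn")


def pod_security_labels(obj: dict) -> Dict[str, str]:
    labels = obj.get("metadata", {}).get("labels") or {}
    return {k: v for k, v in labels.items() if k.startswith(PREFIX)}


def label_changes(old: dict, new: dict) -> List[str]:
    """Every PodSecurity label that was added, removed or edited, as text."""
    before, after = pod_security_labels(old), pod_security_labels(new)
    return [f"{k}: {before.get(k, '<unset>')} -> {after.get(k, '<unset>')}"
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)]


def weakens(old: dict, new: dict) -> bool:
    """True if any mode's level becomes less strict. A removed label counts as
    weakening because the level then falls back to the default, privileged."""
    before, after = pod_security_labels(old), pod_security_labels(new)
    for mode in MODES:
        rank_before = LEVEL_RANK.get(before.get(PREFIX + mode, "privileged"), 0)
        rank_after = LEVEL_RANK.get(after.get(PREFIX + mode, "privileged"), 0)
        if rank_after < rank_before:
            return True
    return False


def review(admission_review: dict, policy: str = "no-weaken") -> dict:
    """Build the AdmissionReview response for one request."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}
    groups = set(req.get("userInfo", {}).get("groups", []))
    is_ns_update = (req.get("kind", {}).get("kind") == "Namespace"
                    and req.get("operation") == "UPDATE")
    if is_ns_update and not (groups & ADMIN_GROUPS):
        old, new = req.get("oldObject") or {}, req.get("object") or {}
        changes = label_changes(old, new)
        blocked = bool(changes) if policy == "no-change" else weakens(old, new)
        if blocked:
            response = {"uid": req["uid"], "allowed": False, "status": {"code": 403,
                        "message": "only cluster admins may change PodSecurity labels: "
                                   + "; ".join(changes)}}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample_review(groups: List[str], old_labels: dict, new_labels: dict) -> dict:
    """Constructed AdmissionReview for an UPDATE of Namespace 'test'."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
        "uid": "example-uid", "kind": {"group": "", "version": "v1", "kind": "Namespace"},
        "operation": "UPDATE", "userInfo": {"username": "human", "groups": groups},
        "oldObject": {"metadata": {"name": "test", "labels": old_labels}},
        "object": {"metadata": {"name": "test", "labels": new_labels}}}}
```

The "no-weaken" policy lets Namespace owners tighten their own Namespace (baseline to restricted) while blocking the move in the other direction, including simply deleting the label, which would silently fall back to privileged. It compares levels only; if you also want to pin the -version labels, use "no-change", which blocks any edit of the pod-security.kubernetes.io/* keys by non-admins. The webhook has to be registered for UPDATE (and CREATE, if users may create Namespaces) on namespaces, and the Namespaces of cluster components should be handled by the admin groups rather than by exempting the webhook.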

Slide 34

About PodSecurity's flexibility
▶ With PSP, users had to define the policies themselves, but they had flexibility
▶ PodSecurity offers only three choices: Privileged, Baseline, Restricted
+ Something like "Baseline plus allowing only a specific hostPath" is not possible
▶ Custom policies may have to be implemented as a Webhook?
+ KEP-2579: Pod Security Admission Control, Custom Profiles
+ https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#custom-profiles
+ However, Custom Profiles look likely to disappear in beta…
+ https://github.com/kubernetes/enhancements/pull/2895 (not yet merged as of 2021/8/25)
+ If so, the only option may be to fork the standalone PodSecurity and implement them there…?

Slide 35

Migrating from PSP to PodSecurity
▶ There is an official page on migration
+ Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller
+ https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
▶ Its advice: migrate step by step while watching how things go
+ If you rely on PSP's mutation feature, the migration may be somewhat harder
▶ Tooling for the migration may be provided?
+ Reference: https://github.com/kubernetes/enhancements/pull/2895

Slide 36

Summary

Slide 37

Differences between PodSecurityPolicy and PodSecurity
▶ Enabled by default?
+ PodSecurityPolicy: no
+ PodSecurity: yes (*alpha as of v1.22, so the FeatureGate must be set)
▶ How policy application is configured
+ PodSecurityPolicy: PodSecurityPolicy resources and RBAC
+ PodSecurity: Namespace labels
▶ Which policy gets applied?
+ PodSecurityPolicy: a policy usable by the requesting user/ServiceAccount or by the ServiceAccount named in .spec.serviceAccountName
+ PodSecurity: the policy configured on the Namespace
▶ Implementing custom policies
+ PodSecurityPolicy: possible (every policy has to be defined)
+ PodSecurity: not possible (probably doable by forking and implementing it)
▶ Running a dry-run
+ PodSecurityPolicy: not possible
+ PodSecurity: possible
▶ Which is newer?
+ PodSecurityPolicy: old
+ PodSecurity: new
▶ Which is more complex?
+ PodSecurityPolicy: complex
+ PodSecurity: simple

Slide 38

(Announcement) We are holding the Kubernetes v1.22 Changes Sharing Meetup!
▶ Date and time: 9/2 (Thu) 19:00 ~ 21:30
▶ https://kubernetes-updates.connpass.com/event/222915/

Slide 39

Question?
▶ Thank you for listening
▶ Please ask if you have any questions!