明日から始められるKyvernoを用いたポリシー制御

໌೔͔Β࢝ΊΒΕΔ  KyvernoΛ༻͍ͨϙϦγʔ੍ޚ 2022/11/21 Cloud Native Days Tokyo 2022 15:20 ~
16:00 Track D Ryotaro Uwatsu

Copyright © Dell Inc. All Rights Reserved. of Y 2
ࣗݾ঺հ Name: Ryotaro Uwatsu (@URyo_0213) Title: Solutions Architect Community: • Kubernetes Meetup Novice • Kubenews • Cloud Native Days Tokyo

Table of contents • ϙϦγʔ੍ޚ • Kyvernoͱ͸ • Kyvernoʹ͓͚ΔϙϦγʔ੍ޚ • Kyvernoͷӡ༻

ϙϦγʔ੍ޚ

ϙϦγʔ੍ޚͱ͸ ϙϦγʔ: • (૊৫) ੓ࡦɺํ਑ • (ݸਓ) ͋ͳ͕ͨ৴͡ɺ͋ͳͨͷߦಈʹӨڹΛ༩͑ΔΑ͏ͳݪଇ ex) ʲONE PIECEʳ αϯδ ʮͨͱ͑ࢮΜͰ΋ɺԶ͸ঁ͸ऽΒΜʯͱ͍͏໊ݴ͕͋ΓɺʮঁੑΛઈରʹই͚ͭͳ͍ʯͱ͍͏ϙϦγʔΛ͍࣋ͬͯΔɻ → ͜Ε͸ઈରʹ͠ͳ͍

ϙϦγʔ੍ޚͱ͸ ϙϦγʔ: • (૊৫) ੓ࡦɺํ਑ • (ݸਓ) ͋ͳ͕ͨ৴͡ɺ͋ͳͨͷߦಈʹӨڹΛ༩͑Δݪଇ ex) ʲONE PIECEʳ αϯδ ʮͨͱ͑ࢮΜͰ΋ɺԶ͸ঁ͸ऽΒΜʯͱ͍͏໊ݴ͕͋ΓɺʮঁੑΛઈରʹই͚ͭͳ͍ʯͱ͍͏ϙϦγʔΛ͍࣋ͬͯΔɻ → ͜Ε͸ઈରʹ͠ͳ͍ [Kubernetes] latestλάͷimageΛࢦఆͨ͠Pod͸ઈରʹಈ͔͞ͳ͍

ϙϦγʔ੍ޚͱ͸ ϙϦγʔ: • (૊৫) ੓ࡦɺํ਑ • (ݸਓ) ͋ͳ͕ͨ৴͡ɺ͋ͳͨͷߦಈʹӨڹΛ༩͑Δݪଇ ex) ʲONE PIECEʳ αϯδ ʮͨͱ͑ࢮΜͰ΋ɺԶ͸ঁ͸ऽΒΜʯͱ͍͏໊ݴ͕͋ΓɺʮঁੑΛઈରʹই͚ͭͳ͍ʯͱ͍͏ϙϦγʔΛ͍࣋ͬͯΔɻ → ͜Ε͸ઈରʹ͠ͳ͍ [Kubernetes] latestλάͷimageΛࢦఆͨ͠Pod͸ઈରʹಈ͔͞ͳ͍ ϙϦγʔͱ͸ɺݸਓɺνʔϜɺ΋͘͠͸૊৫ͷதͰઃ͚ͨӡ༻্ͷܾΊࣄͰ͋Γɺ ϙϦγʔ੍ޚͱ͸ɺϙϦγʔΛఆΊͨΒɺͦΕΛඞͣकΔΑ͏ʹ͔͠Δ΂͖ΞΫγϣϯΛͱΔ͜ͱͰ͢ɻ

Kubernetesʹ͓͚ΔجຊతͳϙϦγʔ੍ޚ KubernetesͰ͸ɺҎԼͷΑ͏ͳϙϦγʔ੍ޚ͕Ͱ͖ΔΑ͏ʹͳ͍ͬͯ·͢ɻ • Network Policy – Ingress(Πϯό΢ϯυ)ɺEgress(Ξ΢τό΢ϯυ)ͷ੍ޚΛ͢Δɻ • Pod Security Admission – Pod Security StandardsΛجʹɺ࡞੒Ͱ͖ΔϫʔΫϩʔυϦιʔεΛ੍ݶ͢Δɻ • Resource Quota – Namespace͝ͱͷ૯ϦιʔεফඅྔΛ੍ݶ͢Δɻ • etc…

Kyvernoͱ͸

Kyverno Kyverno͸KubernetesΫϥελʔ಺ͰɺDynamic Admission Controllerͱ࣮ͯ͠ߦ͞ΕΔϙϦγʔΤϯδϯͰ͢ɻ kube-apiserver͔ΒAdmission WebhookΛड͚औΓɺఆٛͨ͠ϙ Ϧγʔʹج੍͍ͮͯޚΛ࣮ߦ͠·͢ɻ Custom ResourceΛ༻͍ͯɺKubernetesͷϚχϑΣετϕʔεͰ ϙϦγʔΛద༻Ͱ͖ΔͨΊɺֶशίετ͕ͱͯ΋௿͘ͳ͍ͬͯ ·͢ɻ όʔδϣϯ: 1.8.0 https://github.com/kyverno/kyverno

Dynamic Admission Control

Dynamic Admission Control Authentication Authorization Mutating Admission Object Schema Admission Validating Admission Persist data to etcd Webhook Webhook Webhook Webhook Kyverno

Mutating ͱ Validating Mutating: ͋Δ৚݅Λجʹɺ࡞੒͠Α͏ͱ͍ͯ͠ΔϦιʔεͷύϥϝʔλʹมߋΛՃ͑·͢ɻ ex) sidecar.istio.io/inject: trueͱ͍͏ϥϕϧͷ෇͘PodʹɺEnvoyΛαΠυΧʔͱͯ͠௥Ճ͢Δɻ Validating: ࡞੒͠Α͏ͱ͍ͯ͠ΔϦιʔε͕ɺ࡞੒ͯ͠ྑ͍͔൱͔Λ৚݅ʹج͍ͮͯ൑அ͠·͢ɻ ex) allowed-by-kyverno: trueͱ͍͏ϥϕϧ͕෇͍ͨPodͷΈ࡞੒ͯ͠Α͍ɻ ຊ൪ະ࢖༻

KyvernoͷΠϯετʔϧ ຊ൪ະ࢖༻

KyvernoͷΠϯετʔϧ Kyverno ͸ɺHelm΋͘͠͸YAMLϚχϑΣετ͔ΒσϓϩΠ͢Δ͜ͱ͕Ͱ͖·͢ɻ [ຊ൪؀ڥ] helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=3 [ݕূ؀ڥ] helm install kyverno kyverno/kyverno -n kyverno --create-namespace ຊ൪ະ࢖༻

ϨϓϦΧ਺ͷࢦఆʹΑͬͯൃੜ͢Δҧ͍ ϨϓϦΧ਺Λ1ΑΓେ͖͍਺ʹ͢Δ͜ͱͰɺPod Disruption Budget͕ద༻͞Ε·͢ɻ (Helm Template) ຊ൪ະ࢖༻

Pod Anti-Affinity Rule Pod Anti-Affinity Rule͕ద༻͞Ε͍ͯΔͷͰɺՄೳͳݶΓϊʔυؒͰ෼ࢄ͞ΕΔΑ͏ʹͳ͍ͬͯ·͢ɻ ຊ൪ະ࢖༻

͜͜·Ͱͷ؆୯ͳ·ͱΊ • ϙϦγʔ͸ɺӡ༻্ͷܾΊࣄͰ͋Γɺ͜ΕΛकΔͨΊʹ͔͠Δ΂͖ߦಈΛͱΔ͜ͱ͕ϙϦ γʔ੍ޚͰ͢ɻ • Kyverno͸ɺkube-apiserver͕Ϧιʔεͷ੍ޚΛ͢ΔࡍͷWebhookͷ౤͛ઌͰ͢ɻ • Kyverno͸ɺWebhookΛड͚औͬͨࡍʹɺϙϦγʔʹج͍ͮͨΞΫγϣϯΛͱΓ·͢ɻ ຊ൪ະ࢖༻

Kyvernoʹ͓͚ΔϙϦγʔ੍ޚ

KyvernoʹΑΔϙϦγʔͷద༻ KyvernoΛ༻͍ͯϙϦγʔΛద༻͢Δࡍʹ༻͍ΔϦιʔε͸2ͭ͋Γ·͢ɻ 1. Cluster Policy: ΫϥελʔશମʹϙϦγʔΛద༻͢Δࡍʹ༻͍Δɻ 2. Policy: Namespace಺ʹดͨ͡ϙϦγʔΛద༻͢Δࡍʹ༻͍Δɻ ஫ҙ఺ͱͯ͠͸ɺϙϦγʔؒͰͷॱংੑ͕ଘࡏ͠ͳ͍ͨΊɺෳ਺ͷϙϦγʔΛ૊Έ߹Θͤͨϧʔ ϧͷ֦ு͔͠Ͱ͖·ͤΜɻ ͢ͳΘͪPolicyؒͰͷ্ॻ͖͕Ͱ͖ͳ͍ͷͰɺCluster PolicyͰݫ͠ΊͷPolicyΛઃఆ͓͍ͯͯ͠ɺ ͋ΔNamespaceʹ͓͍ͯ͸PolicyΛ༻੍͍ͯݶΛ؇ΊΔͱ͍͏͜ͱ͕Ͱ͖·ͤΜɻ

ϙϦγʔߏ଄ Policy Rule Preconditions Match Exclude Validate Resources Mutate Resources Generate Resources Verify Images ର৅ͷܾఆ ΞΫγϣϯ

ϙϦγʔߏ଄

Kyvernoʹ͓͚ΔϙϦγʔ੍ޚ  ~ ର৅ͷܾఆ ~

Validate Resources Mutate Resources Generate Resources Verify Images ΞΫγϣϯ Policy Rule Preconditions Match Exclude ର৅ͷܾఆ ର৅ͷܾఆ

Match Match͸ɺର৅ͷϦιʔεΛબఆ͢ΔͨΊʹ༻͍ΒΕΔϧʔϧͰ͢ɻ rules[*].matchΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ҎԼͷྫͰ͸ɺDeploymentΛର৅ʹ”ΞΫγϣϯ”Λ࣮ߦ͠·͢ɻ

Exclude Exclude͸ɺMatchʹؚ·ΕΔϦιʔεʹରͯ͠ɺྫ֎Λ࡞Δ৔߹ʹ༻͍·͢ɻ rules[*].excludeΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ҎԼͷྫͰ͸ɺNamespace(kube-system)Ҏ֎ͷPodΛର৅ʹ”ΞΫγϣϯ”Λ࣮ߦ͠·͢ɻ

All ͱ Any matchͱexclude͸ಉ͡ߏ଄Λ࣋ͪɺҎԼ2ͭͷཁૉͷ͏ͪͷ1ͭΛࢦఆ͢Δ͜ͱ͕Ͱ͖·͢ɻ • any: Ϧιʔεͷબ୒ʹ͓͍ͯOR৚݅Λద༻͢ΔͨΊͷ΋ͷɻ • all: Ϧιʔεͷબ୒࣌ʹAND৚݅Λద༻͢ΔͨΊͷ΋ͷɻ OR AND

Any ͱ All ҎԼͷྫͷΑ͏ʹɺany΋͘͠͸allΛࢦఆͤͣʹɺهड़͢Δ͜ͱ͸ݱঢ়Մೳͱͳ͍ͬͯ·͕͢ɺ deprecatedͱͳ͓ͬͯΓɺকདྷͷϦϦʔεͰαϙʔτ͞Εͳ͘ͳΔ༧ఆͳͷͰɺ஫ҙ͍ͯͩ͘͠͞ɻ

ର৅ͷࢦఆํ๏ ର৅Λબఆ͢Δʹ͋ͨΓɺҎԼͷࢦఆ߲໨Λ༻͍Δ͜ͱ͕Ͱ͖·͢ɻ • resources: – kind(Deployment, Pod, ServiceͳͲ)Λඞਢ߲໨ͱͯ͠ࢦఆ͢Δɻ – Ϧιʔε໊ɺNamespaceɺ Ξϊςʔγϣϯɺϥϕϧ౳ࢦఆ͠ɺ໌֬ʹର৅Λࢦఆ͢Δ͜ͱ͕Ͱ͖Δɻ • subjects: – User, Group, Service AccountΛࢦఆ͢Δɻ • roles/clusterRoles: – Role΋͘͠͸Cluster RoleΛࢦఆ͢Δɻ

ର৅ͷࢦఆํ๏ ҎԼͷྫͰ͸ɺ User(cndt-admin)΋͘͠͸Cluster Role(cluster-admin)ʹΑͬͯ࡞੒͞ΕͨϦιʔεΛআ͖ɺ ϥϕϧʹapp=criticalΛ࣋ͭPod ͕ର৅ͱͳΓ·͢ɻ apiVersion: v1 kind: Pod metadata: name: test1 labels: app: critical apiVersion: v1 kind: Pod metadata: name: test1 labels: app: critical apiVersion: v1 kind: Pod metadata: name: test1 labels: app: critical User: John ClusterRole: cluster-admin User: cndt-admin ClusterRole: admin User: ry ClusterRole: admin ର৅֎ ର৅

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] શDeploymentϦιʔε

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] testͱ͍͏໊લͷDeploymentϦιʔε

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷϥϕϧΛ࣋ͭDeploymentϦιʔε

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷΞϊςʔγϣϯΛ࣋ͭDeploymentϦιʔε

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷNamespaceʹ͓͚ΔDeploymentϦιʔε

resourcesʹ͓͚ΔࢦఆՄೳ߲໨ resourcesͰ͸ɺҎԼͷ߲໨Λࢦఆ͢Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ • (Required) kind • (Optional) name • (Optional) selector • (Optional) annotations • (Optional) namespaces • (Optional) namespaceSelector [ର৅] ࢦఆͷNamespaceʹ͓͍ͯɺ ࢦఆͨ͠ϥϕϧΛ࣋ͭDeployment ຊ൪ະ࢖༻

resourcesʹ͓͚ΔࢦఆϑΥʔϚοτ resourcesͷkindͰ͸ɺҎԼͷϑΥʔϚοτΛαϙʔτ͍ͯ͠·͢ɻ • Group/Version/Kind • Version/Kind • Kind ͜Ε͸ɺྫ͑͹Network PolicyʹΛࢦఆ͢Δࡍʹɺಉ͡Ϧιʔε໊Λ࣋ͭΑ͏ͳ΋ͷ͕ෳ਺ଘࡏ͢Δ ৔߹ͳͲʹ༗ޮͰ͢ɻ (Kubernetes) apiVersion: networking.k8s.io/v1   kind: NetworkPolicy (Calico) apiVersion: projectcalico.org/v3   kind: NetworkPolicy ຊ൪ະ࢖༻

ϫΠϧυΧʔυ ϫΠϧυΧʔυͷࢦఆ͸ɺҎԼͷϧʔϧʹ͓͍ͯࢦఆ͕Մೳ ͱͳ͍ͬͯ·͢ɻ • *: ೚ҙͷ௕͞ͷจࣈྻ • ?: ೚ҙͷ1จࣈ [ର৅] ͢΂ͯͷϦιʔε

Preconditions Preconditions͸ɺϧʔϧΛద༻͢ΔλΠϛϯάΛΑΓࡉ੍͔͘ޚͨΊʹ༻͍·͢ɻ AdmissionReviewΛࢀর͠ɺPreconditionsʹهड़ͨ͠ϧʔϧΛجʹɺKyvernoʹΑΔϙϦγʔ ੍ޚΛ࣮ࢪ͢Δ͔Ͳ͏͔Λ൑அ͠·͢ɻ rules[*].preconditionsΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ match΍excludeͱಉ༷ʹɺany ΋͘͠͸ all ͷԼʹϧʔϧΛهड़͠·͢ɻ

AdmissionReview Dynamic Admission ControlͷதͰɺWebbookΛඈ͹͢ࡍɺ Ϧιʔεʹର͢Δ༷ʑͳ৘ใΛૹ৴͢ΔͨΊʹ༻͍Δͷ͕ɺ AdmissionReviewͰ͢ɻ ࠓճͷૢ࡞͕ͲͷΑ͏ͳ͜ͱΛ͠Α͏ͱ͍ͯ͠Δͷ͔Λࣔ͢ request.operation(CREATE, UPDATE, DELETE, CONNECT)΍ɺ ૢ࡞ର৅ͷϦιʔεͷύϥϝʔλ͕֨ೲ͞Ε͍ͯΔ request.object ͳͲͷ৘ใؚ͕·Ε͍ͯ·͢ɻ

Preconditions Example spec.rules.preconditions.(any/all)[*]ԼͰɺ key – operator – value ͷ૊Έ߹ΘͤΛ༻͍ ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ͜ͷྫͰ͸ɺ࡞੒΋͘͠͸ߋ৽ͷ৔߹ʹɺର ৅͕PodͰ͋Ε͹ϙϦγʔ੍ޚΛ࣮ࢪ͢Δͱ ͍͏ڍಈΛ͠·͢ɻ

ԋࢉࢠ Preconditionsʹ͓͍ͯهड़͢Δԋࢉࢠʹ͸ɺҎԼΛઃఆ͢Δ͜ͱ͕Ͱ͖·͢ɻ • Equals • NotEquals • In (deprecated) • AnyIn • AllIn • NotIn (deprecated) • AnyNotIn • AllNotIn • GreaterThan • GreaterThanOrEquals • LessThan • LessThanOrEquals • DurationGreaterThan • DurationGreaterThanOrEquals • DurationLessThan • DurationLessThanOrEquals

“ର৅ͷܾఆ” ͷ·ͱΊ • MatchΛ༻͍ͯɺϙϦγʔ੍ޚΛ࣮ߦ͢Δର৅Λࢦఆ͠·͢ɻ • ExcludeΛ༻͍ͯɺର৅ͷϦιʔεʹରͯ͠ྫ֎Λ࡞Γ·͢ɻ • PreconditionsΛ༻͍Δ͜ͱͰɺલఏ৚݅ΛઃఆͰ͖·͢ɻ • ϧʔϧʹରͯ͠ɺany(OR) ΋͘͠͸ all(AND) Λ༻͍ͯ഑ྻߏ଄ͰࢦఆΛ͠·͠ΐ͏ɻ

Kyvernoʹ͓͚ΔϙϦγʔ੍ޚ  ~ ΞΫγϣϯ ~

Preconditions Match Exclude ର৅ͷܾఆ ϙϦγʔߏ଄ Policy Rule Validate Resources Mutate Resources Generate Resources Verify Images ΞΫγϣϯ

Validate Resources Ϣʔβʔ·ͨ͸ϓϩηεʹΑͬͯ৽͍͠Ϧιʔε͕࡞੒͞ΕΔ৔߹ʹɺͦͷϦιʔεΛ࡞੒͠ ͯΑ͍͔൱͔Λ൑அ͢ΔͨΊʹ༻͍·͢ɻ spec.rules[*].validateΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ϧʔϧʹҧ൓͢ΔϦιʔεʹର͢Δڍಈ͸spec.validationFailureActionʹΑ੍ͬͯޚ͢Δ͜ͱ ͕ՄೳͰ͢ɻ • enforce – ϧʔϧʹҧ൓ͨ͠৔߹ɺ࡞੒ΛϒϩοΫ͢Δɻ • audit – ϧʔϧʹҧ൓ͨ͠৔߹ʹ࡞੒͸ڐՄ͢Δɻ – ϙϦγʔϨϙʔτʹҧ൓͢ΔϦιʔεͱͯ͠ه࿥͢Δɻ

Validate Resources Example spec.rules[*].validate.patternԼͰɺ ର৅Ϧιʔεʹ͓͚Δ࠷্Ґͷ metadata΋͘͠͸specԼΛهड़͠ɺ ݕূϧʔϧΛઃఆ͠·͢ɻ nginx-with-label͸ɺࢦఆ͞Εͨϥϕϧ Λ͍࣋ͬͯΔͨΊ࡞੒͕ڐՄ͞Εɺ nginx-without-label͸ɺࢦఆͨ͠ϥϕϧ Λ࣋ͨͳ͍ͨΊ࡞੒͕ڋ൱͞Ε·͢ɻ [࣮ߦ݁Ռ]

validationFailureActionOverrides ClusterPolicyͰͷvalidationʹݶΓɺ validationFailureActionOverridesΛ༻ ͍ͯɺNamespaceΛࢦఆ͠ɺݸʑʹ FailuerAction(audit, enforce)Λઃఆ͢ Δ͜ͱ͕Մೳͱͳ͍ͬͯ·͢ɻ લͷεϥΠυͰɺ࡞੒͕ڋ൱͞Εͨ Pod͕Namespace(no-label)ʹ͓͍ͯ ࡞੒͞Εͨ͜ͱ͕֬ೝͰ͖·͢ɻ [࣮ߦ݁Ռ]

Validate৚݅ͷهड़ํ๏ ҎԼͷදݱΛ༻͍ͯɺvalidationͷ৚݅Λهड़͢Δ͜ͱ͕Ͱ͖·͢ɻ • pattern • anyPattern • deny • Foreach • Manifest Validation • Pod Security

Validate৚݅ͷهड़ํ๏ ຊηογϣϯͰ͸ɺҎԼͷ3ͭʹ͍ͭͯղઆ͠·͢ɻ • pattern • anyPattern • deny • Foreach • Manifest Validation • Pod Security

patternͷهड़ํ๏ patternͰ͸ɺmetadata΋͘͠͸specԼΛهड़ ͠ɺϦιʔεͷ৘ใͱൺֱ͢Δ͜ͱͰݕূΛ࣮ ࢪ͠·͢ɻ ͜ͷྫͰ͸ɺDeploymentͷspecԼΛهड़ͯ͠ɺ DeploymentʹΑͬͯੜ੒͞ΕΔPodʹ͓͍ͯɺ ϥϕϧʹʮpermitted-by-kyverno=“true”ʯ͕͋Δ ͜ͱΛඞਢ৚݅ͱ͍ͯ͠·͢ɻ

patternͷهड़ํ๏ patternΛ༻͍ͨ৚݅ͷهड़Ͱ͸ɺҎԼͷදݱΛར༻͢Δ͜ͱ͕Ͱ͖·͢ɻ • ϫΠϧυΧʔυ • ԋࢉࢠ • ΞϯΧʔ

ϫΠϧυΧʔυ ϫΠϧυΧʔυͷࢦఆ͸ɺҎԼͷϧʔϧʹ͓͍ͯࢦఆ͕Մ ೳͱͳ͍ͬͯ·͢ɻ • *: ೚ҙͷ௕͞ͷจࣈྻ • ?: ೚ҙͷ1จࣈ [ϧʔϧ] allowed-byΛΩʔͱͨ͠ϥϕϧΛ࣋ͭඞཁ͕͋ Δɻ

ԋࢉࢠ ԋࢉࢠΛ༻͍Δ͜ͱͰɺ஋ʹରͯ͠ৄࡉͳ৚݅Λهड़Ͱ͖·͢ɻ ԋࢉࢠ ҙຯ > ΑΓେ͖͍ < ະຬ >= Ҏ্ <= ҎԼ ! ࢦఆ஋ͱ౳͘͠ͳ͍ | OR & AND - ൣғ಺ !- ൣғ֎

ԋࢉࢠ $ kubectl create deploy not-enough-replica \ --replicas=2 --image nginx:alpine [਺஋ൺֱ] ԋࢉࢠ ҙຯ > ΑΓେ͖͍ < ະຬ >= Ҏ্ <= ҎԼ ! ࢦఆ஋ͱ౳͘͠ͳ͍ | OR & AND - ൣғ಺ !- ൣғ֎

ԋࢉࢠ [ࢦఆ஋Ҏ֎ͷબ୒] ԋࢉࢠ ҙຯ > ΑΓେ͖͍ < ະຬ >= Ҏ্ <= ҎԼ ! ࢦఆ஋ͱ౳͘͠ͳ͍ | OR & AND - ൣғ಺ !- ൣғ֎ $ kubectl run nginx --image nginx:alpine –n default

ΞϯΧʔ ΞϯΧʔΛ༻͍ͯɺΩʔʹର͢Δ༷ʑͳ৚݅෇͚Λ͢Δ͜ͱ͕Ͱ͖·͢ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

ΞϯΧʔ [() ΞϯΧʔ] ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ [৚݅] (৚݅: specԼ, ϐΞ: metadata) spec.volumes.hostPath͕ఆٛ͞Εɺpath͕/var/logͩͬͨ ৔߹ʹɺmetadata.labelsʹͯɺallow-log-hostpath: “true”͕ ࢦఆ͞Ε͍ͯͳ͚Ε͹ͳΒͳ͍ɻ

৚݅෇͖ΞϯΧʔʹ͍ͭͯ ৚݅෇͖ΞϯΧʔ͸ɺPeerཁૉʹରͯ͠ͷ৚݅෇͚ͷͨ Ίɺຊདྷͷಈ͖ͱͯ͠͸ɺPeerཁૉͷ֎ʹ͍Δ΋ͷʹؔ͠ ͯ͸ɺΞϯΧʔ෇͖ͷཁૉͷධՁʹӨڹΛड͚·ͤΜɻ Ver1.8.0࣌఺Ͱ͸ɺ͜ͷྫͷΑ͏ʹɺPeerཁૉͰͳ͍΋ͷ ʹؔͯ͠΋ɺϧʔϧʹҰக͠ͳ͍ʹ΋ؔΘΒͣɺΞϯΧʔ ཁૉ͕Ұக͠ͳ͍ࣄʹӨڹΛड͚ɺධՁ͕εΩοϓ͞Εͯ ͠·͏ͷͰ஫ҙΛ͍ͯͩ͘͠͞ɻ ※ ݱঢ়issueΛ։͍ͯରԠΛ͍͍͍ͯͨͩͯ͠·͢ɻ

ΞϯΧʔ [=() ΞϯΧʔ] [৚݅] spec.volumes.hostPath͕ఆٛ͞Ε͍ͯͨ৔߹ʹɺ path͕ /proc ٴͼ /sys Ͱ͋ͬͯ͸ͳΒͳ͍ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

ΞϯΧʔ [^() ΞϯΧʔ] [৚݅] PodΛ࡞੒͢Δ৔߹ʹɺlivenessProveΛઃఆͨ͠ίϯςφ Λগͳ͘ͱ΋1ؚͭ·ͳͯ͘͸ͳΒͳ͍ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

ΞϯΧʔ [X() ΞϯΧʔ] [৚݅] no-ephemeral=“true”ͱ͍͏ϥϕϧΛ࣋ͭPodʹؔͯ͠ɺ ΤϑΣϝϥϧίϯςφͷ࡞੒Λڋ൱͢Δɻ ※ ஋ʹ͸ “null” Λ༻͍Δ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

ΞϯΧʔ [<() ΞϯΧʔ] [৚݅] my-local-reg.com͔Βऔಘ͢ΔΠϝʔδΛ࢖͏ίϯςφ͕͋ Δ৔߹ʹɺmy-registry-secretΛimagePullSecretͱͯ͠࢖Θͳ ͯ͘͸ͳΒͳ͍ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () ϐΞཁૉʹର͢Δ৚݅ͷઃఆ ฏ౳ =() ΋͠ଘࡏͨ͠৔߹ʹ… ଘࡏ ^() গͳ͘ͱ΋1ͭଘࡏ͢Δ ൱ఆ X() ର৅ͷڋ൱ άϩʔόϧ <() ೚ҙͷ৔ॴͰ৚݅Λઃఆ

anyPatternͷهड़ํ๏ anyPatternΛ༻͍Δ͜ͱͰɺෳ਺ͷpatternΛఆٛ ͢Δ͜ͱ͕Ͱ͖·͢ɻ ͜ͷྫͰ͸ɺPodશମʹରͯ͠securityContextsΛ ઃఆ͢Δ͔ɺ֤ίϯςφ(container, init container, ephemeral container)ʹରͯ͠securityContextΛ ઃఆ͢Δ͜ͱΛڧ੍͠·͢ɻ

denyͷهड़ํ๏ denyͰ͸ɺهड़ͨ͠Ұ࿈ͷ৚݅ʹج͍ͮͯ ཁٻΛڋ൱͍ͨ͠৔߹ʹ༻͍·͢ɻ ৚݅͸ɺ௨ৗdeny.conditionsԼͰɺany΋͠ ͘͸allΛࢦఆ͠ɺkey – operator – value ͷ ૊Έ߹ΘͤΛ༻͍ͯهड़͍͖ͯ͠·͢ɻ denyΛ༻͍Δ৔߹validationFailureAction Λenforceʹ͢Δඞཁ͕͋Γ·͢ɻ [ϧʔϧ] ClusterRole(cluster-adminҎ֎)ͷݖݶʹΑΔૢ࡞ʹ͓͍ͯɺ app.kubernetes.iomanaged=“kyverno” ͱ͍͏ϥϕϧΛ΋ͭϦιʔε΁ͷ࡟আૢ࡞Λڋ൱͢Δɻ

ԋࢉࢠ denyʹ͓͍ͯɺconditions಺Ͱهड़͢Δԋࢉࢠʹ͸ɺҎԼΛઃఆ͢Δ͜ͱ͕Ͱ͖·͢ɻ • Equals • NotEquals • In (deprecated) • AnyIn • AllIn • NotIn (deprecated) • AnyNotIn • AllNotIn • GreaterThan • GreaterThanOrEquals • LessThan • LessThanOrEquals • DurationGreaterThan • DurationGreaterThanOrEquals • DurationLessThan • DurationLessThanOrEquals

denyͷهड़ํ๏ denyͰ͸ɺࢦఆϦιʔεʹରͯ͠ɺશͯͷૢ ࡞Λڋ൱͢ΔΑ͏ઃఆ͢Δ͜ͱ΋ՄೳͰ͢ɻ [ϧʔϧ] ClusterRole(cluster-adminҎ֎)ͷݖݶʹΑΔૢ࡞ ʹ͓͍ͯɺNetwork PolicyϦιʔε΁ͷૢ࡞Λશͯ ڋ൱͢Δɻ

Mutate Resources ϧʔϧʹҰகͨ͠Ϧιʔεʹରͯ͠ɺύϥϝʔλʹมߋΛՃ͑Δࡍʹ༻͍·͢ɻ spec.rules[*].mutateΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ҎԼͷ߲໨Λ༻͍ͯϧʔϧΛద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ • RFC 6902 JSONPatch • Strategic Merge Patch • Foreach

RFC 6902 JSONPatch RFC 6902 JSONPatch͸ɺJSON Patch(https://jsonpatch.com/)ϑΥʔϚοτΛ༻͍ͯର৅Λܾఆ͠ɺ ϦιʔεͷཁૉʹมߋΛՃ͑Δࡍʹ༻͍·͢ɻ spec.rules[*].mutate.patchesJson6902ԼͰɺpath – op – value ͷ૊Έ߹ΘͤΛ༻͍ͯهड़͠·͢ɻ pathʹ͸มߋΛՃ͍͑ͨ৔ॴΛࢦఆ͠ɺopʹ͸ͦͷมߋͷڍಈΛɺvalueʹ͸มߋ࣌ͷ஋ΛೖΕ·͢ɻ opʹ͸ɺҎԼͷ3ͭͷૢ࡞ํ๏͕αϙʔτ͞Ε͍ͯ·͢ɻ • add • replace • remove

RFC 6902 JSONPatch ͜ͷϧʔϧͰ͸ɺadd-tls-secret=“true”ͱ͍͏ ϥϕϧΛ࣋ͭPodʹର͠ɺSecretΛVolumeͱ ͯ͠ૠೖ͢ΔΑ͏manifestʹมߋΛ͠·͢ɻ ஫ҙ఺ͱͯ͠ɺ഑ྻߏ଄Λѻ͏৔߹ɺطଘ஋ ͷࢀর͸ΠϯσοΫεɺ৽ن௥Ճ͸”-”Λ࢖ͬ ͯදݱ͠·͢ɻ path: "/spec/containers/0/volumeMounts/-" 1ͭΊͷίϯςφΛࢀর volumeMountsʹ ഑ྻߏ଄ͰσʔλΛ௥Ճ

RFC 6902 JSONPatch [લϖʔδͷϧʔϧΛmutete6902.yamlʹهड़͠ద༻ͨ͠ࡍͷ࣮ߦྫ] $ kubectl create secret tls tls-cert --cert=server.crt --key=server.key -n default $ kubectl apply -f mutate6902.yaml $ kubectl run nginx-tls --image nginx:alpine -l add-tls-secret="true" $ kubectl exec -it nginx-tls -- ls /cndt tls.crt tls.key

Strategic Merge Patch ཁૉͷϚʔδಈ࡞Λ੍ޚ͢ΔͨΊʹ༻͍ΒΕ·͢ɻ spec.rules[*].mutate.patchStrategicMergeԼʹɺϚχϑΣετͷܗࣜͰهड़ͨ͠΋ͷΛ༻͍ ͯɺࠩ෼ͷൺֱΛ͠ύϥϝʔλͷมߋΛద༻͠·͢ɻ validateϧʔϧಉ༷ʹɺmutateʹ͓͍ͯ΋ΞϯΧʔΛ࢖੍ͬͨޚ΋Մೳͱͳ͍ͬͯ·͢ɻ mutateϧʔϧʹ͓͍ͯɺҎԼͷΞϯΧʔ͕࢖༻Մೳͱͳ͍ͬͯ·͢ɻ ΞϯΧʔ λά ҙຯ ৚݅෇͖ () if৚݅Λઃఆ͠ɺpeerཁૉ͸ͦͷ݁ՌʹมߋͷӨڹΛड͚Δ ௥Ճ +() ΞϯΧʔΛ෇༩ͨ͠Ωʔ͕ଘࡏ͠ͳ͍৔߹ʹɺઃఆͨ͠Ωʔٴͼ஋Λ௥ Ճ͢Δ άϩʔόϧ <() ೚ҙͷ৔ॴʹ৚݅Λઃఆ͠ɺͦͷ΄͔ͷՕॴʹมߋΛՃ͑Δ

Strategic Merge Patch ͜ͷϧʔϧͰ͸ɺcndt-vault-injection: “true” ͱ͍͏ϥϕϧΛ࣋ͭPod͕࡞੒͞Εͨࡍʹɺ Vaultʹొ࿥Λͨ͠ಛఆͷγʔΫϨοτσʔλΛɺ Pod಺ʹࢦఆͷϑΥʔϚοτͰ഑ஔ͢ΔͨΊͷ ΞϊςʔγϣϯͱαʔϏεΞΧ΢ϯτΛ෇༩ͯ͠ ͍·͢ɻ {{ ~~ }} Λ༻͍ͨهड़Λ͠ͳ͚Ε͹ͳΒͳ͍৔߹ɺ Kyvernoʹ͓͍ͯɺෳࡶͳ৚݅Λهड़͢Δࡍʹ ༻͍ΔJMESPathͱ͍͏ه๏ͱޡೝ͞Εͳ͍Α͏ ʹɺ\Λ༻͍ͯΤεέʔϓͤ͞Δඞཁ͕͋Γ·͢ɻ

Strategic Merge Patch [લϖʔδͷϧʔϧΛstrategicMerge.yamlʹهड़͠ద༻ͨ͠ࡍͷ࣮ߦྫ] $ vault secrets enable -path=secret kv-v2 $ vault kv put secret/cndt/config username="static-user" password="static-password" $ vault policy write cndt - <<EOF path "secret/data/cndt/config" { capabilities = ["read"] } EOF $ vault write auth/kubernetes/role/cndt \ bound_service_account_names=cndt \ bound_service_account_namespaces=default \ policies=cndt \ ttl=24h

Strategic Merge Patch [લϖʔδͷϧʔϧΛstrategicMerge.yamlʹهड़͠ద༻ͨ͠ࡍͷ࣮ߦྫ] $ kubectl apply –f strategicMerge.yaml $ kubectl create sa cndt -n default $ kubectl run cndt-app --image nginx:alpine -l cndt-vault-injection="true“ $ kubectl exec -it cndt-app -- cat /vault/secrets/cndt-credentials Defaulted container "cndt-app" out of: cndt-app, vault-agent, vault-agent-init (init) USERNAME=static-user PASSWORD=static-password

Generate Resources ৽͍͠Ϧιʔε͕࡞੒͞Εͨࡍɺ௥ՃͷϦιʔεΛ࡞੒͢Δ৔߹ʹ༻͍·͢ɻ spec.rules[*].generateΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ ࡞੒͢ΔϦιʔεͷ৘ใΛɺҎԼͷ2ͭΛ༻͍ͯهड़͢Δ͜ͱ͕Ͱ͖·͢ɻ • data: ࡞੒͢ΔϦιʔεͷ৘ใΛهड़͢Δ • clone: طʹଘࡏ͢ΔϦιʔεΛΫϩʔϯ͢Δ

Generate Resources with data spec.rules[*].generateԼͰ͸ɺҎԼΛهड़͠ ·͢ɻ • synchronize: ιʔεϦιʔεͱͷಉظ – true: ಉظΛ͠ɺߋ৽΍࡟আ͕Ͱ͖ͳ͍ – false: ಉظ͸ͤͣɺੜ੒͞ΕͨϦιʔεΛ௚ ઀ߋ৽·ͨ͸࡟আͰ͖Δ • ੜ੒͢ΔϦιʔεͷapiVersion, kind, name, namespace • data: metadataٴͼspecΛهड़ [ϧʔϧ] Namespace࡞੒࣌ʹɺIngressͱEgressΛڋ൱͢Δ Network PolicyΛ࡞੒͢Δɻ

Generate Resources with clone spec.rules[*].generateԼͰ͸ɺҎԼΛهड़͠ ·͢ɻ • synchronize: ιʔεϦιʔεͱͷಉظ – true: ಉظΛ͠ɺߋ৽΍࡟আ͕Ͱ͖ͳ͍ – false: ಉظ͸ͤͣɺੜ੒͞ΕͨϦιʔεΛ௚ ઀ߋ৽·ͨ͸࡟আͰ͖Δ • ੜ੒͢ΔϦιʔεͷapiVersion, kind, name, namespace • clone: NamespaceٴͼϦιʔε໊Λهड़ [ϧʔϧ] Namespace࡞੒࣌ʹɺࢦఆͨ͠Namespace(default) ʹଘࡏ͢ΔSecret(regsecret)ΛΫϩʔϯ͢Δɻ

Verify Images CosignΛ࢖༻ͯ͠ɺOCIϨδετϦʹ֨ೲ͞Ε͍ͯΔΠϝʔδͷॺ໊͓Αͼূ໌Λݕূ͠·͢ɻ ݱঢ়ɺϕʔλػೳͰ͋ΓɺϓϩμΫγϣϯ؀ڥͰͷ࢖༻͸ਪ঑͞Ε͍ͯ·ͤΜɻ spec.rules[*].verifyImagesΛ༻͍ͯهड़͍ͯ͘͜͠ͱʹͳΓ·͢ɻ

Verify Images imageReferencesʹ͓͍ͯࢦఆ͞Ε͍ͯ ΔΠϝʔδ͕ɺattestorsԼͰࢦఆ͞Ε͍ͯ ΔΩʔΛ༻͍ͯॺ໊͕͞Ε͍ͯΔͱ͍͏ ͜ͱΛݕূ͠·͢ɻ ॺ໊Λ͞Ε͍ͯͳ͍Πϝʔδٴͼɺࢦఆ ͨ͠ΩʔͱରͰ͸ͳ͍ΩʔʹΑͬͯॺ໊ ͞ΕͨΠϝʔδΛࢦఆͨ͠Pod͕ɺ͜ͷݕ ূʹΑͬͯڋ൱͞ΕΔ͜ͱʹͳΓ·͢ɻ

“ΞΫγϣϯ” ͷ·ͱΊ • Validate ResourcesͰ͸ɺϦιʔεΛ࡞੒ͯ͠Α͍͔൱͔Λ൑அ͠·͢ɻ • Mutating ResourcesͰ͸ɺϦιʔεʹରͯ͠ύϥϝʔλͷมߋΛ࣮ࢪ͠·͢ɻ • Generate ResourcesͰ͸ɺ͋ΔϦιʔεͷ࡞੒ʹඥ͍ͮͯɺผϦιʔεΛ࡞੒͠·͢ɻ • Verify ImageͰ͸ɺΠϝʔδͷ҆શੑΛ֬ೝ͢ΔͨΊʹॺ໊౳Λ֬ೝ͠·͢ɻ

Kyvernoͷӡ༻

ϙϦγʔϨϙʔτ

ϙϦγʔϨϙʔτ ϙϦγʔϨϙʔτ͸ɺద༻ͨ͠validate ResourcesϙϦγʔʹରͯ͠ɺൺֱ݁ՌΛఏڙ͢ΔϦ ιʔεͰ͢ɻ Kyverno͸ɺNamespace͝ͱͷϨϙʔτ͓ΑͼΫϥελʔϨϕϧͷϨϙʔτΛɺKubernetes Policy WGʹΑͬͯൃߦ͞ΕͨϙϦγʔϨϙʔτεΩʔϚΛ༻͍ͯ࡞੒͠·͢ɻ ݁ՌΤϯτϦ͸ɺ֘౰͢Δϧʔϧʹର͠ 1 ͭҎ্ͷϧʔϧʹҧ൓͢ΔϦιʔε͕࡞੒͞ΕΔͨ ͼʹϨϙʔτʹ௥Ճ͞ΕɺϦιʔε͕࡟আ͞ΕΔͱɺಉ࣌ʹϨϙʔτ͔Βফڈ͞Ε·͢ɻ $ kubectl get polr -A

Ϩϙʔτର৅ ର৅ͱͯ͠͸ɺvalidationFailureActionٴͼbackgroundʹ͓͍ͯઃఆͨ͠஋ʹґଘ͠·͢ɻ Background: true Background: false ৽͍͠Ϧιʔε طଘͷϦιʔε validationFailureAction: enforce None Report validationFailureAction: audit Report Report ৽͍͠Ϧιʔε طଘͷϦιʔε validationFailureAction: enforce None None validationFailureAction: audit Report None

Ϩϙʔτ಺༰ ϙϦγʔϨϙʔτͷΤϯτϦʹ͸ɺpassɺskipɺwarnɺerrorɺͦͯ͠failͷ͍ͣΕ͔Ͱใࠂ͞Ε·͢ɻ • pass: ϙϦγʔʹର͢ΔධՁΛ௨աͨ͠Ϧιʔεɻ • skip: Preconditionͷ৚݅Λຬͨͣ͞ɺධՁ͕࣮ߦ͞Εͳ͔ͬͨ΋ͷɻ • fail: ϙϦγʔʹର͢ΔධՁʹରͯ͠ɺҧ൓͍ͯ͠ΔͱΈͳ͞Εͨ΋ͷɻ • warn: ҎԼͷ2ͭͷ৚݅Λຬͨͨ͠৔߹ʹద༻͞ΕΔɻ – PolicyͷΞϊςʔγϣϯʹ policies.kyverno.io/scored: “false“ ͕ηοτ͞Ε͍ͯΔɻ – ϙϦγʔʹର͢ΔධՁʹରͯ͠ɺҧ൓͍ͯ͠ΔͱΈͳ͞Εͨɻ • error: Preconditionsͷ֎ଆͰɺruleͷதʹ͓͍ͯม਺ஔ׵͕ࣦഊͨ͠΋ͷ

ϞχλϦϯά

ϞχλϦϯά KyvernoͰ͸ɺόʔδϣϯ1.4.0͔Βɺద༻༷ͨ͠ʑͳϙϦγʔʹର͢ΔΞΫςΟϏςΟΛ Prometheus༻ͷϝτϦοΫͱͯ͠ల։Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ɻ kyvernoΛσϓϩΠ͢ΔͱɺService(kyverno-svc-metrics)͕ϝτϦοΫΛެ։͢ΔͨΊʹ࡞੒ ͞Ε·͢ɻ

ϝτϦοΫͷछྨ ҎԼͷϝτϦοΫ͕ఏڙ͞Ε·͢ɻ • Policies and Rule Counts • Policy and Rule Execution • Policy Rule Execution Latency • Admission Review Latency • Admission Requests Counts • Policy Change Counts  

ϝτϦοΫͷछྨ ຊηογϣϯͰ͸ɺҎԼͷ3ͭʹ͍ͭͯղઆ͠·͢ɻ • Policies and Rule Counts • Policy and Rule Execution • Policy Rule Execution Latency • Admission Review Latency • Admission Requests Counts • Policy Change Counts  

Policies and Rule Counts ͜ͷϝτϦοΫ͸ɺΫϥελʔͰݱࡏ࢖༻Մೳͳ͢΂ͯͷϙϦγʔʹՃ͑ɺطʹ࡟আ͞Εͨϙ ϦγʔͳͲͷϙϦγʔͷཤྺ΋อ͍࣋ͯ͠·͢ɻ ϝτϦοΫ໊: kyverno_policy_rule_info_total ஋: • طଘͷϙϦγʔ = 1 • ࡟আ͞ΕͨϙϦγʔ = 0 ※ 1ͭͷϙϦγʔʹෳ਺ϧʔϧΛॻ͍ͨ৔߹͸ɺ֤ϧʔϧຖʹϝτϦοΫ͕࡞੒͞Ε·͢ɻ

Policies and Rule Counts (ෳ਺ͷϙϦγʔ) (طଘ) (࡟আࡁΈ)

Policies and Rule Counts (ෳ਺ͷϧʔϧΛ࣋ͭϙϦγʔ)

Policy and Rule Execution ͜ͷϝτϦοΫ͸ɺϧʔϧʹର͢ΔධՁͷ࣮ߦ݁ՌͱόοΫάϥ΢ϯυͰεΩϟϯͨ݁͠ՌΛ ه࿥͠·͢ɻ ϝτϦοΫ໊: kyverno_policy_results_total ஋: ϧʔϧʹؔ࿈෇͚ΒΕͨ݁Ռ

Policy and Rule Execution $ kubectl get pods -n service-stg $ kubectl get clusterpolicy all-containers-need-requests-and-limits Prometheus metric

Policy Change Counts ͜ͷϝτϦοΫ͸ɺϙϦγʔͷ࡞੒ɺߋ৽ɺ࡟আͳͲɺ͢΂ͯͷϙϦγʔมߋͷཤྺΛه࿥͠ ·͢ɻ ϝτϦοΫ໊: kyverno_policy_changes_total ஋: ϙϦγʔϨϕϧͰͷมߋͷ૯਺

Policy Change Counts (࡞੒௚ޙ) (1ճ໨ɹमਖ਼) (2ճ໨ɹमਖ਼)

“Kyvernoͷӡ༻” ͷ·ͱΊ • Validate Resourcesʹରͯ͠ɺҧ൓͍ͯ͠ΔϦιʔεΛ֬ೝ͢ΔͨΊʹϙϦγʔϨϙʔτͱ͍ ͏΋ͷΛࢀর͢Δ͜ͱ͕Ͱ͖·͢ɻ • ݱࡏద༻͍ͯ͠ΔϙϦγʔ΍ɺͦͷϙϦγʔʹର͢ΔධՁͷ݁ՌɺϙϦγʔͷมߋݕ஌ͳͲ ʹؔ͢Δ৘ใΛఏڙ͢ΔͨΊͷϝτϦοΫ͕ఏڙ͞Ε͍ͯ·͢ɻ

ຊηογϣϯͷ·ͱΊ • KyvernoΛ༻͍Δ͜ͱͰɺ؆୯͔ͭॊೈʹϙϦγʔ੍ޚΛ࣮ࢪ͢Δ͜ͱ͕Ͱ͖·͢ɻ • ϙϦγʔΛॻ্͘Ͱಛ༗ͷݴޠ౳Λ༻͍Δඞཁ͕͋Γ·ͤΜɻ • ϙϦγʔʹର͢ΔϦιʔεͷঢ়ଶΛɺϙϦγʔϨϙʔτ΍ϝτϦοΫΛ༻͍ͯ֬ೝ͢Δ͜ͱ ͕Ͱ͖·͢ɻ (Tips) • Validate ResourcesΛద༻͢Δࡍ͸ɺvalidationFailureActionΛ·ͣauditʹઃఆ͠ɺҙਤͨ͠ ڍಈʹͳΔ͜ͱΛ֬ೝͨ͠ޙenforceʹ੾Γସ͑Δ͜ͱͰɺطଘϦιʔεʹର͢ΔӨڹͳͲΛ ೺Ѳ্ͨ͠ͰϙϦγʔͷద༻͕Ͱ͖·͢ɻ • Mutate Resourcesʹ͓͍ͯɺ1ͭͷϙϦγʔʹෳ਺ͷϧʔϧΛඳ͘৔߹ɺ্͔ΒԼ΁ॲཧ͞ ΕΔ͜ͱʹ஫ҙ͍ͯͩ͘͠͞ɻ

ࢀߟࢿྉ • KyvernoͷϙϦγʔͷॻ͖ํ • https://kyverno.io/docs/writing-policies/ • ຊηογϣϯͰ͸આ໌͍ͯ͠ͳ͍ϙϦγʔͷॻ͖ํͳͲɻ • Kyverno αϯϓϧϙϦγʔ • https://github.com/kyverno/policies • ϕετϓϥΫςΟε΍ɺPod Security Standardsʹ४ڌͨ͠ϙϦγʔͳͲɻ • ͦͷ΄͔༷ʑͳ֎෦πʔϧʹର͢ΔαϯϓϧϙϦγʔ͕༻ҙ͞Ε͍ͯΔɻ

明日から始められるKyvernoを用いたポリシー制御

明日から始められるKyvernoを用いたポリシー制御

More Decks by ry

Other Decks in Technology

Featured

Transcript