
Policy control with Kyverno that you can start tomorrow (明日から始められるKyvernoを用いたポリシー制御)

ry
November 21, 2022

Slides for the CNDT2022 talk.
What is Kyverno?
How do you use Kyverno?
This deck answers questions like these.

#Kyverno #kyverno #Policy #OPA #Validation #Mutation #Generation #VerifyImage

Transcript

1. Policy control with Kyverno that you can start tomorrow. 2022/11/21, Cloud Native Days Tokyo 2022, 15:20 ~ 16:00, Track D. Ryotaro Uwatsu

2. Copyright © Dell Inc. All Rights Reserved.
   About me. Name: Ryotaro Uwatsu (@URyo_0213). Title: Solutions Architect. Community:
   • Kubernetes Meetup Novice
   • Kubenews
   • Cloud Native Days Tokyo

3. Table of contents
   • Policy control
   • What is Kyverno
   • Policy control in Kyverno
   • Operating Kyverno

4. Policy control

5-8. What is policy control? (one slide revealed in four steps; the final content is shown)
   Policy:
   • (organization) a policy or guiding principle
   • (individual) a principle you believe in and that shapes your behaviour
   Example: in ONE PIECE, Sanji's famous line "Even if it kills me, I won't kick a woman" expresses his policy "never hurt a woman" → this is something he will never do.
   [Kubernetes] a Pod that specifies an image with the latest tag is never allowed to run.
   A policy is an operational rule set by an individual, a team or an organization; policy control means that, once a policy is defined, the appropriate actions are taken so that it is always followed.

9. Basic policy control in Kubernetes. Kubernetes already provides the following kinds of policy control:
   • Network Policy: controls ingress (inbound) and egress (outbound) traffic.
   • Pod Security Admission: restricts which workload resources can be created, based on the Pod Security Standards.
   • Resource Quota: limits total resource consumption per Namespace.
   • etc.

10. What is Kyverno

11. Kyverno. Kyverno is a policy engine that runs inside a Kubernetes cluster as a Dynamic Admission Controller. It receives Admission Webhooks from kube-apiserver and applies control based on the policies you have defined. Policies are written as Custom Resources, i.e. as ordinary Kubernetes manifests, so the learning cost is very low. Version: 1.8.0 https://github.com/kyverno/kyverno

12. Dynamic Admission Control

13. Dynamic Admission Control (diagram of the kube-apiserver request path): Authentication → Authorization → Mutating Admission (Webhook) → Object Schema Admission → Validating Admission (Webhook) → Persist data to etcd. Kyverno is the target of the mutating and validating webhooks.

14. Mutating and Validating.
   Mutating: changes the parameters of the resource being created, based on some condition. ex) add Envoy as a sidecar to Pods carrying the label sidecar.istio.io/inject: true.
   Validating: decides, based on conditions, whether the resource being created may be created. ex) only Pods carrying the label allowed-by-kyverno: true may be created.
   [not used in the live talk]

15. Installing Kyverno [not used in the live talk]

16. Installing Kyverno. Kyverno can be deployed with Helm or from YAML manifests.
   [Production] helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=3
   [Test environment] helm install kyverno kyverno/kyverno -n kyverno --create-namespace
   [not used in the live talk]

17. Differences caused by the replica count. Setting the replica count to a number greater than 1 makes the chart apply a Pod Disruption Budget. (Helm template) [not used in the live talk]

18. Pod Anti-Affinity Rule. A Pod anti-affinity rule is applied, so the replicas are spread across nodes wherever possible. [not used in the live talk]

19. Quick summary so far
   • A policy is an operational rule, and taking the appropriate actions to keep it is policy control.
   • Kyverno is where kube-apiserver sends its webhooks when it controls resources.
   • When Kyverno receives a webhook, it takes the action defined by the policy.
   [not used in the live talk]

20. Policy control in Kyverno

21. Applying policies with Kyverno. Two resources are used to apply policies with Kyverno:
   1. ClusterPolicy: applies a policy to the whole cluster.
   2. Policy: applies a policy confined to one Namespace.
   Caveat: there is no ordering between policies, so combining several policies can only extend the set of rules. Policies cannot override one another, so you cannot set a strict ClusterPolicy and then relax it in a particular Namespace with a Policy.

22. Policy structure (diagram): Policy → Rule → target selection (Preconditions, Match, Exclude) → actions (Validate Resources, Mutate Resources, Generate Resources, Verify Images)

23. Policy structure (diagram, policy YAML shown)

24. Policy control in Kyverno ~ Target selection ~

25. Policy structure (diagram, target selection part highlighted: Preconditions, Match, Exclude)

26. Match. Match is the rule used to select the target resources, written under rules[*].match. In the example below, the "action" is executed for Deployments.

27. Exclude. Exclude is used to make exceptions among the resources included by Match, written under rules[*].exclude. In the example below, the "action" is executed for Pods outside the kube-system Namespace.

28. all and any. match and exclude share the same structure and take one of the following two elements:
   • any: applies an OR condition when selecting resources.
   • all: applies an AND condition when selecting resources.

29. any and all. As in the example below, writing match or exclude without any or all is still possible today, but it is deprecated and will no longer be supported in a future release, so be careful.

30. How to specify the target. The following fields can be used to select the target:
   • resources:
     – kind (Deployment, Pod, Service, …) is a required field.
     – resource name, Namespace, annotations, labels etc. can be given to pin down the target precisely.
   • subjects:
     – User, Group, ServiceAccount.
   • roles/clusterRoles:
     – Role or ClusterRole.

31. How to specify the target. In the example below, the target is Pods carrying the label app=critical, except resources created by the User cndt-admin or via the ClusterRole cluster-admin. (Figure: three Pods named test1 with the label app: critical, created by User John with ClusterRole cluster-admin, by User cndt-admin with ClusterRole admin, and by User ry with ClusterRole admin; the first two are out of scope, the last one is in scope.)

32-40. Fields available under resources (one slide revealed step by step). The following can be specified under resources:
   • (Required) kind
   • (Optional) name
   • (Optional) selector
   • (Optional) annotations
   • (Optional) namespaces
   • (Optional) namespaceSelector
   Targets in the examples shown: all Deployment resources; the Deployment named test; Deployments carrying the given labels; Deployments carrying the given annotation; Deployments in the given Namespace; Deployments in the given Namespace that also carry the given labels. [not used in the live talk]

41. Formats accepted for kind under resources. kind supports the following formats:
   • Group/Version/Kind
   • Version/Kind
   • Kind
   This is useful when several resources share the same kind name, for example NetworkPolicy: (Kubernetes) apiVersion: networking.k8s.io/v1, kind: NetworkPolicy; (Calico) apiVersion: projectcalico.org/v3, kind: NetworkPolicy. [not used in the live talk]

42. Wildcards. Wildcards can be used in rules with the following meaning:
   • *: a string of any length
   • ?: any single character
   [Target] all resources

43. Preconditions. Preconditions are used to control more finely when a rule is applied. Kyverno looks at the AdmissionReview and, based on the rules written in preconditions, decides whether to perform policy control at all. They are written under rules[*].preconditions and, like match and exclude, the rules go under any or all.

44. AdmissionReview. When Dynamic Admission Control fires a webhook, the AdmissionReview is the object used to send the various pieces of information about the resource. It contains request.operation (CREATE, UPDATE, DELETE, CONNECT), which says what the current operation is trying to do, request.object, which holds the parameters of the resource being operated on, and more.

45. Preconditions Example. Under spec.rules[*].preconditions.(any/all)[*], conditions are written as key – operator – value combinations. The example behaves as follows: on create or update, policy control is performed if the target is a Pod.

46. Operators. The following operators can be used in preconditions:
   • Equals
   • NotEquals
   • In (deprecated)
   • AnyIn
   • AllIn
   • NotIn (deprecated)
   • AnyNotIn
   • AllNotIn
   • GreaterThan
   • GreaterThanOrEquals
   • LessThan
   • LessThanOrEquals
   • DurationGreaterThan
   • DurationGreaterThanOrEquals
   • DurationLessThan
   • DurationLessThanOrEquals

47. Summary of "target selection"
   • Use Match to specify the targets of policy control.
   • Use Exclude to make exceptions among the target resources.
   • Use Preconditions to set prerequisites.
   • Write rules as arrays under any (OR) or all (AND).
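The following ClusterPolicy is an added example, not one of the slides' own manifests: it combines the target-selection mechanisms from slides 26 to 46 (match with any, exclude by user, ClusterRole and namespace, and preconditions on the AdmissionReview). Field names follow Kyverno 1.8, the user and label names are the ones used on the slides, and the validate action at the end is only a placeholder so that the policy is complete.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: critical-pods-target-selection
spec:
  validationFailureAction: audit
  # request.operation only exists at admission time, so background scans of
  # existing resources must be switched off for a policy that reads it.
  background: false
  rules:
    - name: critical-pods-need-owner
      # Match: Pods carrying app=critical in any namespace (OR list, slide 28)
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  app: critical
      # Exclude: exceptions for the requesting user, the ClusterRole in use
      # and the namespace of the resource (slides 27 and 31)
      exclude:
        any:
          - subjects:
              - kind: User
                name: cndt-admin
          - clusterRoles:
              - cluster-admin
          - resources:
              namespaces:
                - kube-system
      # Preconditions: only evaluate on CREATE or UPDATE of a Pod (slide 45)
      preconditions:
        all:
          - key: "{{ request.operation }}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{ request.object.kind }}"
            operator: Equals
            value: Pod
      # Placeholder action for this example: require a non-empty owner label
      validate:
        message: "Critical Pods must declare an owner label."
        pattern:
          metadata:
            labels:
              owner: "?*"
```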
48. Policy control in Kyverno ~ Actions ~

49. Policy structure (diagram, actions part highlighted: Validate Resources, Mutate Resources, Generate Resources, Verify Images)

50. Validate Resources. Used to decide whether a new resource that a user or a process is creating may be created. Written under spec.rules[*].validate. What happens to a resource that violates a rule is controlled by spec.validationFailureAction:
   • enforce
     – blocks creation when a rule is violated.
   • audit
     – allows creation even when a rule is violated.
     – records the resource in the policy report as a violation.

51. Validate Resources Example. Under spec.rules[*].validate.pattern you write the top-level metadata or spec of the target resource to define the validation rule. nginx-with-label carries the required label, so its creation is allowed; nginx-without-label does not, so its creation is rejected. [execution result shown]

52. validationFailureActionOverrides. For validation in a ClusterPolicy only, validationFailureActionOverrides lets you name Namespaces and set the failure action (audit, enforce) for each of them individually. The Pod that was rejected on the previous slide can be seen to be created in the Namespace no-label. [execution result shown]

53-54. How to write validate conditions. The following expressions can be used to write validation conditions; this session covers the first three:
   • pattern
   • anyPattern
   • deny
   • Foreach
   • Manifest Validation
   • Pod Security

55. Writing a pattern. In pattern you write the metadata or spec subtree, and validation is performed by comparing it against the resource. This example writes the spec of a Deployment and requires that the Pods generated by the Deployment carry the label permitted-by-kyverno="true".

56. Writing a pattern. The following expressions are available in pattern conditions:
   • wildcards
   • operators
   • anchors

57. Wildcards. Wildcards can be used in rules with the following meaning:
   • *: a string of any length
   • ?: any single character
   [Rule] the resource must have a label whose key is allowed-by.

58. Operators. Operators let you write detailed conditions on values.
   • > : greater than
   • < : less than
   • >= : greater than or equal to
   • <= : less than or equal to
   • ! : not equal to the given value
   • | : OR
   • & : AND
   • - : within the range
   • !- : outside the range

59. Operators [numeric comparison] (same operator table)
   $ kubectl create deploy not-enough-replica --replicas=2 --image nginx:alpine

60. Operators [selecting anything but the given value] (same operator table)
   $ kubectl run nginx --image nginx:alpine -n default

61. Anchors. Anchors let you attach various conditions to a key.
   • Conditional, tag () : sets a condition on the peer elements
   • Equality, tag =() : if the element exists, then …
   • Existence, tag ^() : at least one element exists
   • Negation, tag X() : rejects the element
   • Global, tag <() : sets a condition anywhere in the resource

62. Anchors [() anchor] (same anchor table) [Condition] (condition under spec, peer: metadata) If spec.volumes.hostPath is defined and its path is /var/log, metadata.labels must contain allow-log-hostpath: "true".

63. About conditional anchors. A conditional anchor attaches a condition to its peer elements, so by design elements outside the peers are not affected by the evaluation of the anchored element. As of version 1.8.0, however, as in this example, elements that are not peers are also affected when the anchored element does not match: their evaluation is skipped even though they do not satisfy the rule, so be careful. ※ An issue has been opened and is being worked on.

64. Anchors [=() anchor] [Condition] If spec.volumes.hostPath is defined, its path must not be /proc or /sys. (same anchor table)

65. Anchors [^() anchor] [Condition] When a Pod is created, it must contain at least one container with a livenessProbe configured. (same anchor table)

66. Anchors [X() anchor] [Condition] For Pods carrying the label no-ephemeral="true", reject the creation of ephemeral containers. ※ use "null" as the value. (same anchor table)

67. Anchors [<() anchor] [Condition] If there is a container that uses an image pulled from my-local-reg.com, my-registry-secret must be used as the imagePullSecret. (same anchor table)
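As an added example (not a manifest from the slides), one ClusterPolicy that puts the validate features of slides 50 to 67 together: validationFailureActionOverrides for the no-label Namespace (slide 52), operators (slide 58) and the =(), ^(), X() and <() anchors (slides 64 to 67). The conditional () anchor case from slide 62 is left out on purpose, since slide 63 reports it misbehaving in 1.8.0. The registry, secret and label names are the ones used on the slides.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cndt-validate-anchors
spec:
  # Block violations cluster-wide, but only report them in the no-label
  # Namespace (validationFailureActionOverrides, slide 52).
  validationFailureAction: enforce
  validationFailureActionOverrides:
    - action: audit
      namespaces:
        - no-label
  background: true
  rules:
    # Equality anchor =() with the ! and & operators (slide 64): the path is
    # only checked when a hostPath volume is present; Pods without volumes pass.
    - name: hostpath-not-proc-or-sys
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "hostPath volumes may not mount /proc or /sys."
        pattern:
          spec:
            =(volumes):
              - =(hostPath):
                  path: "!/proc & !/sys"
    # Existence anchor ^() (slide 65): at least one container must define a
    # livenessProbe; the other containers are not checked.
    - name: liveness-probe-required
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "At least one container needs a livenessProbe."
        pattern:
          spec:
            ^(containers):
              - livenessProbe:
                  periodSeconds: ">0"
    # Negation anchor X() (slide 66): Pods labelled no-ephemeral=true may not
    # declare ephemeral containers; the value must be the string "null".
    - name: no-ephemeral-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  no-ephemeral: "true"
      validate:
        message: "Ephemeral containers are not allowed for this Pod."
        pattern:
          spec:
            X(ephemeralContainers): "null"
    # Global anchor <() (slide 67): if any container image comes from
    # my-local-reg.com, the rest of the pattern (the pull secret) must match.
    - name: local-registry-pull-secret
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images from my-local-reg.com require imagePullSecret my-registry-secret."
        pattern:
          spec:
            containers:
              - <(image): "my-local-reg.com/*"
            imagePullSecrets:
              - name: my-registry-secret
```

Following the tip on slide 103, run this first with validationFailureAction: audit and read the policy reports before switching to enforce, so that existing workloads violating the liveness-probe rule are found before they are blocked.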
68. Writing anyPattern. anyPattern lets you define several patterns. This example enforces that a securityContext is set either for the Pod as a whole or for each container (container, init container, ephemeral container).

69. Writing deny. deny is used when you want to reject a request based on a set of conditions. The conditions are normally written under deny.conditions with any or all, as key – operator – value combinations. When using deny, validationFailureAction must be set to enforce. [Rule] For operations performed with a ClusterRole other than cluster-admin, reject deletion of resources carrying the label app.kubernetes.io/managed="kyverno".

70. Operators. The following operators can be used inside conditions in deny:
   • Equals
   • NotEquals
   • In (deprecated)
   • AnyIn
   • AllIn
   • NotIn (deprecated)
   • AnyNotIn
   • AllNotIn
   • GreaterThan
   • GreaterThanOrEquals
   • LessThan
   • LessThanOrEquals
   • DurationGreaterThan
   • DurationGreaterThanOrEquals
   • DurationLessThan
   • DurationLessThanOrEquals

71. Writing deny. deny can also be configured to reject every operation on the given resource. [Rule] For operations performed with a ClusterRole other than cluster-admin, reject all operations on NetworkPolicy resources.
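The two deny rules from slides 69 and 71 written out as one ClusterPolicy, as an added example rather than the slides' own manifest. The first rule limits the kinds to ConfigMap and Secret (the slide does not name a kind) and uses request.operation, which is only available at admission time; the second uses an empty deny to block every operation on NetworkPolicy objects.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-kyverno-managed-resources
spec:
  # deny rules need enforce (slide 69), and request.* variables are
  # admission-time only, so background scanning is disabled.
  validationFailureAction: enforce
  background: false
  rules:
    # Slide 69: anyone not acting through cluster-admin may not DELETE
    # ConfigMaps or Secrets labelled app.kubernetes.io/managed=kyverno.
    - name: block-delete-of-managed-objects
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
                - Secret
              selector:
                matchLabels:
                  app.kubernetes.io/managed: kyverno
      exclude:
        any:
          - clusterRoles:
              - cluster-admin
      validate:
        message: "Objects managed by kyverno may only be deleted via cluster-admin."
        deny:
          conditions:
            any:
              - key: "{{ request.operation }}"
                operator: Equals
                value: DELETE
    # Slide 71: an empty deny rejects every operation on the matched kind
    # unless the request comes through cluster-admin.
    - name: lock-network-policies
      match:
        any:
          - resources:
              kinds:
                - NetworkPolicy
      exclude:
        any:
          - clusterRoles:
              - cluster-admin
      validate:
        message: "NetworkPolicy objects may only be changed via cluster-admin."
        deny: {}
```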
72. Mutate Resources. Used to change the parameters of resources that match a rule. Written under spec.rules[*].mutate. A rule can be applied with the following mechanisms:
   • RFC 6902 JSONPatch
   • Strategic Merge Patch
   • Foreach

73. RFC 6902 JSONPatch. RFC 6902 JSONPatch uses the JSON Patch format (https://jsonpatch.com/) to locate the target and change elements of the resource. It is written under spec.rules[*].mutate.patchesJson6902 as path – op – value combinations: path names the location to change, op the kind of change, and value the value to apply. The following three operations are supported for op:
   • add
   • replace
   • remove

74. RFC 6902 JSONPatch. This rule changes the manifest of Pods carrying the label add-tls-secret="true" so that a Secret is inserted as a Volume. Note that when working with arrays, an existing element is referenced by its index and a new element is appended with "-".
   path: "/spec/containers/0/volumeMounts/-" → 0 refers to the first container; "-" appends an entry to the volumeMounts array.

75. RFC 6902 JSONPatch [example run after writing the rule from the previous page to mutate6902.yaml and applying it]
   $ kubectl create secret tls tls-cert --cert=server.crt --key=server.key -n default
   $ kubectl apply -f mutate6902.yaml
   $ kubectl run nginx-tls --image nginx:alpine -l add-tls-secret="true"
   $ kubectl exec -it nginx-tls -- ls /cndt
   tls.crt  tls.key
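An added example of the patchesJson6902 rule that the run on slide 75 exercises; the slides show only the volumeMounts path, so the volume entry and the read-only mount are this example's own choices. The Secret name tls-cert, the label and the mount path /cndt are taken from the slide.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-tls-secret-volume
spec:
  rules:
    - name: mount-tls-cert
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  add-tls-secret: "true"
      mutate:
        # The patch is a YAML string with one op/path/value entry per change.
        # "-" appends to an array (slide 74). By the time the webhook runs,
        # kube-apiserver's ServiceAccount admission plugin has already added
        # the token projection volume and its mount, so both arrays exist
        # and "-" is safe even for a Pod created with plain "kubectl run".
        # Index 0 addresses the first container only; a multi-container Pod
        # would need one volumeMounts entry per container.
        patchesJson6902: |-
          - op: add
            path: "/spec/volumes/-"
            value:
              name: tls-cert
              secret:
                secretName: tls-cert
          - op: add
            path: "/spec/containers/0/volumeMounts/-"
            value:
              name: tls-cert
              mountPath: /cndt
              readOnly: true
```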
76. Strategic Merge Patch. Used to control how elements are merged. Under spec.rules[*].mutate.patchStrategicMerge you write the change in manifest form; Kyverno compares it with the resource and applies the parameter changes. As in validate rules, anchors can be used for control in mutate rules too. The following anchors are available in mutate rules:
   • Conditional, tag () : sets an if condition; the peer elements are changed depending on its result
   • Add, tag +() : if the anchored key does not exist, adds the given key and value
   • Global, tag <() : sets a condition anywhere and applies the change elsewhere

77. Strategic Merge Patch. When a Pod carrying the label cndt-vault-injection: "true" is created, this rule adds the annotations and the service account needed to place a specific secret registered in Vault inside the Pod in the given format. Where the annotation must contain {{ ~~ }}, the braces have to be escaped with \ so that Kyverno does not mistake them for JMESPath, the notation it uses for complex conditions.

78. Strategic Merge Patch [example run after writing the rule from the previous page to strategicMerge.yaml and applying it]
   $ vault secrets enable -path=secret kv-v2
   $ vault kv put secret/cndt/config username="static-user" password="static-password"
   $ vault policy write cndt - <<EOF
   path "secret/data/cndt/config" {
     capabilities = ["read"]
   }
   EOF
   $ vault write auth/kubernetes/role/cndt \
       bound_service_account_names=cndt \
       bound_service_account_namespaces=default \
       policies=cndt \
       ttl=24h

79. Strategic Merge Patch [example run after writing the rule from the previous page to strategicMerge.yaml and applying it]
   $ kubectl apply -f strategicMerge.yaml
   $ kubectl create sa cndt -n default
   $ kubectl run cndt-app --image nginx:alpine -l cndt-vault-injection="true"
   $ kubectl exec -it cndt-app -- cat /vault/secrets/cndt-credentials
   Defaulted container "cndt-app" out of: cndt-app, vault-agent, vault-agent-init (init)
   USERNAME=static-user
   PASSWORD=static-password
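An added example of the patchStrategicMerge rule behind the run on slides 78 and 79; it is not the slides' own manifest. It assumes the Vault Agent Injector is installed and uses its standard annotation names, the Vault role and service account cndt and the secret path from slide 78, and shows the +() anchor from slide 76 and the \{{ escaping from slide 77.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cndt-vault-injection
spec:
  rules:
    - name: add-vault-agent-annotations
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  cndt-vault-injection: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              vault.hashicorp.com/agent-inject: "true"
              # +() anchor (slide 76): set the Vault role only if the Pod
              # has not chosen one itself.
              +(vault.hashicorp.com/role): cndt
              vault.hashicorp.com/agent-inject-secret-cndt-credentials: secret/data/cndt/config
              # Every "{{" meant for Vault Agent's template engine is escaped
              # as "\{{" so Kyverno does not parse it as a JMESPath variable
              # (slide 77). The rendered file lands in /vault/secrets/cndt-credentials.
              vault.hashicorp.com/agent-inject-template-cndt-credentials: |
                \{{- with secret "secret/data/cndt/config" -}}
                USERNAME=\{{ .Data.data.username }}
                PASSWORD=\{{ .Data.data.password }}
                \{{- end }}
          spec:
            # The Vault role is bound to this service account (slide 78),
            # so it is set unconditionally rather than with +().
            serviceAccountName: cndt
```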
80. Generate Resources. Used to create additional resources when a new resource is created. Written under spec.rules[*].generate. The resource to create can be described in one of two ways:
   • data: write the contents of the resource to create
   • clone: clone a resource that already exists

81. Generate Resources with data. Under spec.rules[*].generate you write:
   • synchronize: synchronization with the source resource
     – true: kept in sync; the generated resource cannot be updated or deleted directly
     – false: not kept in sync; the generated resource can be updated or deleted directly
   • the apiVersion, kind, name and namespace of the resource to generate
   • data: its metadata and spec
   [Rule] When a Namespace is created, create a Network Policy that denies Ingress and Egress.

82. Generate Resources with clone. Under spec.rules[*].generate you write:
   • synchronize: synchronization with the source resource
     – true: kept in sync; the generated resource cannot be updated or deleted directly
     – false: not kept in sync; the generated resource can be updated or deleted directly
   • the apiVersion, kind, name and namespace of the resource to generate
   • clone: the Namespace and name of the resource to clone
   [Rule] When a Namespace is created, clone the Secret (regsecret) that exists in the given Namespace (default).
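The two generate rules from slides 81 and 82 as one added ClusterPolicy (not the slides' own manifest). The list of excluded system Namespaces is this example's choice; the NetworkPolicy contents and the regsecret clone follow the slides.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: new-namespace-defaults
spec:
  rules:
    # Slide 81, generate with data: a default-deny NetworkPolicy for every
    # new Namespace, so workloads start isolated until a policy opens traffic.
    - name: default-deny-network-policy
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        # synchronize: true keeps the generated object in step with this rule
        # and blocks direct edits or deletion of it (slide 81).
        synchronize: true
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
    # Slide 82, generate with clone: copy the registry pull Secret from the
    # default Namespace into the new one.
    - name: clone-registry-secret
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        synchronize: true
        apiVersion: v1
        kind: Secret
        name: regsecret
        namespace: "{{ request.object.metadata.name }}"
        clone:
          namespace: default
          name: regsecret
```

Generated objects are created by Kyverno's own service account, so its ClusterRole must allow create, update and delete on every kind a generate rule produces; check this before relying on the rule.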
83. Verify Images. Uses Cosign to verify the signatures and attestations of images stored in an OCI registry. This is currently a beta feature and its use in production environments is not recommended. Written under spec.rules[*].verifyImages.

84. Verify Images. Verifies that the images named in imageReferences are signed with the key given under attestors. A Pod that specifies an unsigned image, or an image signed with a key that is not the counterpart of the given one, is rejected by this verification.
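An added example of a verifyImages rule as described on slide 84 (not one of the slides' manifests), using the Kyverno 1.8 attestors layout. The registry path is the one used on slide 67 and the public key is an obvious placeholder to be replaced with the cosign key that signed the images.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cndt-image-signatures
spec:
  validationFailureAction: enforce
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images matching these references are checked; anything else
        # is admitted without a signature check, so keep the list tight.
        - imageReferences:
            - "my-local-reg.com/cndt/*"
          # At least one attestor entry must verify (count: 1). Unsigned
          # images, or images signed with a different key, are rejected.
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER-replace-with-the-cosign-public-key
                      -----END PUBLIC KEY-----
```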
85. Summary of "actions"
   • Validate Resources decides whether a resource may be created.
   • Mutate Resources changes parameters of a resource.
   • Generate Resources creates another resource in response to the creation of a resource.
   • Verify Images checks signatures and similar evidence to confirm that an image is safe.

86. Operating Kyverno

87. Policy reports

88. Policy reports. A policy report is a resource that provides the comparison results for the validate Resources policies you have applied. Kyverno creates per-Namespace reports and a cluster-level report using the policy report schema published by the Kubernetes Policy WG. A result entry is added to the report each time a resource violating one or more of the relevant rules is created, and it is removed from the report at the same time the resource is deleted.
   $ kubectl get polr -A

89. What gets reported. Which resources are reported depends on the values set for validationFailureAction and background:
   background: true
   • validationFailureAction: enforce → new resources: none; existing resources: reported
   • validationFailureAction: audit → new resources: reported; existing resources: reported
   background: false
   • validationFailureAction: enforce → new resources: none; existing resources: none
   • validationFailureAction: audit → new resources: reported; existing resources: none

90. Report contents. Each policy report entry is reported as one of pass, skip, warn, error or fail.
   • pass: the resource passed evaluation against the policy.
   • skip: the Precondition was not satisfied, so evaluation was not performed.
   • fail: the resource was judged to violate the policy.
   • warn: applied when both of the following hold:
     – the Policy carries the annotation policies.kyverno.io/scored: "false".
     – the resource was judged to violate the policy.
   • error: variable substitution inside the rule, outside of Preconditions, failed.

91. Monitoring

92. Monitoring. Since version 1.4.0, Kyverno can expose the activity of the applied policies as Prometheus metrics. When kyverno is deployed, a Service (kyverno-svc-metrics) is created to expose the metrics.

93-94. Kinds of metrics. The following metrics are provided; this session covers three of them (Policies and Rule Counts, Policy and Rule Execution, Policy Change Counts):
   • Policies and Rule Counts
   • Policy and Rule Execution
   • Policy Rule Execution Latency
   • Admission Review Latency
   • Admission Requests Counts
   • Policy Change Counts

95. Policies and Rule Counts. This metric covers all policies currently available in the cluster and also keeps policy history, such as policies that have already been deleted.
   Metric name: kyverno_policy_rule_info_total
   Value:
   • existing policy = 1
   • deleted policy = 0
   ※ If a policy contains several rules, one metric series is created per rule.

96. Policies and Rule Counts (screenshots: several policies; existing; deleted)

97. Policies and Rule Counts (screenshot: a policy with several rules)

98. Policy and Rule Execution. This metric records the results of rule evaluations and of background scans.
   Metric name: kyverno_policy_results_total
   Value: the result associated with the rule

99. Policy and Rule Execution (screenshots)
   $ kubectl get pods -n service-stg
   $ kubectl get clusterpolicy all-containers-need-requests-and-limits
   Prometheus metric

100. Policy Change Counts. This metric records the history of all policy changes: creation, update, deletion and so on.
   Metric name: kyverno_policy_changes_total
   Value: total number of policy-level changes

101. Policy Change Counts (screenshots: right after creation; after the first change; after the second change)

102. Summary of "operating Kyverno"
   • For Validate Resources, you can consult the policy reports to find the resources that are in violation.
   • Metrics are provided with information about the currently applied policies, the results of evaluating them, and detection of policy changes.

103. Session summary
   • With Kyverno, policy control can be implemented simply and flexibly.
   • No special language is needed to write policies.
   • The state of resources with respect to policies can be checked through policy reports and metrics.
   (Tips)
   • When applying Validate Resources, first set validationFailureAction to audit, confirm that the behaviour is as intended, and then switch to enforce; that way you apply the policy knowing its effect on existing resources.
   • In Mutate Resources, when one policy contains several rules, note that they are processed from top to bottom.

104. References
   • How to write Kyverno policies
     • https://kyverno.io/docs/writing-policies/
     • Covers ways of writing policies not explained in this session.
   • Kyverno sample policies
     • https://github.com/kyverno/policies
     • Best practices, policies conforming to the Pod Security Standards, and more.
     • Sample policies for various other external tools are also provided.