
Preparing for the removal of PodSecurityPolicy: let's try PodSecurity Admission ahead of time! / from-psp-to-podsecurity

uesyn
August 26, 2021

Transcript

  1. Shinya Uemura / @uesyn
     ▶ Software engineer at ゼットラボ株式会社 (Z Lab Corporation)
     ▶ I help run the following communities:
       + Prometheus Meetup Tokyo
       + Cloud Native Meetup Tokyo
       + Kubernetes 変更内容共有会 (the Kubernetes release-changes sharing meetup)
     ▶ Next week, on Thursday 9/2, we are holding the Kubernetes v1.22 変更内容共有会, so please join!
       + https://kubernetes-updates.connpass.com/event/222915/
  2. What was PodSecurityPolicy protecting in the first place? (2/2)
     ▶ If the Pod spec is not taken into account, some inconvenient patterns arise
       + For example, consider the case where the cluster administrators and the cluster users are different people …
       + Is it acceptable to allow the creation of Pods whose capabilities are equivalent to root on the node the container runs on?
       + Is it acceptable to allow containers to attach to the host network?
       + Is it acceptable for containers to mount any host volume they like? Etc …
     ▶ Authorizing Pod creation alone leaves privilege escalation possible, so policy control over Pods matters
       + An unrestricted Pod is equivalent to root on the node (and, depending on conditions, to cluster-admin)
       + Reference: Securing Clusters with Kubernetes Extensibility
       + https://speakerdeck.com/ladicle/securing-clusters-with-kubernetes-extensibility?slide=27
     ▶ You will want to control whether a Pod may be created with the privileges it requests
     => PodSecurityPolicy can do that!
  3. What is PodSecurityPolicy?
     ▶ An admission controller that controls the security policy of Pods in fine detail
       + Privileged containers, the volumes and networks that may be used, enforcing a read-only root filesystem, etc …
       + Disabled by default
     ▶ Policies are defined in PodSecurityPolicy resources
       + If the "use" verb on a PodSecurityPolicy resource is authorized, Pods that satisfy that policy can be created
     ▶ It does not only allow or deny: it also substitutes values defined in the policy into the Pod (capabilities, etc.)
     (Diagram of the admission chain, annotated "RBAC is here" and "PSP is here". Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)
  4. About the removal of PodSecurityPolicy
     ▶ PSP was deprecated in Kubernetes v1.21 and is scheduled for removal in v1.25
     ▶ For the full background on the removal, see the links below
       + KEP-2579: Pod Security Admission Control - Motivation
       + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#motivation
       + PodSecurityPolicy Deprecation: Past, Present, and Future
       + https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away
     "It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSP(s) apply in a given situation. The “changing Pod defaults” feature can be handy, but is only supported for certain Pod settings and it’s not obvious when they will or will not apply to your Pod. Without a “dry run” or audit mode, it’s impractical to retrofit PSP to existing clusters safely, and it’s impossible for PSP to ever be enabled by default." [quoted from PodSecurityPolicy Deprecation: Past, Present, and Future]
  5. ① Unintended use of privileges (1/2)
     ▶ Whose usable PSPs can be applied to a Pod?
       + The user (or ServiceAccount) that sent the Pod creation request
       + The ServiceAccount named in the Pod's .spec.serviceAccountName
     Diagram: User "human" sends a Create request for the Pod below; with PSP, the privileged container cannot be created.
       apiVersion: v1
       kind: Pod
       metadata:
         name: test
       spec:
         containers:
         - image: test
           name: i-need-privilege
           securityContext:
             privileged: true
  6. ① Unintended use of privileges (2/2)
     ▶ Whose usable PSPs can be applied to a Pod?
       + The user (or ServiceAccount) that sent the Pod creation request
       + The ServiceAccount named in the Pod's .spec.serviceAccountName
     Diagram: User "human" sends a Create request for the Pod below, which runs as ServiceAccount "robot". Judged by the user alone, PSP would not let a privileged container be created; judged by the robot ServiceAccount, a privileged container can be created after all! It is enough that either of the two is allowed to start a privileged container, so the user ends up performing an operation beyond the privileges they were granted!!
       apiVersion: v1
       kind: Pod
       metadata:
         name: test
       spec:
         serviceAccountName: robot
         containers:
         - image: test
           name: i-need-privilege
           securityContext:
             privileged: true
  7. ② It is hard to tell whose usable PSPs get applied!
     ▶ When creating a ReplicaSet, StatefulSet or similar …
       + The Pod is created by kube-controller-manager (that is, by the ServiceAccount of the controller running inside it)
       + So the PSPs usable by the user (or ServiceAccount) behind the original request are irrelevant
     Diagram: User "human" only created a StatefulSet…; kube-controller-manager watches it and creates the Pod below, which runs as ServiceAccount "robot".
       apiVersion: v1
       kind: Pod
       metadata:
         name: test
       spec:
         serviceAccountName: robot
         containers:
         - image: test
           name: i-need-privilege
           securityContext:
             privileged: true
  8. ④ No default policy is provided
     ▶ PSP ships with no default policy
       + Policies have to be created one by one
     ▶ If PSP is enabled and there is no usable PSP resource, no Pod can start
       + Take care the first time you enable PSP
     ▶ A pseudo-default PSP can be set up
       + Make a PSP usable by the system:authenticated group
       + (system:authenticated: the group that every authenticated user and ServiceAccount belongs to)
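As an added illustration (not code from the slides), the Python model below reproduces the PSP behaviour described in slides 5 to 8: candidate policies are the union of what the requesting identity and the Pod's ServiceAccount may "use", a Pod created by a controller is judged by the controller's identity rather than the user's, and an empty candidate set means no Pod starts. The policy catalogue, RBAC grants and the controller ServiceAccount name are constructed for the example.

```python
# Simplified model of PodSecurityPolicy admission (added example, not the real plugin).
# Real PSP admission also mutates Pods; this model only validates.

CONTROLLER_SA = "system:serviceaccount:kube-system:statefulset-controller"  # assumed name

# Constructed PSP catalogue: policy name -> what the policy allows.
PSPS = {
    "restricted": {"privileged": False, "hostNetwork": False},
    "privileged": {"privileged": True, "hostNetwork": True},
}

# Constructed RBAC: which identities may "use" which PSP (the result of RoleBindings).
USE_GRANTS = {
    "human": {"restricted"},
    "system:serviceaccount:test:robot": {"privileged"},
    CONTROLLER_SA: {"restricted"},  # the controller itself was only given the safe policy
}

def psp_violations(psp, pod):
    """Return the Pod fields that policy `psp` does not allow."""
    rules = PSPS[psp]
    return [k for k in ("privileged", "hostNetwork") if pod.get(k) and not rules[k]]

def admit(requester, pod, namespace="test"):
    """Decide admission the PSP way: policies usable by the requester OR by the Pod's
    ServiceAccount are candidates, and the first one (by name) that validates the Pod wins."""
    sa_name = pod.get("serviceAccountName", "default")
    sa = f"system:serviceaccount:{namespace}:{sa_name}"
    candidates = USE_GRANTS.get(requester, set()) | USE_GRANTS.get(sa, set())
    if not candidates:  # slide 8: PSP enabled but nothing usable -> the Pod cannot start
        return (False, None)
    for name in sorted(candidates):
        if not psp_violations(name, pod):
            return (True, name)
    return (False, None)

# Constructed Pods matching the slides' diagrams.
PRIV_POD = {"privileged": True}
PRIV_POD_AS_ROBOT = {"privileged": True, "serviceAccountName": "robot"}

if __name__ == "__main__":
    print(admit("human", PRIV_POD))                 # (False, None): the user alone cannot
    print(admit("human", PRIV_POD_AS_ROBOT))        # (True, 'privileged'): robot's PSP is enough
    print(admit(CONTROLLER_SA, PRIV_POD_AS_ROBOT))  # (True, 'privileged'): user is irrelevant
    print(admit("nobody", {}))                      # (False, None): no usable PSP at all
```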
  9. Enter PodSecurity
     (Diagram of the admission chain, annotated "runs here" and "unlike PSP, it does no mutating!". Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)
     ▶ Arrived as an alpha feature in Kubernetes v1.22! (beta in v1.23 if all goes well)
       + For now it must be enabled explicitly through feature gates
     ▶ An admission controller that applies the Pod Security Standards
       + Definitions of security profiles for Pods (privileged, baseline, restricted)
       + ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
     ▶ Managed per Namespace
       + Not per user/ServiceAccount as with PSP
  10. What does PodSecurity do for you?
     ▶ Applies the Pod Security Standards policies to Pods
       + privileged, baseline, restricted
     ▶ A Pod Security Standards policy is applied for each of three modes
       + enforce: reject the creation of violating Pods
       + audit: on violation, record it as an annotation in the audit log (creation is not rejected)
       + warn: on violation, show a warning (creation is not rejected)
     ▶ Example: enforce and audit set to privileged, warn set to restricted
       + => Pod creation is unrestricted, but a warning is shown whenever a Pod does not satisfy restricted
  11. How to configure PodSecurity (1/2)
     ▶ Unlike PSP, there is no dedicated resource
     ▶ Configuration is done with Namespace labels
       + Labels of the form pod-security.kubernetes.io/xxx
       + The policy applies to every Pod in the Namespace
       + With PSP, a policy the Pod could start under was picked from those usable by the user/ServiceAccount
       apiVersion: v1
       kind: Namespace
       metadata:
         labels:
           pod-security.kubernetes.io/enforce: privileged
           pod-security.kubernetes.io/audit: privileged
           pod-security.kubernetes.io/warn: baseline
         name: test
  12. How to configure PodSecurity (2/2)
     ▶ PodSecurity policies are versioned
       + If no version is specified, latest is used
       apiVersion: v1
       kind: Namespace
       metadata:
         labels:
           pod-security.kubernetes.io/enforce: privileged
           pod-security.kubernetes.io/enforce-version: v1.22
         name: test
  13. PodSecurity default values
     ▶ Unlike PSP, there are default settings
       + enforce, audit and warn all default to privileged (that is, nothing is restricted)
       + The version defaults to latest
     ▶ Because it "restricts nothing", PodSecurity can be an admission controller that is enabled by default
     The two Namespaces below are therefore equivalent:
       apiVersion: v1
       kind: Namespace
       metadata:
         labels:
           pod-security.kubernetes.io/enforce: privileged
           pod-security.kubernetes.io/audit: privileged
           pod-security.kubernetes.io/warn: privileged
           pod-security.kubernetes.io/enforce-version: latest
           pod-security.kubernetes.io/audit-version: latest
           pod-security.kubernetes.io/warn-version: latest
         name: test

       apiVersion: v1
       kind: Namespace
       metadata:
         name: test
  14. Exempting Pods from PodSecurity and changing the defaults (2/2)
       apiVersion: apiserver.config.k8s.io/v1
       kind: AdmissionConfiguration
       plugins:
       - name: PodSecurity
         configuration:
           apiVersion: pod-security.admission.config.k8s.io/v1alpha1
           kind: PodSecurityConfiguration
           defaults:
             enforce: baseline
             enforce-version: latest
             audit: baseline
             audit-version: latest
             warn: baseline
             warn-version: latest
           exemptions:
             usernames:
             - system:serviceaccount:test-ps:test-ps
             runtimeClasses:
             - kataContainer
             namespaces:
             - kube-system
     ▶ Example configuration
       + Set the default of every mode to baseline
       + Exclude the following from policy application:
       + The kube-system namespace
       + The test-ps ServiceAccount in the test-ps namespace
       + Pods whose runtime class name is kataContainer
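The Python model below is added here and is not the admission plugin's own code; it works through slides 10 to 14 in one place: the three modes (only enforce rejects), the built-in privileged defaults, AdmissionConfiguration defaults overridden by Namespace labels, and the exemptions. Only a handful of Pod Security Standards checks are modelled, version labels are ignored, and the Pod dictionaries and configuration are constructed to mirror the slides.

```python
# Simplified model of the PodSecurity admission decision (added example, not the plugin).
# Version labels are ignored and only a few Pod Security Standards checks are modelled.

MODES = ("enforce", "audit", "warn")
LABEL_PREFIX = "pod-security.kubernetes.io/"

def violations(level, pod):
    """Return the checks that `pod` fails at `level` (privileged allows everything)."""
    found = []
    if level in ("baseline", "restricted") and pod.get("privileged"):
        found.append("privileged")
    if level == "restricted":
        if pod.get("allowPrivilegeEscalation", True):  # must be set to false explicitly
            found.append("allowPrivilegeEscalation")
        if not pod.get("runAsNonRoot"):
            found.append("runAsNonRoot")
        if pod.get("seccompProfile") not in ("RuntimeDefault", "Localhost"):
            found.append("seccompProfile")
    return found

def effective_levels(ns_labels, defaults):
    """Namespace labels win over AdmissionConfiguration defaults; the built-in default is privileged."""
    return {m: ns_labels.get(LABEL_PREFIX + m, defaults.get(m, "privileged")) for m in MODES}

def is_exempt(namespace, username, runtime_class, exemptions):
    return (namespace in exemptions.get("namespaces", [])
            or username in exemptions.get("usernames", [])
            or runtime_class in exemptions.get("runtimeClasses", []))

def admit(pod, namespace, ns_labels, config, username="human", runtime_class=None):
    """Return (allowed, audit_violations, warn_violations); only the enforce mode can reject."""
    if is_exempt(namespace, username, runtime_class, config.get("exemptions", {})):
        return (True, [], [])
    lv = effective_levels(ns_labels, config.get("defaults", {}))
    return (not violations(lv["enforce"], pod),
            violations(lv["audit"], pod), violations(lv["warn"], pod))

# Constructed inputs: slide 14's AdmissionConfiguration and slide 10's example labels.
CONFIG = {"defaults": {"enforce": "baseline", "audit": "baseline", "warn": "baseline"},
          "exemptions": {"namespaces": ["kube-system"],
                         "usernames": ["system:serviceaccount:test-ps:test-ps"],
                         "runtimeClasses": ["kataContainer"]}}
SLIDE10_LABELS = {LABEL_PREFIX + "enforce": "privileged", LABEL_PREFIX + "audit": "privileged",
                  LABEL_PREFIX + "warn": "restricted"}
PRIV_POD = {"privileged": True}

if __name__ == "__main__":
    print(admit(PRIV_POD, "test", SLIDE10_LABELS, CONFIG))  # allowed, but warned against restricted
    print(admit(PRIV_POD, "test", {}, CONFIG))              # rejected by the baseline default
    print(admit(PRIV_POD, "kube-system", {}, CONFIG))       # exempt namespace
```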
  15. I want to run PodSecurity on a cluster older than v1.22!
     ▶ A standalone webhook implementation of PodSecurity appears to be in progress as well
       + KEP-2579: Pod Security Admission Control, Flexible Extension Support
       + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#flexible-extension-support
       + Podsecurity webhook #103465
       + https://github.com/kubernetes/kubernetes/pull/103465
  16. It does no mutating for you
     ▶ PSP supplied default values for seccomp and capabilities through mutation
     ▶ With PodSecurity they must be set explicitly
       + For example, baseline also accepts a null seccomp profile
       + Take care when migrating from PodSecurityPolicy
     ▶ For seccomp specifically, there is a dedicated feature that fills in a default value
       + Provided as alpha from v1.22, usable once enabled through its feature gate
       + Enable seccomp for all workloads with a new v1.22 alpha feature
       + https://kubernetes.io/blog/2021/08/25/seccomp-default/
  17. On the flexibility of PodSecurity
     ▶ With PSP, users had to define the policies themselves, but they had freedom in doing so
     ▶ With PodSecurity there are only three choices: Privileged, Baseline and Restricted
       + Something like "Baseline, but allow only specific hostPaths" is not possible
     ▶ Custom policies may have to be implemented as a webhook?
       + KEP-2579: Pod Security Admission Control, Custom Profiles
       + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#custom-profiles
       + However, Custom Profiles look likely to be dropped in beta …
       + https://github.com/kubernetes/enhancements/pull/2895 (not yet merged as of 2021/8/25)
       + If that happens, the only option would be to fork the standalone PodSecurity and implement them yourself…?
  18. Migrating from PSP to PodSecurity
     ▶ There is an official page on migration
       + Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller
       + https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
     ▶ Its advice is to migrate step by step while watching how things behave
       + If you rely on PSP's mutating features, migration may be a little harder
     ▶ A migration tool might be provided?
       + Reference: https://github.com/kubernetes/enhancements/pull/2895
  19. Differences between PodSecurityPolicy and PodSecurity
     |                                  | PodSecurityPolicy | PodSecurity |
     | Enabled by default?              | No | Yes (*alpha as of v1.22, so the feature gate must be set) |
     | How policy application is set up | PodSecurityPolicy resources and RBAC | Namespace labels |
     | Which policy applies?            | A policy usable by the requesting user/ServiceAccount, or by the ServiceAccount named in .spec.serviceAccountName | The policy configured on the Namespace |
     | Implementing custom policies     | Possible (every policy must be defined by you) | Not possible (forking it and implementing them yourself seems feasible) |
     | Dry run                          | Not possible | Possible |
     | Which is newer?                  | Old | New |
     | Which is more complex?           | Complex | Simple |
  20. (Announcement) We are holding the Kubernetes v1.22 変更内容共有会!
     ▶ Date and time: Thursday 9/2, 19:00 ~ 21:30
     ▶ https://kubernetes-updates.connpass.com/event/222915/