Preparing for the removal of PodSecurityPolicy: let's try PodSecurity Admission ahead of time! / from-psp-to-podsecurity

uesyn
August 26, 2021

Transcript

  1. Kubernetes Meetup Tokyo #44 (2021/8/26)

    Shinya Uemura @uesyn
    Preparing for the removal of PodSecurityPolicy:
    let's try PodSecurity Admission ahead of time!

  2. Shinya Uemura / @uesyn

    ▶ Software engineer at Z Lab Corporation
    ▶ I help run the following communities
    + Prometheus Meetup Tokyo
    + Cloud Native Meetup Tokyo
    + Kubernetes changes sharing meetup (Kubernetes 変更内容共有会)
    ▶ Next week, on Thursday 9/2, we are holding the Kubernetes v1.22 changes sharing meetup, so please join!
    + https://kubernetes-updates.connpass.com/event/222915/

  3. Z Lab Corporation

    ▶ A wholly owned (100%) subsidiary of Yahoo Japan Corporation, founded in 2015
    ▶ Research and development on infrastructure platform technologies
    ▶ Development of a managed Kubernetes service for Yahoo Japan Corporation
    ▶ https://zlab.co.jp/

  4. Agenda
    1. What PodSecurityPolicy protected
    2. A PodSecurityPolicy recap
    3. Problems with PodSecurityPolicy and its removal
    4. What is PodSecurity?
    5. Let's try running PodSecurity!
    6. Where PodSecurity may cause trouble
    7. Summary

  5. What PodSecurityPolicy protected

  6. What was PodSecurityPolicy protecting in the first place? (1/2)
    ▶ A Pod creation request flows as shown in the diagram below
    ▶ RBAC, the built-in authorization mechanism, only allows or denies the creation of the Pod
    + It does not look at the Pod spec at all!
    [Diagram label] RBAC runs here
    Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/

  7. What was PodSecurityPolicy protecting in the first place? (2/2)
    ▶ Ignoring the Pod spec leads to awkward situations
    + For example, consider a cluster where the administrators and the users are different people
    + Is it OK to allow creating a Pod whose capabilities equal root on the node the container runs on?
    + Is it OK to allow a container to attach to the host network?
    + Is it fine for a container to mount any host volume it likes? Etc.
    ▶ Authorizing Pod creation alone still permits privilege escalation, so policy control over Pods is important
    + An unrestricted Pod is equivalent to root on the node (and, depending on conditions, to cluster-admin)
    + Reference: Securing Clusters with Kubernetes Extensibility
    + https://speakerdeck.com/ladicle/securing-clusters-with-kubernetes-extensibility?slide=27
    ▶ You will want to control whether creation is allowed based on the privileges the Pod requests

    => PodSecurityPolicy can do exactly that!

  8. A PodSecurityPolicy recap

  9. What is PodSecurityPolicy?
    ▶ Fine-grained control of Pod security policy in Admission Control
    + privileged containers, which volumes and networks may be used, enforcing a read-only root filesystem, etc.
    + Disabled by default
    ▶ Policies are defined with PodSecurityPolicy resources
    + If the `use` verb is authorized on a PodSecurityPolicy resource, Pods that satisfy that policy can be created
    ▶ Beyond allow/deny, it also fills in values defined in the policy (capabilities and so on)
    [Diagram labels] RBAC is here / PSP is here
    Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/

  10. Problems with PodSecurityPolicy and its removal

  11. About the removal of PodSecurityPolicy
    ▶ That PSP is deprecated in Kubernetes v1.21 and scheduled for removal in v1.25
    ▶ For the full background of the removal, see the links below
    + KEP-2579: Pod Security Admission Control - Motivation
    + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#motivation
    + PodSecurityPolicy Deprecation: Past, Present, and Future
    + https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away

    It is easy to accidentally grant broader permissions than intended, and difficult to inspect which
    PSP(s) apply in a given situation.

    The "changing Pod defaults" feature can be handy, but is only supported for certain Pod settings
    and it's not obvious when they will or will not apply to your Pod.

    Without a "dry run" or audit mode, it's impractical to retrofit PSP to existing clusters safely, and it's
    impossible for PSP to ever be enabled by default.
    [Quoted from PodSecurityPolicy Deprecation: Past, Present, and Future]

  12. ① Unintended use of privileges (1/2)
    ▶ Whose usable PSPs can be applied to a Pod?
    + The user (or ServiceAccount) that submitted the Pod creation request
    + The ServiceAccount specified in the Pod's .spec.serviceAccountName
    [Diagram] User: human -> Request -> Create
    apiVersion: v1
    kind: Pod
    metadata:
      name: test
    spec:
      containers:
      - image: test
        name: i-need-privilege
        securityContext:
          privileged: true
    The user's PSP does not let a privileged container be created

  13. ① Unintended use of privileges (2/2)
    ▶ Whose usable PSPs can be applied to a Pod?
    + The user (or ServiceAccount) that submitted the Pod creation request
    + The ServiceAccount specified in the Pod's .spec.serviceAccountName
    [Diagram] User: human -> Request -> Create, Pod running as ServiceAccount: robot
    apiVersion: v1
    kind: Pod
    metadata:
      name: test
    spec:
      serviceAccountName: robot
      containers:
      - image: test
        name: i-need-privilege
        securityContext:
          privileged: true
    ServiceAccount robot: its PSP does let a privileged container be created!
    User human: its PSP does not let a privileged container be created
    It is enough for either one of them to be able to launch a privileged container
    The user ends up able to perform operations beyond the privileges they were granted!!

  14. ② It is hard to tell whose usable PSP gets applied!
    ▶ When creating a ReplicaSet, StatefulSet, etc.
    + The Pod is created by kube-controller-manager (more precisely, by the ServiceAccount of the controller it runs)
    + So the PSPs usable by the user (or ServiceAccount) of the original request do not matter at all
    [Diagram] User: human -> Request ("I only created a StatefulSet...") -> kube-controller-manager -> Watch / Create, Pod running as ServiceAccount: robot
    apiVersion: v1
    kind: Pod
    metadata:
      name: test
    spec:
      serviceAccountName: robot
      containers:
      - image: test
        name: i-need-privilege
        securityContext:
          privileged: true

  15. ③ It is hard to tell which PSP gets applied!
    ▶ Consider a user/ServiceAccount that has several usable PSP resources
    + When the Pod to be launched satisfies every policy, it is very hard to tell which one is used
    + If the policies differ in whether they mutate or not, a Pod with unintended privileges may be produced
    [Diagram] User: human -> Request -> Create; two PSPs are usable:
    ① seccomp default: runtimeDefault
    ② seccomp default: unspecified
    seccomp = runtimeDefault? Null?

  16. ④ No default policy is provided
    ▶ PSP does not ship with a default policy
    + Policies have to be created one by one
    ▶ Even after enabling PSP, a Pod cannot start unless a usable PSP resource exists
    + Care is needed the first time PSP is enabled
    ▶ A pseudo-default PSP can be provided
    + Configure a PSP that is usable by the system:authenticated group
    + (system:authenticated: the group every authenticated user and ServiceAccount belongs to)

  17. ⑤ PSP is disabled by default
    ▶ Because there is no default PSP, it cannot simply be switched on
    ▶ Why not provide an allow-everything default PSP and tighten the default restrictions later?
    + PSP has no dry-run, so tightening the restrictions afterwards is hard
    + Whether a PSP configuration is actually appropriate cannot be known without running it

  18. What is PodSecurity?

  19. Enter PodSecurity
    [Diagram labels] It runs here / Unlike PSP, it does not mutate!
    Image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
    ▶ Introduced as an alpha feature in Kubernetes v1.22! (beta in v1.23 if all goes well)
    + Currently it can be used by explicitly enabling it through feature gates
    ▶ An admission controller that applies the Pod Security Standards
    + Definitions of security profiles for Pods (privileged, baseline, restricted)
    + ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
    ▶ Managed per Namespace
    + Not per user/ServiceAccount as with PSP

  20. What does PodSecurity do for you?
    ▶ It applies a Pod Security Standards policy to Pods
    + privileged, baseline, restricted
    ▶ A Pod Security Standards policy is applied for each of three modes
    + enforce: creation of a violating Pod is rejected
    + audit: a violation is recorded as an annotation in the audit log (creation is not rejected)
    + warn: a violation is shown as a warning (creation is not rejected)
    ▶ Example: enforce and audit set to privileged, warn set to restricted
    + => Pod creation is not restricted, but a warning is shown when the Pod does not satisfy restricted

  21. How to configure PodSecurity (1/2)
    ▶ Unlike PSP, there is no dedicated resource
    ▶ Configuration is done with labels on the Namespace
    + Labels of the form pod-security.kubernetes.io/xxx
    + The policy applies to every Pod in the Namespace
    + With PSP, one of the policies usable by the user/ServiceAccount that let the Pod start was selected
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        pod-security.kubernetes.io/enforce: privileged
        pod-security.kubernetes.io/audit: privileged
        pod-security.kubernetes.io/warn: baseline
      name: test

  22. How to configure PodSecurity (2/2)
    ▶ PodSecurity policies are versioned
    + If nothing is specified, latest is used
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        pod-security.kubernetes.io/enforce: privileged
        pod-security.kubernetes.io/enforce-version: v1.22
      name: test

  23. PodSecurity defaults
    ▶ Unlike PSP, there is a default configuration
    + enforce, audit and warn are all privileged (that is, nothing is restricted)
    + The version is latest
    ▶ Because it "restricts nothing", PodSecurity can be an admission controller that is enabled by default
    The two Namespaces below are equivalent:
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        pod-security.kubernetes.io/enforce: privileged
        pod-security.kubernetes.io/audit: privileged
        pod-security.kubernetes.io/warn: privileged
        pod-security.kubernetes.io/enforce-version: latest
        pod-security.kubernetes.io/audit-version: latest
        pod-security.kubernetes.io/warn-version: latest
      name: test

    apiVersion: v1
    kind: Namespace
    metadata:
      name: test

  24. Exemptions and changing the PodSecurity defaults (1/2)
    ▶ The following can be changed by configuring them on kube-apiserver
    + The default policy for enforce/audit/warn
    + The default version for enforce/audit/warn
    + Users/ServiceAccounts that PodSecurity restrictions are not applied to
    + Namespaces that PodSecurity restrictions are not applied to
    + RuntimeClasses that PodSecurity restrictions are not applied to

  25. Exemptions and changing the PodSecurity defaults (2/2)
    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        kind: PodSecurityConfiguration
        defaults:
          enforce: baseline
          enforce-version: latest
          audit: baseline
          audit-version: latest
          warn: baseline
          warn-version: latest
        exemptions:
          usernames:
          - system:serviceaccount:test-ps:test-ps
          runtimeClasses:
          - kataContainer
          namespaces:
          - kube-system
    ▶ Configuration example
    + The default of every mode is set to baseline
    + Exemptions from policy application are specified:
    + the kube-system namespace
    + the test-ps ServiceAccount in the test-ps namespace
    + the RuntimeClass named kataContainer
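    To make the three modes, the label lookup and the exemptions concrete, here is an added example (my own code, not the upstream admission plugin): a simplified Python model that mirrors the defaults and exemptions fields of the configuration above, reads the pod-security.kubernetes.io labels from a Namespace, and implements only a subset of the baseline and restricted checks. Field names follow the Pod API; the *-version labels are ignored, and the Pod, labels and config values are constructed from the slides.

```python
# Added example, not upstream code: simplified PodSecurity decision (subset of checks, *-version labels ignored).
PREFIX = "pod-security.kubernetes.io/"

def baseline_violations(pod):
    """Subset of baseline: no host namespaces, hostPath volumes or privileged containers."""
    spec, out = pod["spec"], []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        out.append("host namespaces")
    if any("hostPath" in v for v in spec.get("volumes", [])):
        out.append("hostPath volumes")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            out.append("privileged container " + c["name"])
    return out

def restricted_violations(pod):
    """Subset of restricted: baseline plus hardening fields every container must set."""
    out = baseline_violations(pod)
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append("allowPrivilegeEscalation not false in " + c["name"])
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append("capabilities not dropped in " + c["name"])
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            out.append("seccompProfile unset in " + c["name"])
    return out

CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations, "restricted": restricted_violations}
def admit(pod, namespace, ns_labels, config, username):
    """Decide one Pod create. `config` mirrors PodSecurityConfiguration (defaults + exemptions)."""
    ex = config.get("exemptions", {})
    if (username in ex.get("usernames", []) or namespace in ex.get("namespaces", [])
            or pod["spec"].get("runtimeClassName") in ex.get("runtimeClasses", [])):
        return {"allowed": True, "warnings": [], "audit": []}  # exempt: nothing is evaluated
    result = {"allowed": True, "warnings": [], "audit": []}
    for mode in ("enforce", "audit", "warn"):
        # Namespace label wins, then the kube-apiserver default, then the built-in default "privileged".
        level = ns_labels.get(PREFIX + mode, config.get("defaults", {}).get(mode, "privileged"))
        violations = CHECKS[level](pod)
        if mode == "enforce":
            result["allowed"] = not violations  # only enforce can reject the request
        elif mode == "audit":
            result["audit"] = violations  # would become audit-log annotations
        else:
            result["warnings"] = violations  # returned to the client; creation still allowed
    return result

# Constructed sample input: the privileged Pod from the slides.
POD = {"spec": {"containers": [{"name": "i-need-privilege", "image": "test", "securityContext": {"privileged": True}}]}}
```

    With the slide 21 labels the privileged Pod is admitted with a warning only; with the slide 25 defaults it is rejected unless the request comes from an exempt user, Namespace or RuntimeClass.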

  26. Let's try running PodSecurity!

  27. PodSecurity supports dry-run! (1/2)
    ▶ Useful when you want to tighten the policy of a Namespace where Pods are already running
    + You can find out in advance which Pods would no longer be able to start, and deal with them
    ▶ You check this by dry-running the request that changes the Namespace labels
    + The reason each Pod would fail to start is returned as a warning

  28. PodSecurity supports dry-run! (2/2)
    ▶ Pods themselves can of course be checked with dry-run too
    + Run the Pod creation request in dry-run against the Namespace the policy is applied to
    ▶ Dry-run also works for Kubernetes native workloads such as StatefulSet and Deployment!
    + The contents of the podTemplate are checked
    + Unfortunately, Custom Resources are not supported at this point

  29. What PodSecurity policies apply to
    ▶ PodSecurity applies policy to Pod creation
    + Creating resources that create Pods indirectly, such as Deployment, ReplicaSet and StatefulSet, is itself not restricted!
    + Even if such a resource can be created, the Pod ultimately cannot be
    + Whether the Pod could ultimately be created can be checked with dry-run

  30. I want to run PodSecurity on a cluster older than v1.22!
    ▶ An implementation of PodSecurity as a standalone webhook also seems to be in progress
    + KEP-2579: Pod Security Admission Control, section "Flexible Extension Support"
    + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#flexible-extension-support
    + Podsecurity webhook #103465
    + https://github.com/kubernetes/kubernetes/pull/103465

  31. Where PodSecurity may cause trouble

  32. It does not mutate
    ▶ PSP implemented default values for seccomp and capabilities through mutation
    ▶ With PodSecurity they have to be set explicitly
    + For example, baseline also accepts null for seccomp
    + Care is needed when migrating from PodSecurityPolicy
    ▶ For seccomp specifically, there is a dedicated feature that fills in a default value
    + Provided as alpha from v1.22; usable once enabled through a feature gate
    + Enable seccomp for all workloads with a new v1.22 alpha feature
    + https://kubernetes.io/blog/2021/08/25/seccomp-default/

  33. Handling the permission to edit Namespace labels
    ▶ With PSP, `use` of PSP resources was controlled through authorization such as RBAC
    ▶ With PodSecurity, permission to edit the Namespace affects what Pod creations are authorized
    + Consider a cluster where the administrators and the users are separate
    + Permission to edit Namespace labels = the ability to escalate the privileges of the Pods one can create
    + You may have to implement a ValidatingWebhook or MutatingWebhook that restricts this...

  34. On the flexibility of PodSecurity
    ▶ With PSP, users had to define the policies themselves, but they had flexibility
    ▶ With PodSecurity the only choices are Privileged, Baseline and Restricted
    + Something like "Baseline, plus allow only one specific hostPath" is not possible
    ▶ Custom policies may have to be implemented as a webhook?
    + KEP-2579: Pod Security Admission Control, section "Custom Profiles"
    + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#custom-profiles
    + However, Custom Profiles looks likely to be dropped in beta
    + https://github.com/kubernetes/enhancements/pull/2895 (not yet merged as of 2021/8/25)
    + If so, the only option may be to fork the standalone PodSecurity and implement it yourself...?

  35. Migrating from PSP to PodSecurity
    ▶ There is an official page on migration
    + Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller
    + https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
    ▶ It recommends migrating step by step while watching how things go
    + If you rely on PSP's mutating feature, migration may be a bit harder
    ▶ A migration tool may be provided?
    + Reference: https://github.com/kubernetes/enhancements/pull/2895

  36. Summary

  37. Differences between PodSecurityPolicy and PodSecurity
                            | PodSecurityPolicy                                   | PodSecurity
    Enabled by default?     | Disabled                                            | Enabled (*alpha as of v1.22, so a FeatureGate must be set)
    How policy is applied   | PodSecurityPolicy resources and RBAC                | Namespace labels
    Which policy applies?   | A policy usable by the requesting user/ServiceAccount, or by the ServiceAccount named in .spec.serviceAccountName | The policy configured on the Namespace
    Custom policies         | Possible (every policy must be defined by hand)     | Not possible (likely doable by forking and implementing it)
    Dry-run                 | Not available                                       | Available
    Which is newer?         | Old                                                 | New
    Which is more complex?  | Complex                                             | Simple

  38. (Announcement) We are holding the Kubernetes v1.22 changes sharing meetup!
    ▶ Date and time: Thursday 9/2, 19:00 ~ 21:30
    ▶ https://kubernetes-updates.connpass.com/event/222915/

  39. Question?
    ▶ Thank you for listening
    ▶ If you have any questions, please ask!