
Preparing for the removal of PodSecurityPolicy: try PodSecurity Admission ahead of time! / from-psp-to-podsecurity

uesyn
August 26, 2021


Transcript

  1. Kubernetes Meetup Tokyo #44 (2021/8/26) Shinya Uemura @uesyn
     Preparing for the removal of PodSecurityPolicy: try PodSecurity Admission ahead of time!

  2. Shinya Uemura / @uesyn
     ▶ Software engineer at Z Lab Corporation (ゼットラボ株式会社)
     ▶ Helps organize the following communities:
       + Prometheus Meetup Tokyo
       + Cloud Native Meetup Tokyo
       + Kubernetes 変更内容共有会 (the Kubernetes release-changes sharing meetup)
     ▶ Next week, on 9/2 (Thu), we hold the Kubernetes v1.22 変更内容共有会, so please join!
       + https://kubernetes-updates.connpass.com/event/222915/

  3. Z Lab Corporation (ゼットラボ株式会社)
     ▶ A wholly owned (100%) subsidiary of Yahoo Japan Corporation, founded in 2015
     ▶ Research and R&D on infrastructure platform technology
     ▶ Development of a managed Kubernetes service for Yahoo Japan Corporation
     ▶ https://zlab.co.jp/

  4. Agenda
     1. What PodSecurityPolicy protected
     2. A recap of PodSecurityPolicy
     3. Problems with PodSecurityPolicy and its removal
     4. What is PodSecurity?
     5. Let's run PodSecurity!
     6. Where PodSecurity may give you trouble
     7. Summary
  5. What PodSecurityPolicy protected

  6. What did PodSecurityPolicy actually protect? (1/2)
     ▶ A Pod creation request flows as shown in the figure below
     ▶ RBAC, the built-in authorization mechanism, only allows or denies the creation of the Pod
       + It does not look at the Pod's spec!
     (figure annotation: "RBAC runs here"; image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)

  7. What did PodSecurityPolicy actually protect? (2/2)
     ▶ Ignoring the Pod spec leads to awkward situations
       + Consider, for example, a cluster whose administrators and users are different people…
       + Is it acceptable to allow creating a Pod with capabilities equivalent to root on the node the container runs on?
       + Is it acceptable to allow a container to attach to the host network?
       + Is it acceptable for a container to mount any host volume it likes? etc.…
     ▶ Authorizing Pod creation alone allows privilege escalation, so policy control over Pods matters
       + An unrestricted Pod is equivalent to root on the node (and, depending on conditions, to cluster-admin)
       + Reference: Securing Clusters with Kubernetes Extensibility
       + https://speakerdeck.com/ladicle/securing-clusters-with-kubernetes-extensibility?slide=27
     ▶ You will want to decide whether to allow creation based on the privileges the Pod requests
     => PodSecurityPolicy can do that!
  8. A recap of PodSecurityPolicy

  9. What is PodSecurityPolicy?
     ▶ Fine-grained control of Pod security policy in Admission Control
       + privileged containers, which volumes and networking may be used, enforcing a read-only root filesystem, etc.…
       + Disabled by default
     ▶ Policies are defined with PodSecurityPolicy resources
       + If the `use` verb on a PodSecurityPolicy resource is authorized, a Pod that satisfies that policy can be created
     ▶ Not only allow/deny: it also injects values defined by the policy (capabilities, etc.)
     (figure annotations: "RBAC is here", "PSP is here"; image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)

  10. Problems with PodSecurityPolicy and its removal

  11. About the removal of PodSecurityPolicy
     ▶ PSP was deprecated in Kubernetes v1.21 and is scheduled for removal in v1.25
     ▶ For the details of why, see the following links
       + KEP-2579: Pod Security Admission Control - Motivation
       + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#motivation
       + PodSecurityPolicy Deprecation: Past, Present, and Future
       + https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away
     "It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSP(s) apply in a given situation. The 'changing Pod defaults' feature can be handy, but is only supported for certain Pod settings and it's not obvious when they will or will not apply to your Pod. Without a 'dry run' or audit mode, it's impractical to retrofit PSP to existing clusters safely, and it's impossible for PSP to ever be enabled by default." [quoted from PodSecurityPolicy Deprecation: Past, Present, and Future]
  12. ① Unintended use of privileges (1/2)
     ▶ Whose usable PSPs can be applied to a Pod?
       + The user (or ServiceAccount) that sent the Pod creation request
       + The ServiceAccount named in the Pod's .spec.serviceAccountName
     (diagram) User: human → Request → Create
       apiVersion: v1
       kind: Pod
       metadata:
         name: test
       spec:
         containers:
         - image: test
           name: i-need-privilege
           securityContext:
             privileged: true
     The PSP does not allow a privileged container to be created

  13. ① Unintended use of privileges (2/2)
     ▶ Whose usable PSPs can be applied to a Pod?
       + The user (or ServiceAccount) that sent the Pod creation request
       + The ServiceAccount named in the Pod's .spec.serviceAccountName
     (diagram) ServiceAccount: robot / User: human → Request → Create
       apiVersion: v1
       kind: Pod
       metadata:
         name: test
       spec:
         serviceAccountName: robot
         containers:
         - image: test
           name: i-need-privilege
           securityContext:
             privileged: true
     With the robot ServiceAccount's PSP a privileged container can be created after all! The user's PSP does not allow a privileged container. It is enough that either of the two may start a privileged container, so an operation beyond the privileges granted to the user becomes possible!!

  14. ② It is hard to tell whose usable PSPs are applied!
     ▶ When you create a ReplicaSet, StatefulSet, etc.…
       + The Pod is created by kube-controller-manager (more precisely, by the ServiceAccount of the controller running inside it)
       + So the PSPs usable by the user (or ServiceAccount) of the original request are irrelevant
     (diagram) ServiceAccount: robot / User: human → Request ("I only created a StatefulSet…") → kube-controller-manager → Watch / Create
       apiVersion: v1
       kind: Pod
       metadata:
         name: test
       spec:
         serviceAccountName: robot
         containers:
         - image: test
           name: i-need-privilege
           securityContext:
             privileged: true
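The subject-selection rule behind slides 12 to 14, as an added example that is not code from the talk or from Kubernetes itself: PSP admission considers the requesting user first and then the Pod's ServiceAccount, and admits the Pod as soon as either subject may `use` a PSP the Pod satisfies; in the controller path the requester is the controller's own ServiceAccount. The PSP contents, the `use` grants and the function names (`psp_admit`, `pod_satisfies`, `sample_pod`) are constructed for this model, and only the `privileged` rule is checked.

```python
# Added example (not from the talk): a model of how PodSecurityPolicy admission
# chooses whose PSPs count. The requesting user is checked first, then the Pod's
# ServiceAccount; the Pod is admitted as soon as EITHER subject may `use` a PSP the
# Pod satisfies. When a controller creates the Pod (StatefulSet, ReplicaSet, ...), the
# requester is the controller's ServiceAccount, not the human who created the workload.
# PSP contents and `use` grants are constructed sample data; only `privileged` is modelled.

PSPS = {
    "restricted": {"privileged": False},  # denies privileged containers
    "privileged": {"privileged": True},   # allows everything this model checks
}

# subject -> PSP names the subject may `use` (the effect of RBAC bindings)
USE_GRANTS = {
    "human": {"restricted"},
    "system:serviceaccount:test:robot": {"privileged"},
    "system:serviceaccount:kube-system:statefulset-controller": set(),
}


def pod_satisfies(psp, pod):
    """A Pod that asks for privileged containers needs a PSP with privileged: true."""
    wants_privileged = any((c.get("securityContext") or {}).get("privileged")
                           for c in pod["spec"]["containers"])
    return psp["privileged"] or not wants_privileged


def psp_admit(requester, pod, namespace):
    """Return (allowed, subject, psp) for the first subject/PSP pair that accepts the Pod."""
    sa = pod["spec"].get("serviceAccountName", "default")  # Pods default to the 'default' SA
    for subject in (requester, f"system:serviceaccount:{namespace}:{sa}"):
        for name in sorted(USE_GRANTS.get(subject, set())):
            if pod_satisfies(PSPS[name], pod):
                return True, subject, name
    return False, None, None


def sample_pod(privileged=True, service_account=None):
    """Constructed Pod like the one on the slide; optionally bound to a ServiceAccount."""
    container = {"name": "i-need-privilege", "image": "test",
                 "securityContext": {"privileged": privileged}}
    pod = {"metadata": {"name": "test"}, "spec": {"containers": [container]}}
    if service_account:
        pod["spec"]["serviceAccountName"] = service_account
    return pod


if __name__ == "__main__":
    # human alone may only use 'restricted': the privileged Pod is rejected
    print(psp_admit("human", sample_pod(), "test"))
    # same human, but the Pod runs as 'robot': admitted through robot's PSP
    print(psp_admit("human", sample_pod(service_account="robot"), "test"))
    # controller path: human only created a StatefulSet; the controller's SA is the requester
    ctrl = "system:serviceaccount:kube-system:statefulset-controller"
    print(psp_admit(ctrl, sample_pod(service_account="robot"), "test"))
```

The second and third calls show the two points of the slides: a ServiceAccount with a permissive PSP lifts the Pod above what the human user was granted, and once a controller creates the Pod the human's own grants never enter the decision. Reviewing `use` grants on ServiceAccounts, not just on users, is therefore the audit that matters under PSP.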
  15. ③ It is hard to tell which PSP is applied!
     ▶ Consider a user/ServiceAccount that has several usable PSP resources
       + When the Pod to be started satisfies all of the policies, it is very hard to tell which one is used
       + If the policies differ in whether they mutate or not, a Pod with unintended privileges may be produced
     (diagram) User: human → Request → Create; two PSPs are usable: ① seccomp default: runtimeDefault, ② seccomp default: unspecified → seccomp = runtimeDefault? Null?

  16. ④ No default policy is provided
     ▶ PSP ships with no default policy
       + You have to create each policy yourself
     ▶ Even after enabling PSP, Pods cannot start unless there is a usable PSP resource
       + Care is needed when enabling PSP for the first time
     ▶ A pseudo default PSP can be set up
       + Configure a PSP that the system:authenticated group may use
       + (system:authenticated: the group every authenticated user and ServiceAccount belongs to)

  17. ⑤ PSP is disabled by default
     ▶ Since there is no default PSP, it cannot simply be switched on
     ▶ Couldn't you provide an allow-everything default PSP and tighten the defaults later?
       + PSP has no dry-run, so tightening restrictions later is hard
       + Whether a PSP configuration is actually appropriate cannot be known without running it

  18. What is PodSecurity?

  19. Enter PodSecurity
     (figure annotations: "runs here"; "unlike PSP, it does not mutate!"; image: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)
     ▶ Arrived in Kubernetes v1.22 as an alpha feature! (beta in v1.23 if all goes well)
       + Currently usable by enabling it explicitly via FeatureGates
     ▶ An Admission Control that applies the Pod Security Standards
       + Definitions of security profiles for Pods (privileged, baseline, restricted)
       + ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
     ▶ Managed per Namespace
       + Not per user/ServiceAccount as with PSP

  20. What does PodSecurity do for you?
     ▶ Applies the Pod Security Standards policies to Pods
       + privileged, baseline, restricted
     ▶ A Pod Security Standards policy is applied for each of three modes
       + enforce: reject creation of a violating Pod
       + audit: on violation, record it as an annotation in the audit log (creation is not rejected)
       + warn: on violation, return a warning (creation is not rejected)
     ▶ Example) enforce and audit set to privileged, warn set to restricted
       + => Pod creation is not restricted, but a warning is shown when the Pod does not meet restricted

  21. How to configure PodSecurity (1/2)
     ▶ Unlike PSP, there is no dedicated resource
     ▶ It is configured with Namespace labels
       + Labels named pod-security.kubernetes.io/xxx
       + The policy applies to every Pod in the Namespace
       + With PSP, among the policies usable by the user/ServiceAccount, one under which the Pod could start was selected
       apiVersion: v1
       kind: Namespace
       metadata:
         labels:
           pod-security.kubernetes.io/enforce: privileged
           pod-security.kubernetes.io/audit: privileged
           pod-security.kubernetes.io/warn: baseline
         name: test
  22. How to configure PodSecurity (2/2)
     ▶ PodSecurity policies are versioned
       + When no version is given, latest is used
       apiVersion: v1
       kind: Namespace
       metadata:
         labels:
           pod-security.kubernetes.io/enforce: privileged
           pod-security.kubernetes.io/enforce-version: v1.22
         name: test

  23. PodSecurity default values
     ▶ Unlike PSP, there are default settings
       + enforce, audit and warn are all privileged (that is, nothing is restricted)
       + The version is latest
     ▶ Because it "restricts nothing", PodSecurity can be an Admission Control that is enabled by default
     The following two Namespaces are equivalent:
       apiVersion: v1
       kind: Namespace
       metadata:
         labels:
           pod-security.kubernetes.io/enforce: privileged
           pod-security.kubernetes.io/audit: privileged
           pod-security.kubernetes.io/warn: privileged
           pod-security.kubernetes.io/enforce-version: latest
           pod-security.kubernetes.io/audit-version: latest
           pod-security.kubernetes.io/warn-version: latest
         name: test
       ---
       apiVersion: v1
       kind: Namespace
       metadata:
         name: test

  24. PodSecurity exemptions and changing the defaults (1/2)
     ▶ The following can be changed by configuring kube-apiserver
       + The default policy for enforce/audit/warn
       + The default version for enforce/audit/warn
       + Users/ServiceAccounts that PodSecurity does not restrict
       + Namespaces that PodSecurity does not restrict
       + RuntimeClasses that PodSecurity does not restrict

  25. PodSecurity exemptions and changing the defaults (2/2)
       apiVersion: apiserver.config.k8s.io/v1
       kind: AdmissionConfiguration
       plugins:
       - name: PodSecurity
         configuration:
           apiVersion: pod-security.admission.config.k8s.io/v1alpha1
           kind: PodSecurityConfiguration
           defaults:
             enforce: baseline
             enforce-version: latest
             audit: baseline
             audit-version: latest
             warn: baseline
             warn-version: latest
           exemptions:
             usernames:
             - system:serviceaccount:test-ps:test-ps
             runtimeClasses:
             - kataContainer
             namespaces:
             - kube-system
     ▶ Example configuration
       + Set the default of every policy to baseline
       + Specify what is exempt from policy enforcement:
       + the kube-system namespace
       + the test-ps ServiceAccount in the test-ps namespace
       + the RuntimeClass named kataContainer
  26. Let's run PodSecurity!

  27. PodSecurity supports dry-run! (1/2)
     ▶ Useful when you want to tighten the policy of a Namespace in which Pods are already running
       + Pods that would no longer be able to start can be found and dealt with in advance
     ▶ You check by dry-running the request that changes the Namespace's labels
       + The reasons a Pod could not start are returned as Warnings

  28. PodSecurity supports dry-run! (2/2)
     ▶ Pods themselves can of course be checked with dry-run as well
       + Dry-run a Pod creation request against a Namespace that has the policy applied
     ▶ Dry-run also works for Kubernetes native workloads such as StatefulSet and Deployment!
       + The contents of the podTemplate are checked
       + Unfortunately, Custom Resources are not supported at this time

  29. What PodSecurity policies apply to
     ▶ PodSecurity applies policy to Pod creation
       + Creating resources that create Pods indirectly (Deployment, ReplicaSet, StatefulSet, …) is itself not restricted!
       + Even if such a resource can be created, the Pod ultimately cannot be
       + dry-run lets you check in advance whether the Pod could ultimately be created
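The mechanics of slides 20 to 25 (per-mode levels from Namespace labels, apiserver defaults, exemptions) and of slides 27 to 29 (previewing a Namespace relabel against the Pods already in it) in one runnable model, added here as an example; it is neither the talk's code nor the kube-apiserver PodSecurity plugin. The function names (`admit`, `effective_levels`, `preview_namespace_labels`), the Pod dictionaries and the config are constructed for the example; only a subset of the Baseline and Restricted checks is implemented, version labels are ignored, and the message wording is only loosely modelled on the real plugin's output.

```python
# Added example: a simplified model of the PodSecurity admission plugin (not the real
# Kubernetes code). Namespace labels select a level per mode, apiserver defaults fill in
# unset modes, exemptions bypass the checks, and a Namespace-label change can be previewed
# against existing Pods the way `kubectl ... --dry-run=server` reports warnings.
# Only a subset of the Baseline/Restricted checks is modelled; version labels are ignored.

LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")


def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])


def baseline_violations(pod):
    """Subset of Baseline: no host namespaces, hostPath, privileged or Unconfined seccomp."""
    spec = pod["spec"]
    found = [f"{k} is not allowed" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    found += [f"hostPath volume {v.get('name')} is not allowed"
              for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {c['name']}: privileged")
        if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
            found.append(f"container {c['name']}: seccompProfile Unconfined")
    return found


def restricted_violations(pod):
    """Subset of Restricted: Baseline plus no privilege escalation, drop ALL, non-root, seccomp set."""
    found = baseline_violations(pod)
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append(f"container {c['name']}: capabilities must drop ALL")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            found.append(f"container {c['name']}: runAsNonRoot must be true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):  # unset (null) passes Baseline but fails here
            found.append(f"container {c['name']}: seccompProfile must be RuntimeDefault or Localhost")
    return found


CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations, "restricted": restricted_violations}


def effective_levels(ns_labels, config):
    """Per mode: the Namespace label if set, else the apiserver-wide default, else privileged."""
    defaults = config.get("defaults", {})
    return {m: ns_labels.get(LABEL_PREFIX + m, defaults.get(m, "privileged")) for m in MODES}


def admit(pod, namespace, ns_labels, config, username, runtime_class=None):
    """Evaluate one Pod creation: enforce rejects, audit annotates, warn returns warnings."""
    ex = config.get("exemptions", {})
    if (username in ex.get("usernames", []) or namespace in ex.get("namespaces", [])
            or (runtime_class and runtime_class in ex.get("runtimeClasses", []))):
        return {"allowed": True, "audit": [], "warnings": [], "exempt": True}
    levels = effective_levels(ns_labels, config)
    results = {m: CHECKS[levels[m]](pod) for m in MODES}
    return {
        "allowed": not results["enforce"],
        "audit": [f'would violate PodSecurity "{levels["audit"]}": {r}' for r in results["audit"]],
        "warnings": [f'would violate PodSecurity "{levels["warn"]}": {r}' for r in results["warn"]],
        "exempt": False,
    }


def preview_namespace_labels(existing_pods, new_labels, config):
    """Dry-run of relabelling a Namespace: which existing Pods would fail the new enforce level."""
    level = effective_levels(new_labels, config)["enforce"]
    violations = {p["metadata"]["name"]: CHECKS[level](p) for p in existing_pods}
    return {name: v for name, v in violations.items() if v}


# Constructed sample input: one Pod that needs privileges and one that meets Restricted.
PRIVILEGED_POD = {"metadata": {"name": "i-need-privilege"}, "spec": {"containers": [
    {"name": "c", "image": "test", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"metadata": {"name": "hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "c", "image": "test", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
# Same shape as the AdmissionConfiguration on slide 25, as a dict.
CONFIG = {"defaults": {"enforce": "baseline", "audit": "baseline", "warn": "baseline"},
          "exemptions": {"usernames": ["system:serviceaccount:test-ps:test-ps"],
                         "namespaces": ["kube-system"], "runtimeClasses": ["kataContainer"]}}
TEST_NS_LABELS = {LABEL_PREFIX + "enforce": "privileged", LABEL_PREFIX + "warn": "restricted"}

if __name__ == "__main__":
    # enforce=privileged from the label, audit=baseline from the default, warn=restricted
    print(admit(PRIVILEGED_POD, "test", TEST_NS_LABELS, CONFIG, "human"))
    # preview: which Pods would break if enforce were raised to baseline
    print(preview_namespace_labels([PRIVILEGED_POD, HARDENED_POD],
                                   {LABEL_PREFIX + "enforce": "baseline"}, CONFIG))
```

Two things worth noticing when running it: the privileged Pod is admitted under the `test` labels yet produces an audit entry and five restricted warnings, which is exactly the "enforce loose, warn strict" rollout pattern of slide 20; and the preview shows that raising enforce to baseline would break only the privileged Pod, which is the information the Namespace-relabel dry-run of slide 27 gives you before you commit the change.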
  30. I want to run PodSecurity on a cluster older than v1.22!
     ▶ An implementation of PodSecurity as a standalone webhook appears to be in progress as well
       + KEP-2579: Pod Security Admission Control, Flexible Extension Support
       + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#flexible-extension-support
       + Podsecurity webhook #103465
       + https://github.com/kubernetes/kubernetes/pull/103465

  31. Where PodSecurity may give you trouble

  32. It does not mutate
     ▶ With PSP, default values for seccomp and capabilities were realized through mutation
     ▶ With PodSecurity they have to be set explicitly
       + For example, baseline also accepts null for seccomp
       + Care is needed when migrating from PodSecurityPolicy
     ▶ For seccomp specifically, there is a dedicated feature that fills in the default value
       + Provided as alpha since v1.22; usable once enabled through a Feature Gate
       + Enable seccomp for all workloads with a new v1.22 alpha feature
       + https://kubernetes.io/blog/2021/08/25/seccomp-default/

  33. Handling of the permission to edit Namespace labels
     ▶ With PSP, `use` of PSP resources was controlled through authorization such as RBAC
     ▶ With PodSecurity, permission to edit the Namespace affects the authorization of Pod creation
       + Consider a cluster whose administrators and users are separate…
       + Permission to edit a Namespace's labels = the ability to escalate the privileges of the Pods you can create
       + You may have to implement a ValidatingWebhook or MutatingWebhook that restricts this…

  34. On PodSecurity's flexibility
     ▶ With PSP, users had to define the policies themselves, but there was freedom in doing so
     ▶ PodSecurity offers only three choices: Privileged, Baseline, Restricted
       + Something like "Baseline plus allow only specific hostPaths" is not possible
     ▶ Custom policies may have to be implemented as webhooks?
       + KEP-2579: Pod Security Admission Control, Custom Profiles
       + https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#custom-profiles
       + But Custom Profiles look likely to be dropped in beta…
       + https://github.com/kubernetes/enhancements/pull/2895 (not yet merged as of 2021/8/25)
       + If so, the only option may be to fork the standalone PodSecurity and implement them there…?

  35. Migrating from PSP to PodSecurity
     ▶ There is an official page on migration
       + Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller
       + https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
     ▶ Its message: migrate step by step while watching how things go
       + If you rely on PSP's mutating features, migration may be a little harder
     ▶ A migration tool may be provided?
       + Reference) https://github.com/kubernetes/enhancements/pull/2895
  36. Summary

  37. Differences between PodSecurityPolicy and PodSecurity
     Item                        | PodSecurityPolicy                                                                                                   | PodSecurity
     Enabled by default?         | Disabled                                                                                                            | Enabled (*alpha as of v1.22, so a FeatureGate must be set)
     How policy is configured    | PodSecurityPolicy resources plus RBAC                                                                               | Namespace labels
     Which policy applies?       | A policy usable by the requesting user/ServiceAccount, or by the ServiceAccount named in .spec.serviceAccountName   | The policy configured on the Namespace
     Custom policies             | Possible (every policy must be defined yourself)                                                                    | Not possible (probably doable by forking and implementing it)
     dry-run                     | Not available                                                                                                       | Available
     Which is newer?             | Old                                                                                                                 | New
     Which is more complex?      | Complex                                                                                                             | Simple

  38. (Announcement) We are holding the Kubernetes v1.22 変更内容共有会!
     ▶ Date and time: 9/2 (Thu) 19:00 ~ 21:30
     ▶ https://kubernetes-updates.connpass.com/event/222915/

  39. Question?
     ▶ Thank you for listening
     ▶ Questions are welcome!