Kubernetes Admission Webhook Deep Dive

,VCFSOFUFT"ENJTTJPO8FCIPPL
%FFQ%JWF

αΠϘ΢ζגࣜձࣾ
஑ఴ ໌޺

View Slide

ࣗݾ঺հ
u ஑ఴ ໌޺ ʢUXJUUFS ![PFUSPʣ
u αΠϘ΢ζʹͯ,VCFSOFUFTΛϕʔεͱͨ͠৽͍͠
Πϯϑϥج൫ͷ։ൃͱӡ༻ʹैࣄɻ
u ,VCFSOFUFTؔ࿈ͷهࣄ
u IUUQT[FOOEFW[PFUSP
u IUUQT[PFUSPQFHJUIVCJPLVCFCVJMEFSUSBJOJOH
u ֶͭͬͯ͘Ϳ,VCFCVJMEFSΧελϜίϯτϩʔϥʔͷͭ͘ΓํΛղઆ
u IUUQT[FOOEFWQDZCP[[email protected]
u /FDP8FFLMZ,VCFSOFUFT΍$MPVE/BUJWFؔ࿈ͷؾʹͳΔωλΛຖि঺հ

View Slide

ຊ೔ͷൃද಺༰
u "ENJTTJPO8FCIPPLͱ͸
u "ENJTTJPO8FCIPPLͷ࣮૷
u %FFQ%JWF
n ฒྻ࣮ߦ࣌ͷڝ߹ରࡦ
n ηΩϡϦςΟରࡦ
n Ϛϧνςφϯτ؀ڥ΁ͷରԠ
n ୤"ENJTTJPO8FCIPPL

View Slide

ຊ೔ͷൃද಺༰
u "ENJTTJPO 8FCIPPLͷগ͚ͩ͠σΟʔϓͳ࿩Λ͠·͢ɻ
u ϕετϓϥΫςΟεʹ͍ͭͯ͸ҎԼͷࢿྉ͕͓͢͢Ί
n ެࣜυΩϡϝϯτ%ZOBNJD"ENJTTJPO$POUSPM
l IUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[FYUFOTJCMF
BENJTTJPODPOUSPMMFST
n ,VCF$PO $MPVE/BUJWF$PO /""ENJTTJPO8FCIPPLT$POGJHVSBUJPO
BOE%FCVHHJOH#FTU1SBDUJDFT )BPXFJ $BJ (PPHMF
l IUUQTLDDODOBTDIFEDPNFWFOU6B7UBENJTTJPOXFCIPPLTDPOGJHVSBUJPO
BOEEFCVHHJOHCFTUQSBDUJDFTIBPXFJDBJHPPHMF

View Slide

"ENJTTJPO8FCIPPLͱ͸

View Slide

"ENJTTJPO8FCIPPLͱ͸
u ,VCFSOFUFTͷ"1*4FSWFSΛ֦ு͢Δ࢓૊Έ
n Ϧιʔεͷ࡞੒΍มߋɺ࡟আૢ࡞Λ͓͜ͳ͏ࡍʹɺ8FCIPPLΛݺͼग़ͯ͠೚ҙͷϩδοΫ
Λ࣮ߦ͢Δ͜ͱ͕Ͱ͖Δ
n 1PE΍%FQMPZNFOUͳͲͷඪ४Ϧιʔε͚ͩͰͳ͘ɺ೚ҙͷΧελϜϦιʔεʹର͢Δ
8FCIPPLΛ࡞੒͢Δ͜ͱ͕Ͱ͖Δ
u छྨͷ8FCIPPL
n .VUBUJOH8FCIPPLɿϦιʔεͷ಺༰Λॻ͖׵͑Δ͜ͱ͕Ͱ͖Δ
n 7BMJEBUJOH8FCIPPLɿϦιʔεͷ಺༰Λݕূ͢Δ͜ͱ͕Ͱ͖Δ

View Slide

"ENJTTJPO8FCIPPLͷ࣮༻ࣄྫ
u ηΩϡϦςΟϙϦγʔͷڧ੍ʢ1PE4FDVSJUZ"ENJTTJPOͳͲʣ
u αΠυΧʔίϯςφʔͷΠϯδΣΫτʢτϥϑΟοΫ؅ཧɺϩάͷऩूͳͲʣ
u ൚༻ϙϦγʔΤϯδϯʢ(BUFLFFQFS ,ZWFSOP LVCFXBSEFOͳͲʣ
u ޡૢ࡞๷ࢭʢ/BNFTQBDF΍$3%ͷ࡟আېࢭͳͲʣ
u Ϛϧνςφϯτ؀ڥͷ࣮ݱ
u ΧελϜϦιʔεͷόϦσʔγϣϯ

View Slide

"ENJTTJPO8FCIPPLͷ࢓૊Έ
u Ϧιʔεͷ࡞੒ɾߋ৽ɾ࡟আͷλΠϛϯάͰ೚ҙͷ8FCIPPLΛݺͼग़͠ɺ
Ϧιʔεͷॻ͖׵͑΍ݕূΛ͓͜ͳ͏ɻ

Kubernetes
API Server
Admission
Webhook
Webhook
Configuration
Request JSON
Response JSON
HTTPS
User
Create,
Update,
Delete
Mutating or Validating

View Slide

"ENJTTJPO3FWJFX
u "1*4FSWFSͱ8FCIPPLؒ
Ͱ΍ΓͱΓ͢Δ+40/ܗࣜ
u 3FRVFTUʹ͸ɺ8FCIPPLͷ
ର৅ͱͳΔΦϒδΣΫτ΍ɺૢ
࡞Λ͓͜ͳͬͨϢʔβʔͷ৘ใ
ͳͲؚ͕·ΕΔɻ
u .VUBUJOHͷ3FTQPOTF͸ɺ
+40/1BUDIܗࣜͰมߋ಺༰
Λදݱ͢Δɻ

{
"request": {
"uid": "XXXX-YYYY",
"name": "sample",
"namespace": "default",
"operation": "UPDATE",
"userInfo": {
// 省略
},
"object": {
"kind": "Deployment",
"apiVersion": "apps/v1",
"metadata": {
"name": "sample",
"namespace": "default"
},
"spec": {
// 省略
}
},
"oldObject": {
// 省略
},
"dryRun": false,
"options": {
"kind": "UpdateOptions",
"apiVersion": "meta.k8s.io/v1"
}
}
}
Request
{
"response": {
"uid": "XXXX-YYYY",
"allowed": true
}
}
Response (Validating)
Response (Mutating)
{
"response": {
"uid": "XXXX-YYYY",
"allowed": true,
"patchType": "JSONPatch",
"patch":
"W3sib3AiOiAiYWRkIiwgInBhdGgiOiAiL3NwZWM
vcmVwbGljYXMiLCAidmFsdWUiOiAzfV0="
}
}
[{
"op": "add",
"path": "/spec/replicas",
"value": 3
}]
base64

View Slide

8FCIPPL$POGJHVSBUJPO
u "1*4FSWFSʹ఻͑Δ8FCIPPLͷઃఆ
ʢ,VCFSOFUFTͷΫϥελʔϦιʔεʣ
n 8FCIPPLͷݺͼग़͠ํ๏
n 8FCIPPL͕ݺͼग़ͤͳ͔ͬͨ৔߹ͷڍಈ
n 8FCIPPLͷର৅ͱ͢ΔϦιʔεͷछྨ΍
/BNFTQBDFͷߜΓࠐΈ
u छྨͷϦιʔε͕͋Δ
n 7BMJEBUJOH8FCIPPL$POGJHVSBUJPO
n .VUBUJOH8FCIPPL$POGJHVSBUJPO

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-apps-v1-deployment
caBundle: LS0tLS1CRUdJ
failurePolicy: Fail
name: vdeployment.kb.io
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
rules:
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
sideEffects: None

View Slide

Kubernetes
API Server
Mutating
Webhooks
etcd
Mutating
Webhooks
Mutating
Webhooks
Validating
Webhooks
Authentication
Authorization
OpenAPI Schema
Validation
Persist to etcd
par
loop
ෳ਺ͷ8FCIPPLΛॱʹݺͼग़͢ɻ
3FJOWPDBUJPO1PMJDZʹै͍
܁Γฦ͠ݺͼग़͢৔߹͕͋Δɻ
ෳ਺ͷ8FCIPPLΛ
ฒྻʹݺͼग़͢
Create, Update, Delete

View Slide

"ENJTTJPO8FCIPPLͷ࣮૷

View Slide

࣮૷ํ๏
u ͨͩͷ8FCαʔόʔͳͷͰɺೖग़ྗͷϑΥʔϚοτ͍͑͋ͬͯ͞Ε͹
ͲΜͳϓϩάϥϛϯάݴޠͰ΋࣮૷͢Δ͜ͱ͕Ͱ͖Δɻ
u ࣮૷Λखॿ͚͢ΔͨΊͷϑϨʔϜϫʔΫ΋ଟ਺ଘࡏ͢Δ
n ,VCFCVJMEFSDPOUSPMMFSSVOUJNF
n ,VCFXBSEFO
n ,VCFXFCIPPL
n ,OBUJWF

View Slide

,VCFCVJMEFSDPOUSPMMFSSVOUJNF
u ΧελϜίϯτϩʔϥʔΛ։ൃ͢ΔͨΊͷϑϨʔϜϫʔΫ
u "ENJTTJPO8FCIPPLΛ࡞ΔͨΊʹศརͳػೳ͕ͨ͘͞Μ༻ҙ͞Ε͍ͯΔ
n 7BMJEBUJOH.VUBUJOH8FCIPPL༻ͷϑϨʔϜϫʔΫ
n 8FCIPPL$POGJHVSBUJPOͷࣗಈੜ੒ػೳ
n σϓϩΠ͢ΔͨΊͷϚχϑΣετ
n DFSUNBOBHFSΛར༻ͨ͠ূ໌ॻ؅ཧػೳ
n ςετͷͻͳܗ
u "ENJTTJPO8FCIPPLͷ։ൃʹ΋͓͢͢Ί

View Slide

DPOUSPMMFSSVOUJNFʹΑΔ࣮૷
u "ENJTTJPO8FCIPPLͷ࣮૷ํ͕ࣜछྨ༻ҙ͞Ε͍ͯΔ
n %FGBVMUFS7BMJEBUPS
n $VTUPN%FGBVMUFS$VTUPN7BMJEBUPS
n )BOEMFS
u ৄࡉͳ࣮૷ํ๏͸ҎԼͷهࣄΛࢀর
n IUUQT[PFUSPQFHJUIVCJPLVCFCVJMEFSUSBJOJOH
n IUUQT[FOOEFW[PFUSPBSUJDMFTBENJTTJPOXFCIPPLEFFQEJWF

View Slide

ͲͷํࣜΛ࢖͑͹͍͍ͷʁ
%FGBVMUFS7BMJEBUPS $VTUPN%FGBVMUFS
$VTUPN7BMJEBUPS
)BOEMFS
ѻ͑ΔϦιʔεͷछྨ ࣗ࡞ͷΧελϜϦιʔε
ͷΈ
ඪ४ϦιʔεͱΧελϜ
Ϧιʔε
ඪ४ϦιʔεͱΧελϜ
Ϧιʔε
"ENJTTJPO3FWJFX
3FRVFTU΁ͷΞΫηε
ʷ ˓ ˓
3FRVFTUͷ%FDPEFॲཧ
+40/1BUDIͷ࡞੒
ࣗಈ ࣗಈ ࣗ෼Ͱ࣮૷͢Δඞཁ͋Γ
ͭͷ8FCIPPLͰෳ਺छ
ྨͷϦιʔεΛॲཧ
ʷ ʷ ˓
8BSOJOHΛฦ͢ ʷ ʷ ˓

u جຊ͸$VTUPN%FGBVMUFS$VTUPN7BMJEBUPS͕͓͢͢Ίɻ
u ΑΓΧελϚΠζΛ͍ͨ͠৔߹͸)BOEMFSΛར༻͢Δɻ

View Slide

%FFQ%JWF

View Slide

ᶃ ฒྻ࣮ߦ࣌ͷڝ߹ରࡦ
u ಉ͡छྨͷϦιʔε͕ಉ࣌ʹෳ਺࡞੒͞Εͨͱ͖ɺ"ENJTTJPO8FCIPPL͸
ฒྻʹݺͼग़͞ΕΔɻ
u ฒྻ࣮ߦʹΑΔ໰୊
n ଞͷϦιʔεΛࢀরͯ͠ݕূͨ͠Γɺݕূͷ݁Ռʹج͍ͮͯ֎෦ϦιʔεΛߋ৽͢Δ৔߹ɺ
ਖ਼͘͠ݕূ͕͓͜ͳΘΕͳ͍έʔε΍ɺڝ߹໰୊͕ൃੜ͢Δέʔε͕͋Δɻ
n ڝ߹͠ͳ͍Α͏ʹϩοΫΛऔΔͱɺॲཧ͕஗͘ͳΓେྔͷϦΫΤετΛࡹ͚ͳ͘ͳΔɻ
u ࣄྫ঺հ
n ࣄྫ)JFSBSDIJDBM/BNFTQBDF$POUSPMMFS )/$

n ࣄྫ3FTPVSDF2VPUB

View Slide

ࣄྫ)/$
u )/$͸ɺ4VC/BNFTQBDFͱ͍͏ΧελϜϦ
ιʔεΛར༻͢Δ͜ͱͰɺ؅ཧऀݖݶ͕ͳ͍
ϢʔβʔͰ΋/BNFTQBDF͕ͭ͘ΕΔ࢓૊Έɻ
u "ENJTTJPO8FCIPPLͰطଘͷ/BNFTQBDF
ͱ4VC/BNFTQBDFͷ໊લ͕িಥ͠ͳ͍Α͏ʹ
νΣοΫ͍ͯ͠Δɻ

Namespace1
SubNamespace A
ࢠͷ/BNFTQBDF
͕࡞੒͞ΕΔ
NamespaceA
User
࡞੒

View Slide

ࣄྫ)/$Ͱͷڝ߹

Namespace1
SubNamespace B
$POGMJDU
NamespaceB
Namespace2
SubNamespace B
u ҟͳΔ/BNFTQBDFʹಉ͡λΠϛ
ϯάͰಉ໊ͷ4VC/BNFTQBDF
͕࡞੒͞ΕΔͱʜ
u 8FCIPPL͸ฒྻͰݺͼग़͞ΕΔ
ͨΊɺͦΕͧΕνΣοΫͨ࣌͠఺
Ͱ͸ର৅ͷ/BNFTQBDF͕ଘࡏͤ
ͣɺνΣοΫΛ͢Γൈ͚ͯ͠·͏ɻ

View Slide

ࣄྫ)/$ʹ͓͚Δղܾࡦ
u "ENJTTJPO 8FCIPPLʹΑΔνΣοΫΛ·Εʹ͢Γൈ͚Δ͜ͱ͸ڐ༰͢Δɻ
u Ϧιʔεͷεςʔλεʹঢ়ଶҟৗΛه࿥͠Ϣʔβʔʹؾ͔ͮͤΔɻ

ʠ
/PUF5IFSFBSFTPNFSBSFDPSOFSDBTFTUIBUDPVMESFTVMUJOBDZDMFCFJOH
GPSNFE EFTQJUFUIFQSFTFODFTPGUIFWBMJEBUJOHBENJTTJPODPOUSPMMFST'PS
FYBNQMF UXPEJGGFSFOUVTFSTNJHIUNBLFOBNFTQBDFT"BOE#QBSFOUTPGFBDI
PUIFSBUFYBDUMZUIFTBNF UJNFUIFBENJTTJPODPOUSPMMFSXPVMEBMMPXUIJT TJODF
OFJUIFSJTZFUUIFQBSFOUPGUIFPUIFS
MFBEJOHUPBDZDMF"MUFSOBUJWFMZ BOBENJO
NJHIUTJNQMZBDDJEFOUBMMZEJTBCMFUIFBENJTTJPODPOUSPMMFST*OTVDIDBTFT )/$
XJMMQVUBO"DUJWJUJFT)BMUFE DPOEJUJPOPOUIFOBNFTQBDFTVOUJMUIFDZDMFJT
SFTPMWFE
IUUQTHJUIVCDPNLVCFSOFUFTTJHTIJFSBSDIJDBMOBNFTQBDFTCMPCNBTUFSEPDTVTFSHVJEFDPODFQUTNE

View Slide

ࣄྫ3FTPVSDF2VPUB
u 3FTPVSDF2VPUBͱ͸ɺ/BNFTQBDF͝ͱͷ૯Ϧιʔεফඅྔʢྫ͑͹ɺ
1PEʹׂΓ౰ͯΔ$16΍ϝϞϦʣΛ੍ݶ͢ΔͨΊͷػೳ
u "ENJTTJPO8FCIPPLͰ͸ͳ͘,VCFSOFUFTඪ४ͷ"ENJTTJPO
$POUSPMMFSͱ࣮ͯ͠૷͞Ε͍ͯΔ

Namespace1
ResouceQuota
hard: limits.memory: 10Gi
used: limits.memory: 8Gi
Pod A
limits.memory: 5Gi
Pod B
limits.memory: 3Gi
Pod C
limits.memory: 3Gi
2VPUBͷ੍ݶΛ௒͑ͯ
1PEΛ࡞੒͢Δ͜ͱ͸
Ͱ͖ͳ͍

View Slide

ࣄྫ3FTPVSDF2VPUBͰͷڝ߹
u ݕূʹ੒ޭ͢Δͱ3FTPVSDF2VPUBϦιʔεͷVTFEϑΟʔϧυΛߋ৽͢Δ͕ɺ
ಉ࣌ʹෳ਺ͷϦΫΤετΛॲཧ͢Δ৔߹ɺॻ͖ࠐΈ࣌ʹিಥ͕ൃੜ͢Δɻ
u 3FTPVSDF2VPUB͸େྔͷϦΫΤετΛѻ͏ͨΊিಥ͕ൃੜ͠΍͍͢ɻ

Namespace2
Pod X
limits.memory: 5Gi
Pod Z
limits.memory: 3Gi
Pod Y
limits.memory: 3Gi
1PEΛಉ࣌ʹ࡞੒͢Δ
ͱʜ
？
ResouceQuota
hard: limits.memory: 10Gi
used: limits.memory: 5Gi

View Slide

API Server
ࣄྫ3FTPVSDF2VPUBʹ͓͚Δղܾࡦ

Workers
Workers
Workers
Workers
Workers
Queue
PodA
PodB
NS4 PodP PodQ
2VFVF͔Β/BNFTQBDFΛͭऔ
Γग़͢ɻ
ͦͷ/BNFTQBDFͷϦιʔε੍͕
ݶΛ௒͍͑ͯͳ͍͜ͱΛνΣοΫ͠ɺ
2VPUBͷ4UBUVTΛߋ৽͢Δɻ
PodF
NS3
1PEͷ࡞੒
1PEͷ࡞੒
ͭͷHPSPVUJOF͕
ඵपظͰ࣮ߦ
PodX
PodA PodB
NS2
NS1
࡞੒͢ΔϦιʔεΛ
/BNFTQBDF୯ҐͰ2VFVF
ʹొ࿥͢Δɻ
ॲཧ͕׬ྃ͢Δ·Ͱ଴ͭɻ
/BNFTQBDF୯ҐͰܭࢉ͢Δ͜ͱͰɺ
িಥΛݮΒ͢ ˞
͜ͱ͕Ͱ͖Δɻ
͞Βʹɺෳ਺ͷϦιʔεͷܭࢉ݁ՌΛ
Ұ౓Ͱॻ͖ࠐΊΔͨΊɺεϧʔϓοτ
͕޲্͢Δɻ
˞"1*4FSWFS͕৑௕Խ͞Ε͍ͯΔͱॻ͖ࠐΈ࣌ʹিಥ͕ൃੜ͢Δ৔߹͕͋Δɻͦͷ࣌͸ϦτϥΠ͢Δɻ

View Slide

ڝ߹ରࡦͷݸਓతݟղ
u ՄೳͰ͋Ε͹ɺ"ENJTTJPO8FCIPPLͰଞͷϦιʔε΍֎෦ͷঢ়ଶʹґଘ͠
ͳ͍Α͏ʹ͢Δ
u ڝ߹ঢ়ଶΛڐ༰Ͱ͖Δ৔߹
n λΠϛϯάʹΑͬͯݕূΛ͢Γൈ͚ΔέʔεΛ೺Ѳ͓ͯ͘͠
n )/$ͷΑ͏ʹɺڝ߹ঢ়ଶΛఆظతʹνΣοΫ͠Ϣʔβʔʹؾ͔ͮͤΔΑ͏ʹ͢Δ
u ڝ߹Λݫີʹݕূ͍ͨ͠৔߹
n "ENJTTJPO8FCIPPLͰ͸ੑೳ໘΍ɺ࣮ߦॱং੍͕ޚͰ͖ͳ͍͜ͱ͕՝୊ͱͳΔ
n 3FTPVSDF2VPUBͷΑ͏ͳ࣮૷Λ͍ͨ͠৔߹͸ɺ$VTUPN"1*4FSWFSͳͲΛݕ౼͢Δ

View Slide

ᶄ ηΩϡϦςΟରࡦ
u ,VCFSOFUFT"ENJTTJPO$POUSPM5ISFBU.PEFM
n IUUQTHJUIVCDPNLVCFSOFUFTTJHTFDVSJUZCMPCNBJOTJHTFDVSJUZ
EPDTQBQFSTBENJTTJPODPOUSPMLVCFSOFUFTBENJTTJPODPOUSPMUISFBU
NPEFMNE
u ओͳ.JUJHBUJPOT
n ڧ͍ݖݶΛ࣋ͨͤͳ͍Α͏ʹ͠Α͏ʢ3#"$ QSJWJMFHFEͳͲʣ
n 'BJM$MPTFEʹ͠Α͏ʢGBJMVSF1PMJDZΛ'BJMʹઃఆ͢Δʣ
n ௨৴ͷ5-4҉߸Խ ΫϥΠΞϯτೝূ N5-4ͳͲΛ࠾༻͠Α͏
n ઃఆͷϨϏϡʔ΍ςετΛ࣮ࢪ͠Α͏

View Slide

ରࡦ'BJM$MPTFE
u 8FCIPPL͕ར༻Ͱ͖ͳ͍ͱ͖ʹɺϦιʔεͷมߋૢ࡞Λࣦഊͤ͞Δ͜ͱ
n ϙϦγʔΛແࢹͨ͠ϫʔΫϩʔυ͕࡞੒͞ΕΔ͜ͱΛ๷͙͜ͱ͕Ͱ͖Δ
n Ұํɺ8FCIPPLͷো֐͕,VCFSOFUFTΫϥελʔʹӨڹΛ༩͑Δ͜ͱʹͳΔ
u ো֐ͷര෩൒ܘʢ#MBTU3BEJVTʣΛ࠷খԽ͢Δ
n γεςϜͷՔಇʹؔΘΔॏཁͳϫʔΫϩʔυΛ"ENJTTJPO 8FCIPPLͷର৅֎ʹ͢Δ
n 8FCIPPLͷର৅ͱͳΔϦιʔε͸ɺ8FCIPPL಺ͷϩδοΫͰ൑ผ͢ΔͷͰ͸ͳ͘ɺ
8FCIPPL$POGJHVSBUJPOͷઃఆͰߜΓࠐΉɻ

View Slide

ରࡦ5-4҉߸ԽɾΫϥΠΞϯτೝূ
u 5-4҉߸Խ
n ,VCFCVJMEFSͰϓϩδΣΫτΛੜ੒͢ΔͱσϑΥϧτͰ5-4҉߸Խ͕༗ޮԽ͞Ε͍ͯΔ
n DFSUNBOBHFSʹΑΓূ໌ॻͷൃߦ΍ϩʔςʔγϣϯΛࣗಈԽ
n DFSUXBUDIFSͱ͍͏࢓૊ΈʹΑΓɺূ໌ॻͷϩʔςʔγϣϯ࣌ʹ8FCIPPLΛ࠶ىಈ͢Δ
͜ͱͳ͠ʹূ໌ॻ͕࠶ಡΈࠐΈ͞ΕΔ
u ΫϥΠΞϯτೝূ
n ,VCFCVJMEFSͰੜ੒ͨ͠ϓϩδΣΫτͰ͸༗ޮʹͳ͍ͬͯͳ͍
n ,VCFSOFUFTͷ࢓૊Έ্ɺݺͼग़͢8FCIPPLΛ௥Ճͨ͠Γূ໌ॻΛ࠶ൃߦ͢Δͨͼʹ
"1*4FSWFSͷ࠶ىಈ͕ඞཁͱͳΔ

View Slide

DFSUNBOBHFSʹΑΔূ໌ॻͷ؅ཧ

Kubernetes
API Server
Admission
Webhook
Webhook
Configuration
HTTPS
cert
manager
Certificate
Secret
$"ূ໌ॻ αʔόʔ
ূ໌ॻ
ൿີݤ
Inject Generate
DFSUXBUDIFS͕ϑΝΠ
ϧͷมߋΛ؂ࢹ͓ͯ͠Γɺ
ূ໌ॻ͕࠶ൃߦ͞ΕΔͱ
ϑΝΠϧΛಡΈࠐΈ௚͢
༗ޮظݶ͕ۙ͘ͳΔͱ
ࣗಈతʹূ໌ॻΛ࠶ൃߦ
😊DFSUNBOBHFSʹ͓·͔ͤ

View Slide

kubeconfig
ΫϥΠΞϯτূ໌ॻͷઃఆ

Kubernetes
API Server
Admission
Webhook
Admission
Configuration
HTTPS
Secret
$"ূ໌ॻ
ΫϥΠΞϯτ
ূ໌ॻ
ൿີݤ
Generate
"1*4FSWFSͷىಈ࣌ʹ
ίϚϯυϥΠϯΦϓγϣϯ
Ͱࢦఆ͢Δඞཁ͕͋Δɻ
Generate
,VCFSOFUFTΫϥελʔ
Λ্ཱͪ͛Δલʹࣄલʹ
ূ໌ॻΛ࡞੒͓ͯ͘͠
ઃఆΛมߋͨ͠৔߹ɺ
"1*4FSWFSΛ࠶ىಈ
͠ͳ͚Ε͹ͳΒͳ͍ɻ
😥ؾܰʹઃఆมߋͰ͖ͳ͍
˞ৄࡉͳઃఆํ๏͸ิ଍هࣄࢀর

View Slide

ରࡦαϒϦιʔεͷ8FCIPPL
u ,VCFSOFUFTʹ͸ɺαϒϦιʔεͱ͍͏ϦιʔεͷҰ෦ͷϑΟʔϧυͷΈΛ
ૢ࡞͢Δ"1* &OEQPJOU͕༻ҙ͞Ε͍ͯΔ
u 7BMJEBUJOH8FCIPPLͰαϒϦιʔεͷνΣοΫ͕࿙ΕΔͱɺηΩϡϦςΟ
ࣄނʹͭͳ͕ΔՄೳੑ͕͋Δɻ
n 1PEϦιʔεͷ8FCIPPLͰಛݖίϯςφΛ࡞੒Ͱ͖ͳ͍Α͏ʹ੍ݶ͍͕ͯͨ͠ɺ
QIFNFSBMDPOUBJOFSTαϒϦιʔεΛ8FCIPPLͷର৅ʹ͍ͯ͠ͳ͔ͬͨͨΊɺ
ಛݖΛ࣋ͬͨ&QIFNFSBM$POUBJOFSΛ࡞੒Ͱ͖ͯ͠·͏ɻ
n %FQMPZNFOUϦιʔεͷ8FCIPPLͰSFQMJDBTͷ੍ݶΛ͍͕ͯͨ͠ɺTDBMFαϒϦιʔε
Λ8FCIPPLͷର৅ʹ͍ͯ͠ͳ͔ͬͨͨΊɺSFQMJDBTͷ੍ݶΛճආͰ͖ͯ͠·͏ɻ

View Slide

αϒϦιʔεΛ8FCIPPLͷର৅ʹ͢Δ
u ϦΫΤετͰ౉ͬͯ͘ΔPCKFDUͷܕ͕ɺα
ϒϦιʔεʹΑͬͯҟͳΔͷͰ஫ҙɻ
n TUBUVT͸ɺ਌Ϧιʔε͕ͦͷ··౉ͬͯ͘Δɻ
n TDBMF͸ɺBVUPTDBMJOH4DBMFܕ͕౉ͬͯ͘Δɻ

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
- pods/ephemeralcontainers
SFTPVSDFTʹαϒϦιʔεͷύεΛؚΊͯࢦఆ
͢Δ͜ͱ͕Ͱ͖Δɻ
ͨͩ͠ Λࢦఆͯ͠΋αϒϦιʔε͸ର৅ͱͳ
Βͳ͍ͷͰ஫ҙɻ
શαϒϦιʔεΛࢦఆ͍ͨ͠৔߹͸ QPETͷ
Α͏ʹࢦఆ͢Δ
!
"#$%&$'(")*!
"+,-$.(")*!
"/012")*"3.45$"6
"4708$#'0+1")*"4&(+'.45019:;<"6
"=$(424(4")*!
"14=$")*"'4=75$"6
"14=$'74.$")*"2$>4&5("6
?6
"'7$.")*!
"#$750.4'")*@
?
?
?
?

View Slide

ᶅ Ϛϧνςφϯτ؀ڥ΁ͷରԠ
u "ENJTTJPO8FCIPPL͸جຊతʹ͸Ϋϥελ؅ཧऀ͕؅ཧ͢Δɻ
u ෳ਺ͷνʔϜ͕ͭͷ,VCFSOFUFTΫϥελΛڞ༗͍ͯ͠ΔϚϧνςφϯτ؀
ڥͰ͸ɺ֤νʔϜ͕ࣗ༝ʹ"ENJTTJPO8FCIPPLΛཱͯΔ͜ͱ͕Ͱ͖ͳ͍ɻ
n "ENJTTJPO8FCIPPLʹ͸3#"$͕ద༻͞Εͳ͍ͨΊɺଞͷνʔϜͷϦιʔεΛݟ์୊ɺ
มߋ͠์୊ʹͳͬͯ͠·͏ɻ
n ֤νʔϜͷ"ENJTTJPO8FCIPPLͷੑೳ໰୊΍ෆ҆ఆੑ͕ɺ,VCFSOFUFTΫϥελʔ
શମͷ໰୊ʹͭͳ͕ͬͯ͠·͏ɻ

View Slide

Ϛϧνςφϯτ؀ڥ΁ͷରԠ
u ϙϦγʔΤϯδϯʢ,ZWFSOP ,VCFXBSEFOʣ
n ҰൠϢʔβʔ͕/BNFTQBDF୯ҐͷϙϦγʔΛͭ͘Δ͜ͱ͕Ͱ͖Δɻ
u Ծ૝Ϋϥελʔ
n 7$MVTUFS΍,$1ͳͲΛར༻ͯ͠ɺԾ૝Ϋϥελʔ্Ͱ"ENJTTJPO8FCIPPLΛར༻͢Δɻ
u /BNFTQBDFE "ENJTTJPOʢ&YQFSJNFOUBMʣ
n IUUQTHJUIVCDPN[PFUSPQFOBNFTQBDFEBENJTTJPO
n νʔϜ͝ͱʹ"ENJTTJPO8FCIPPLΛ্ཱͪ͛ΔͨΊͷΧελϜίϯτϩʔϥʔ

View Slide

Team X
/BNFTQBDFE "ENJTTJPO

Namespace B
Namespaced
Admission
Controller
Namespaced
Webhook
Configuration
Admission
Webhook
Webhook
Configuration
ҰൠϢʔβʔ
Service
Account
σϓϩΠ
ੜ੒
ର৅ͱͳΔνʔϜʹଐ͢Δ
/BNFTQBDF͚͕ͩ
8FCIPPLͷର৅ͱͳΔΑ͏ʹ
OBNFTQBDF4FMFDUPSΛઃఆ
Namespace A
4FSWJDF"DDPVOU͕ΞΫηε
ՄೳͳϦιʔεͷΈ͕8FCIPPL
ͷର৅ͱͳ͍ͬͯΔ͜ͱΛ֬ೝ

View Slide

ᶆ ୤"ENJTTJPO8FCIPPL
u "ENJTTJPO8FCIPPLͷ໰୊఺
n 8FCαʔόʔΛ্ཱͪ͛Δඞཁ͕͋Γɺӡ༻ͷෛ୲͕େ͖͍ɻ
n "ENJTTJPO8FCIPPLͷՄ༻ੑ͕ɺ,VCFSOFUFTΫϥελʔશମͷՄ༻ੑʹӨڹ͢Δɻ
n ֎෦ͷ8FCαʔόʔΛݺͼग़ͨ͢Ίɺ"1* 4FSWFSͷϨΠςϯγʔ͕ѱԽ͢Δɻ
u "ENJTTJPO8FCIPPLҎ֎ͷํ๏
n -JOUπʔϧΛར༻ͯ͠ɺ,VCFSOFUFTΫϥελʔ΁ͷద༻લʹνΣοΫ
n ΧελϜϦιʔε͸0QFO"1* W4DIFNBͰνΣοΫͰ͖Δ͜ͱ΋ଟ͍
n কདྷతʹ͸$&-GPS"ENJTTJPO$POUSPMΛ׆༻

View Slide

$&-GPS "ENJTTJPO $POUSPM
u $&-ʢ$PNNPO&YQSFTTJPO-BOHVBHFʣܗࣜͰ7BMJEBUJPOϧʔϧ͕ه
ड़Ͱ͖Δ,VCFSOFUFTͷඪ४ػೳ
n ,VCFSOFUFTWͰΧελϜϦιʔεͷ7BMJEBUJPOػೳ͕Ќ൛Ͱ࢖͑ΔΑ͏ʹͳͬͨɻ
n ,VCFSOFUFTWͰ೚ҙͷϦιʔεʹରͯ͠7BMJEBUJPO͕͓͜ͳ͑Δػೳͷ։ൃ͕ਐ
ΊΒΕ͍ͯΔɻʢ,&1ʣ
u ಛ௃
n "ENJTTJPO8FCIPPLͷΑ͏ʹผαʔόʔΛཱͯΔඞཁ͕ͳ͍ͷͰӡ༻ͷख͕ؒෆཁɻ
n "1*4FSWFSͷΠϯϓϩηεͰ࣮ߦ͞ΕΔͷͰɺϨΠςϯγʔΛ௿͘཈͑ΒΕΔɻ

View Slide

$&-ʹΑΔϧʔϧͷهड़
u ϑΟʔϧυΛมߋͰ͖ͳ͍Α͏ʹ͢Δ
u NBQ΁ͷΩʔͷ௥ՃΛڐՄ͢Δ͕ɺ࡟আ΍มߋΛېࢭ͢Δ
u ίϯςφ໊͕YZ[͔Β࢝·Δ͜ͱΛνΣοΫ͢Δ

x-kubernetes-validations:
- message: Keys may not be removed and their values must stay the same
rule: oldSelf.all(key, key in self && self[key] == oldSelf[key])
validations:
- scopes: [ "spec.containers[*]", "initContainers[*]", "spec.ephemeralContainers[*]" ]
expression: "scope.name.startsWith('xyz-')"
messageExpression: "scope.name + ' does not start with ¥'xyz¥''"
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf

View Slide

·ͱΊ

View Slide

·ͱΊ
u "ENJTTJPO8FCIPPL͸ڧྗͳ,VCFSOFUFT֦ுػೳͷͻͱͭɻ
u ຊൃදͰ঺հͨ͠಺༰ʹ஫ҙͭͭ͠ɺͥͻ͞·͟·ͳ༻్Ͱར༻ͯ͠Έͯͩ͘
͍͞ɻ
u ิ଍هࣄͱαϯϓϧϓϩάϥϜ΋͋Θͤͯ͝ཡ͍ͩ͘͞ɻ
n IUUQT[FOOEFW[PFUSPBSUJDMFTBENJTTJPOXFCIPPLEFFQEJWF
n IUUQTHJUIVCDPN[PFUSPQFTBNQMFXFCIPPL

View Slide

Kubernetes Admission Webhook Deep Dive

Kubernetes Admission Webhook Deep Dive

Akihiro Ikezoe

More Decks by Akihiro Ikezoe

Other Decks in Programming

Featured

Transcript