Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook

Transcript

1. Admission Webhook ͰշదͳSecret؅ཧ 2019/12/18 Kubernetes Invitational Meetup Tokyo #4

2. Admission Webhookͱ͸ʁ

3. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551
   )BOEMFS "VUIFOUJDBUF
   "VUIPSJ[F

   .VUBUF
   "ENJTTJPO 4DIFNF
   7BMJEBUJPO 7BMJEBUF
   "ENJTTJPO ɾɾɾ

4. Admission Control Admission Control͸ೝূɾೝՄͷޙʹɺAPI RequestΛ มߋ(Mutate)ɾݕূ(Validate)Ͱ͖Δ࢓૊Έ )551
   )BOEMFS "VUIFOUJDBUF
   "VUIPSJ[F

   .VUBUF
   "ENJTTJPO 4DIFNF
   7BMJEBUJPO 7BMJEBUF
   "ENJTTJPO ɾɾɾ

5. LVCFBQJTFSWFS 3FTPVSDF
   )BOEMFS .VUBUJOH
   8FCIPPL 7BMJEBUJOH
   8FCIPPL "ENJTTJPO
   8FCIPPL ʜ ʜ ʜ

   ʜ "ENJTTJPO ʜ ʜ 7BMJEBUJPO Admission Webhook ೚ҙͷॲཧΛWebServer ΁ͷHookͱͯ͠௥ՃͰ͖Δ

6. ࠓճ࡞ͬͨAdmission Webhook

7. Berglas Secret Admission Webhook GCPͷSecret؅ཧπʔϧͰ͋Δ BerglasΛ࢖ͬͯɺಁաతͳSecret؅ཧΛ࣮ݱ

8. ࡞ͬͨAdmission Webhookͷ໨త ໨త: Secretͷ؅ཧͰɺGit্ʹSecretͷValueΛ࢒͞ͳ͍ Α͏ʹ͍ͨ͠ɻGCP্ͷSecret؅ཧʹBerglasΛ ࢖͍ͬͯΔͷͰɺBerglasΛK8sͰ΋׆༻͍ͨ͠ɻ apiVersion: v1 kind: Secret

   metadata: name: database_secret data: PASS: cGFzc3dvcmQ= $ echo cGFzc3dvcmQ= | base64 --decode password ໰୊఺: ͨͩͷBase64Τϯίʔυͩͱ ͙͢ʹσίʔυͰ͖ͯ͠·͏ ࡞ͬͨAdmission Webhook: Berglas্ʹ࡞ͬͨSecretΛɺK8s্ʹ෮߸ͯ͘͠ΕΔ → YAML͸୭͕ݟͯ΋໰୊ͳ͍Α͏ʹ͢Δ

9. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

   Key Management Service Cloud Storage #FSHMBT ҉߸ʹར༻ Secretσʔλ͕࡞ΒΕΔ berglas create <BUCKET>/<KEY> <VALUE> Encrypt

10. Berglas Berglas͸Google Cloud Platform্ͰSecret(ൿີ৘ใ)Λ ؅ཧ͢ΔͨΊͷCLIπʔϧɻ Cloud KMSʹ͋Δ伴Λ࢖ͬͯɺBerlgasͰSecretΛ҉߸ Խɾ෮߸ԽͰ͖Δ (※K8s Secretͱ͸ผ෺ͳͷͰ஫ҙ)

    Key Management Service Cloud Storage #FSHMBT ෮߸ʹར༻ SecretσʔλΛࢀর berglas access <BUCKET>/<KEY> Decrypt

11. Admission Webhook࡞੒ʹ࢖ͬͨ΋ͷ Kubewebhook: Admission WebhookΛ࡞ΔͨΊͷϑϨʔϜϫʔΫ AdmissionReview, AdmissionResponseͱ͍ͬͨɺ Admission Webhookʹඞཁͳ෦෼Λड͚࣋ͬͯ͘ΕΔ ར༻ऀ͸Mutateؔ਺ͱValidateؔ਺ͷ࣮૷ʹूதͰ͖Δ

    Berglas API: https://github.com/slok/kubewebhook https://github.com/GoogleCloudPlatform/berglas SampleͰCloud FunctionΛར༻ͨ͠Admission Webhookͷ ྫ΋͋Δ͕ɺ༻్͕ҟͳͬͨͷͰࠓճ͸WebhookΛࣗ࡞ https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes

12. Berglas Secret Admission Webhook SecretΛ࡞੒͢Δͱɺʮberglas://ʙʯͱ͍͏ϦϑΝϨϯε ͕͋Δ΋ͷ͸ɺಁաతʹ෮߸Խ͢Δ(ͦΕҎ֎͸εΩοϓ) ᶃ kubectl apply -f

    secret.yaml Mutating Webhook Server Validating Webhook Server #FSHMBT apiVersion: v1 kind: Secret metadata: name: database_secret data: PASS: berglas://BUCKET/pass ᶄ Admission Webhook ᶅ Mutate ᶇ Validate ᶆ Decode

13. ϋϚͬͨͱ͜Ζ

14. Managed K8sͰಈ͔ͳ͍(ͱצҧ͍ͯͨ͠) Admission Webhook cannot work on private GKE clusters

    https://github.com/elastic/cloud-on-k8s/issues/1437 443ϙʔτҎ֎ͰɺWebhook ServerΛಈ͔͍ͯ͠Δͱɺ Webhook ServerͷPod·ͰAPI Request͕౸ୡ͠ͳ͍ɻ GKEͰ͸ΤϯυϙΠϯτIPʹ௚઀௨৴͢Δ͕ɺ443(HTTPS), 10250(Kubelet)ͷϙʔτ͔͠ڐՄ͞Ε͍ͯͳ͍ͨΊ Webhook Server Master VPC Worker VPC Port: 443 ͸ڐՄ ※443Ҏ֎ͷ৔߹͸ɺϑΝΠΞ΢Υʔϧͷ݀։͚͕ඞཁ

15. ࢀߟʹ͢Δͱྑ͍΋ͷ Admission Webhooks: Configuration and Debugging Best Practices - Haowei

    Cai, Google https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best- practices-haowei-cai-google

16. Thank you