Admission Webhookで快適なSecret管理 / Berglas Secret Admission Webhook
go_vargo
December 18, 2019
Transcript
Comfortable Secret management with Admission Webhooks (Admission Webhookで快適なSecret管理)
2019/12/18 Kubernetes Invitational Meetup Tokyo #4

What is an Admission Webhook?

Admission Control: the mechanism in kube-apiserver that lets an API request be modified (Mutate) and checked (Validate) after authentication and authorization.

Request flow inside kube-apiserver:
HTTP Handler -> Authenticate -> Authorize -> Mutating Admission -> Schema Validation -> Validating Admission -> ...

Resource Handler -> Mutating Webhook -> Validating Webhook (the Admission Webhooks)

An Admission Webhook lets you plug arbitrary processing into that flow as a hook served by your own web server.
The Admission Webhook I built

Berglas Secret Admission Webhook: uses Berglas, a secret management tool for GCP, to manage Kubernetes Secrets transparently.

Goal of the webhook: when managing Secrets, do not leave the Secret values in Git. We already use Berglas for secret management on GCP, so we want to use Berglas from Kubernetes as well.

apiVersion: v1
kind: Secret
metadata:
  name: database-secret   # Secret names are DNS subdomain names; underscores are not allowed
data:
  PASS: cGFzc3dvcmQ=

$ echo cGFzc3dvcmQ= | base64 --decode
password

A Kubernetes Secret is only Base64-encoded, so anyone holding the YAML can decode it immediately.
What the webhook does: it decrypts Secrets created in Berglas into Kubernetes at admission time, so the YAML committed to Git is safe for anyone to see.
Berglas

Berglas is a CLI tool for managing secrets (confidential values) on Google Cloud Platform. Using a key held in Cloud KMS, Berglas encrypts and decrypts secret values (note: this is a separate thing from a Kubernetes Secret).

Encrypt: berglas create <BUCKET>/<KEY> <VALUE>
  Berglas uses Key Management Service for encryption, and the encrypted secret data is created in Cloud Storage.

Decrypt: berglas access <BUCKET>/<KEY>
  Berglas reads the secret data from Cloud Storage and uses Key Management Service for decryption.
What I used to build the Admission Webhook

Kubewebhook: a framework for building Admission Webhooks. It takes care of the parts every Admission Webhook needs, such as AdmissionReview and AdmissionResponse, so the user can concentrate on implementing the Mutate and Validate functions.
https://github.com/slok/kubewebhook

Berglas API:
https://github.com/GoogleCloudPlatform/berglas
The samples include an Admission Webhook that uses Cloud Functions, but its purpose was different from mine, so this time I wrote my own webhook.
https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes
Berglas Secret Admission Webhook

When a Secret is created, any value that is a "berglas://..." reference is decrypted transparently (everything else is skipped).

apiVersion: v1
kind: Secret
metadata:
  name: database-secret
data:
  PASS: berglas://BUCKET/pass

Flow:
1. kubectl apply -f secret.yaml
2. kube-apiserver calls the Admission Webhook
3. Mutating Webhook Server: Mutate
4. Berglas: Decode (resolve and decrypt the reference)
5. Validating Webhook Server: Validate
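The mutation step of the flow above, as an added example that is not the speaker's code and not part of Berglas or kubewebhook: it implements the webhook's core logic with the Go standard library only. `Review` takes an AdmissionReview body, finds `data` entries whose value starts with `berglas://`, resolves them through an injected `Resolver` (an assumed stand-in for the Berglas client; in production it would wrap Berglas's resolve call) and returns a JSON Patch response. Two points the slide does not show: `data` values must be Base64 on the wire (the slide shows the reference unencoded for readability), so the webhook compares the decoded bytes, and a reference that cannot be resolved fails closed rather than letting a Secret containing the raw reference be stored. The sample AdmissionReview in the test is constructed for this example.

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const berglasPrefix = "berglas://"

// Resolver turns a "berglas://BUCKET/KEY" reference into its plaintext. Assumption:
// injected so the logic runs offline; in production it wraps the Berglas client.
type Resolver func(ctx context.Context, ref string) ([]byte, error)

// Only the AdmissionReview fields this webhook needs; the rest is ignored.
type admissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string                             `json:"uid"`
		Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
		Object json.RawMessage                    `json:"object"`
	} `json:"request,omitempty"`
	Response *admissionResponse `json:"response,omitempty"`
}

type admissionResponse struct {
	UID       string            `json:"uid"`
	Allowed   bool              `json:"allowed"`
	PatchType string            `json:"patchType,omitempty"`
	Patch     []byte            `json:"patch,omitempty"` // encoding/json emits []byte as base64
	Result    map[string]string `json:"result,omitempty"`
}

// Secret data is base64 on the wire; encoding/json decodes it into []byte for us,
// so a reference is recognised on the decoded bytes, not on the base64 text.
type secret struct {
	Data map[string][]byte `json:"data"`
}

type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// escapePointer applies RFC 6901 escaping so keys containing "~" or "/" stay valid paths.
func escapePointer(k string) string { return strings.NewReplacer("~", "~0", "/", "~1").Replace(k) }

// mutateSecret returns one JSON Patch "replace" per berglas:// reference found in
// data; values that are not references are left untouched (skipped, as on the slide).
func mutateSecret(ctx context.Context, raw []byte, resolve Resolver) ([]patchOp, error) {
	var s secret
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("decode Secret: %w", err)
	}
	var ops []patchOp
	for k, v := range s.Data {
		if !strings.HasPrefix(string(v), berglasPrefix) {
			continue
		}
		plain, err := resolve(ctx, string(v))
		if err != nil {
			return nil, fmt.Errorf("resolve data/%s: %w", k, err)
		}
		// The patched value must again be base64, because it lands in .data.
		ops = append(ops, patchOp{"replace", "/data/" + escapePointer(k), base64.StdEncoding.EncodeToString(plain)})
	}
	return ops, nil
}

// Review handles one AdmissionReview body. An unresolvable reference fails closed
// (allowed=false) so the raw reference is never stored as the Secret value.
func Review(ctx context.Context, body []byte, resolve Resolver) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, errors.New("malformed AdmissionReview")
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	if ar.Request.Kind.Kind == "Secret" {
		ops, err := mutateSecret(ctx, ar.Request.Object, resolve)
		if err != nil {
			resp.Allowed, resp.Result = false, map[string]string{"message": err.Error()}
		} else if len(ops) > 0 {
			resp.Patch, _ = json.Marshal(ops)
			resp.PatchType = "JSONPatch"
		}
	}
	// The response must echo the request's apiVersion/kind and uid.
	return json.Marshal(admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp})
}
```

Wire `Review` behind an HTTPS handler and register that endpoint in a MutatingWebhookConfiguration scoped to Secrets; given the GKE pitfall discussed later in the deck, listen on port 443 unless you are prepared to add the firewall rule.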
Where I got stuck

It doesn't work on managed Kubernetes (or so I mistakenly thought): "Admission Webhook cannot work on private GKE clusters"
https://github.com/elastic/cloud-on-k8s/issues/1437

If the Webhook Server listens on a port other than 443, the API request never reaches the Webhook Server's Pod. On GKE the control plane (master VPC) connects to the endpoint IP in the worker VPC, but only ports 443 (HTTPS) and 10250 (kubelet) are allowed through by default.

Master VPC -> Worker VPC: port 443 allowed -> Webhook Server
If you use any port other than 443, you have to open a firewall rule for it.
Good references

Admission Webhooks: Configuration and Debugging Best Practices - Haowei Cai, Google
https://kccncna19.sched.com/event/UaVt/admission-webhooks-configuration-and-debugging-best-practices-haowei-cai-google
Thank you