Open Policy Agent with Kubernetes #2

minikubeでOpenPolicyAgentをAPI ServerのAdmissinReview先として利用し、policyのvalidationが行われる様子を確認します。
以下docのtutorialを進めます。
www.openpolicyagent.org

~/S/O/o/ingress-validation-tutorial ❯❯❯ minikube addons list
|-----------------------------|----------|--------------|
|         ADDON NAME          | PROFILE  |    STATUS    |
|-----------------------------|----------|--------------|
| dashboard                   | minikube | disabled     |
| default-storageclass        | minikube | enabled ✅   |
| efk                         | minikube | disabled     |
| freshpod                    | minikube | disabled     |
| gvisor                      | minikube | disabled     |
| helm-tiller                 | minikube | disabled     |
| ingress                     | minikube | disabled     |
| ingress-dns                 | minikube | disabled     |
| istio                       | minikube | disabled     |
| istio-provisioner           | minikube | disabled     |
| logviewer                   | minikube | disabled     |
| metrics-server              | minikube | disabled     |
| nvidia-driver-installer     | minikube | disabled     |
| nvidia-gpu-device-plugin    | minikube | disabled     |
| registry                    | minikube | disabled     |
| registry-aliases            | minikube | disabled     |
| registry-creds              | minikube | disabled     |
| storage-provisioner         | minikube | enabled ✅   |
| storage-provisioner-gluster | minikube | disabled     |
|-----------------------------|----------|--------------|

~/S/O/o/ingress-validation-tutorial ❯❯❯ minikube addons enable ingress
🌟  The 'ingress' addon is enabled
~/S/O/o/ingress-validation-tutorial ❯❯❯ minikube addons list
|-----------------------------|----------|--------------|
|         ADDON NAME          | PROFILE  |    STATUS    |
|-----------------------------|----------|--------------|
| dashboard                   | minikube | disabled     |
| default-storageclass        | minikube | enabled ✅   |
| efk                         | minikube | disabled     |
| freshpod                    | minikube | disabled     |
| gvisor                      | minikube | disabled     |
| helm-tiller                 | minikube | disabled     |
| ingress                     | minikube | enabled ✅   |
| ingress-dns                 | minikube | disabled     |
| istio                       | minikube | disabled     |
| istio-provisioner           | minikube | disabled     |
| logviewer                   | minikube | disabled     |
| metrics-server              | minikube | disabled     |
| nvidia-driver-installer     | minikube | disabled     |
| nvidia-gpu-device-plugin    | minikube | disabled     |
| registry                    | minikube | disabled     |
| registry-aliases            | minikube | disabled     |
| registry-creds              | minikube | disabled     |
| storage-provisioner         | minikube | enabled ✅   |
| storage-provisioner-gluster | minikube | disabled     |
|-----------------------------|----------|--------------|
~/S/O/o/ingress-validation-tutorial ❯❯❯
~/S/O/o/ingress-validation-tutorial ❯❯❯ kubectl create ns opa
namespace/opa created
~/S/O/o/ingress-validation-tutorial ❯❯❯ kubectl get ns  --show-labels
NAME              STATUS   AGE    LABELS
default           Active   6d3h   <none>
kube-node-lease   Active   6d3h   <none>
kube-public       Active   6d3h   <none>
kube-system       Active   6d3h   <none>
opa               Active   3s     <none>
~/S/O/o/ingress-validation-tutorial ❯❯❯

# 3.deploy OPA on top of Kuberentes
KubernetesとOPAの間ではTLS プロトコルを利用します。
TLSを構成するためにopensslコマンドで権威証明書(CA)とOPAのための証明書/鍵ペアを生成します。

~/S/O/o/ingress-validation-tutorial ❯❯❯ openssl genrsa -out ca.key 2048 #CA用秘密鍵を生成
Generating RSA private key, 2048 bit long modulus
.............+++
.................+++
e is 65537 (0x10001)
~/S/O/o/ingress-validation-tutorial ❯❯❯
~/S/O/o/ingress-validation-tutorial ❯❯❯ openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca" #CA生成
~/S/O/o/ingress-validation-tutorial ❯❯❯ ls
ca.crt                    ca.key                    ingress-validation-opa.md
~/S/O/o/ingress-validation-tutorial ❯❯❯

OPA側が利用する、先ほどのCA証明書に紐づく証明書。
~/S/O/o/ingress-validation-tutorial ❯❯❯ cat > server.conf <<EOF
heredoc else> [req]
heredoc else> req_extensions = v3_req
heredoc else> distinguished_name = req_distinguished_name
heredoc else> [req_distinguished_name]
heredoc else> [v3_req]
heredoc else> basicConstraints = CA:FALSE
heredoc else> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
heredoc else> extendedKeyUsage = clientAuth, serverAuth
heredoc else> EOF

~/S/O/o/ingress-validation-tutorial ❯❯❯ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
....................+++
e is 65537 (0x10001)

#server.confとserver.keyを元に、証明書署名リクエストを生成
~/S/O/o/ingress-validation-tutorial ❯❯❯ openssl req -new -key server.key -out server.csr -subj "/CN=opa.opa.svc" -config server.conf
~/S/O/o/ingress-validation-tutorial ❯❯❯ ls
ca.crt                    ca.key                    ingress-validation-opa.md server.conf               server.csr                server.key
#生成した署名リクエストを、CA側の秘密鍵(とCAの証明書)で署名。
~/S/O/o/ingress-validation-tutorial ❯❯❯ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_req -extfile server.conf
Signature ok
subject=/CN=opa.opa.svc
Getting CA Private Key
~/S/O/o/ingress-validation-tutorial ❯❯❯ ls
ca.crt                    ca.srl                    server.conf               server.csr
ca.key                    ingress-validation-opa.md server.crt                server.key
~/S/O/o/ingress-validation-tutorial ❯❯❯
CN(common name)は、のちに作成するOPAのサービスと一致している必要がある。

secretとして登録。

~/S/O/o/ingress-validation-tutorial ❯❯❯ kubectl create secret -n opa tls opaserver --cert=server.crt --key=server.key
secret/opaserver created
~/S/O/o/ingress-validation-tutorial ❯❯❯
~/S/O/o/ingress-validation-tutorial ❯❯❯ kubectl get secret -n opa opaserver
NAME        TYPE                DATA   AGE
opaserver   kubernetes.io/tls   2      74s
~/S/O/o/ingress-validation-tutorial ❯❯❯

必要なマニフェストファイルを適用する。

~/S/O/o/ingress-validation-tutorial ❯❯❯ kubectl apply -n opa -f admission-controller.yaml
clusterrolebinding.rbac.authorization.k8s.io/opa-viewer created
role.rbac.authorization.k8s.io/configmap-modifier created
rolebinding.rbac.authorization.k8s.io/opa-configmap-modifier created
service/opa created
deployment.apps/opa created
configmap/opa-default-system-main created
~/S/O/o/ingress-validation-tutorial ❯❯❯

OPAのインスタンスが起動すると、kube-mgmtコンテナがロードされる。
このサイドカーはKubernetes APIサーバーをwatchし、Kuberentesオブジェクトのキャッシュに一貫性を持って？アクセスする。
次に、OPAをadmission controllerとして登録する。
このwebhookの設定は、openpolicyagent.org/webhook=ignoreのラベルの存在するnsについて検知しない。
>|sh||
~/S/O/o/ingress-validation-tutorial ❯❯❯ cat > webhook-configuration.yaml << EOF
heredoc else> kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
name: opa-validating-webhook
webhooks:
- name: validating-webhook.openpolicyagent.org
namespaceSelector:
matchExpressions:
- key: openpolicyagent.org/webhook
operator: NotIn
values:
- ignore
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["*"]
apiVersions: ["*"]
resources: ["*"]
clientConfig:
caBundle: $(cat ca.crt | base64 | tr -d '\n')
service:
namespace: opa
name: opa
heredoc else> EOF
|