Authorization via the `use` verb on the policy API group (for a period it needs to be authorized through that group). The admission controller code is under review at https://github.com/kubernetes/kubernetes/pull/24600.
This feature was first released in OpenShift, so it skips straight to beta.
It is disabled by default in kubernetes/kubernetes#24600. After that, the admission controller needs to be changed to link PSPs to users.
Note https://github.com/kubernetes/kubernetes/pull/20573 as a dependency for the next step of PSP (subject-level access).
What's the status of this? Is the description in the first comment up to date?
Is the description in the first comment up to date?
No (I don't have permission to update). I believe all the alpha requirements are met. The initial types, API, and tests have been merged. The admission controller is not enabled by default.
IMO the remaining work for beta/1.4 is auth integration for permissions, updating the constraints with new fields (seccomp - in progress, sysctl), and any required docs/tutorials.
And e2e tests.
On Tue, Jul 12, 2016 at 6:23 AM, Paul Weil notifications@github.com wrote:
Is the description in the first comment up to date?
No (I don't have permission to update). I believe all the alpha requirements are met. The initial types, API, and tests have been merged. The admission controller is not enabled by default. IMO the remaining work for beta/1.4 is auth integration for permissions, updating the constraints with new fields (seccomp - in progress, sysctl), and any required docs/tutorials.
What about interactions with cloud providers? It would be nice to easily assign pods different IAM roles so they can only access the subset of cloud services they actually need. Is that in scope, or is it something that should be considered a SecurityContext detail?
@therc that should be done through a ServiceAccount.
@goltermann I noticed this is marked alpha, but I think it needs a beta tag based on https://github.com/kubernetes/features/issues/5#issuecomment-217939650
@erictune does that sound right based on @pweil-'s comment?
@goltermann technically I think this was beta in 1.3; development was in progress, but it isn't new in 1.4.
Yes, beta is correct. I was wrong when I said alpha earlier today.
Great, I'll fix that.
@pweil- are the docs ready? Please update the docs in https://github.com/kubernetes/kubernetes.github.io, add the PR number, and check the [Docs] checkbox in the issue description.
@janetkuo docs PR https://github.com/kubernetes/kubernetes.github.io/pull/1150
Edit: https://github.com/kubernetes/kubernetes.github.io/pull/1206 is the correct 1.4 PR
cc @kubernetes/feature-reviewers
@pweil- I think this PR is the actual one - https://github.com/kubernetes/kubernetes.github.io/pull/1206?
Correct
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
Prevent issues from auto-closing with a /lifecycle frozen comment.
If this issue is safe to close now, please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale
In 1.10, work is being done to move PSP to a non-extensions API group.
cc @php-coder
@erictune please update the docs. See the 1.10 feature tracking spreadsheet (https://docs.google.com/spreadsheets/d/17bZrKTk8dOx5nomLrD1-93uBfajK5JS-v1o-nCLJmzE/edit#gid=0). lmk if anything is unclear. The docs PR needs to be reviewed and merged by 3/9. Thanks!
@php-coder ^
@Bradamant3 @liggitt what kind of docs update is needed?
For the changes related to the API group migration I submitted https://github.com/kubernetes/website/pull/7562, https://github.com/kubernetes/examples/pull/206, and https://github.com/kubernetes/examples/pull/208.
I'm not the right owner for PSP doc updates.
On Fri, Mar 2, 2018 at 11:26 AM, Vyacheslav Semushin <[email protected]> wrote:
@Bradamant3 https://github.com/bradamant3 @liggitt https://github.com/liggitt what kind of docs update is needed? For the changes related to the API group migration I submitted
kubernetes/website#7562 https://github.com/kubernetes/website/pull/7562,
kubernetes/examples#206 https://github.com/kubernetes/examples/pull/206,
and kubernetes/examples#208 https://github.com/kubernetes/examples/pull/208
That's all that's needed. Added the PRs to the tracking spreadsheet. Thanks!
@php-coder @liggitt @tallclair
Any plans for this in 1.11?
If so, please ensure the feature is up to date with the appropriate:
stage/{alpha,beta,stable}
sig/*
kind/feature
cc @idvoretskyi
@php-coder can you reply to @justaugustus's comment with the work you're doing here? Is there any change other than the policy group move?
Is there any change other than the policy group move?
No, I worked only on that.
@liggitt I hope you will update the description when you have time (since I don't have the appropriate permissions).
Done
@tallclair to clarify, are we tracking this as targeting stable for 1.11?
Just want to confirm whether the labels should be updated.
No, this is still beta. I'm not sure PodSecurityPolicy will ever go stable (i.e. it may be superseded by something else), but others may not agree with me on that.
Gotcha. Thanks for the update, @tallclair!
@justaugustus there has been no major progress in the current release, so I'm removing the 1.11 milestone.
Updates are planned for 1.12.
@tallclair RunAsGroup PSP support may be available in 1.12.
Confirmed. However, this is still beta. At this point there are no plans to move PSP to GA. There are some major usability issues that need to be addressed before that can move forward. (See https://github.com/kubernetes/kubernetes/issues/60001 and https://github.com/kubernetes/kubernetes/issues/56174)
/unassign
/assign @tallclair
Hello,
This enhancement has been tracked before, so we'd like to check in and see whether there are any plans for it to graduate stages in Kubernetes 1.13. This release is targeting a more "stable" result and has an aggressive timeline. Please only include this enhancement if you are confident it will meet the following deadlines.
If it needs to be included in the 1.13 enhancements tracking sheet, please update the milestone on the original post for future tracking and ping @kacole2.
Thanks!
No changes are planned for 1.13.
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now, please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra, fejta.
/lifecycle stale
/remove-lifecycle stale
@tallclair Hello - I'm the enhancements lead for 1.14 and I'm checking in on this issue to see what work (if any) is being planned for the 1.14 release. Enhancements freeze is January 29th, and please remember that all enhancements need a KEP.
Nothing is planned for 1.14.
What's the gap for this going GA? It's been a while, and there are no criteria in the description.
The following issues need to be fixed before this can go GA.
@liggitt and I have some ideas about how to address this, but there are open questions about whether it belongs in core Kubernetes. I'm hoping to publish a roadmap soon, either as a plan to go GA or as a plan to deprecate.
Thanks for sharing the info!
Is it deny-by-default, so that rolling PSP out to all clusters won't break them?
I don't think so. To do that, you would first create a PodSecurityPolicy that is sufficiently open (or fully open) and then gradually tighten it.
@zhouhaibing089 Kubernetes users can use that approach to get the feature working to control policy. However, PodSecurityPolicy is cluster-wide only, so it can't be rolled out as a Kubernetes default, which means managing a system-controlled allow-all PSP is very difficult.
Hi @liggitt @tallclair, I'm the enhancements lead for 1.15. Is this feature going to graduate alpha/beta/stable stages in 1.15? Please let me know so it can be tracked properly and added to the spreadsheet. Community proposals need to be moved to a KEP to be included in 1.15.
Once coding begins, please list all relevant k/k PRs in this issue so they can be tracked properly.
No changes are planned for 1.15.
@tallclair I'd like to see this land as GA in 1.16. Is that possible?
@lachie83 No, I'm not sure PodSecurityPolicy will go to GA. It's not clear that it's a use case that should be solved by core Kubernetes, and we're considering alternatives outside of core. SIG-Auth would be a good place to discuss the details.
@tallclair would something like Open Policy Agent's Gatekeeper be a better way forward?
Yes, exactly. That is likely the leading candidate, and I'm working closely with that team to make sure this use case is definitely covered.
One thing I'm waiting for is a tool that could convert PodSecurityPolicy -> OPA Rego policies. That would make deprecating this much easier from your perspective.
@tallclair thanks for the quick response
@SEJeff agreed. PodSecurityPolicy will not be deprecated until there is feature parity and a clear migration path to replace it.
Hey @tallclair, you mentioned either a roadmap to GA or a deprecation plan. It sounds like the latter is being pursued.
Is there anything written up that would help people who are considering PSP as a solution choose a route?
Not yet. Part of the hesitation is that we can't commit to deprecating in favor of something else until a clear alternative is found. I'm excited about Gatekeeper, but it doesn't yet have the features (or stability) needed to replace PSP. Another possibility is to move PSP out of tree and take it to GA as an admission webhook (the two options are not mutually exclusive). However, the roadmap has still not been formally laid out.
Wtf
Hi @tallclair, since it looks like nothing is happening here for 1.16, I'll leave it as is.
Hi @tallclair - 1.17 enhancements lead here - it looks like this is the same for 1.17. If that changes, feel free to poke me and I can add it to the tracking sheet.
Is there any further discussion about a clear path for the future of PSP?
Yes, exactly. That is likely the leading candidate, and I'm working closely with that team to make sure this use case is definitely covered.
@tallclair - we have implemented most of the PSP checks in Kyverno. Would you help take a look? I'd love to discuss ideas and details.
https://github.com/nirmata/kyverno/blob/master/samples/README.md
The Gatekeeper project is also considering what a post-PSP world looks like. Our initial approach was to split the PSP resource into individual constraints. We were wondering what the community thinks of that approach. Perhaps this is a good time to rethink how those policies are structured? Migration for both new users and existing PSP users will be important.
cc @maxsmythe @sozercan @tsandall
I have some concerns about splitting the policy into individual constraints, i.e. about needing to create many more constraint objects. I worry that it becomes very complex if you need to duplicate or modify them for different workloads.
I think the first approach is a user-centric one. If we could get real feedback on how PSP is used and see what a similar setup looks like under alternative plugins, that would help shape the design.
@tallclair one of the use cases we're pursuing relates to namespace-based multi-tenancy. The goal is to apply restrictions via policy and ensure namespaces are configured correctly.
The following issues need to be fixed before this can go GA.
- Flawed authorization model - use of a PSP is granted via RBAC, either to the user or to the pod being created. Granting to the user is the intuitive approach, but it is problematic (see description). This approach has a number of security issues.
@tallclair, I'm curious about the above - can you elaborate on how this approach is problematic and/or what security issues it has?
Does anyone have more information? See this tweet:
https://twitter.com/TechJournalist/status/1197658440040165377
And if it's true, what should people who use PSP today to restrict Linux capabilities do going forward?
Hi everyone,
This is a very interesting discussion; we're currently looking for a solution to protect pod creation in our Kubernetes clusters.
We looked at both OPA Gatekeeper and PodSecurityPolicies, as well as the effort to re-implement PSP with OPA constraints.
The fundamental problem we found in this comparison is that we're dealing with two opposite models.
From a security perspective I'd argue the PSP model is better, because all workloads have to comply with it, although it's harder to embed into an existing cluster.
How is this fundamental architectural gap between PSP and the constraint framework planned to be closed?
/cc @ritazh since you've been working on porting the PSP features to OPA, I'd love to hear your opinion on this.
Migration is definitely complex given the different approaches. We're exploring various ways to make the migration smoother.
I agree that in a perfect world deny-by-default is the safer approach. However, that is also one of the reasons PSP has been so hard to use and roll out. In practice I think granting permissions gradually is more feasible; as the old saying goes, "the best security is the security that gets used".
Incidentally, we've also been describing how to opt out of / exclude / get exceptions from constraints (e.g. to protect the kube-system namespace). Depending on how that works, you could implement a deny-by-default approach by locking everything down and then allowing exceptions. I'm not sure that's the use case we designed for, though...
@tallclair do you think this will progress in 1.18? I'm the enhancements shadow for the release and I'd like to know whether we need to track it.
No changes are planned for 1.18.
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now, please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra, fejta.
/lifecycle stale
/remove-lifecycle stale
@tallclair Hi Tim. Any plans for this in 1.19?
No plans for v1.19, but I expect to see some movement in the v1.20 timeframe.
I came across Kubernetes pod security policy using Open Policy Agent. @tallclair can you share what's blocking us and where help is needed? I'd also be glad to contribute in any way.
I can share what's blocking us.
Basically, we need to decide on a path forward. I think there is currently agreement that PSP should not go to GA in its current form, but we haven't decided on a replacement yet. Options we have discussed:
Am I reading https://github.com/kubernetes/kubernetes/pull/90603 correctly? Since the Pod Security Standards have been published, is a PSP replacement planned in the API server, or does the replacement need to be implemented as an external system?
See https://github.com/kubernetes/enhancements/issues/5#issuecomment-637066475
The current deprecation schedule for the beta version in 1.22 is independent of whether we provide an in-tree implementation of the standard pod security profiles. That has not been decided yet.
Thanks @liggitt, I was confirming that nothing had been set. Originally I thought nothing would be deprecated until a replacement was available. It wasn't clear whether a decision had been made in some form.
The deprecation timeline isn't specific to PSP; it was added as part of https://github.com/kubernetes/enhancements/tree/master/keps/sig-architecture/1635-prevent-permabeta.
If I'm reading this correctly, what's driving the deprecation is that there shouldn't be a beta-version API that is more than 9 months old, so PSP has to be graduated or deprecated, and since there is no new beta or GA for PSP it has to be put on track for deprecation even though a replacement hasn't been decided?
If I'm reading this correctly, what's driving the deprecation is that a beta-version API must not be used for more than 9 months
Exactly. All future beta versions of all built-in APIs come with pre-baked deprecation and removal targets when they are first introduced.
Hi @tallclair
Enhancements freeze is coming soon. Any plans for this in 1.20?
Thanks,
Kirsten
No plans for v1.20.
This situation is very frustrating for those of us who need to run high-security clusters. Our options are as follows:
So my company implemented fully locked-down PSPs. They are not simple to implement and debugging is a pain, but they are very functional and actually work. I published a blog post detailing how to use them this way and how to handle exceptions when they come up.
IMO, PSP beta needs to be merged into mainline Kubernetes core as is. My reasons are as follows:
@zapman449, can you clarify what you mean by "a fully restricted PSP replacement"?
If it helps, the Gatekeeper PSP library makes it easy to apply rules similar to the ones used with PSP. I'm definitely interested in the functional gaps you're seeing.
@zapman449 do you have a link to your blog post?
@christianhuening https://developer.squareup.com/blog/kubernetes-pod-security-policies
@maxsmythe I haven't kept up with what Gatekeeper PSP does, so I'll review it.
But what I meant was:
These are currently provided along with PSP.
If you want whitelisting, please do the following:
@zapman449 - in case you haven't seen it yet, we discussed the future of PSP at the last sig-auth meeting (https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#heading=h.hsgtsqg83z5u). We'll continue the discussion at the December 9 meeting if possible; no final decision will be made until a proposal is sent to the mailing list.
Our intent here is not to leave anyone high and dry. We know PSP addresses important security needs in Kubernetes, and the purpose of these discussions is to find the best way to meet those needs going forward.