Upgrade to Pro — share decks privately, control downloads, hide ads and more …

乗っ取れKubernetes!!~リスクから学ぶKubernetesセキュリティの考え方~/k...

mochizuki875
November 28, 2024
Technology
2
130

 乗っ取れKubernetes!!~リスクから学ぶKubernetesセキュリティの考え方~/k8s-risk-and-security

2024/11/28 CloudNative Days Winter 2024
15:20-16:00 Track C
乗っ取れKubernetes!!
~リスクから学ぶKubernetesセキュリティの考え方~

セッション動画
https://event.cloudnativedays.jp/cndw2024/talks/2378

mochizuki875

November 28, 2024
Tweet

More Decks by mochizuki875

See All by mochizuki875
リスクから学ぶKubernetesコンテナセキュリティ/k8s-risk-and-security
mochizuki875
1
420
コンテナ専用OS Talos LinuxによるKubernetesクラスタの構築
mochizuki875
1
550
Kubernetes Member になりました~CNDT 2023 LT~/CNDT2023 LT
mochizuki875
5
520
KubernetesのSecret管理~Vaultへの超入門~/Vault on Kubernetes
mochizuki875
2
530
コンテナってなあに?/Container Basic
mochizuki875
1
180
pod-security-admission-k8s-policy
mochizuki875
1
1.1k
container-seccomp
mochizuki875
1
1.5k
container-immutable
mochizuki875
1
470
container-dev-security
mochizuki875
24
4.4k

Other Decks in Technology

See All in Technology
OCI Security サービス 概要
oracle4engineer
PRO
0
6.6k
RAMP2024
takeyukitamura
2
180
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
240
偶有的複雑性と戦うためのアーキテクチャとチームトポロジー
knih
7
4.7k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
1
190
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
3
390
SSMRunbook作成の勘所_20241120
koichiotomo
3
190
Android 15 でウィジェットピッカーのプレビュー画像をGlanceで魅せたい/nikkei-tech-talk-27-1
nikkei_engineer_recruiting
0
110
Amazon ECSとCloud Runの相互理解で広げる クラウドネイティブの景色 / Mutually understanding Amazon ECS and Cloud Run
iselegant
7
390
Yahoo! JAPANトップページにおけるマイクロフロントエンド - 大規模組織におけるFE開発を加速させるには
lycorptech_jp
PRO
0
1.5k
もし大規模障害が、10分で解決できたら?
masaaki_k
0
120
OOM発生時のトラブルシューティング Profilerを活用できるか調査してみた
atsushii
0
220

Featured

See All Featured
Being A Developer After 40
akosma
87
590k
YesSQL, Process and Tooling at Scale
rocio
169
14k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Happy Clients
brianwarren
98
6.7k
How to Ace a Technical Interview
jacobian
276
23k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
4 Signs Your Business is Dying
shpigford
180
21k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k

Transcript

  1.  5SBDL$ !NPDIJ[VLJ ৐ͬऔΕ,VCFSOFUFTʂʂ ʙϦεΫ͔ΒֶͿ,VCFSOFUFTηΩϡϦςΟͷߟ͑ํʙ

  2. XIPBNJ !NPDIJ[VLJ 🌕,FJUB.PDIJ[VLJ ❤,VCFSOFUFT 🚨"GPY OPUBSBDDPPOEPH

  3. ஫ҙࣄ߲ ຊൃද͸αΠόʔ߈ܸΛߠఆ͢Δ΋ͷͰ͸͋Γ·ͤΜ ܝࡌ಺༰͸ݸਓͷݟղͰ͋Γɺॴଐ͢Δاۀ΍૊৫ͷཱ৔ɺઓུɺҙݟΛ୅ද͢Δ΋ͷͰ͸͋Γ·ͤΜ هࡌ͞Ε͍ͯΔձ໊ࣾɺ঎඼໊ɺ·ͨ͸αʔϏε໊͸ɺ֤ࣾͷ঎ඪొ࿥·ͨ͸঎ඪͰ͢

  4. "HFOEB ಋೖ ɹຊηογϣϯͷΰʔϧ ɹ,VCFSOFUFTηΩϡϦςΟͷશମ૾ ɹ,VCFSOFUFTηΩϡϦςΟͷϓϥΫςΟε ,VCFSOFUFT΁ͷ߈ܸࣄྫ ɹঢ়گઃఆ ɹ۩ମతͳ߈ܸࣄྫ ɹɹ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1

     ɹɹෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1  ɹɹ/PEF΁ͷ৵ೖ 45&1  ɹ߈ܸࣄྫͷ෮श ରࡦͷߟ͑ํ ɹ<ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1  ɹ<ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1  ɹ<ରࡦ>/PEF΁ͷ৵ೖ 45&1  ɹରࡦͷ·ͱΊ ·ͱΊ

  5. "HFOEB ಋೖ ɹຊηογϣϯͷΰʔϧ ɹ,VCFSOFUFTηΩϡϦςΟͷશମ૾ ɹ,VCFSOFUFTηΩϡϦςΟͷϓϥΫςΟε ,VCFSOFUFT΁ͷ߈ܸࣄྫ ɹঢ়گઃఆ ɹ۩ମతͳ߈ܸࣄྫ ɹɹ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1

     ɹɹෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1  ɹɹ/PEF΁ͷ৵ೖ 45&1  ɹ߈ܸࣄྫͷ෮श ରࡦͷߟ͑ํ ɹ<ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1  ɹ<ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1  ɹ<ରࡦ>/PEF΁ͷ৵ೖ 45&1  ɹରࡦͷ·ͱΊ ·ͱΊ

  6. ಋೖ ,VCFSOFUFT͸Ϋϥ΢υωΠςΟϒٕज़ͷதͰ΋޿͘׆༻͞ΕΔٕज़ͱͳΓ·ͨ͠ɻ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

  7. ಋೖ ぶっちゃけ よくわからんけど いい感じにね! は い っ ! Kubernetesセキュリティやって。

  8. ಋೖ ͿͬͪΌ͚΍Γͨ͘ͳ͍ むずそう。。。 え、やだ え、待って、 何やれば良いの? k8sセキュリティ is 何?

  9. ಋೖ ಛʹ1SPEVDUJPO؀ڥͰ,VCFSOFUFTΛར༻͢Δ࣌ ηΩϡϦςΟͷݕ౼͸ආ͚ͯ௨Δ͜ͱͷͰ͖ͳ͍՝୊ͷͭ 🛡 🗡 Ͱ΋΍Βͳ͖Ό͍͚ͳ͍

  10. ಋೖ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

  11. ಋೖ ,VCFSOFUFTηΩϡϦςΟʹؔ͢ΔϓϥΫςΟε͸৭ʑ͋Δ CVU ϦεΫΛΠϝʔδͰ͖ͳ͍ঢ়ଶͰରࡦΛߦ͏ͷ͸೉͍͠

  12. ຊηογϣϯͷΰʔϧ 🏁ΰʔϧ ɹ✅۩ମతͳ߈ܸࣄྫʹ৮ΕΔ͜ͱͰϦεΫͷղ૾౓Λ্͛Δ ɹ✅߈ܸࣄྫΛ౿·͑ͯ୅දతͳରࡦख๏Λ஌Δ͜ͱͰରࡦͷҙٛΛཧղ͢Δ ⚠࿩͞ͳ͍͜ͱ ɹ❌ϦεΫɾରࡦʹؔ͢Δ໢ཏతͳղઆ ɹ❌֤छରࡦख๏ͷৄࡉͳղઆ ɹ❌ΞϓϦέʔγϣϯ΍ίϯςφͷηΩϡϦςΟʹؔ͢Δղઆ

  13. ,VCFSOFUFTηΩϡϦςΟͷશମ૾ ,VCFSOFUFTͷηΩϡϦςΟ͸ɺ࣍ͷΑ͏ʹϨΠϠʹ෼͚ͯߟ͑Δ͜ͱ͕Ͱ͖·͢ɻ Ұൠతʹ͸֤ϨΠϠʹରͯ͠ରࡦΛߦ͏ଟ૚๷ޚͷߟ͑ํ͕ਪ঑͞Ε·͢ɻ ࠓճ͸͜ͷதͰ΋ओʹ,VCFSOFUFTͷϨΠϠΛத৺ʹείʔϓΛ౰ͯͯղઆ͠·͢ɻ "QQMJDBUJPO 安全なワークロードをコンテナとして実行する 安全なコンテナ実行環境を提供する $POUBJOFS*NBHF $POUBJOFS ,VCFSOFUFT

    $MPVE%BUBDFOUFS 今回は この辺りの話

  14. ,VCFSOFUFTͷηΩϡϦςΟʹؔ͢ΔϓϥΫςΟε ✅,VCFSOFUFT4FDVSJUZ 0 ff i DJBM  ɹɹIUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZ ✅$*4,VCFSOFUFT#FODINBSLT ɹɹIUUQTXXXDJTFDVSJUZPSHCFODINBSLLVCFSOFUFT

    ✅08"41,VCFSOFUFT4FDVSJUZ$IFBU4IFFU ɹɹIUUQTDIFBUTIFFUTFSJFTPXBTQPSHDIFBUTIFFUT,VCFSOFUFT@4FDVSJUZ@$IFBU@4IFFUIUNM ✅08"41,VCFSOFUFT5PQ5FO ɹɹIUUQTPXBTQPSHXXXQSPKFDULVCFSOFUFTUPQUFO ✅,VCFSOFUFT)BSEFOJOH(VJEF ɹɹIUUQTNFEJBEFGFOTFHPW"VH$53@,6#&3/&5&4@)"3%&/*/(@(6*%"/$&@@1%' ✅/*4541"QQMJDBUJPO$POUBJOFS4FDVSJUZ(VJEF ɹɹIUUQTOWMQVCTOJTUHPWOJTUQVCTTQFDJBMQVCMJDBUJPOTOJTUTQQEG

  15. ,VCFSOFUFTͷηΩϡϦςΟʹؔ͢ΔϓϥΫςΟε ✅.*53&"55$,$POUBJOFST.BUSJY ɹɹIUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZ ✅5ISFBUNBUSJYGPS,VCFSOFUFT ɹɹIUUQTXXXNJDSPTPGUDPNFOVTTFDVSJUZCMPHBUUBDLNBUSJYLVCFSOFUFT ɹɹIUUQTXXXNJDSPTPGUDPNFOVTTFDVSJUZCMPHTFDVSFDPOUBJOFSJ[FEFOWJSPONFOUTXJUIVQEBUFEUISFBUNBUSJYGPSLVCFSOFUFT

  16. "HFOEB ಋೖ ɹຊηογϣϯͷΰʔϧ ɹ,VCFSOFUFTηΩϡϦςΟͷશମ૾ ɹ,VCFSOFUFTηΩϡϦςΟͷϓϥΫςΟε ,VCFSOFUFT΁ͷ߈ܸࣄྫ ɹঢ়گઃఆ ɹ۩ମతͳ߈ܸࣄྫ ɹɹ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1

     ɹɹෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1  ɹɹ/PEF΁ͷ৵ೖ 45&1  ɹ߈ܸࣄྫͷ෮श ରࡦͷߟ͑ํ ɹ<ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1  ɹ<ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1  ɹ<ରࡦ>/PEF΁ͷ৵ೖ 45&1  ɹରࡦͷ·ͱΊ ·ͱΊ

  17. ঢ়گઃఆ ͜͜Ͱ͸ͱ͋Δ,VCFSOFUFTΫϥελʹ߈ܸऀ͕֎෦͔Β৵ೖ͠ɺ ࠷ऴతʹͦͷதʹଘࡏ͢Δൿີ৘ใΛୣऔ͢ΔྫΛ঺հ͠·͢ɻ ݱ࣌఺Ͱ͸ߏ੒౳ͷ৘ใ͸໌Β͔ʹ͠·ͤΜͷͰɺ ߈ܸऀͷ໨ઢͰԿ͕ى͍ͬͯ͜Δ͔Λମײ͠ͳ͕Β͓ฉ͖௖͚Ε͹ͱࢥ͍·͢ɻ ˞ݕূ؀ڥʹ͸,VCFSOFUFTWΛ࢖༻͍ͯ͠·͢ɻ

  18. ৐ͬऔ͍͎ͬͯ͘ʂʂ 😎

  19. ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ࠷ॳʹ߈ܸऀ͸ϙʔτεΩϟϯΛߦ͍·͢ɻ εΩϟϯͷ݁ՌɺΠϯλʔωοτ্ʹϙʔτ͕ެ։͞Ε͍ͯΔͷΛൃݟ͠·͢ɻ QPSU ONBQQ99999 /NBQTDBOSFQPSUGPSOPEF """"  )PTUJTVQ

    TMBUFODZ  /PUTIPXODMPTFEUDQQPSUT DPOOSFGVTFE  103545"5&4&37*$&  UDQPQFOVOLOPXO  /NBQEPOF*1BEESFTT IPTUVQ TDBOOFEJOTFDPOET

  20. ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ࣮ࡍʹDFOTZTͰݕࡧͯ͠ΈΔͱɺ໿,΋ͷϙʔτ͕Πϯλʔωοτʹެ։͞Ε͍ͯΔ ͜ͱ͕֬ೝͰ͖·͢ɻ IUUQTTFBSDIDFOTZTJPTFBSDI SFTPVSDFIPTUTWJSUVBM@IPTUT&9$-6%&RTFSWJDFTTFSWJDF@OBNF%,6#&3/&5&4 BOE TFSWJDFTQPSU% 55.5Kのホストで 10250

    portが公開されている

  21.  ࢀߟ ,VCFSOFUFTͷΞʔΩςΫνϟ LVCFMFUͱݺ͹ΕΔ/PEFͷ"HFOU͕ϙʔτͰ"1*Λެ։͍ͯ͠Δɻ LVCFDUM FUDE LVCFQSPYZ LVCFMFU LVCFBQJTFSWFS LVCFDPOUSPMMFSNBOBHFS

    LVCFTDIFEVMFS /PEFͰ1PEΛ؅ཧ͢Δ"HFOU LVCFBQJTFSWFS͔Β ϦΫΤετΛड͚෇͚Δ"1*Λ ϙʔτͰެ։ 

  22.  ࢀߟ LVCFMFUͷ"1*࣮૷ IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTCMPCSFMFBTFQLHLVCFMFUTFSWFSTFSWFSHP ࠓճͷσϞͰ͸ҎԼΛ࢖༻ ɹQPETLVCFMFU͕؅ཧ͢Δ1PEҰཡΛऔಘ ɹSVOࢦఆͨ͠1PEʹؚ·ΕΔίϯςφͰ೚ҙͷίϚϯυΛ࣮ߦ

  23. ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ߈ܸऀ͸ϙʔτ͕LVCFMFU͕"1*Λެ։͍ͯ͠Δϙʔτͩͱਪଌ͠ɺ"1*ͷ࣮ߦΛࢼΈ·͢ɻ ·ͣ͸LVCFMFU͕؅ཧ͍ͯ͠Δ1PEҰཡΛऔಘ͢ΔͨΊͷQPETͱ͍͏ΤϯυϙΠϯτʹ ϦΫΤετΛૹ৴ͯ͠Έ·͢ɻ OPEF """" QPET /0%&@*1"""" DVSMLIUUQT/0%&@*1QPET

  24. ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ͢Δͱ/PEFͰ࣮ߦ͞Ε͍ͯΔ1PEҰཡΛऔಘͰ͖·ͨ͠ɻ UFTUQPE OPEF """" QPET DVSMLIUUQT/0%&@*1QPETcKR \ LJOE1PE-JTU

     BQJ7FSTJPOW  NFUBEBUB\^  JUFNT< \ NFUBEBUB\ OBNFUFTUQPE  OBNFTQBDFUNQ   DPOUBJOFST< \ OBNFVCVOUV   test-podというPodに 目を付ける

  25. ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ࣍ʹର৅ͷ1PEʹؚ·ΕΔίϯςφ಺Ͱ೚ҙͷίϚϯυΛϦϞʔτ࣮ߦ͢ΔͨΊͷSVOͱ͍͏ ΤϯυϙΠϯτʹϦΫΤετΛૹ৴͠·͢ɻ ·ͣ͸͜ͷޙͷ߈ܸʹ࢖༻͢ΔODBUΛίϯςφʹΠϯετʔϧ͠·͢ɻ UFTUQPE OPEF """" SVO DNE

    DVSML91045(IUUQT/0%&@*1SVOUNQUFTUQPEVCVOUVEBUBVSMFODPEFDNEBQUVQEBUF DVSML91045(IUUQT/0%&@*1SVOUNQUFTUQPEVCVOUVEBUBVSMFODPEFDNEBQUJOTUBMMZODBU ncatをインストール /podsで取得したPodを対象に /runを実行

  26. ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ଓ͍ͯΠϯετʔϧͨ͠ODBU༻͍ͯϦόʔεγΣϧΛ࣮ߦ͠·͢ɻ ͜ΕͰ߈ܸऀ͸ެ։͞Ε͍ͯͨLVCFMFUΛܦ༝ͯ͠1PEʹؚ·ΕΔίϯςφʹ৵ೖͰ͖·ͨ͠ɻ ͸࣮ࡍʹ͸දࣔ͞Ε·ͤΜ UFTUQPE OPEF """" SVO DNE

    3FWFSTF 4IFMM DVSML91045(IUUQT/0%&@*1SVOUNQUFTUQPEVCVOUV EBUBVSMFODPEFDNECJOODFCJOCBTI߈ܸ୺຤*1ΞυϨε リバースシェルを実行 ODMQ IPTUOBNF UFTUQPE XIPBNJ SPPU コンテナに侵入できた 😊 1000ポートで待ち受け ߈ܸ୺຤

  27. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ৵ೖͨ͠ίϯςφ಺ͰLVCFDUMίϚϯυΛΠϯετʔϧ͠·͢ɻ UFTUQPE OPEF """" BQUJOTUBMMZDVSM DVSM-0IUUQTEMLTJPSFMFBTFWCJOMJOVYBNELVCFDUM DINPE YLVCFDUM

    NWLVCFDUMVTSMPDBMCJOLVCFDUM

  28. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ͜ͷ1PE͕,VCFSOFUFTΫϥελʹରͯ͠ͲͷΑ͏ͳݖݶΛ͍࣋ͬͯΔ͔֬ೝͯ͠Έ·͢ɻ Ͳ͏΍Β͜ͷ1PEʹ͸ɺ৵ೖͨ͠,VCFSOFUFTΫϥελʹ͓͍ͯ1PEʹؔ͢ΔҰఆͷݖݶ͕ ෇༩͞Ε͍ͯͦ͏Ͱ͢ɻ UFTUQPE OPEF """" LVCFDUMBVUIDBOJMJTU 3FTPVSDFT/PO3FTPVSDF63-T3FTPVSDF/BNFT7FSCT

    QPETFYFD<><>< > QPETMPH<><>< >  QPET<><><HFUMJTU >  クラスタ上の Podに関する権限が 付与されている

  29. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ͜ΕΒͷݖݶΛར༻ͯ͠ɺ·ͣ͸,VCFSOFUFTΫϥελͰ࣮ߦ͞Ε͍ͯΔ1PEҰཡΛऔಘ͠·͢ɻ UFTUQPE OPEF """" LVCFDUMHFUQPEPXJEF" /".&41"$&/".&3&"%:45"564/0%&  LVCFTZTUFNLVCFBQJTFSWFSDQ3VOOJOHDQ

     QSPECBDLFOEBQQ3VOOJOHOPEF UNQUFTUQPE3VOOJOHOPEF

  30. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ͜ͷ݁Ռ͔Βɺ৵ೖͨ͠,VCFSOFUFTΫϥελ͸গͳ͘ͱ΋ҎԼͷߏ੒Ͱ͋Δ͜ͱ͕෼͔Γ·ͨ͠ɻ ·ͨɺOPEFͷQSPEͱ͍͏/BNFTQBDFʹॏཁͳ৘ใΛ͍࣋ͬͯͦ͏ͳ1PEΛൃݟ͠·ͨ͠ɻ ͔͜͜Β͸ɺ͜ͷ1PEΛ߈ܸͷλʔήοτͱ͠·͢ɻ QSPE UNQ CBDLFOEBQQ UFTUQPE OPEF

    #### OPEF """" DQ $$$$

  31. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ·ͣ͸LVCFDUMFYFDͰ৵ೖΛࢼΈ·͢ɻ͔͠͠Ԡ౴͕ͳ͘ίϚϯυͷ࣮ߦʹࣦഊͨ͠Α͏Ͱ͢ɻ /BNFTQBDF͕ҟͳΔͨΊɺݖݶ͕ෆ଍͍ͯ͠Δͱ૝ఆ͞Ε·͢ɻ QSPE UNQ CBDLFOEBQQ UFTUQPE OPEF ####

    OPEF """" DQ $$$$ LVCFDUMFYFDJUCBDLFOEBQQOQSPECJOCBTI 😇 😢

  32. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ௚઀1PEʹ৵ೖ͢Δ͜ͱ͸׎Θͳ͔ͬͨͷͰɺ৵ೖͨ͠1PEͱಉ͡/BNFTQBDF͔ͭ λʔήοτͱͳΔ1PEͱಉ͡/PEFʹ౿୆ͱͳΔ੬ऑͳ ಛݖίϯςφΛؚΉ 1PEΛσϓϩΠ͠ɺ ͦΕΛܦ༝ͯ͠߈ܸΛࢼΈΔ͜ͱʹ͠·͢ɻ QSPE UNQ UNQ

    NBMJDJPVTQPE CBDLFOEBQQ UFTUQPE OPEF #### OPEF """" DQ $$$$ DBU&0'cLVCFDUMBQQMZG BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFNBMJDJPVTQPE OBNFTQBDFUNQ TQFD IPTU1*%USVF DPOUBJOFST OBNFVCVOUV JNBHFVCVOUV DPNNBOE<CJOTI D XIJMFEPTMFFQEPOF> TFDVSJUZ$POUFYU QSJWJMFHFEUSVF OPEF4FMFDUPS LVCFSOFUFTJPIPTUOBNFOPEF &0' 脆弱な設定 ターゲットと同じNode 侵入したPodと同じNamespace

  33. ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1 ίϚϯυΛ࣮ߦͨ݁͠Ռɺλʔήοτͷ1PEͱಉ͡/PEFʹ੬ऑͳ1PEͷσϓϩΠ͢Δ͜ͱ͕ Ͱ͖·ͨ͠ɻ ͜͜Ͱ͸͜ͷ࣍ͷ߈ܸʹ༻͍ΔͨΊͷ1PEΛσϓϩΠ͠·͕ͨ͠ɺ࣮ࡍͷ߈ܸͰ͸ΫϦϓτϚΠφʔͷΑ͏ͳ1PEΛσϓϩΠ͞ΕΔέʔε΋૝ఆ͞Ε·͢ɻ QSPE UNQ UNQ NBMJDJPVTQPE CBDLFOEBQQ

    UFTUQPE OPEF #### OPEF """" DQ $$$$ LVCFDUMHFUQPEPXJEFOUNQ /".&3&"%:45"564/0%& NBMJDJPVTQPE3VOOJOHOPEF UFTUQPE3VOOJOHOPEF

  34. /PEF΁ͷ৵ೖ 45&1 ͔͜͜Β͸ઌ΄ͲσϓϩΠͨ͠੬ऑͳ1PEΛར༻ͯ͠ɺλʔήοτͱͳΔ1PEʹΞΫηε ͢Δ͜ͱΛࢼΈ·͢ɻ ·ͣ͸LVCFDUMFYFDίϚϯυΛ༻͍ͯɺ੬ऑͳ1PEʹΞΫηε͠·͢ɻ UNQ NBMJDJPVTQPE OPEF #### QSPE

    CBDLFOEBQQ LVCFDUMFYFDJUNBMJDJPVTQPEOUNQCJOCBTI IPTUOBNF NBMJDJPVTQPE XIPBNJ SPPU デプロイしたPodにアクセス

  35. /PEF΁ͷ৵ೖ 45&1 ߈ܸऀ͕OPEFʹσϓϩΠͨ͠੬ऑͳ1PEʹ͸ಛݖ͕෇༩͞Ε͍ͯ·͢ɻ ͜ΕΛར༻͢Δ͜ͱͰɺ߈ܸऀ͸OPEFʹ৵ೖ͢Δ͜ͱ͕Ͱ͖·͢ɻ ͜ͷΑ͏ʹίϯςφ͔Β/PEFʹ৵ೖ͢Δ͜ͱΛ$POUBJOFS#SFBLPVUͱݺͼ·͢ɻ UNQ NBMJDJPVTQPE OPEF #### QSPE

    CBDLFOEBQQ (勝った...!) 😏 OTFOUFSUBCJOCBTI QZUIPODJNQPSUQUZQUZTQBXO CJOCBTI  SPPU!OPEFIPTUOBNF OPEF SPPU!OPEFXIPBNJ SPPU コンテナからNodeに侵入できた

  36. /PEF΁ͷ৵ೖ 45&1 OPEFͰ࣮ߦ͞Ε͍ͯΔίϯςφҰཡΛ֬ೝ͠·͢ɻ UNQ NBMJDJPVTQPE OPEF #### QSPE CBDLFOEBQQ SPPU!OPEFDSJDUMQT

    $0/5"*/&3/".&10% ECCGCBVCVOUVNBMJDJPVTQPE EBBFDGDBQQCBDLFOEBQQ

  37. /PEF΁ͷ৵ೖ 45&1 /PEF͔Β߈ܸର৅ͷίϯςφʹ৵ೖ͠୳ࡧΛߦͳͬͨ݁Ռɺ ࠓճ͸ൿີ৘ใͱͯ͠ɺ͜ͷ1PE͕઀ଓͯ͠Δͱ૝ఆ͞ΕΔ%#ͷ৘ใΛୣऔͰ͖·ͨ͠ɻ UNQ NBMJDJPVTQPE OPEF #### QSPE CBDLFOEBQQ

    %# SPPU!CBDLFOEBQQDSJDUMFYFDJUEBBFDGDCJOCBTI SPPU!CBDLFOEBQQMTEBUB DSFEFOUJBMT SPPU!CBDLFOEBQQDBUEBUBDSFEFOUJBMT %"5"#"4&@)045ECFYBNQMFDPN %"5"#"4&@1035 %"5"#"4&@/".&DVTUPNFS %"5"#"4&@64&3/".&VTFS %"5"#"4&@1"44803%1!TTXSE 秘密情報を奪取できた 👍

  38. ΍ͬͨͥʂʂ 😈

  39. ߈ܸࣄྫͷ෮श ࠓճͷ߈ܸࣄྫΛ·ͱΊΔͱҎԼͷΑ͏ʹͳΓ·͢ɻ ɹ✅45&1,VCFSOFUFTΫϥελ΁ͷ৵ೖ ɹ✅45&1ෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ ɹ✅45&1/PEF΁ͷ৵ೖ QSPE UNQ UNQ 45&1 45&1

    45&1 NBMJDJPVTQPE CBDLFOEBQQ UFTUQPE OPEF #### OPEF """" DQ $$$$

  40. ߈ܸࣄྫͷ෮श ͜ͷΑ͏ͳ͜ͱ͕ݱ࣮ʹى͜ΓಘΔͷ͔ͱٙ໰Λ࣋ͨΕͨํ΋͍Δ͔΋͠Ε·ͤΜ͕ɺ ࠓճ঺հͨ͠߈ܸࣄྫ͸աڈ࣮ࡍʹߦΘΕͨLVCFMFUͷ"1*Λૂͬͨ߈ܸࣄྫΛࢀߟʹ͍ͯ͠·͢ɻ 5FBN5/55BSHFUT,VCFSOFUFT /FBSMZ *1T$PNQSPNJTFEJO8PSNMJLF"UUBDL IUUQTXXXUSFOENJDSPDPNFO@VTSFTFBSDIFUFBNUOUUBSHFUTLVCFSOFUFTOFBSMZJQTDPNQSPNJTFEIUNM

  41. 何がいけなかったのか? どうすれば良かったのか?

  42. "HFOEB ಋೖ ɹຊηογϣϯͷΰʔϧ ɹ,VCFSOFUFTηΩϡϦςΟͷશମ૾ ɹ,VCFSOFUFTηΩϡϦςΟͷϓϥΫςΟε ,VCFSOFUFT΁ͷ߈ܸࣄྫ ɹঢ়گઃఆ ɹ۩ମతͳ߈ܸࣄྫ ɹɹ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1

     ɹɹෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1  ɹɹ/PEF΁ͷ৵ೖ 45&1  ɹ߈ܸࣄྫͷ෮श ରࡦͷߟ͑ํ ɹ<ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1  ɹ<ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1  ɹ<ରࡦ>/PEF΁ͷ৵ೖ 45&1  ɹରࡦͷ·ͱΊ ·ͱΊ

  43. ରࡦͷߟ͑ํ ͔͜͜Β͸ࠓճͷ߈ܸࣄྫͷ֤45&1Ͱىͬͨ͜͜ͱΛϕʔεʹɺ ͦͷཁҼͱ,VCFSOFUFTΫϥελʹରͯ͠ͲͷΑ͏ͳରࡦΛߦͳ͓ͬͯ͘΂͖͔ͩͬͨΛղઆ͠·͢ɻ ཁҼ ରࡦ

  44. <ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1

  45. <ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 45&1Ͱ͸߈ܸऀ͕,VCFSOFUFTΫϥελΛߏ੒͢ΔίϯϙʔωϯτͷͭͰ͋Δ LVCFMFUͷ"1*Λෆਖ਼ʹ࣮ߦ͢Δ͜ͱͰɺ֎෦͔Β1PEʹ৵ೖ͢ΔʹࢸΓ·ͨ͠ɻ QSPE UNQ UNQ NBMJDJPVTQPE CBDLFOEBQQ UFTUQPE

    OPEF #### OPEF """" DQ $$$$ ֎෦͔ΒLVCFMFUͷ"1*Λ ෆਖ਼ʹ࣮ߦ͞Εͨ

  46. <ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ɹ✅,VCFSOFUFTίϯϙʔωϯτͷઃఆ

  47. <ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ɹ✅,VCFSOFUFTίϯϙʔωϯτͷઃఆ

  48. ,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ,VCFSOFUFTͷ֤ίϯϙʔωϯτ͸ɺίϯϙʔωϯτؒͷ࿈ܞ΍ϔϧενΣοΫͳͲͷ໨తͰ ಛఆͷϙʔτΛެ։͍ͯ͠·͢ɻ45&1Ͱ͸LVCFMFUͷϙʔτ͕֎෦ެ։͞Ε͍ͯͨ͜ͱ͕ɺ ߈ܸऀʹ,VCFSOFUFTΫϥελ΁ͷΞΫηεΛڐͨ͠ཁҼͰͨ͠ɻ ཁҼ FUDE LVCFQSPYZ LVCFMFU LVCFBQJTFSWFS LVCFDPOUSPMMFSNBOBHFS

    LVCFTDIFEVMFS LVCFDUM クラスタ データを保持 Podの配置を決定 各種リソースの状態を管理 Kubernetes APIを公開 クラスタネットワークを管理 NodeのPodを管理するAgent        )FBMUI$IFDL FUDE"EWJSUJTF  *OUFSOFU

  49. ,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ௨ৗ͜ΕΒ΁ͷΞΫηεݩ͸ݶఆ͞Ε͍ͯΔͨΊɺෆཁͳΞΫηεݩ͔ΒͷΞΫηε͸ېࢭ͢΂͖Ͱ͢ɻ ੍ݶΛߦ͏ཻ౓ʹ͸ٞ࿦ͷ༨஍͕͋Γ·͕͢ɺগͳ͘ͱ΋ΠϯλʔωοτͳͲෆಛఆଟ਺͔Βͷ ΞΫηε͸ېࢭ͢΂͖Ͱ͢ɻ˞֎෦ެ։͢Δඞཁͷ͋Δ1PEʹ͍ͭͯ͸-PBE#BMBODFSܦ༝Ͱެ։ FUDE LVCFQSPYZ LVCFMFU LVCFBQJTFSWFS LVCFDPOUSPMMFSNBOBHFS LVCFTDIFEVMFS

    LVCFDUM クラスタ データを保持 Podの配置を決定 各種リソースの状態を管理 Kubernetes APIを公開 クラスタネットワークを管理 NodeのPodを管理するAgent        )FBMUI$IFDL FUDE"EWJSUJTF  *OUFSOFU ରࡦ

  50. ,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ,VCFSOFUFTެࣜυΩϡϝϯτ Ͱ͸ҎԼͷΑ͏ʹɺ֤ίϯϙʔωϯτ͕ެ։͢Δϙʔτͱ ͦͷ༻్͕ղઆ͞Ε͍ͯ·͢ɻ 1PSUTBOE1SPUPDPMT IUUQTLVCFSOFUFTJPEPDTSFGFSFODFOFUXPSLJOHQPSUTBOEQSPUPDPMT ରࡦ

  51. <ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ɹ✅,VCFSOFUFTίϯϙʔωϯτͷઃఆ

  52. ,VCFSOFUFTίϯϙʔωϯτͷઃఆ OPEF """" BQJ7FSTJPOLVCFMFUDPO fi HLTJPWCFUB LJOE,VCFMFU$PO fi HVSBUJPO BVUIFOUJDBUJPO

    BOPOZNPVT FOBCMFEUSVF XFCIPPL DBDIF55-T FOBCMFEUSVF Y DMJFOU$"'JMFFUDLVCFSOFUFTQLJDBDSU BVUIPSJ[BUJPO NPEF"MXBZT"MMPX  ,VCFMFU$PO fi HVSBUJPO OPEF 匿名ユーザーの認証を許可 認可の無効化 LVCFMFU  ʹ౸ୡͰ͖Ε͹ ೝূɾೝՄෆཁͰ "1*ΞΫηεՄೳͳঢ়ଶ ,VCFSOFUFTͷ֤ίϯϙʔωϯτʹ͸༷ʑͳઃఆ߲໨͕ଘࡏ͠·͢ɻ 45&1Ͱ͸LVCFMFUͷઃఆ͕ద੾ʹߦΘΕ͓ͯΒͣɺ"1*ͷೝূɾೝՄ͕ແޮԽ͞Ε͍ͯͨ͜ͱ͕ ߈ܸऀʹLVCFMFUͷ"1*ͷ࣮ߦΛڐͨ͠ཁҼͰͨ͠ɻ  ཁҼ

  53. ,VCFSOFUFTίϯϙʔωϯτͷઃఆ ,VCFSOFUFTͷίϯϙʔωϯτʹ͸༷ʑͳઃఆ߲໨͕ଘࡏ͠·͕͢ɺ ͜ΕΒͷઃఆΛద੾ʹߦ͏ʹ͸$*4,VCFSOFUFT#FODINBSLT ͕ࢀߟʹͳΓ·͢ɻ $*4,VCFSOFUFT#FODINBSLTͰ͸/PEF͓Αͼίϯϙʔωϯτʹର͢Δਪ঑ઃఆ͕ఆٛ͞Ε͍ͯ·͢ɻ ˞Ճ͑ͯʮ1PMJDJFTʯͰ͸͜ͷޙղઆ͢Δ֤छରࡦʹ͍ͭͯ΋Ұ෦ݴٴ͞Ε͍ͯΔɻ $POUSPM1MBOF$PNQPOFOUT ɹ$POUSPM1MBOF/PEF$PO fi HVSBUJPO'JMFT

    ɹ"1*4FSWFS ɹ$POUSPMMFS.BOBHFS ɹ4DIFEVMFS FUDE $POUSPM1MBOF$PO fi HVSBUJPO ɹ"VUIFOUJDBUJPOBOE"VUIPSJ[BUJPO ɹ-PHHJOH 8PSLFS/PEFT ɹ8PSLFS/PEF$PO fi HVSBUJPO'JMFT ɹ,VCFMFU ɹLVCFQSPYZ 1PMJDJFT ɹ3#"$BOE4FSWJDF"DDPVOUT ɹ1PE4FDVSJUZ4UBOEBSET ɹ/FUXPSL1PMJDJFTBOE$/* ɹ4FDSFUT.BOBHFNFOU ɹ&YUFOTJCMF"ENJTTJPO$POUSPM ɹ(FOFSBM1PMJDJFT $*4,VCFSOFUFT#FODINBSLT IUUQTXXXDJTFDVSJUZPSHCFODINBSLLVCFSOFUFT ରࡦ

  54. ,VCFSOFUFTίϯϙʔωϯτͷઃఆ ,VCFSOFUFTΫϥελͷઃఆ͕$*4,VCFSOFUFT#FODINBSLTʹͲͷఔ౓४ڌ͍ͯ͠Δ͔Λ ֬ೝ͢Δπʔϧͱͯ͠LVCFCFODI͕͋Γ·͢ɻ ✅࣮ߦํ๏͕γϯϓϧ ɹɹ✔νΣοΫର৅/PEFͰLVCFCFODIίϚϯυΛ࣮ߦ ɹɹ✔,VCFSOFUFTͷ৔߹ɺఏڙ͞Ε͍ͯΔ:".-ͰKPCΛ࣮ߦ͢Ε͹͙͢ʹνΣοΫՄೳ ✅؀ڥʹԠͨ͡೚ҙͷόʔδϣϯࢦఆ͕Մೳ ɹɹ✔7BOJMB,VCFSOFUFTҎ֎ʹ΋&,4΍(,&ͳͲ֤छ%JTUSJCVUJPO޲͚ͷ#FODINBSLʹରԠ ✅ಛఆͷ߲໨ʹߜͬͨνΣοΫ͕Մೳ ɹɹ✔೚ҙͷ߲໨Λࢦఆ࣮ͯ͠ߦ

    ✅೚ҙͷܗࣜͰ݁Ռͷग़ྗ͕Մೳ ɹɹ✔+40/ɺ+6OJUɺ"844FDVSJUZ)VCɺ1PTUHSF42- LVCFCFODI IUUQTBRVBTFDVSJUZHJUIVCJPLVCFCFODI ରࡦ

  55. ,VCFSOFUFTίϯϙʔωϯτͷઃఆ ྫ͑͹,VCFSOFUFTͷ+PCͱͯ͠LVCFCFODIΛ࣮ߦͨ͠৔߹͸ɺ ҎԼͷΑ͏ʹ1PEͷϩάͱͯ݁͠ՌΛ֬ೝͰ͖·͢ɻ ࠓճ໰୊ͱͳͬͨLVCFMFUʹؔ͢Δઃఆͷෆඋ΋ݕ஌͞Ε͍ͯΔ͜ͱ͕֬ೝͰ͖·͢ɻ LVCFDUMBQQMZGKPCZBNM LVCFDUMMPHTLVCFCFODIDCEMO  <*/'0>,VCFMFU <'"*->&OTVSFUIBUUIFBOPOZNPVTBVUIBSHVNFOUJTTFUUPGBMTF "VUPNBUFE

     <'"*->&OTVSFUIBUUIFBVUIPSJ[BUJPONPEFBSHVNFOUJTOPUTFUUP"MXBZT"MMPX "VUPNBUFE  <1"44>&OTVSFUIBUUIFDMJFOUDB fi MFBSHVNFOUJTTFUBTBQQSPQSJBUF "VUPNBUFE  <1"44>7FSJGZUIBUUIFSFBEPOMZQPSUBSHVNFOUJTTFUUP .BOVBM  <1"44>&OTVSFUIBUUIFTUSFBNJOHDPOOFDUJPOJEMFUJNFPVUBSHVNFOUJTOPUTFUUP .BOVBM   4VNNBSZOPEF DIFDLT1"44 DIFDLT'"*- DIFDLT8"3/ DIFDLT*/'0  ରࡦ OPEFͰLVCFCFODIΛ࣮ߦͨ݁͠Ռ ൈਮ ͜ΕΒʹ͖ͪΜͱରॲ͍ͯ͠Ε͹ LVCFMFUͷ"1*͕ෆਖ਼ʹ࣮ߦ͞ΕΔͷΛ ๷͙͜ͱ͕Ͱ͖ͨ

  56. ,VCFSOFUFTίϯϙʔωϯτͷઃఆ ͨͩ͠$*4,VCFSOFUFT#FODINBSLͷਪ঑ઃఆʹ४ڌ͍ͯ͠ͳ͍͔Βͱ͍ͬͯ ͦΕ͕ඞͣ͠΋ΫϦςΟΧϧͳ໰୊ʹܨ͕Δͱ͍͏έʔε͹͔ΓͰ͸͋Γ·ͤΜɻ ·ͣ͸ݱঢ়Λೝࣝ͢Δͱ͍͏؍఺Ͱ४ڌͰ͖͍ͯͳ͍߲໨Λ֬ೝ͠ɺ $*4$POUSPMT*( ͳͲΛ౿·͑ͨ༏ઌ౓ʹج͍ͮͯରԠ༗ແͷ൑அΛߦ͏ͱྑ͍Ͱ͠ΐ͏ɻ ˞$*4,VCFSOFUFT#FODINBSLTͰ͸"QQFOEJYͱ֤߲ͯ͠໨ͱ$*4$POUSPMT*(ͷϚοϐϯά͕ܝࡌ͞Ε͍ͯΔɻ $*4$SJUJDBM4FDVSJUZ$POUSPMT*NQMFNFOUBUJPO(SPVQT IUUQTXXXDJTFDVSJUZPSHDPOUSPMTJNQMFNFOUBUJPOHSPVQT ରࡦ

  57. ,VCFSOFUFTίϯϙʔωϯτͷઃఆ ,VCFSOFUFTΫϥελΛอޢ͢Δ্Ͱಛʹҙࣝ͢΂͖ίϯϙʔωϯτ ✅LVCFBQJTFSWFS ɹɹ,VCFSOFUFTͷ"1*Λఏڙ͢Δίϯϙʔωϯτ ɹɹ,VCFSOFUFTΫϥελʹؔ͢Δ͋ΒΏΔૢ࡞Λڐͯ͠͠·͏ϦεΫʹܨ͕Δ ɹɹ45&1ͷରࡦͰղઆ͢Δ3#"$ ݖݶ੍ޚ ΍ϙϦγʔ੍ޚ΋ؔ࿈ ✅LVCFMFU ɹɹ/PEFͰ࣮ߦ͞Ε͍ͯΔ1PEΛ؅ཧ͢Δ"HFOU

    ɹɹ1PE΁ͷ৵ೖΛ͸͡Ίͱͨ͠ϦεΫʹܨ͕Δ 45&1  ✅FUDE ɹɹ,VCFSOFUFTΫϥελͷશͯͷϦιʔε৘ใΛอ࣋ ɹɹϦιʔε৘ใͷୣऔվ᜵΍࡞੒ͳͲͷϦεΫʹܨ͕Δɹ ରࡦ

  58.  ࢀߟ ͦͷଞؔ࿈πʔϧ ✅5SJWZ˞W࣌఺Ͱ͸&YQFSJNFOUBM ɹ5SJWZ,VCFSOFUFT ɹIUUQTBRVBTFDVSJUZHJUIVCJPUSJWZMBUFTUEPDTUBSHFULVCFSOFUFT ɹ$*44DBOOJOHBTQBSUPG5SJWZBOEUIF5SJWZ0QFSBUPS ɹIUUQTHJUIVCDPNBRVBTFDVSJUZLVCFCFODI UBCSFBENFPW fi

    MFDJTTDBOOJOHBTQBSUPGUSJWZBOEUIFUSJWZPQFSBUPS ✅,VCFTDBQF ɹ4DBOOJOHXJUI,VCFTDBQF ɹIUUQTLVCFTDBQFJPEPDTTDBOOJOH ରࡦ

  59. <ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1

  60. <ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1 45&1Ͱ͸ɺ߈ܸऀ͸৵ೖͨ͠1PE͔Β,VCFSOFUFT"1*ʹΞΫηε͠ɺ ߈ܸͷ౿Έ୆ͱͳΔෆਖ਼ͳϫʔΫϩʔυ ಛݖίϯςφΛؚΉ੬ऑͳ1PE ΛσϓϩΠ͠·ͨ͠ɻ QSPE UNQ UNQ NBMJDJPVTQPE

    CBDLFOEBQQ UFTUQPE OPEF #### OPEF """" DQ $$$$ ෆਖ਼ͳϫʔΫϩʔυΛσϓϩΠ

  61. <ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ɹ✅,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ ɹ✅,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ

  62. <ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ɹ✅,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ ɹ✅,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ

  63. ,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ,VCFSOFUFTͷσϑΥϧτઃఆͰ͸ɺ1PEʹରͯ͠௨৴੍ݶ͕Ұ੾ߦΘΕ͓ͯΒͣɺ σϓϩΠ͞Εͨ1PE͸ࣗ༝ʹ௨৴Λߦ͑Δঢ়ଶʹͳ͍ͬͯ·͢ɻ ͜ΕʹΑΓɺ߈ܸऀ͸৵ೖͨ͠1PE͔Β,VCFSOFUFT"1*ʹϦΫΤετΛૹ৴͢Δ͜ͱ͕Ͱ͖·ͨ͠ɻ ·ͨɺ45&1ͰߦͬͨΠϯλʔωοτ͔Βͷπʔϧͷ%-΍ɺϦόʔεγΣϧʹΑΔηογϣϯͷ ཱ֬΋Մೳͳঢ়ଶͰͨ͠ɻ *OUFSOFU UNQ UFTUQPE ཁҼ

    1PE࡞੒౳ͷϦΫΤετΛૹ৴

  64. ,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ 1PEʹର͢Δ௨৴΍1PE͔Βͷ௨৴͸ɺඞཁ࠷௿ݶͷ΋ͷʹ੍ݶ͞ΕΔ΂͖Ͱ͢ɻ ͜ͷΑ͏ͳ੍ݶ͕ߦΘΕ͍ͯΕ͹ɺ1PE͔Βͷ,VCFSOFUFT"1*΁ͷϦΫΤετΛ͸͡Ίͱͨ͠ɺ ѱҙ͋Δ௨৴Λ๷ࢭ͢Δ͜ͱ͕Ͱ͖·͢ɻ ҙਤͨ͠௨৴ͷΈΛڐՄ ҙਤ͠ͳ͍௨৴͸ېࢭ ରࡦ

  65. UNQ ,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ,VCFSOFUFTͰ͸1PEʹ/FUXPSL1PMJDZ Λద༻͢Δ͜ͱͰɺ/8੍ݶΛߦ͏͜ͱ͕Ͱ͖·͢ɻ ͜ΕʹΑΓɺҙਤͨ͠௨৴Ҏ֎Λःஅ͠ෆਖ਼ͳ௨৴ͷϦεΫΛ௿Լͤ͞Δ͜ͱʹܨ͕Γ·͢ɻ ˞ͳ͓ɺ/FUXPSL1PMJDZΛ࢖༻͢ΔͨΊʹ͸ɺ/FUXPSL1PMJDZΛαϙʔτ͢Δ/FUXPSL1MVHJOΛ࢖༻͢Δඞཁ͕͋Γ·͢ɻ ɹ·ͨɺ/FUXPSL1MVHJOʹΑͬͯ͸ಠࣗͷ/FUXPSL1PMJDZΛαϙʔτ͍ͯ͠Δέʔε΋͋Γ·͢ɻ /FUXPSL1PMJDJFT IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFSWJDFTOFUXPSLJOHOFUXPSLQPMJDJFT UFTUQPE

    BQJ7FSTJPOOFUXPSLJOHLTJPW LJOE/FUXPSL1PMJDZ NFUBEBUB OBNFEFOZBMM OBNFTQBDFUNQ TQFD QPE4FMFDUPS\^ QPMJDZ5ZQFT *OHSFTT &HSFTT BQJ7FSTJPOOFUXPSLJOHLTJPW LJOE/FUXPSL1PMJDZ NFUBEBUB OBNFUFTUOFUQPM OBNFTQBDFUNQ TQFD QPE4FMFDUPS NBUDI-BCFMT BQQUFTU QPMJDZ5ZQFT *OHSFTT &HSFTT JOHSFTT TPNFSVMF FHSFTT TPNFSVMF ඞཁʹԠͯ͡ ݸผͷ1PEʹڐՄϧʔϧΛ ؚΉϙϦγʔΛద༻ /BNFTQBDFશମʹ શͯͷ௨৴Λېࢭ͢Δ ϙϦγʔΛద༻ ରࡦ

  66.  ิ଍ 4FSWJDFΛࢦఆͨ͠௨৴ΛڐՄ͢Δ৔߹ 4FSWJDFΛࢦఆͯ͠ଞͷ1PEʹΞΫηεΛߦ͏৔߹ɺ ,VCFSOFUFTͷ಺෦%/4 $PSF%/4 Ͱ4FSWJDFͷ໊લղܾΛߦ͏͜ͱʹͳΓ·͢ɻ ͜ͷͨΊ಺෦%/4ʹର͢Δ&HSFTT௨৴ͷڐՄΛߦ͏ඞཁ͕͋Δ఺ʹ஫ҙ͍ͯͩ͘͠͞ɻ BQJ7FSTJPOOFUXPSLJOHLTJPW LJOE/FUXPSL1PMJDZ

    NFUBEBUB OBNFUFTUOFUQPM OBNFTQBDFUNQ TQFD QPE4FMFDUPS NBUDI-BCFMT BQQUFTU QPMJDZ5ZQFT *OHSFTT &HSFTT JOHSFTT TPNFSVMF FHSFTT TPNFSVMF UP OBNFTQBDF4FMFDUPS NBUDI-BCFMT LVCFSOFUFTJPNFUBEBUBOBNFLVCFTZTUFN QPE4FMFDUPS NBUDI-BCFMT LTBQQLVCFEOT QPSUT QPSU QSPUPDPM6%1 QPSU QSPUPDPM5$1 ରࡦ 内部DNSへの通信を許可

  67. <ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ɹ✅,VCFSOFUFTΫϥελʹର͢Δݖݶ ɹ✅,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ

  68. ,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ ,VCFSOFUFTʹ͸େ͖͘෼͚ͯछྨͷϢʔβʔͷ֓೦͕ଘࡏ͠·͢ɻ ͜ΕΒʹର͠3#"$ͷ࢓૊ΈΛ༻͍Δ͜ͱͰɺ,VCFSOFUFTΫϥελʹର͢ΔݖݶΛ෇༩Ͱ͖·͢ɻ 3PMF#JOEJOH $MVTUFS3PMF#JOEJOH 3PMF $MVTUFS3PMF 6TJOH3#"$"VUIPSJ[BUJPO IUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[SCBD 6TFS(SPVQ

    4FSWJDF"DDPVOU ,VCFSOFUFTʹؔ͢ΔݖݶΛఆٛ ԿͷϦιʔε SFTPVSDFTOPO3FTPVSDF63-T ʹ Կͷૢ࡞ WFSCT ΛڐՄ͢Δ͔ Ϣʔβʔͱ ݖݶΛඥ෇͚ ,VCFSOFUFTΛૢ࡞͢ΔϢʔβʔ 㲈LVCFDUMΛ࣮ߦ͢Δਓ  ,VCFSOFUFT֎෦Ͱ؅ཧ 9ূ໌ॻ΍֎෦ϢʔβʔετΞͰఆٛ 1PEͳͲ͕࢖༻͢ΔγεςϜΞΧ΢ϯτ ,VCFSOFUFT಺෦Ͱ؅ཧ ,VCFSOFUFTͷϦιʔεͱͯ͠ఆٛ "VUIFOUJDBUJOH IUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[BVUIFOUJDBUJPO ཁҼ

  69. ,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ 45&1Ͱ߈ܸऀʹෆਖ਼ͳ1PEΛ࡞੒͞Εͯ͠·ͬͨ௚઀తͳཁҼ͸ɺ 4FSWJDF"DDPVOUʹQPET΍FYFDαϒϦιʔε ʹؔ͢Δશͯͷૢ࡞ݖݶ WFSCT ͕෇༩͞Ε͍ͯͨ͜ͱ ʹ͋Γ·͢ɻ˞LVCFDUMFYFDΛߦ͏ࡍ͸QPETFYFDͱ͍͏αϒϦιʔεʹΞΫηε͢Δ UFTUTB 3FGFSSJOHUPSFTPVSDFT IUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[SCBDSFGFSSJOHUPSFTPVSDFT

    ɹɹɹ ɹɹɹSVMFT ɹɹɹBQJ(SPVQT ɹɹɹ ɹɹɹSFTPVSDFT ɹɹɹQPET ɹɹɹQPETFYFD ɹɹɹQPETMPH ɹɹɹWFSCT ɹɹɹ  ɹɹɹ ɹɹɹSVMFT ɹɹɹBQJ(SPVQT ɹɹɹ ɹɹɹSFTPVSDFT ɹɹɹQPET ɹɹɹWFSCT ɹɹɹHFU ɹɹɹMJTU ɹɹɹBQJ7FSTJPOW ɹɹɹLJOE1PE ɹɹɹNFUBEBUB ɹɹɹOBNFUFTUQPE ɹɹɹ ɹɹɹTQFD ɹɹɹDPOUBJOFST ɹɹɹ ɹɹɹTFSWJDF"DDPVOU/BNFUFTUTB ɹɹɹ ཁҼ クラスタ全体に対する権限 Namespace内の権限

  70. ,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ ݖݶʹؔ͢Δରࡦ͸ঢ়گʹ΋ΑΓ·͕͢ɺجຊతʹ͸࠷খݖݶͷݪଇʹଇΔ΂͖Ͱ͢ɻ ͜͜Ͱ͸࣍ͷ੾ΓޱͰରࡦΛߟ͑·͢ɻ ɹᶃ,VCFSOFUFTΫϥελͷར༻ऀͱͯ͠1PEʹݖݶΛ༩͑Δ৔߹ ɹɹɹ1PEʹର͢Δద੾ͳݖݶ؅ཧ͕ߦΘΕ͍ͯΕ͹੬ऑͳ1PEͷ࡞੒Λ๷ࢭͰ͖ͨՄೳੑ͕͋Δ ɹᶄ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ɹɹɹར༻ऀʹର͢Δద੾ͳݖݶ؅ཧ͕ߦΘΕ͍ͯΕ͹1PE΁ͷݖݶ෇༩Λ๷ࢭͰ͖ͨՄೳੑ͕͋Δ 6TFS(SPVQ "ENJOJTUSBUPS UFTUQPE

    UFTUTB ௚઀తݪҼ ᶃ ᶄ ରࡦ ˞ύϒϦοΫΫϥ΢υͰ͸Ϋϥ΢υαʔϏεͷݖݶΛ4FSWJDF"DDPVOUʹ ɹඥ෇͚Δͱ͍͏έʔε΋ଘࡏ͠·͕͢͜͜Ͱ͸ৄࡉʹ৮Ε·ͤΜɻ ɹ͜ͷΑ͏ͳ৔߹΋࠷খݖݶͷݪଇʹଇΔͱ͍͏ߟ͑ํʹมΘΓ͸͋Γ·ͤΜɻ

  71. ,VCFSOFUFTΫϥελͷར༻ऀͱͯ͠1PEʹݖݶΛ༩͑Δ৔߹ ✅EFGBVMU4FSWJDF"DDPVOUΛ࢖༻͢Δ ɹɹ✔1PEͷ4FSWJDF"DDPVOUΛࢦఆ͠ͳ͚Ε͹EFGBVMU4FSWJDF"DDPVOU͕ඥ෇͚ΒΕΔ ɹɹ✔EFGBVMU4FSWJDF"DDPVOU͸ݖݶΛ΄ͱΜͲ࣋ͨͳ͍ "1*΍7FSTJPO৘ใΛऔಘͰ͖Δఔ౓  ɹɹ✔ͨͩ͠EFGBVMU4FSWJDF"DDPVOUʹݖݶΛඥ෇͚ͳ͍͜ͱʹ஫ҙ ✅1PEʹ4FSWJDF"DDPVOUΛඥ෇͚ͳ͍ ɹɹ✔ҰൠతͳϫʔΫϩʔυͰ͋Ε͹,VCFSOFUFTʹؔ͢Δݖݶ͸ͦ΋ͦ΋ෆཁͳ͜ͱ͕ଟ͍ ɹɹ✔EFGBVMU4FSWJDF"DDPVOUͰ͸,VCFSOFUFTΫϥελʹର͢Δೝূࣗମ͸ߦ͑ͯ͠·͏

    ɹɹ✔4FSWJDF"DDPVOUΛඥ෇͚ͳ͚Ε͹ೝূ͞ΕΔͷΛ๷ࢭͰ͖Δ ✅ݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔΍ΉΛಘͣݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹɹɹFH1PEͷࢀরͷΈ͕ඞཁͰ͋Ε͹HFU΍MJTUͷΈʹWFSCTΛݶఆ͢Δ %FGBVMUTFSWJDFBDDPVOUT IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZTFSWJDFBDDPVOUTEFGBVMUTFSWJDFBDDPVOUT ରࡦ

  72. ,VCFSOFUFTΫϥελͷར༻ऀͱͯ͠1PEʹݖݶΛ༩͑Δ৔߹ ✅EFGBVMU4FSWJDF"DDPVOUΛ࢖༻͢Δ ɹɹ✔1PEͷ4FSWJDF"DDPVOUΛࢦఆ͠ͳ͚Ε͹EFGBVMU4FSWJDF"DDPVOU͕ඥ෇͚ΒΕΔ ɹɹ✔EFGBVMU4FSWJDF"DDPVOU͸ݖݶΛ΄ͱΜͲ࣋ͨͳ͍ "1*΍7FSTJPO৘ใΛऔಘͰ͖Δఔ౓  ɹɹ✔ͨͩ͠EFGBVMU4FSWJDF"DDPVOUʹݖݶΛඥ෇͚ͳ͍͜ͱʹ஫ҙ ✅1PEʹ4FSWJDF"DDPVOUΛඥ෇͚ͳ͍ ɹɹ✔ҰൠతͳϫʔΫϩʔυͰ͋Ε͹,VCFSOFUFTʹؔ͢Δݖݶ͸ͦ΋ͦ΋ෆཁͳ͜ͱ͕ଟ͍ ɹɹ✔EFGBVMU4FSWJDF"DDPVOUͰ͸,VCFSOFUFTΫϥελʹର͢Δೝূࣗମ͸ߦ͑ͯ͠·͏

    ɹɹ✔4FSWJDF"DDPVOUΛඥ෇͚ͳ͚Ε͹ೝূ͞ΕΔͷΛ๷ࢭͰ͖Δ ✅ݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔΍ΉΛಘͣݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹɹɹFH1PEͷࢀরͷΈ͕ඞཁͰ͋Ε͹HFU΍MJTUͷΈʹWFSCTΛݶఆ͢Δ %FGBVMUTFSWJDFBDDPVOUT IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZTFSWJDFBDDPVOUTEFGBVMUTFSWJDFBDDPVOUT BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFUFTUQPE  TQFD DPOUBJOFST  TFSWJDF"DDPVOU/BNFUFTUTB  ରࡦ

  73. ,VCFSOFUFTΫϥελͷར༻ऀͱͯ͠1PEʹݖݶΛ༩͑Δ৔߹ ✅EFGBVMU4FSWJDF"DDPVOUΛ࢖༻͢Δ ɹɹ✔1PEͷ4FSWJDF"DDPVOUΛࢦఆ͠ͳ͚Ε͹EFGBVMU4FSWJDF"DDPVOU͕ඥ෇͚ΒΕΔ ɹɹ✔EFGBVMU4FSWJDF"DDPVOU͸ݖݶΛ΄ͱΜͲ࣋ͨͳ͍ "1*΍7FSTJPO৘ใΛऔಘͰ͖Δఔ౓  ɹɹ✔ͨͩ͠EFGBVMU4FSWJDF"DDPVOUʹݖݶΛඥ෇͚ͳ͍͜ͱʹ஫ҙ ✅1PEʹ4FSWJDF"DDPVOUΛඥ෇͚ͳ͍ ɹɹ✔ҰൠతͳϫʔΫϩʔυͰ͋Ε͹,VCFSOFUFTʹؔ͢Δݖݶ͸ͦ΋ͦ΋ෆཁͳ͜ͱ͕ଟ͍ ɹɹ✔EFGBVMU4FSWJDF"DDPVOUͰ͸,VCFSOFUFTΫϥελʹର͢Δೝূࣗମ͸ߦ͑ͯ͠·͏

    ɹɹ✔4FSWJDF"DDPVOUΛඥ෇͚ͳ͚Ε͹ೝূ͞ΕΔͷΛ๷ࢭͰ͖Δ ✅ݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔΍ΉΛಘͣݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹɹɹFH1PEͷࢀরͷΈ͕ඞཁͰ͋Ε͹HFU΍MJTUͷΈʹWFSCTΛݶఆ͢Δ %FGBVMUTFSWJDFBDDPVOUT IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZTFSWJDFBDDPVOUTEFGBVMUTFSWJDFBDDPVOUT BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFUFTUQPE  TQFD DPOUBJOFST  BVUPNPVOU4FSWJDF"DDPVOU5PLFOGBMTF  ରࡦ

  74. ,VCFSOFUFTΫϥελͷར༻ऀͱͯ͠1PEʹݖݶΛ༩͑Δ৔߹ ✅EFGBVMU4FSWJDF"DDPVOUΛ࢖༻͢Δ ɹɹ✔1PEͷ4FSWJDF"DDPVOUΛࢦఆ͠ͳ͚Ε͹EFGBVMU4FSWJDF"DDPVOU͕ඥ෇͚ΒΕΔ ɹɹ✔EFGBVMU4FSWJDF"DDPVOU͸ݖݶΛ΄ͱΜͲ࣋ͨͳ͍ "1*΍7FSTJPO৘ใΛऔಘͰ͖Δఔ౓  ɹɹ✔ͨͩ͠EFGBVMU4FSWJDF"DDPVOUʹݖݶΛඥ෇͚ͳ͍͜ͱʹ஫ҙ ✅1PEʹ4FSWJDF"DDPVOUΛඥ෇͚ͳ͍ ɹɹ✔ҰൠతͳϫʔΫϩʔυͰ͋Ε͹,VCFSOFUFTʹؔ͢Δݖݶ͸ͦ΋ͦ΋ෆཁͳ͜ͱ͕ଟ͍ ɹɹ✔EFGBVMU4FSWJDF"DDPVOUͰ͸,VCFSOFUFTΫϥελʹର͢Δೝূࣗମ͸ߦ͑ͯ͠·͏

    ɹɹ✔4FSWJDF"DDPVOUΛඥ෇͚ͳ͚Ε͹ೝূ͞ΕΔͷΛ๷ࢭͰ͖Δ ✅ݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔΍ΉΛಘͣݖݶΛඥ෇͚Δ৔߹͸ඞཁ࠷খݶʹ͢Δ ɹɹɹɹFH1PEͷࢀরͷΈ͕ඞཁͰ͋Ε͹HFU΍MJTUͷΈʹWFSCTΛݶఆ͢Δ %FGBVMUTFSWJDFBDDPVOUT IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZTFSWJDFBDDPVOUTEFGBVMUTFSWJDFBDDPVOUT  SVMFT BQJ(SPVQT  SFTPVSDFT QPET QPETFYFD QPETMPH WFSCT   HFU MJTU 必要最小限のresources 必要最小限のverbs ରࡦ

  75. ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ✅෇༩͢Δݖݶ͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔Ϣʔβʔʹ͸ԿΒ͔ͷݖݶΛ෇༩͢Δඞཁ͕͋Δ ɹɹ✔/BNFTQBDFɺϦιʔεछผʹԠͨ͡ඞཁ࠷খݶͷݖݶΛ෇༩ ɹɹ✔#VJMEJO3PMF Λ׆༻͢Δͷ΋͋Γ BENJOFEJUWJFX UFOBOUB UFOBOUC 6TFS(SPVQ

    6TFS(SPVQ ॏཁϦιʔε΁ͷΞΫηε͸ېࢭ 8PSLMPBEܥϦιʔε΁ͷΞΫηε͸ڐՄ 6TFSGBDJOHSPMFT IUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[SCBDVTFSGBDJOHSPMFT /BNFTQBDF୯Ґͷ੍ޚ Ϧιʔεछผ୯Ґͷ੍ޚ ରࡦ

  76. ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ✅෇༩͢Δݖݶ͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔Ϣʔβʔʹ͸ԿΒ͔ͷݖݶΛ෇༩͢Δඞཁ͕͋Δ ɹɹ✔/BNFTQBDFɺϦιʔεछผʹԠͨ͡ඞཁ࠷খݶͷݖݶΛ෇༩ ɹɹ✔#VJMEJO3PMF Λ׆༻͢Δͷ΋͋Γ BENJOFEJUWJFX  ✅ݖݶঢ֨ʹ஫ҙ ɹɹ✔SFTPVSDFTͱWFSCTͷ૊Έ߹ΘͤʹΑͬͯ͸௥ՃͷݖݶΛऔಘͰ͖Δ৔߹͕͋Δ

    ✅ϫΠϧυΧʔυ ͷ࢖༻ʹ஫ҙ ɹɹ✔ҙਤ͠ͳ͍ݖݶؚ͕·Εͯ͠·͏Մೳੑ͕͋Δ SFTPVSDFT WFSCT ֓ཁ SPMFT DMVTUFSSPMFT FTDBMBUF ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛ෇༩Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMFʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ CJOE ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛؚΉ3PMFΛඥ෇͚Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMF#JOEJOHʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ VTFST HSPVQT TFSWJDFBDDPVOUT JNQFSTPOBUF ଞͷϢʔβʔݖݶͰΞΫηε Ϣʔβʔِ૷ ग़དྷͯ͠·͏ LVCFDUMBTɺLVCFDUMBTHSPVQͰTVEPతͳ͜ͱ͕Ͱ͖ΔΠϝʔδ ରࡦ

  77. ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ✅෇༩͢Δݖݶ͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔Ϣʔβʔʹ͸ԿΒ͔ͷݖݶΛ෇༩͢Δඞཁ͕͋Δ ɹɹ✔/BNFTQBDFɺϦιʔεछผʹԠͨ͡ඞཁ࠷খݶͷݖݶΛ෇༩ ɹɹ✔#VJMEJO3PMF Λ׆༻͢Δͷ΋͋Γ BENJOFEJUWJFX  ✅ݖݶঢ֨ʹ஫ҙ ɹɹ✔SFTPVSDFTͱWFSCTͷ૊Έ߹ΘͤʹΑͬͯ͸௥ՃͷݖݶΛऔಘͰ͖Δ৔߹͕͋Δ

    ✅ϫΠϧυΧʔυ ͷ࢖༻ʹ஫ҙ ɹɹ✔ҙਤ͠ͳ͍ݖݶؚ͕·Εͯ͠·͏Մೳੑ͕͋Δ SFTPVSDFT WFSCT ֓ཁ SPMFT DMVTUFSSPMFT FTDBMBUF ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛ෇༩Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMFʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ CJOE ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛؚΉ3PMFΛඥ෇͚Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMF#JOEJOHʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ VTFST HSPVQT TFSWJDFBDDPVOUT JNQFSTPOBUF ଞͷϢʔβʔݖݶͰΞΫηε Ϣʔβʔِ૷ ग़དྷͯ͠·͏ LVCFDUMBTɺLVCFDUMBTHSPVQͰTVEPతͳ͜ͱ͕Ͱ͖ΔΠϝʔδ  BQJ(SPVQT SCBDBVUIPSJ[BUJPOLTJP SFTPVSDFT SPMFT WFSCT FTDBMBUF MJTU HFU DSFBUF VQEBUF QBUDI EFMFUF これだけでは 現在付与されている 以上の権限をRoleに 追加できない ରࡦ

  78. ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ✅෇༩͢Δݖݶ͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔Ϣʔβʔʹ͸ԿΒ͔ͷݖݶΛ෇༩͢Δඞཁ͕͋Δ ɹɹ✔/BNFTQBDFɺϦιʔεछผʹԠͨ͡ඞཁ࠷খݶͷݖݶΛ෇༩ ɹɹ✔#VJMEJO3PMF Λ׆༻͢Δͷ΋͋Γ BENJOFEJUWJFX  ✅ݖݶঢ֨ʹ஫ҙ ɹɹ✔SFTPVSDFTͱWFSCTͷ૊Έ߹ΘͤʹΑͬͯ͸௥ՃͷݖݶΛऔಘͰ͖Δ৔߹͕͋Δ

    ✅ϫΠϧυΧʔυ ͷ࢖༻ʹ஫ҙ ɹɹ✔ҙਤ͠ͳ͍ݖݶؚ͕·Εͯ͠·͏Մೳੑ͕͋Δ SFTPVSDFT WFSCT ֓ཁ SPMFT DMVTUFSSPMFT FTDBMBUF ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛ෇༩Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMFʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ CJOE ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛؚΉ3PMFΛඥ෇͚Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMF#JOEJOHʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ VTFST HSPVQT TFSWJDFBDDPVOUT JNQFSTPOBUF ଞͷϢʔβʔݖݶͰΞΫηε Ϣʔβʔِ૷ ग़དྷͯ͠·͏ LVCFDUMBTɺLVCFDUMBTHSPVQͰTVEPతͳ͜ͱ͕Ͱ͖ΔΠϝʔδ  BQJ(SPVQT SCBDBVUIPSJ[BUJPOLTJP SFTPVSDFT SPMFT WFSCT CJOE MJTU HFU DSFBUF VQEBUF BQJ(SPVQT SCBDBVUIPSJ[BUJPOLTJP SFTPVSDFT SPMFCJOEJOHT WFSCT MJTU HFU DSFBUF VQEBUF QBUDI EFMFUF これだけでは 現在付与されている 以上の権限を持つRoleは 紐付けできない ରࡦ

  79. ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ✅෇༩͢Δݖݶ͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔Ϣʔβʔʹ͸ԿΒ͔ͷݖݶΛ෇༩͢Δඞཁ͕͋Δ ɹɹ✔/BNFTQBDFɺϦιʔεछผʹԠͨ͡ඞཁ࠷খݶͷݖݶΛ෇༩ ɹɹ✔#VJMEJO3PMF Λ׆༻͢Δͷ΋͋Γ BENJOFEJUWJFX  ✅ݖݶঢ֨ʹ஫ҙ ɹɹ✔SFTPVSDFTͱWFSCTͷ૊Έ߹ΘͤʹΑͬͯ͸௥ՃͷݖݶΛऔಘͰ͖Δ৔߹͕͋Δ

    ✅ϫΠϧυΧʔυ ͷ࢖༻ʹ஫ҙ ɹɹ✔ҙਤ͠ͳ͍ݖݶؚ͕·Εͯ͠·͏Մೳੑ͕͋Δ SFTPVSDFT WFSCT ֓ཁ SPMFT DMVTUFSSPMFT FTDBMBUF ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛ෇༩Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMFʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ CJOE ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛؚΉ3PMFΛඥ෇͚Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMF#JOEJOHʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ VTFST HSPVQT TFSWJDFBDDPVOUT JNQFSTPOBUF ଞͷϢʔβʔݖݶͰΞΫηε Ϣʔβʔِ૷ ग़དྷͯ͠·͏ LVCFDUMBTɺLVCFDUMBTHSPVQͰTVEPతͳ͜ͱ͕Ͱ͖ΔΠϝʔδ  BQJ(SPVQT  SFTPVSDFT VTFST HSPVQT TFSWJDFBDDPVOUT WFSCT JNQFSTPOBUF ରࡦ

  80. ,VCFSOFUFTΫϥελͷ؅ཧऀͱͯ͠ར༻ऀʹݖݶΛ༩͑Δ৔߹ ✅෇༩͢Δݖݶ͸ඞཁ࠷খݶʹ͢Δ ɹɹ✔Ϣʔβʔʹ͸ԿΒ͔ͷݖݶΛ෇༩͢Δඞཁ͕͋Δ ɹɹ✔/BNFTQBDFɺϦιʔεछผʹԠͨ͡ඞཁ࠷খݶͷݖݶΛ෇༩ ɹɹ✔#VJMEJO3PMF Λ׆༻͢Δͷ΋͋Γ BENJOFEJUWJFX  ✅ݖݶঢ֨ʹ஫ҙ ɹɹ✔SFTPVSDFTͱWFSCTͷ૊Έ߹ΘͤʹΑͬͯ͸௥ՃͷݖݶΛऔಘͰ͖Δ৔߹͕͋Δ

    ✅ϫΠϧυΧʔυ ͷ࢖༻ʹ஫ҙ ɹɹ✔ҙਤ͠ͳ͍ݖݶؚ͕·Εͯ͠·͏Մೳੑ͕͋Δ SFTPVSDFT WFSCT ֓ཁ SPMFT DMVTUFSSPMFT FTDBMBUF ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛ෇༩Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMFʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ CJOE ݱࡏ෇༩͞Ε͍ͯͳ͍ݖݶΛؚΉ3PMFΛඥ෇͚Ͱ͖Δ ݖݶऔಘͷͨΊͷ3PMF#JOEJOHʹର͢ΔDSFBUFVQEBUF͕ڐՄ͞ΕΔ VTFST HSPVQT TFSWJDFBDDPVOUT JNQFSTPOBUF ଞͷϢʔβʔݖݶͰΞΫηε Ϣʔβʔِ૷ ग़དྷͯ͠·͏ LVCFDUMBTɺLVCFDUMBTHSPVQͰTVEPతͳ͜ͱ͕Ͱ͖ΔΠϝʔδ SVMFT BQJ(SPVQT   SFTPVSDFT   WFSCT   ରࡦ

  81.  ࢀߟ 3#"$ʹؔ͢ΔϦϑΝϨϯεͷྫ ✅3PMF#BTFE"DDFTT$POUSPM(PPE1SBDUJDFT ɹɹIUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZSCBDHPPEQSBDUJDFT ✅$*4,VCFSOFUFT#FODINBSLT 3#"$BOE4FSWJDF"DDPVOUT ରࡦ

  82.  ࢀߟ 3#"$ʹؔ͢Δπʔϧͷྫ 3#"$ʹؔ͢Δ෼ੳ΍ՄࢹԽΛՄೳʹ͢Δπʔϧ΋ଘࡏ͢Δɻ ɹ✅SCBDUPPM ɹɹɹIUUQTHJUIVCDPNBMDJEFJPSCBDUPPM ରࡦ

  83. <ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1 ͭͷ؍఺ͰཁҼͱରࡦ͕ߟ͑ΒΕ·͢ɻ ɹ✅,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ɹ✅,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ ɹ✅,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ

  84. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ,VCFSOFUFTͰ͸ɺσϑΥϧτͰͲͷΑ͏ͳઃఆΛ࣋ͭ1PEͷσϓϩΠ΋ڐՄ͞Ε͍ͯ·͢ɻ ͜ͷͨΊ߈ܸऀ͸45&1Ͱɺ,VCFSOFUFTΫϥελʹ੬ऑͳ1PEΛσϓϩΠ͠ɺ 45&1ͷ߈ܸ /PEF΁ͷ৵ೖ ʹܨ͛Δ͜ͱ͕Ͱ͖·ͨ͠ɻ ݖݶ͑͋͞Ε͹ͲͷΑ͏ͳ1PE΋σϓϩΠͰ͖Δ NBMJDJPVTQPE BQJ7FSTJPOW LJOE1PE

    NFUBEBUB OBNFNBMJDJPVTQPE OBNFTQBDFUNQ TQFD IPTU1*%USVF DPOUBJOFST OBNFVCVOUV JNBHFVCVOUV DPNNBOE<CJOTI > TFDVSJUZ$POUFYU QSJWJMFHFEUSVF OPEF4FMFDUPS LVCFSOFUFTJPIPTUOBNFOPEF 脆弱な設定 ཁҼ

  85. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ͜Εʹର͢Δରࡦͱͯ͠ɺϙϦγʔ੍ޚͱݺ͹ΕΔ࢓૊Έ͕͋Γ·͢ɻ ϙϦγʔ੍ޚͱ͸ɺ͋Β͔͡Ί,VCFSOFUFTΫϥελʹϙϦγʔΛఆ͓͖ٛͯ͠ɺ ੬ऑͳઃఆΛ࣋ͭ1PEͳͲϙϦγʔʹ४ڌ͠ͳ͍Ϧιʔεͷ࡞੒Λ๷͙࢓૊ΈͰ͢ ɻ ϙϦγʔ੍ޚʹ͸7BMJEBUJPOͱ.VUBUJPOͷछྨͷ੍ޚํ͕ࣜ͋Γ·͢ɻ ͜͜Ͱ͸ѱҙͷ͋Δ߈ܸऀʹΑΔෆਖ਼ͳϦιʔεͷ࡞੒Λ๷͙ͱ͍͏จ຺ͰϙϦγʔ੍ޚͷղઆΛߦͳ͍ͬͯ·͕͢ɺ ϙϦγʔ੍ޚ͸,VCFSOFUFTΫϥελͷར༻ऀʹΑͬͯҙਤͤͣ੬ऑͳϦιʔε͕࡞੒͞ΕΔ͜ͱΛ๷͙ͱ͍͏ޮՌ΋͋Γ·͢ɻ BQJ7FSTJPOW LJOE1PE

     TQFD IPTU1*%USVF DPOUBJOFST  TFDVSJUZ$POUFYU QSJWJMFHFEUSVF .VUBUJPO 7BMJEBUJPO  TQFD IPTU1*%GBMTF  TFDVSJUZ$POUFYU QSJWJMFHFEGBMTF  1PEͷσϓϩΠΛېࢭ ϙϦγʔʹ४ڌ͢ΔΑ͏ʹઃఆΛॻ͖׵͑ͯ1PEΛσϓϩΠ ରࡦ ϙϦγʔʹ४ڌ͍ͯ͠ͳ͍1PEΛ࡞੒

  86.  ࢀߟ ,VCFSOFUFT"1*ʹ͓͚ΔॲཧͷྲྀΕ ,VCFSOFUFT"1* LVCFBQJTFSWFS ͕ϦΫΤετΛड৴͢Δͱɺ ҎԼͷΑ͏ͳϑΣʔζΛܦͯϦιʔε͕࡞੒͞Ε·͢ ௨ৗϙϦγʔ੍ޚ͸"ENJTTJPOϑΣʔζͰߦΘΕ·͢ɻ Ϣʔβʔͷೝূ "VUIFOUJDBUJPO

    "VUIPSJ[BUJPO "ENJTTJPO ݖݶʹجͮ͘ೝՄ ϦΫΤετ಺༰ͷ ݕূ 7BMJEBUJPO ͱมߋ .VUBUJPO $POUSPMMJOH"DDFTTUPUIF,VCFSOFUFT"1* IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZDPOUSPMMJOHBDDFTT 3.2.2. Kubernetesクラスタに対する権限制御 3.2.3. Kubernetesクラスタのポリシー制御 ,VCFSOFUFT"1* LVCFBQJTFSWFS .VUBUJPO 7BMJEBUJPO ରࡦ

  87. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ϙϦγʔ੍ޚΛ࣮ݱ͢Δ୅දతͳखஈͱͯ͠ɺྫ͑͹ҎԼͷΑ͏ͳ΋ͷ͕͋Γ·͢ɻ ✅1PE4FDVSJUZ"ENJTTJPO ,VCFSOFUFT#VJMUJO W4UBCMF  ɹɹIUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZQPETFDVSJUZBENJTTJPO ✅7BMJEBUJOH"ENJTTJPO1PMJDZ ,VCFSOFUFT#VJMUJO W4UBCMF

     ɹɹIUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[WBMJEBUJOHBENJTTJPOQPMJDZ ✅.VUBUJOH"ENJTTJPO1PMJDZ ,VCFSOFUFT#VJMUJO W"MQIB༧ఆ  ɹɹ ,&1 IUUQTHJUIVCDPNLVCFSOFUFTFOIBODFNFOUTUSFFNBTUFSLFQTTJHBQJNBDIJOFSZNVUBUJOHBENJTTJPOQPMJDJFT ɹɹ ଟ෼ެࣜEPD͸͜ΕʹͳΔ͸ͣ IUUQTLVCFSOFUFTJPEPDTSFGFSFODFBDDFTTBVUIOBVUI[NVUBUJOHBENJTTJPOQPMJDZ ✅,ZWFSOP SE1BSUZ  ɹɹIUUQTLZWFSOPJP ✅01"(BUFLFFQFS SE1BSUZ  ɹɹIUUQTPQFOQPMJDZBHFOUHJUIVCJPHBUFLFFQFSXFCTJUF ରࡦ

  88. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ϙϦγʔ ֓ཁ نఆ߲໨ͷྫ ηΩϡϦςΟϨϕϧ 1SJWJMFHFE ઃఆ߲໨ʹنఆΛઃ͚ͳ͍ϙϦγʔ  نఆͳ͠ ௿

    #BTFMJOF ϦεΫ͕໌֬Ͱ͋Δઃఆ߲໨ʹ͍ͭͯ࠷௿ݶͷنఆΛߦͬͨϙϦγʔ ɾಛݖίϯςφͷېࢭ ɾϗετͱͷ/BNFTQBDFڞ༗ͷېࢭ ɾ)PTU1BUIͷېࢭ FUD த 3FTUSJDUFE ৄࡉͳઃఆ߲໨·ͰنఆΛߦͬͨϕετϓϥΫςΟεʹ֘౰͢ΔϙϦγʔ ɾ#BTFMJOFͷ߲໨શͯ ɾSPPUϢʔβʔͰͷίϯςφ࣮ߦېࢭ ɾಛݖঢ֨ͷېࢭ ɾ4FDDPNQͷڧ੍ FUD ߴ ͜͜Ͱ͸ྫͱͯ͠ɺ,VCFSOFUFT#VJMUJOͷػೳͰ͋Δ1PE4FDVSJUZ"ENJTTJPOʹ͍ͭͯղઆ͠·͢ɻ 1PE4FDVSJUZ"ENJTTJPOͰ͸ɺ͋Β͔͡Ί,VCFSOFUFTͰఆٛ͞Εͨ1PEʹؔ͢Δ ϙϦγʔ 1PE4FDVSJUZ4UBOEBSET ʹج͖ͮϙϦγʔ੍ޚ 7BMJEBUJPO Λߦ͏͜ͱ͕Ͱ͖·͢ɻ 1PE4FDVSJUZ4UBOEBSET IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZQPETFDVSJUZTUBOEBSET 1PE4FDVSJUZ4UBOEBSETͷ֓ཁ ରࡦ

  89. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ϙϦγʔ ֓ཁ نఆ߲໨ͷྫ ηΩϡϦςΟϨϕϧ 1SJWJMFHFE ઃఆ߲໨ʹنఆΛઃ͚ͳ͍ϙϦγʔ  نఆͳ͠ ௿

    #BTFMJOF ϦεΫ͕໌֬Ͱ͋Δઃఆ߲໨ʹ͍ͭͯ࠷௿ݶͷنఆΛߦͬͨϙϦγʔ ɾಛݖίϯςφͷېࢭ ɾϗετͱͷ/BNFTQBDFڞ༗ͷېࢭ ɾ)PTU1BUIͷېࢭ FUD த 3FTUSJDUFE ৄࡉͳઃఆ߲໨·ͰنఆΛߦͬͨϕετϓϥΫςΟεʹ֘౰͢ΔϙϦγʔ ɾ#BTFMJOFͷ߲໨શͯ ɾSPPUϢʔβʔͰͷίϯςφ࣮ߦېࢭ ɾಛݖঢ֨ͷېࢭ ɾ4FDDPNQͷڧ੍ FUD ߴ 1PE4FDVSJUZ4UBOEBSET IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZQPETFDVSJUZTUBOEBSET 1PE4FDVSJUZ4UBOEBSETͷ֓ཁ ରࡦ QSJWJMFHFEUSVFΛېࢭ IPTU1*%USVFΛېࢭ ͜͜Ͱ͸ྫͱͯ͠ɺ,VCFSOFUFT#VJMUJOͷػೳͰ͋Δ1PE4FDVSJUZ"ENJTTJPOʹ͍ͭͯղઆ͠·͢ɻ 1PE4FDVSJUZ"ENJTTJPOͰ͸ɺ͋Β͔͡Ί,VCFSOFUFTͰఆٛ͞Εͨ1PEʹؔ͢Δ ϙϦγʔ 1PE4FDVSJUZ4UBOEBSET ʹج͖ͮϙϦγʔ੍ޚ 7BMJEBUJPO Λߦ͏͜ͱ͕Ͱ͖·͢ɻ

  90. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ 1PE4FDVSJUZ"ENJTTJPOʹΑΔϙϦγʔ੍ޚ͸ɺ ੍ޚର৅ͱ͢Δ/BNFTQBDFʹϥϕϧΛ෇༩͢Δ͜ͱͰ࣮ݱͰ͖·͢ɻ ҎԼ͸UNQ/BNFTQBDFʹରͯ͠#BTFMJOFϙϦγʔʹҧ൓͢Δ1PEͷσϓϩΠΛېࢭ͢ΔྫͰ͢ɻ BQJ7FSTJPOW LJOE/BNFTQBDF NFUBEBUB OBNFUNQ MBCFMT #BTFMJOFϙϦγʔʹҧ൓͢Δ1PEͷσϓϩΠΛېࢭ

    QPETFDVSJUZLVCFSOFUFTJPFOGPSDFCBTFMJOF QPETFDVSJUZLVCFSOFUFTJPFOGPSDFWFSTJPOW 3FTUSJDUFEϙϦγʔʹҧ൓͢Δ1PEͷσϓϩΠΛݕ஌ͨ͠৔߹͸"VEJU-PHʹه࿥ QPETFDVSJUZLVCFSOFUFTJPBVEJUSFTUSJDUFE QPETFDVSJUZLVCFSOFUFTJPBVEJUWFSTJPOW 3FTUSJDUFEϙϦγʔʹҧ൓͢Δ1PEͷσϓϩΠΛݕ஌ͨ͠৔߹͸ܯࠂΛදࣔ QPETFDVSJUZLVCFSOFUFTJPXBSOSFTUSJDUFE QPETFDVSJUZLVCFSOFUFTJPXBSOWFSTJPOW 1PE4FDVSJUZ"ENJTTJPO IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZQPETFDVSJUZBENJTTJPO baselineに違反するPodを禁止 ରࡦ

  91. ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ࣮ࡍʹ#BTFMJOFϙϦγʔʹҧ൓͢Δ1PEͷσϓϩΠΛࢼΈΔͱɺ σϓϩΠʹࣦഊ͢Δ͜ͱ͕֬ೝͰ͖·͢ɻ45&1Ͱ͸͜ͷΑ͏ͳϙϦγʔ੍ޚ͕ߦΘΕ͍ͯΕ͹ɺ ߈ܸऀʹΑΔ੬ऑͳ1PEͷσϓϩΠΛ๷͙͜ͱ͕Ͱ͖·ͨ͠ɻ DBU&0'cLVCFDUMBQQMZG BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFNBMJDJPVTQPE OBNFTQBDFUNQ

    TQFD IPTU1*%USVF  TFDVSJUZ$POUFYU QSJWJMFHFEUSVF  &0' &SSPSGSPNTFSWFS 'PSCJEEFO FSSPSXIFODSFBUJOH45%*/QPETNBMJDJPVTQPEJTGPSCJEEFOWJPMBUFT1PE4FDVSJUZ CBTFMJOFWIPTUOBNFTQBDFT IPTU1*%USVF QSJWJMFHFE DPOUBJOFSVCVOUVNVTUOPUTFU TFDVSJUZ$POUFYUQSJWJMFHFEUSVF baselineに違反するPodのデプロイが拒否された ରࡦ

  92. <ରࡦ>/PEF΁ͷ৵ೖ 45&1

  93. <ରࡦ>/PEF΁ͷ৵ೖ 45&1 45&1Ͱ͸߈ܸऀ͸45&1ͰσϓϩΠͨ͠ಛݖίϯςφΛؚΉ੬ऑͳ1PEʹ৵ೖ͠ɺ ͔ͦ͜Β/PEFʹ৵ೖ $POUBJOFS#SFBLPVU ͠·ͨ͠ɻ ͞Βʹ৵ೖͨ͠/PEFΛܦ༝ͯ͠ɺ1PEʹؚ·ΕΔൿີ৘ใΛୣऔ͠·ͨ͠ɻ QSPE UNQ UNQ

    NBMJDJPVTQPE CBDLFOEBQQ UFTUQPE OPEF #### OPEF """" DQ $$$$ /PEFʹ৵ೖ

  94. <ରࡦ>/PEF΁ͷ৵ೖ 45&1 ࠓճͷ45&1ͷέʔεʹ͓͍ͯɺ׬ᘳͳରࡦ͸΄΅ෆՄೳͰ͢ɻ ίϯςφ͸௨ৗɺίϯςφϗετ͔Βִ཭͞Εͨϓϩηεͱ࣮ͯ͠ߦ͞Ε·͢ɻ ͔͠͠45&1Ͱ߈ܸऀ͕σϓϩΠͨ͠ಛݖίϯςφ QSJWJMFHFEUSVF ͸ɺ ίϯςφϗετͷ-JOVYΧʔωϧʹରͯ͠શͯͷݖݶΛִ࣋ͭ཭ੑͷ௿͍ϓϩηεͱ࣮ͯ͠ߦ͞Ε·͢ɻ ͭ·Γಛݖίϯςφʹ৵ೖ͞ΕΔ͜ͱ͸ɺ/PEFͷಛݖΛୣऔ͞Εͨͷͱಉ౳Ͱ͋Δͱݴ͑·͢ɻ ˞ίϯςφͰ͸ݖݶҎ֎ʹ΋ɺ/BNFTQBDFΛ͸͡Ίͱ࣮ͨ͠ߦۭؒ΍ɺϑΝΠϧγεςϜɺϦιʔεͳͲෳ਺ͷٕज़Λ૊Έ߹Θִͤͨ཭͕࣮ݱ͞Ε·͢ɻ

    ɹ45&1Ͱ͸QSJWJMFHFEUSVFҎ֎ʹIPTU1*%USVFͱ͍͏ઃఆΛߦͳ͍ͬͯ·͕͢ɺ͜Ε͸1*%/BNFTQBDFΛίϯςφͱϗετͰڞ༗͢Δͱ͍͏ઃఆͰ͢ɻ ɹ͜Ε͸͋͘·Ͱ߈ܸΛ੒ཱ͠΍͘͢͢ΔͨΊͷઃఆͳͷͰɺ͜͜Ͱ͸ਂ͘ݴٴ͠·ͤΜɻ /PEF ίϯςφϗετ /PEFͷ-JOVYΧʔωϧʹର͢Δ ݖݶ੍͕ݶ͞Εͳ͍ ͋ΒΏΔૢ࡞͕Մೳ ࣮ߦ؀ڥݖݶϦιʔε ͷ؍఺Ͱִ཭ $POUBJOFS 1SPDFTT $POUBJOFS 1SPDFTT ڐՄ͞Εͨૢ࡞ͷΈՄೳ

  95. <ରࡦ>/PEF΁ͷ৵ೖ 45&1 ɹ✅ίϯςφઐ༻04 ɹ✅ৼΔ෣͍؂ࢹ ͜͜Ͱ͸͜ͷΑ͏ͳϦεΫʹର͢Δ؇࿨ࡦ΍؂ࢹํ๏Λ঺հ͠·͢ɻ

  96. <ରࡦ>/PEF΁ͷ৵ೖ 45&1 ɹ✅ίϯςφઐ༻04 ɹ✅ৼΔ෣͍؂ࢹ ͜͜Ͱ͸͜ͷΑ͏ͳϦεΫʹର͢Δ؇࿨ࡦ΍؂ࢹํ๏Λ঺հ͠·͢ɻ

  97. ίϯςφઐ༻04 45&1ͷྫͰ͸ɺ߈ܸऀ͕σϓϩΠͨ͠੬ऑͳ1PEʹؚ·ΕΔ ಛݖίϯςφ͔Β/PEFʹؚ·ΕΔCBTIΛ࣮ߦ͢Δ͜ͱͰɺ /PEF΁ͷ৵ೖ $POUBJOFS#SFBLPVU Λߦͳ͍ͬͯ·ͨ͠ɻ /PEF NBMJDJPVTQPE CBTI ҙਤతʹ/PEFͱͷ

    ִ཭ੑΛ௿Լͤͨ͞ίϯςφ ✌ ίϯςφ͔Β/PEFͷCBTIΛ࣮ߦ OTFOUFSUBCJOCBTI IPTUOBNF OPEF ཁҼ $POUBJOFS 1SPDFTT

  98. ίϯςφઐ༻04 $POUBJOFS3VOUJNF $POUBJOFS3VOUJNF LVCFMFU LVCFMFU CBTI TTI ൚༻04 ίϯςφઐ༻04 ɾ

    ɾ ɾ ͜Εʹର͢Δରࡦͱͯ͠ɺίϯςφ࣮ߦʹಛԽͨ͠ίϯςφઐ༻04ͷ࢖༻͕ڍ͛ΒΕ·͢ɻ ίϯςφઐ༻04͸൚༻04 3)&-΍6CVOUVͳͲ ͱൺ΂ඞཁ࠷௿ݶͷ΋ͷͷΈؚ͕·Ε͍ͯΔͨΊɺ ,VCFSOFUFTΫϥελΛߏ੒͢Δ/PEFͷ-JOVYσΟετϦϏϡʔγϣϯͱͯ͠࠾༻͢Δ͜ͱͰ ੬ऑੑ΍ΞλοΫαʔϑΣεͷ࡟ݮʹ༗ޮͰ͋Δͱݴ͑·͢ɻ ˞ͦͷଞʹ΋ಛఆͷϑΝΠϧγεςϜ͕3FBE0OMZʹͳ͍ͬͯΔͳͲɺσΟετϦϏϡʔγϣϯʹΑΓৄࡉͳ࢓༷͸ҟͳΓ·͢ ରࡦ ίϯςφͷ࣮ߦʹෆཁͳ΋ͷΛ ۃྗؚ·ͳ͍

  99. ίϯςφઐ༻04 ίϯςφઐ༻04ʹ͸ྫ͑͹࣍ͷ΋ͷ͕͋Γ·͢ɻ ✅#PUUMFSPDLFU "84  IUUQTBXTBNB[PODPNCPUUMFSPDLFU ✅$POUBJOFS0QUJNJ[FE04 (PPHMF$MPVE  IUUQTDMPVEHPPHMFDPNDPOUBJOFSPQUJNJ[FEPT

    ✅"[VSF-JOVY$POUBJOFS)PTU .JDSPTPGU"[VSF  IUUQTMFBSONJDSPTPGUDPNB[VSFB[VSFMJOVY ✅'FEPSB$PSF04 'FEPSB  IUUQTGFEPSBQSPKFDUPSHDPSFPT ✅5BMPT-JOVY 4*%&30-"#  IUUQTXXXUBMPTEFW ରࡦ

  100. ίϯςφઐ༻04 45&1Ͱ͸ɺCBTIΛؚ·ͳ͍ίϯςφઐ༻04Λ/PEFͷ04ͱͯ͠࢖༻͍ͯ͠Ε͹ɺ ߈ܸऀʹΑΔ/PEF΁ͷ৵ೖΛ๷͙͜ͱ͕Ͱ͖·ͨ͠ɻ /PEF ίϯςφઐ༻04 NBMJDJPVTQPE CBTI ҙਤతʹ/PEFͱͷ ִ཭ੑΛ௿Լͤͨ͞ίϯςφ /PEFʹCBTIؚ͕·Ε͍ͯͳ͍

    OTFOUFSUBCJOCBTI OTFOUFSGBJMFEUPFYFDVUFCJOCBTI/PTVDI fi MFPSEJSFDUPSZ ରࡦ ˞5BMPT-JOVYͷྫ $POUBJOFS 1SPDFTT

  101. ίϯςφઐ༻04 ͨͩ͠ɺಛݖίϯςφ͸-JOVYΧʔωϧʹର͢ΔશͯͷݖݶΛ͍࣋ͬͯΔͨΊɺ ඞͣ͠΋׬ᘳͳରࡦʹ͸ͳΒͳ͍఺ʹ஫ҙ͍ͯͩ͘͠͞ɻ /PEF ίϯςφઐ༻04 NBMJDJPVTQPE ҙਤతʹ/PEFͱͷ ִ཭ੑΛ௿Լͤͨ͞ίϯςφ %08/ FDIPPQSPDTZTSRUSJHHFS

    -JOVYΧʔωϧͷ.BHJD4ZTUFN3FRVFTU,FZʹΑΓ /PEFΛγϟοτμ΢ϯ QSPDGT ରࡦ ˞5BMPT-JOVYͷྫ $POUBJOFS 1SPDFTT

  102. <ରࡦ>/PEF΁ͷ৵ೖ 45&1 ɹ✅ίϯςφઐ༻04 ɹ✅ৼΔ෣͍؂ࢹ ͜͜Ͱ͸͜ͷΑ͏ͳϦεΫʹର͢Δ؇࿨ࡦ΍؂ࢹํ๏Λ঺հ͠·͢ɻ

  103. ৼΔ෣͍؂ࢹ ηΩϡϦςΟΛߟ͑Δ্Ͱɺ߈ܸΛະવʹ๷͙ͨΊͷରࡦ͸ॏཁͰ͢ɻ ͜ΕʹՃ͑ɺສҰ,VCFSOFUFTΫϥελͰ$POUBJOFS#SFBLPVUͷΑ͏ͳෆਖ਼ͳૢ࡞͕ߦΘΕͨ৔߹ɺ ͦΕΒΛݕ஌͢ΔͨΊͷηΩϡϦςΟ؂ࢹΛߦ͏͜ͱ΋·ͨॏཁͰ͢ɻ ͜͜Ͱ͸ίϯςφͷηΩϡϦςΟ؂ࢹͷதͰ΋୅දతͳৼΔ෣͍؂ࢹʹ͍ͭͯղઆ͠·͢ɻ ରࡦ 🚨

  104. ৼΔ෣͍؂ࢹ ίϯςφͷৼΔ෣͍؂ࢹͰ͸ίϯςφ͕࣮ߦͨ͠γεςϜίʔϧ΍ίϯςφ಺Ͱͷϓϩηε࣮ߦɺ ϑΝΠϧΞΫηε౳Λ؂ࢹ͢Δ͜ͱͰɺಛఆͷϧʔϧʹج͖ͮηΩϡϦςΟϦεΫʹܨ͕ΓಘΔ ΠϕϯτΛݕ஌͠·͢ɻ /PEF 1SPDFTT 4FOTJUJWF 4ZTDBMM ରࡦ $POUBJOFS

    1SPDFTT

  105. ৼΔ෣͍؂ࢹ ৼΔ෣͍؂ࢹΛ࣮ݱ͢Δπʔϧͱͯ͠ɺྫ͑͹࣍ͷ΋ͷ͕͋Γ·͢ɻ ✅'BMDP IUUQTGBMDPPSH ✅5FUSBHPO IUUQTUFUSBHPOJP ✅5SBDFF IUUQTBRVBTFDVSJUZHJUIVCJPUSBDFF ରࡦ

  106. ৼΔ෣͍؂ࢹ ҎԼ͸'BMDPʹΑΔ45&1ͷ$POUBJOFS#SFBLPVUʹؔ͢ΔΠϕϯτݕ஌ͷྫͰ͢ɻ ݕ஌ͨ͠Πϕϯτ͸'BMDPTJEFLJDL Λ༻͍ͯ4MBDL౳ʹసૹՄೳ͢Δ͜ͱ͕Ͱ͖·͢ɻ LVCFDUMMPHTGBMDPLTHMCOGBMDPG *OGPSNBUJPOBM1SJWJMFHFEDPOUBJOFSTUBSUFE FWU@UZQFDPOUBJOFSVTFSVTFS@VJE VTFS@MPHJOVJEQSPDFTTDPOUBJOFSEGBBQSPD@FYFQBUIQBSFOU/"DPNNBOEDPOUBJOFSEGBB UFSNJOBMDPOUBJOFS@JEEGBBDPOUBJOFS@JNBHFEPDLFSJPMJCSBSZVCVOUVDPOUBJOFS@JNBHF@UBH DPOUBJOFS@OBNFVCVOUVLT@OTUNQLT@QPE@OBNFNBMJDJPVTQPE

     /PUJDF"TIFMMXBTTQBXOFEJOBDPOUBJOFSXJUIBOBUUBDIFEUFSNJOBM FWU@UZQFFYFDWFVTFSSPPU VTFS@VJEVTFS@MPHJOVJEQSPDFTTCBTIQSPD@FYFQBUIVTSCJOCBTIQBSFOUDPOUBJOFSETIJNDPNNBOECBTI UFSNJOBMFYF@ fl BHT&9&@83*5"#-&c&9&@-08&3@-":&3DPOUBJOFS@JEEGBB DPOUBJOFS@JNBHFEPDLFSJPMJCSBSZVCVOUVDPOUBJOFS@JNBHF@UBHDPOUBJOFS@OBNFVCVOUVLT@OTUNQ LT@QPE@OBNFNBMJDJPVTQPE  /PUJDF/BNFTQBDFDIBOHF TFUOT CZVOFYQFDUFEQSPHSBN FWU@UZQFTFUOTVTFSSPPUVTFS@VJE VTFS@MPHJOVJEQSPDFTTOTFOUFSQSPD@FYFQBUIVTSCJOOTFOUFSQBSFOUCBTIDPNNBOEOTFOUFSUBCJOCBTI UFSNJOBMDPOUBJOFS@JEEGBBDPOUBJOFS@JNBHFEPDLFSJPMJCSBSZVCVOUVDPOUBJOFS@JNBHF@UBH DPOUBJOFS@OBNFVCVOUVLT@OTUNQLT@QPE@OBNFNBMJDJPVTQPE ରࡦ nsenterによるContainer Breakoutを検知 'BMDPTJEFLJDL IUUQTGBMDPPSHEPDTPVUQVUTGPSXBSEJOH 特権コンテナが実行されたことを検知 コンテナ内でshellを実行されたことを検知

  107. ରࡦͷ·ͱΊ ؍఺ ରࡦͷ֓ཁ ରࡦख๏ͷྫ ,VCFSOFUFTΫϥελʹର͢Δ/8੍ޚ ֎෦͔Βͷ,VCFSOFUFTίϯϙʔωϯτ΁ͷෆਖ਼ͳ/8ΞΫηεΛ๷ࢭ͢Δ %$$MPVE/8 ,VCFSOFUFTίϯϙʔωϯτͷઃఆ ,VCFSOFUFTίϯϙʔωϯτͷઃఆΛద੾ʹߦ͍ηΩϡϦςΟϨϕϧΛ޲্ͤ͞Δ LVCFCFODI

    ,VCFSOFUFTΫϥελ಺෦ͷ/8੍ޚ ,VCFSOFUFTΫϥελ಺෦Ͱͷෆਖ਼ͳ/8ΞΫηεΛ๷ࢭ͢Δ /FUXPSL1PMJDZ ,VCFSOFUFTΫϥελʹର͢Δݖݶ੍ޚ ࠷খݖݶͷݪଇʹ४ڌ͠Ϋϥελͷෆਖ਼ͳૢ࡞Λ๷ࢭ͢Δ 3#"$ ,VCFSOFUFTΫϥελͷϙϦγʔ੍ޚ ϙϦγʔ੍ޚͷ࣮ࢪʹΑΓෆਖ਼ͳϦιʔεͷ࡞੒Λ๷ࢭ͢Δ 1PE4FDVSJUZ"ENJTTJPO 7BMJEBUJOH"ENJTTJPO1PMJDZ .VUBUJOH"ENJTTJPO1PMJDZ SEQBSUZ ίϯςφઐ༻04 /PEFʹίϯςφઐ༻04Λ༻͍Δ͜ͱͰΞλοΫαʔϑΣεΛ࠷খԽ͢Δ $MPVE$P4 'FEPSB$PSF04 5BMPT-JOVY ৼΔ෣͍؂ࢹ ηΩϡϦςΟϦεΫʹܨ͕ΓಘΔΫϥελ಺Ͱͷෆ৹ͳڍಈΛݕ஌͢Δ 'BMDP 5FUSBHPO 5SBDFF ߈ܸࣄྫͷ45&1ʹԊͬͯɺ,VCFSOFUFTʹ͓͚Δ୅දతͳηΩϡϦςΟରࡦΛղઆ͠·ͨ͠ɻ

  108.  ࢀߟ ͦͷଞରࡦͷྫ ,VCFSOFUFTΫϥελࣗମʹؔ͢Δରࡦʹ͸֘౰͠·ͤΜ͕ɺ,VCFSOFUFTΫϥελΛར༻͢Δ ίϯςφ։ൃऀͷηΩϡϦςΟରࡦΛิॿ͢Δख๏ͱͯ͠ྫ͑͹࣍ͷΑ͏ͳ΋ͷ͕͋Γ·͢ɻ ✅ܧଓతͳεΩϟϯ ɹ,VCFSOFUFTͰ࣮ߦ͞ΕΔ1PEʹؚ·ΕΔ੬ऑੑ΍ઃఆෆඋΛܧଓతʹεΩϟϯ͢Δɻ ɹɹ5SJWZ0QFSBUPS IUUQTBRVBTFDVSJUZHJUIVCJPUSJWZPQFSBUPS 

    ɹɹ,VCFTDBQF0QFSBUPS IUUQTLVCFTDBQFJPEPDTPQFSBUPS  ✅Πϝʔδॺ໊ͷݕূ ɹ࢖༻͢ΔίϯςφΠϝʔδͷॺ໊Λݕূ͠ɺෆਖ਼ͳίϯςφΠϝʔδͷ࢖༻Λ๷ࢭ͢Δɻ ɹɹ1PMJDZ$POUSPMMFS IUUQTEPDTTJHTUPSFEFWQPMJDZDPOUSPMMFSPWFSWJFX  ɹɹ,ZWFSOP IUUQTLZWFSOPJPEPDTXSJUJOHQPMJDJFTWFSJGZJNBHFTTJHTUPSF  ✅αϯυϘοΫε؀ڥͷఏڙ ɹηΩϡϦςΟ͕ڧԽ͞ΕͨίϯςφϥϯλΠϜΛఏڙ͢Δ͜ͱͰִ཭ੑͷߴ͍ίϯςφͷ࣮ߦΛࢧԉ͢Δɻ ɹɹ3VOUJNF$MBTT IUUQTLVCFSOFUFTJPEPDTDPODFQUTDPOUBJOFSTSVOUJNFDMBTT  ɹɹH7JTPS IUUQTHWJTPSEFW  ɹɹ,BUB$POUBJOFST IUUQTLBUBDPOUBJOFSTJP

  109.  ࢀߟ աڈʹൃݟ͞Εͨ,VCFSOFUFTʹؔ࿈͢Δ੬ऑੑͷྫ ,VCFSOFUFTΫϥελͰར༻͢Δίϯϙʔωϯτʹؚ·ΕΔ੬ऑੑʹ͍ͭͯ΋஫ҙ͕ඞཁͰ͢ɻ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJMDWF ɹɹ/PEFͱͷ௨৴Λߦ͏ࡍʹDSFEFOUJBM৘ใ͕ୣऔ͞ΕΔՄೳੑʹܨ͕ΔLVCFBQJTFSWFSͷ੬ऑੑ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJM$7& ɹɹίϯςφ͔ΒDHSPVQWͷSFMFBTF@BHFOUΛհͯ͠ಛݖঢ֨ΛҾ͖ى͜͢-JOVYΧʔωϧͷ੬ऑੑ ✅$7& -FBLZ7FTTFMT

    IUUQTOWEOJTUHPWWVMOEFUBJM$7& ɹɹίϯςφ͔ΒίϯςφϗετͷϑΝΠϧγεςϜ΁ͷΞΫηεΛҾ͖ى͜͢SVODͷ੬ऑੑ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJM$7& ɹɹඇਪ঑ͷHJU3FQPUZQFWPMVNFΛ࢖༻ͯ͠ಛݖঢ֨ΛҾ͖ى͜͢LVCFMFUͷ੬ऑੑɹɹ ࢀߟ ,VCFSOFUFT0 ff i DJBM$7&'FFE ɹɹɹIUUQTLVCFSOFUFTJPEPDTSFGFSFODFJTTVFTTFDVSJUZP ffi DJBMDWFGFFE

  110. "HFOEB ಋೖ ɹຊηογϣϯͷΰʔϧ ɹ,VCFSOFUFTηΩϡϦςΟͷશମ૾ ɹ,VCFSOFUFTηΩϡϦςΟͷϓϥΫςΟε ,VCFSOFUFT΁ͷ߈ܸࣄྫ ɹঢ়گઃఆ ɹ۩ମతͳ߈ܸࣄྫ ɹɹ,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1

     ɹɹෆਖ਼ͳϫʔΫϩʔυͷ࡞੒ 45&1  ɹɹ/PEF΁ͷ৵ೖ 45&1  ɹ߈ܸࣄྫͷ෮श ରࡦͷߟ͑ํ ɹ<ରࡦ>,VCFSOFUFTΫϥελ΁ͷ৵ೖ 45&1  ɹ<ରࡦ>ෆਖ਼ͳϫʔΫϩʔυͷ࣮ߦ 45&1  ɹ<ରࡦ>/PEF΁ͷ৵ೖ 45&1  ɹରࡦͷ·ͱΊ ·ͱΊ

  111. ·ͱΊ ✅,VCFSOFUFTʹ͓͚ΔηΩϡϦςΟରࡦΛ۩ମతϦεΫͱඥ෇͚ͯղઆ ɹɹ✔ʮى͖ͯཉ͘͠ͳ͍͜ͱʯ ϦεΫ Λཧղͯ͠ద੾ͳରࡦΛ࣮ࢪ͢Δ ɹɹ✔৔߹ʹΑͬͯ͸ϦεΫͷड༰΋બ୒ࢶͷͭ ✅঺հͨ͠ରࡦख๏͸ͲΕ΋ࣖʹೖΓ΍͍͢Ұൠతͳ΋ͷ ɹɹ✔֤ख๏͕ͲͷΑ͏ͳ৔໘Ͱ༗ޮʹػೳ͢Δ͔Λཧղ͓ͯ͘͜͠ͱ͕ॏཁ ɹɹ✔ա৒ͳରࡦʹΑΔίετ૿ͷ๷ࢭ

  112. খ͞ͳҰา

  113. খ͞ͳҰาɺେ͖ͳඈ༂ ʙΫϥ΢υωΠςΟϒΛܧଓ͢Δʙ CZ

  114. ,VCFSOFUFTίϯςφηΩϡϦςΟ ,VCFSOFUFTͷηΩϡϦςΟΛߟ͑Δ্Ͱ͸,VCFSOFUFTΫϥελͰ࣮ߦ͞ΕΔ ίϯςφͷηΩϡϦςΟʹ΋ҙࣝΛ޲͚Δඞཁ͕͋Γ·͢ɻ ,VCFSOFUFTΫϥελΛ؅ཧ͢Δͱ͍͏໨ઢͰ΋ɺ͜ΕΒͷཧղ͸ෆՄܽͰ͢ɻ "QQMJDBUJPO 安全なワークロードをコンテナとして実行する 安全なコンテナ実行環境を提供する $POUBJOFS*NBHF $POUBJOFS ,VCFSOFUFT

    $MPVE%BUBDFOUFS コンテナセキュリティ

  115. 13 "NB[PO ✅୅දతͳϦεΫΛ࣮ײ͠ରࡦͷߟ͑ํʢجૅʣΛཧղͰ͖Δ ɹɹ✔ϦεΫΛϕʔεͱͨ͠ষߏ੒ʢશέʔεʴЋʣ ɹɹ✔ϦεΫΛ౿·͑ͯରࡦͷجຊݪଇ΍۩ମతख๏ରࡦΛཧղͰ͖Δ ✅ϋϯζΦϯΛ௨ͯ͡۩ମతʹཧղͰ͖Δ ɹɹ✔खΛಈ͔͠ͳ͕Βֶ΂ΔʢϋϯζΦϯ཰͘Β͍ʣ ɹɹ✔,VCFSOFUFT޷͖Ͱ͋Ε͹ͦ͜·ͰηΩϡϦςΟʹڵຯ͕ͳ͍ਓͰ΋ָ͠ΊΔ ϦεΫ͔ΒֶͿ,VCFSOFUFTίϯςφηΩϡϦςΟ ίϯςφ։ൃऀ͕͓͓͑ͯ͘͞΂͖جૅ஌ࣝ

    ίϯςφηΩϡϦςΟΛֶͿೖΓޱ 絶賛発売中!!

  116. 5IBOL:PV この後も 引き続き楽しんでいきましょう!!