Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Istio RBAC入門
Search
Shunsuke Miyoshi
March 27, 2019
Programming
370
0
Share
Istio RBAC入門
Istio RBACがどういうものかといった説明の簡単バージョン
勉強会にて使用
Shunsuke Miyoshi
March 27, 2019
More Decks by Shunsuke Miyoshi
See All by Shunsuke Miyoshi
RFCの歩き方
smiyoshi
1
310
クラウドネイティブ時代のセキュリティの考え方とIstioによる実装 / cloud native security and istio
smiyoshi
13
3.8k
GitlabとIstioでつくるコンテナネイティブCICD
smiyoshi
1
1.3k
A STORY OF USELESS CRYPTOGRAPHY
smiyoshi
0
170
Advanced Security on Kubernetes with Istio
smiyoshi
0
460
Other Decks in Programming
See All in Programming
Go_College_最終発表資料__外部公開用_.pdf
xe_pc23
0
120
Radical Imagining - LIFT 2025-2027 Policy Agenda
lift1998
0
230
Strategy for Finding a Problem for OSS: With Real Examples
kibitan
0
130
アーキテクチャモダナイゼーションとは何か
nwiizo
14
3k
Rethinking API Platform Filters
vinceamstoutz
0
7.9k
メッセージングを利用して時間的結合を分離しよう #phperkaigi
kajitack
3
550
VueエンジニアがReactを触って感じた_設計の違い
koukimiura
0
150
飯MCP
yusukebe
0
480
我々はなぜ「層」を分けるのか〜「関心の分離」と「抽象化」で手に入れる変更に強いシンプルな設計〜 #phperkaigi / PHPerKaigi 2026
shogogg
2
790
Java 21/25 Virtual Threads 소개
debop
0
320
AI-DLC 入門 〜AIコーディングの本質は「コード」ではなく「構造」〜 / Introduction to AI-DLC: The Essence of AI Coding Is Not “Code” but “Structure”
seike460
PRO
0
220
Migration to Signals, Signal Forms, Resource API, and NgRx Signal Store @Angular Days 03/2026 Munich
manfredsteyer
PRO
0
230
Featured
See All Featured
WCS-LA-2024
lcolladotor
0
510
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
93
Designing Powerful Visuals for Engaging Learning
tmiket
1
320
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.2k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
160
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
330
Ethics towards AI in product and experience design
skipperchong
2
250
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
1
85
HDC tutorial
michielstock
1
600
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
61k
It's Worth the Effort
3n
188
29k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Transcript
Istio RBAC ೖ ࢜௨גࣜձࣾ ࡾ ढ़հ
ࣗݾհ • ࣾձਓ3 • Kubernetesͷٕज़ݕূɾීٴ׆ಈɾΞϓϦ։ൃͳͲ • IstioͷϑΝϯ • KubeCon 2017ͰॳΊͯݟͨ࣌ʹײಈ
• झຯϓϩάϥϚʔ • GitHub: https://github.com/sh-miyoshi • Twitter: https://twitter.com/shmiyoshi
ࠓօ͞Μʹ͓͍͑ͨ͜͠ͱ • ͜ͷઌϚΠΫϩαʔϏεԽͷ͖ͬͱ͘Δ • ͍͔ͭඞͣηΩϡϦςΟ͕ʹͳΔ • Microservices + Security →
1ͭͷղͱͯ͠Istio
ϚΠΫϩαʔϏε࣌ͷηΩϡϦςΟ ֤αʔϏεͦΕͧΕ͕ߴ͍ϨϕϧͰͷηΩϡϦ ςΟΛ࣮ݱ͠ͳ͚ΕͳΒͳ͍
Istio RBAC
Istio RBACͱʁ • IstioͷΞΫηείϯτϩʔϧػೳͷҰͭ • KubernetesͷRBACͱಉ༷͡ͳ͍ํͰ Serviceؒͷ௨৴ͷΞΫηε੍ޚͰ͖Δ (k8sϦιʔεͷΞΫηε੍ޚ) ྫʣserviceAͷGET /pathʹuserA͚ͩΞΫη
εΛڐՄ͢Δͱ͍͏Α͏ͳઃఆ͕Մೳ
Istio RBACͰͰ͖Δ͜ͱ • ServiceͷೝՄ(Authorization) ※ೝূ(Authentication)Istio mTLSͰΔ → ࣗͷService͕ͲͷService(User)ʹΞ ΫηεΛڐ͔͢ΛઃఆͰ͖Δ
Istio RBACͷ͍ํ 1. IstioΛΠϯετʔϧ • ࠓͩͱGKE͕ศར(νΣοΫೖΕΔ͚ͩ) • mTLSΛ༗ޮʹͯ͠ىಈ͢Δ 2. Istio
RBACΛ༗ޮԽ • σϑΥϧτDisableͳͷͰEnableʹ͢ΔͨΊͷ CRDΛk8sʹapply͢Δ • ※༗ޮʹͳΔ·Ͱগ͕͔͔࣌ؒ͠Δ߹͕͋Γ·͢
Istio RBACͷ͍ํ 3. ΞϓϦͷσϓϩΠ • istioctlίϚϯυͰΞϓϦΛσϓϩΠ 4. αʔϏεؒ௨৴ΛڐՄ • CRDͰServiceRoleΛ࡞Δ
• ServiceRoleΛServiceRoleBinding(Istio CRD)Ͱ KubernetesͷServiceAccountʹݖݶΛ͚ͭΔ ͓·͚: ֎෦͔ΒͷΞΫηεΛڐՄ͢Δ • ུ
Let’s Go Demo ! *) https://github.com/sh-miyoshi/sectest खॱsectest/rbac_demo/Apps_RBAC.md
Unhappy Things… • Istio͕େม • ࣦഊͨ࣌͠ϩά͕Ͳ͜ʹग़͍ͯΔ͔ෆ໌ • ίϯϙʔωϯτ͕ଟ͗͢ • ͳʹΛઃఆͨ͠Β͍͍͔͔Βͳ͍ॴ͕͋Δ
• Serviceͷ໊લݻఆɺGatewayʹࢦఆग़དྷΔsecret໊ݻఆ • Istio RBAC·ͩalpha • ༷͕େ͖͘มΘΔ͜ͱɾɾɾ (Istio v0.7 → v0.8ΛͬͯΔਓۤ͠Έ͕Θ͔Δͣ)
·ͱΊ Microservices + Security → Istio RBACͷհ ݱ࣌ͰIstioΛ͏ͷେม͔͚ͩͲଘࡏ Λ͓ͬͯ͘ͱخ͍͜͠ͱ͋Δ͔
smiyoshi
xe_pc23
lift1998
kibitan
nwiizo
vinceamstoutz
kajitack
koukimiura
yusukebe
shogogg
debop
seike460
manfredsteyer
lcolladotor
techseoconnect
tmiket
kastner
reverentgeek
skipperchong
akademiya2063
michielstock
lemiorhan
3n
caitiem20
