Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Istio RBAC入門

Shunsuke Miyoshi
March 27, 2019
Programming
0
300

Istio RBAC入門

Istio RBACがどういうものかといった説明の簡単バージョン
勉強会にて使用

Shunsuke Miyoshi

March 27, 2019
Tweet

More Decks by Shunsuke Miyoshi

See All by Shunsuke Miyoshi
RFCの歩き方
smiyoshi
1
210
クラウドネイティブ時代のセキュリティの考え方とIstioによる実装 / cloud native security and istio
smiyoshi
13
3.7k
GitlabとIstioでつくるコンテナネイティブCICD
smiyoshi
1
1.2k
A STORY OF USELESS CRYPTOGRAPHY
smiyoshi
0
150
Advanced Security on Kubernetes with Istio
smiyoshi
0
370

Other Decks in Programming

See All in Programming
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
230
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
130
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
520
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
現場で役立つモデリング 超入門
masuda220
PRO
13
2.9k
Realtime API 入門
riofujimon
0
110
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
140
CSC509 Lecture 09
javiergs
PRO
0
110

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
334
57k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
For a Future-Friendly Web
brad_frost
175
9.4k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Designing for Performance
lara
604
68k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Visualization
eitanlees
144
15k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k

Transcript

  1. Istio RBAC ೖ໳ ෋࢜௨גࣜձࣾ ࡾ޷ ढ़հ

  2. ࣗݾ঺հ • ࣾձਓ3೥໨ • Kubernetesͷٕज़ݕূɾීٴ׆ಈɾΞϓϦ։ൃͳͲ • IstioͷϑΝϯ • KubeCon 2017ͰॳΊͯݟͨ࣌ʹײಈ

    • झຯϓϩάϥϚʔ • GitHub: https://github.com/sh-miyoshi • Twitter: https://twitter.com/shmiyoshi

  3. ࠓ೔օ͞Μʹ͓఻͍͑ͨ͜͠ͱ • ͜ͷઌϚΠΫϩαʔϏεԽͷ೾͸͖ͬͱ͘Δ • ͍͔ͭඞͣηΩϡϦςΟ͕໰୊ʹͳΔ • Microservices + Security
 →

    1ͭͷղͱͯ͠Istio

  4. ϚΠΫϩαʔϏε࣌୅ͷηΩϡϦςΟ ֤αʔϏεͦΕͧΕ͕ߴ͍ϨϕϧͰͷηΩϡϦ ςΟΛ࣮ݱ͠ͳ͚Ε͹ͳΒͳ͍

  5. Istio RBAC

  6. Istio RBACͱ͸ʁ • IstioͷΞΫηείϯτϩʔϧػೳͷҰͭ • KubernetesͷRBACͱಉ༷͡ͳ࢖͍ํͰ Serviceؒͷ௨৴ͷΞΫηε੍ޚͰ͖Δ
 (k8s͸ϦιʔεͷΞΫηε੍ޚ) ྫʣserviceAͷGET /pathʹ͸userA͚ͩΞΫη

    εΛڐՄ͢Δͱ͍͏Α͏ͳઃఆ͕Մೳ

  7. Istio RBACͰͰ͖Δ͜ͱ • ServiceͷೝՄ(Authorization)
 ※ೝূ(Authentication)͸Istio mTLSͰ΍Δ → ࣗ਎ͷService͕ͲͷService(΍User)ʹΞ ΫηεΛڐ͔͢ΛઃఆͰ͖Δ

  8. Istio RBACͷ࢖͍ํ 1. IstioΛΠϯετʔϧ • ࠓͩͱGKE͕ศར(νΣοΫೖΕΔ͚ͩ) • mTLSΛ༗ޮʹͯ͠ىಈ͢Δ 2. Istio

    RBACΛ༗ޮԽ • σϑΥϧτ͸DisableͳͷͰEnableʹ͢ΔͨΊͷ CRDΛk8sʹapply͢Δ • ※༗ޮʹͳΔ·Ͱগ͕͔͔࣌ؒ͠Δ৔߹͕͋Γ·͢

  9. Istio RBACͷ࢖͍ํ 3. ΞϓϦͷσϓϩΠ • istioctlίϚϯυͰΞϓϦΛσϓϩΠ 4. αʔϏεؒ௨৴ΛڐՄ • CRDͰServiceRoleΛ࡞Δ

    • ServiceRoleΛServiceRoleBinding(Istio CRD)Ͱ KubernetesͷServiceAccountʹݖݶΛ͚ͭΔ ͓·͚: ֎෦͔ΒͷΞΫηεΛڐՄ͢Δ • ུ

  10. Let’s Go Demo ! *) https://github.com/sh-miyoshi/sectest खॱ͸sectest/rbac_demo/Apps_RBAC.md

  11. Unhappy Things… • Istio͕େม • ࣦഊͨ࣌͠ϩά͕Ͳ͜ʹग़͍ͯΔ͔ෆ໌ • ίϯϙʔωϯτ͕ଟ͗͢ • ͳʹΛઃఆͨ͠Β͍͍͔෼͔Βͳ͍৔ॴ͕͋Δ

    • Serviceͷ໊લ͸ݻఆɺGatewayʹࢦఆग़དྷΔsecret໊΋ݻఆ • Istio RBAC͸·ͩalpha • ࢓༷͕େ͖͘มΘΔ͜ͱ΋ɾɾɾ
 (Istio v0.7 → v0.8Λ஌ͬͯΔਓ͸ۤ͠Έ͕Θ͔Δ͸ͣ)

  12. ·ͱΊ Microservices + Security → Istio RBACͷ঺հ ݱ࣌఺ͰIstioΛ࢖͏ͷ͸େม͔΋͚ͩͲଘࡏ Λ஌͓ͬͯ͘ͱخ͍͜͠ͱ͋Δ͔΋