Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Istio RBAC入門
Search
Shunsuke Miyoshi
March 27, 2019
Programming
0
350
Istio RBAC入門
Istio RBACがどういうものかといった説明の簡単バージョン
勉強会にて使用
Shunsuke Miyoshi
March 27, 2019
Tweet
Share
More Decks by Shunsuke Miyoshi
See All by Shunsuke Miyoshi
RFCの歩き方
smiyoshi
1
250
クラウドネイティブ時代のセキュリティの考え方とIstioによる実装 / cloud native security and istio
smiyoshi
13
3.8k
GitlabとIstioでつくるコンテナネイティブCICD
smiyoshi
1
1.3k
A STORY OF USELESS CRYPTOGRAPHY
smiyoshi
0
160
Advanced Security on Kubernetes with Istio
smiyoshi
0
430
Other Decks in Programming
See All in Programming
AIのメモリー
watany
12
1.2k
#QiitaBash TDDで(自分の)開発がどう変わったか
ryosukedtomita
1
350
階層化自動テストで開発に機動力を
ickx
1
470
Dart 参戦!!静的型付き言語界の隠れた実力者
kno3a87
0
160
Google I/O Extended Incheon 2025 ~ What's new in Android development tools
pluu
1
220
Claude Code と OpenAI o3 で メタデータ情報を作る
laket
0
110
[SRE NEXT] 複雑なシステムにおけるUser Journey SLOの導入
yakenji
1
910
Quality Gates in the Age of Agentic Coding
helmedeiros
PRO
1
120
DataformでPythonする / dataform-de-python
snhryt
0
150
Gemini CLIの"強み"を知る! Gemini CLIとClaude Codeを比較してみた!
kotahisafuru
3
910
AWS Summit Japan 2024と2025の比較/はじめてのKiro、今あなたは岐路に立つ
satoshi256kbyte
1
260
대규모 트래픽을 처리하는 프론트 개발자의 전략
maryang
0
110
Featured
See All Featured
Faster Mobile Websites
deanohume
308
31k
Why Our Code Smells
bkeepers
PRO
337
57k
We Have a Design System, Now What?
morganepeng
53
7.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Into the Great Unknown - MozCon
thekraken
40
2k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
110
19k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
Making Projects Easy
brettharned
117
6.3k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
21k
Typedesign – Prime Four
hannesfritz
42
2.7k
Git: the NoSQL Database
bkeepers
PRO
431
65k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Transcript
Istio RBAC ೖ ࢜௨גࣜձࣾ ࡾ ढ़հ
ࣗݾհ • ࣾձਓ3 • Kubernetesͷٕज़ݕূɾීٴ׆ಈɾΞϓϦ։ൃͳͲ • IstioͷϑΝϯ • KubeCon 2017ͰॳΊͯݟͨ࣌ʹײಈ
• झຯϓϩάϥϚʔ • GitHub: https://github.com/sh-miyoshi • Twitter: https://twitter.com/shmiyoshi
ࠓօ͞Μʹ͓͍͑ͨ͜͠ͱ • ͜ͷઌϚΠΫϩαʔϏεԽͷ͖ͬͱ͘Δ • ͍͔ͭඞͣηΩϡϦςΟ͕ʹͳΔ • Microservices + Security →
1ͭͷղͱͯ͠Istio
ϚΠΫϩαʔϏε࣌ͷηΩϡϦςΟ ֤αʔϏεͦΕͧΕ͕ߴ͍ϨϕϧͰͷηΩϡϦ ςΟΛ࣮ݱ͠ͳ͚ΕͳΒͳ͍
Istio RBAC
Istio RBACͱʁ • IstioͷΞΫηείϯτϩʔϧػೳͷҰͭ • KubernetesͷRBACͱಉ༷͡ͳ͍ํͰ Serviceؒͷ௨৴ͷΞΫηε੍ޚͰ͖Δ (k8sϦιʔεͷΞΫηε੍ޚ) ྫʣserviceAͷGET /pathʹuserA͚ͩΞΫη
εΛڐՄ͢Δͱ͍͏Α͏ͳઃఆ͕Մೳ
Istio RBACͰͰ͖Δ͜ͱ • ServiceͷೝՄ(Authorization) ※ೝূ(Authentication)Istio mTLSͰΔ → ࣗͷService͕ͲͷService(User)ʹΞ ΫηεΛڐ͔͢ΛઃఆͰ͖Δ
Istio RBACͷ͍ํ 1. IstioΛΠϯετʔϧ • ࠓͩͱGKE͕ศར(νΣοΫೖΕΔ͚ͩ) • mTLSΛ༗ޮʹͯ͠ىಈ͢Δ 2. Istio
RBACΛ༗ޮԽ • σϑΥϧτDisableͳͷͰEnableʹ͢ΔͨΊͷ CRDΛk8sʹapply͢Δ • ※༗ޮʹͳΔ·Ͱগ͕͔͔࣌ؒ͠Δ߹͕͋Γ·͢
Istio RBACͷ͍ํ 3. ΞϓϦͷσϓϩΠ • istioctlίϚϯυͰΞϓϦΛσϓϩΠ 4. αʔϏεؒ௨৴ΛڐՄ • CRDͰServiceRoleΛ࡞Δ
• ServiceRoleΛServiceRoleBinding(Istio CRD)Ͱ KubernetesͷServiceAccountʹݖݶΛ͚ͭΔ ͓·͚: ֎෦͔ΒͷΞΫηεΛڐՄ͢Δ • ུ
Let’s Go Demo ! *) https://github.com/sh-miyoshi/sectest खॱsectest/rbac_demo/Apps_RBAC.md
Unhappy Things… • Istio͕େม • ࣦഊͨ࣌͠ϩά͕Ͳ͜ʹग़͍ͯΔ͔ෆ໌ • ίϯϙʔωϯτ͕ଟ͗͢ • ͳʹΛઃఆͨ͠Β͍͍͔͔Βͳ͍ॴ͕͋Δ
• Serviceͷ໊લݻఆɺGatewayʹࢦఆग़དྷΔsecret໊ݻఆ • Istio RBAC·ͩalpha • ༷͕େ͖͘มΘΔ͜ͱɾɾɾ (Istio v0.7 → v0.8ΛͬͯΔਓۤ͠Έ͕Θ͔Δͣ)
·ͱΊ Microservices + Security → Istio RBACͷհ ݱ࣌ͰIstioΛ͏ͷେม͔͚ͩͲଘࡏ Λ͓ͬͯ͘ͱخ͍͜͠ͱ͋Δ͔