Slide 1
Slide 1 text
No content
Slide 2
Slide 2 text
No content
Slide 3
Slide 3 text
•
•
•
•
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
# iptables -A INPUT –s 10.0.0.0/8 -j ACCEPT
# iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
# iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
Slide 7
Slide 7 text
⚫
⚫
⚫
⚫
⚫
by Doug Barth, Evan Gilman
Publisher: O'Reilly Media, Inc.
Release Date: July 2017
Topic: Network Security
Slide 8
Slide 8 text
⚫
⚫
⚫
Figure 1-1. Traditional network security architecture
Figure 1-1. Traditional network security architecture
⚫
⚫
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
private
非認証
認証
private
認証
認証
Slide 11
Slide 11 text
No content
Slide 12
Slide 12 text
⚫
⚫
⚫
⚫
⚫
⚫
Slide 13
Slide 13 text
Traffic
Inspection
metrics Service
Discovery
Slide 14
Slide 14 text
Traffic
Inspection
metrics Service
Discovery
Slide 15
Slide 15 text
Traffic
Inspection
metrics Service
Discovery
Slide 16
Slide 16 text
Policy checks,
telemetry
TLS cert
to Proxy
Config data
to Proxy
Slide 17
Slide 17 text
https://istio.io/
Slide 18
Slide 18 text
No content
Slide 19
Slide 19 text
No content
Slide 20
Slide 20 text
No content
Slide 21
Slide 21 text
⚫
⚫
⚫
Slide 22
Slide 22 text
https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md
spiffe://trust-domain/path
spiffe://staging.acme.com/payments/mysql
spiffe://staging.acme.com/payments/web-fe
spiffe://k8s-west.acme.com/ns/staging/sa/default
Slide 23
Slide 23 text
https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#3-spiffe-verifiable-identity-document
⚫
⚫
⚫
⚫
Slide 24
Slide 24 text
https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_API.md
Slide 25
Slide 25 text
https://istio.io/docs/concepts/security/
⚫
⚫
⚫
⚫
⚫
Istio Security Architecture
⚫
⚫
⚫
Slide 26
Slide 26 text
⚫
⚫
https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md
spiffe://¥/ns/¥/sa/¥
Slide 27
Slide 27 text
https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md
•
•
•
•
Slide 28
Slide 28 text
https://github.com/istio/istio/blob/release-1.1/security/tools/generate_cert/main.go
https://github.com/istio/istio/blob/release-1.1/security/pkg/nodeagent/sds/server.go
https://github.com/istio/istio/blob/release-1.1/security/pkg/platform/onprem.go
https://istio.io/docs/concepts/security/#kubernetes-scenario
Slide 29
Slide 29 text
認証の図
Slide 30
Slide 30 text
認可の図
Slide 31
Slide 31 text
⚫
⚫
⚫
⚫
⚫
⚫
Slide 32
Slide 32 text
See also
https://istio.io/docs/tasks/security/authz-tcp/
Shows how to set up role-based access control for TCP services.
https://istio.io/docs/tasks/security/authz-http/
Shows how to set up role-based access control for HTTP services.
https://istio.io/docs/tasks/security/authz-permissive/
Shows how to use Authorization permissive mode.
https://istio.io/blog/2018/istio-authorization/
Describe Istio's authorization feature and how to use it in various use cases.
https://istio.io/help/ops/security/debugging-authorization/
Demonstrates how to debug authorization.
https://istio.io/docs/tasks/security/rbac-groups/
Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.
Slide 33
Slide 33 text
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
⚫
Slide 34
Slide 34 text
No content
Slide 35
Slide 35 text
No content