踏み台で環境にTeleportする.pdf
Kengo Suzuki
December 05, 2018
Technology
#Teleport #Bastion
Transcript
Teleporting into environments via a bastion host (踏み台で環境にTeleportする) 2018/10/31 By @ken5scal

Bastion
- Access Control
- Environmental Separation
- Separation of Duties
- Audit

Outline
- Teleport
- Our Architecture
- Deployment
- TSURAMI
Teleport
Teleport
- OSS and CNCF
- Browser Based Bastion
- Session Sharable
- Byebye to SSH
OSS and CNCF
Browser Based (login)
Browser Based (Audit)
Session Sharable
Bye Bye to SSH
- No local SSH private key required
- Less credential in local
- IdP Federated
- SAML, OIDC SSO
- So RBAC can be done
- Makes user identifiable
OpenSSH is still possible
Outline
- Teleport
- Our Architecture
- Deployment
- TSURAMI
Our Architecture
Emergency Bastion
- Accessible from Internet
- SSH Key Based
- Krypton
- Save private key in Smart Phone
- No local private key :)
Managed in Terraform Module
- Terraform module
- I'm not a big fan of Ansible
- But about to give up
- TSURAMI
Outline
- Teleport
- Our Architecture
- Deployment
- TSURAMI
Deployment
Deployment
- Terraform apply
- and…
Tsurami
Manual Environment
- Multi-Deploy
- Multi-Envs

Manual Environment
- Multi-Deploy
- Code Deploy
- Multi-Envs

Manual Environment
- Multi-Deploy
- Multi-Envs
- Trusted Clusters
RBAC
- Min-privilege w/ 15 microservices
- 5 different environments
- No centralized AuthZ service
- Distributed but same config

RBAC Solution?
- RBAC -> ABAC?
- JWT base federation?
- Control Plane?

RBAC Solution?
- RBAC -> ABAC?
- JWT base federation?
- Control Plane?
Control Plane
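The two pain points above (per-environment least privilege with no central authorization service, and joining several environments with trusted clusters) are what Teleport's role and trusted_cluster resources exist for. The following is an added example written for this page, not a configuration from the deck or from the Teleport project; the cluster names, node labels, OS logins, proxy addresses and the join token are constructed placeholders. It shows a role that is allowed only onto nodes labelled env=dev and explicitly denied env=prod nodes, and a trusted_cluster resource that lets a root cluster reach this environment while mapping the root cluster's roles onto local ones, so the same role file can be deployed to every environment with only the labels differing.

```yaml
# Added example (not from the deck). Role and trusted-cluster resources for
# Teleport, applied with:  tctl create -f <this file>
# All names, labels, logins, addresses and the token below are constructed.
kind: role
version: v3
metadata:
  name: dev-engineer            # constructed role name
spec:
  options:
    max_session_ttl: 8h0m0s     # short-lived certificates instead of long-lived SSH keys
  allow:
    logins: ["app"]             # OS accounts this role may log in as (constructed)
    node_labels:
      env: "dev"                # allow only nodes that carry env=dev
  deny:
    node_labels:
      env: "prod"               # deny wins over allow: never reach prod nodes with this role
---
# Registered on the leaf (environment) cluster; it points at the root cluster's
# proxy and maps roles coming from the root cluster to roles defined locally.
kind: trusted_cluster
version: v2
metadata:
  name: root-cluster            # constructed name of the root cluster
spec:
  enabled: true
  token: "REPLACE-WITH-JOIN-TOKEN"   # placeholder; generated on the root cluster with tctl
  role_map:
    - remote: "dev-engineer"    # role name as seen in the root cluster
      local: ["dev-engineer"]   # role(s) granted in this environment
  tunnel_addr: "root.example.invalid:3024"     # reverse-tunnel port of the root proxy (constructed)
  web_proxy_addr: "root.example.invalid:3080"  # web/API port of the root proxy (constructed)
```

The check a practitioner wants after applying this is that `tsh ls` for a user holding only dev-engineer lists env=dev nodes and no env=prod nodes, and that an attempt against a prod node is refused and shows up in the audit log; the deny block is what keeps a mislabelled or later-added node from silently widening access.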
Logs
- Hard to read in Dynamo DB
- Datadog log
Isolate, for real
And More
We are hiring!
Thank you @ken5scal