踏み台で環境にTeleportする.pdf

Transcript

1. ౿Έ୆Ͱ؀ڥʹTeleport͢Δ 2018/10/31 By @ken5scal

2. - Access Control - Environmental Separation - Separation of Duties

   - Audit Bastion

3. - Teleport - Our Architecture - Deployment - TSURAMI Outline

4. Teleport

5. - OSS and CNCF - Browser Based Bastion - Session

   Sharable - Byebye to SSH Teleport

6. OSS and CNCF

7. Browser Based (login)

8. Browser Based (Audit)

9. Session Sharable

10. - No local SSH private key required - Less Credential

    in local - IdP Federated - SAML, OIDC SSO - So RBAC can be done - Makes user Identifiable Bye Bye to SSH

11. OpenSSH is still possible

12. - Teleport - Our Architecture - Deployment - TSURAMI Outline

13. Our Architecture

14. None

15. Emergency Bastion - Accessible from Internet - SSH Key Based

    - Krypton - Save private key in Smart Phone - No local private key :)

16. Managed in Terraform Module - Terraform module - I'm not

    a big fun of Ansible - But about to give up - TSURAMI

17. - Teleport - Our Architecture - Deployment - TSURAMI Outline

18. Deployment

19. - Terraform apply - and… Deployment

20. - Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ

    ݟग़͠ IUUQTXXXTFLBJSPDPNIUNM

21. Ts˒ura˒mi

22. - Multi-Deploy - Multi-Envs Manual Environment

23. - Multi-Deploy - Code Deploy - Multi-Envs Manual Environment

24. - Multi-Deploy - Multi-Envs - Trusted Clusters Manual Environment

25. - Min-privilege w/ 15-microservices - 5 different environments - No

    centralized AuthZ service - Distributed but same config RBAC

26. - RBAC -> ABAC? - JWT base federation? - Controll

    Plane? RBAC Solution?

27. - RBAC -> ABAC? - JWT base federation? - Controll

    Plane? RBAC Solution? $POUSPM
    1MBOF

28. - Hard to read in Dynamo DB - Datadog log

    Logs

29. Isolate, for real

30. ͜͜ʹςΩετΛೖΕ·͢ɻ ͻͱͭͷεϥΠυʹ಺༰Λ٧Ί͗͢ ͳ͍Α͏ʹ͠·͠ΐ͏ɻ ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕ εϥΠυ࡞ΓͷجຊͰ͢ɻ ݟग़͠

31. And More

32. ͜͜ʹςΩετΛೖΕ·͢ɻ ͻͱͭͷεϥΠυʹ಺༰Λ٧Ί͗͢ ͳ͍Α͏ʹ͠·͠ΐ͏ɻ ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕ εϥΠυ࡞ΓͷجຊͰ͢ɻ ݟग़͠

33. We are hiring!

34. Thank you @ken5scal

35. ಊʑͱͨ͠ݟग़͠

36. None