Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy

Transcript

1. Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy

   20 JUNE 2020 Envoy Meetup Tokyo #2

2. About Me Morito Ikeda (@_moricho_) ɾGo, Kubernetes, Rust, … ɾgVisor΍FirecrackerͳͲOSS΁ͷ

   ɹίϯτϦϏϡʔτ ɾ GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷɹɹ ɹిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ɹɹ ɹ༧ఆͰ͢

3. ɾKubeCon + CloudNativeCon Europe 2019ͷηογϣϯ ɾ֤ཁૉٕज़ͷ঺հ ɾͲ͏Zero TrustͳωοτϫʔΫΛ ߏங͍͔ͯ͘͠

4. Zero Trust Networkͱ͸ ৗʹةݥʹࡽ͞Ε͓ͯΓɺ͢΂ͯͷτϥϑΟοΫΛ ৴པ͠ͳ͍͜ͱΛલఏͱͨ͠ωοτϫʔΫ ❌ɿ ڥքͷ֎ଆͷڴҖʹඋ͑Δɺڥքͷ಺ଆ͸҆શ ⭕ɿ ࣮ࡍ͸ڥքͷதͰ΋ෆਖ਼͸ى͜ΓɺڴҖ΋৵ೖ͢Δ

5. ैདྷͷϞϊϦγοΫͳ৔߹ https://static.sched.com/hosted_files/kccncna17/a9/KubeCon2017-Keynote.pdf

6. ϚΠΫϩαʔϏεͷ৔߹ https://static.sched.com/hosted_files/kccncna17/a9/KubeCon2017-Keynote.pdf

7. ϚΠΫϩαʔϏεͷ৔߹ https://static.sched.com/hosted_files/kccncna17/a9/KubeCon2017-Keynote.pdf

8. Zero Trust Networkʹඞཁͳ΋ͷᶃ ɾϚΠΫϩαʔϏεͷؒΛྲྀΕΔωοτϫʔΫτϥϑΟοΫ͕ ҉߸Խ͞Ε͍ͯΔඞཁ͕͋Δ => mTLS (mutual TLS)ʹΑΔAuthN

9. SPIFFE/SPIREͱ͸ SPIFFE ɾαʔϏεؒೝূͷͨΊͷඪ४࢓༷ ɾCNCFࡿԼͷϓϩδΣΫτ ɾϚΠΫϩαʔϏεؒͷೝূ΍௨৴ͷ҉߸Խʹඞཁͳ ɹূ໌ॻ؅ཧΛࣗಈԽ ɾmTLSΛ࣮ݱ ɾSVIDɿSPIFFE Verifable Identity

   Document Node΍workloadͷidentityΛূ໌͢ΔͨΊͷσʔλܗࣜ

10. SPIFFE/SPIREͱ͸ SPIRE ɾSPIFFEͷࢀর࣮૷ ɾSPIRE Server NodeͷೝূɺSVIDʹॺ໊͢ΔͨΊͷΩʔϖΞͷ؅ཧͳͲ ɾSPIRE Agent NodeʹҰ୆͋Δ workloadͷೝূɺ

    SVID, ൿີ伴, TrustBundle(CAূ໌ॻνΣʔϯ)ͷ഑෍ͳͲ

11. https://static.sched.com/hosted_files/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

12. https://static.sched.com/hosted_files/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

13. Zero Trust Networkʹඞཁͳ΋ͷᶄ ɾϚΠΫϩαʔϏε͝ͱͷFW͕ඞཁ => ωοτϫʔΫϙϦγʔΛ࢖༻ͨ͠AuthZ

14. Calicoͱ͸ Project Calico ɾPureͳL3ωοτϫʔΫ ϧʔςΟϯάϓϩτίϧʹBGPΛ࢖༻ flannelͱҧͬͯΦʔόʔϨΠͰ͸ͳ͍ ɾFelix Calicoͷத֩ػೳ ϧʔςΟϯάςʔϒϧ΁ͷܦ࿏৘ใͷઃఆ iptables΁ͷΞΫηεϦετͷઃఆ

    ͳͲ Controle Plane

15. Calicoͱ͸ Calico Network Policy ɾ endpointʹରͯ͠ϙϦγʔ੍ޚΛߦ͏FW ɾτϥϑΟοΫͷํ޲ (Ingress,Egress)΍ڋ൱/ڐՄ (Deny/Allow), ϓϩτίϧ

    (TCP/UDP/ICMPͳͲ), ϙʔτ൪߸ Dikastes ɾEnvoy Plugin ɾDataPlaneʹ഑ஔ͞ΕΔʢPod͝ͱʣ ɾFelix͔Β഑෍͞ΕͨωοτϫʔΫϙϦγʔͷద༻

16. https://static.sched.com/hosted_files/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

17. ZeroTrustͳ ServiceMeshΛ໨ࢦͯ͠ αʔϏε͝ͱͷAuthZ ɾCalicoΛ࢖ͬͨϙϦγʔઃఆͱ ద੾ͳΞΫηε੍ޚ ɾOPAͳͲ΋͋Γ ɾCalico͸NetworkPolicy୯ମͰͷ ࢖༻΋Մೳ ZeroTrustͳNetworkͱ͸ ɾϚΠΫϩαʔϏεԽʹ൐͍ɺ

    ωοτϫʔΫΛލ͍ͩ௨৴͕ ଟ͘ͳͬͨ ɾશͯͷτϥϑΟοΫΛ৴༻͠ͳ͍ લఏͰηΩϡϦςΟରࡦΛ͢Δ αʔϏεؒͷAuthN ɾSPIFFE/SPIREΛ࢖ͬͨೝূɺ ূ໌ॻ؅ཧ ɾαʔϏεؒͷ௨৴Λ mTLSʹ͢Δ ɾIstio΋͋Γ͚ͩͲେ͖͗͢Δ

18. ࢀߟࢿྉ ɾCalicoʹΑΔKubernetesϐϡΞL3ωοτϫʔΩϯά - Yahoo! JAPAN Tech Blog https://techblog.yahoo.co.jp/infrastructure/kubernetes_calico_networking/ ɾProject CalicoͷΞʔΩςΫνϟΛݟͯΈΑ͏

    https://thinkit.co.jp/article/14112 ɾSecuring the Service Mesh with SPIRE - Speaker Deck https://speakerdeck.com/ryysud/securing-the-service-mesh-with-spire ɾZero Trust Service Mesh with Calico, SPIRE, and Envoy https://kccnceu19.sched.com/event/MPe3

19. ࢀߟࢿྉ ɾ৽͍͠ηΩϡϦςΟΞϓϩʔνɺCalicoͱIstioɺKubernetesʹΑΔ ɹθϩτϥετωοτϫʔΫͱ͸ https://thinkit.co.jp/article/13276 ɾProgress Toward Zero Trust Kubernetes Network

    https://www.youtube.com/watch?v=Agxt9Vg-YP4&feature=youtu.be