
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy

moricho
June 20, 2020

Transcript

  1. Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy

    20 JUNE 2020 Envoy Meetup Tokyo #2
  2. About Me
    Morito Ikeda (@_moricho_)
    ・Go, Kubernetes, Rust, …
    ・Contributor to OSS projects such as gVisor and Firecracker
    ・An e-book on writing your own container runtime in Go is scheduled to be published by Impress
  3. Outline
    ・Recap of a session from KubeCon + CloudNativeCon Europe 2019
    ・Introduction of each building-block technology
    ・How to build a Zero Trust network

  4. What is a Zero Trust Network?
    A network built on the premise that it is always exposed to danger and that no traffic is trusted.
    ❌: Defend against threats outside the perimeter; everything inside the perimeter is safe.
    ⭕: In reality, misuse happens inside the perimeter too, and threats do get in.

  5. The traditional monolithic case https://static.sched.com/hosted_files/kccncna17/a9/KubeCon2017-Keynote.pdf

  6. The microservices case https://static.sched.com/hosted_files/kccncna17/a9/KubeCon2017-Keynote.pdf

  7. The microservices case https://static.sched.com/hosted_files/kccncna17/a9/KubeCon2017-Keynote.pdf

  8. What a Zero Trust Network needs ①
    ・Network traffic flowing between microservices must be encrypted
    => AuthN via mTLS (mutual TLS)

  9. What are SPIFFE/SPIRE? SPIFFE
    ・A standard specification for service-to-service authentication
    ・A project under the CNCF
    ・Automates the certificate management needed to authenticate microservices and encrypt their communication
    ・Realizes mTLS
    ・SVID: SPIFFE Verifiable Identity Document, a data format for proving the identity of a node or workload
  10. What are SPIFFE/SPIRE? SPIRE
    ・The reference implementation of SPIFFE
    ・SPIRE Server: authenticates nodes, manages the key pair used to sign SVIDs, etc.
    ・SPIRE Agent: one per node; authenticates workloads and distributes SVIDs, private keys and the trust bundle (CA certificate chain), etc.
  11. https://static.sched.com/hosted_files/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

  12. https://static.sched.com/hosted_files/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

  13. What a Zero Trust Network needs ②
    ・A firewall per microservice is needed
    => AuthZ using network policy

  14. What is Calico? Project Calico
    ・A pure L3 network: uses BGP as its routing protocol; unlike flannel, it is not an overlay
    ・Felix: Calico's core component (control plane); programs routes into the routing table, programs access lists into iptables, etc.
  15. What is Calico? Calico Network Policy
    ・A firewall that applies policy control to endpoints
    ・Rules specify traffic direction (Ingress, Egress), Deny/Allow, protocol (TCP/UDP/ICMP, etc.) and port number
    Dikastes
    ・An Envoy plugin
    ・Deployed in the data plane (one per Pod)
    ・Enforces the network policies distributed by Felix
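As an added illustration of the rule dimensions listed on this slide (this is example configuration, not from the talk or from Project Calico), the pair below gives a namespace a default-deny policy and then allows one workload identity to reach one service on one port and path prefix; the namespace, labels and service-account names are assumed.

```yaml
# Added example (not from the talk). Namespace "shop", the app labels and
# the service-account name "frontend" are assumed values.
# 1) Default deny: every endpoint in the namespace drops all ingress and
#    egress unless a policy with a lower "order" value allows it first.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: shop
spec:
  order: 1000
  selector: all()
  types:
    - Ingress
    - Egress
---
# 2) Allow only the "frontend" service account to reach the backend's API
#    port, and only for the methods and path prefix it needs. The
#    serviceAccounts and http matches are evaluated by Dikastes in the
#    Envoy sidecar against the identity the peer presented over mTLS,
#    rather than against a source IP address.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: shop
spec:
  order: 100
  selector: app == 'backend'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        serviceAccounts:
          names:
            - frontend
      destination:
        ports:
          - 8080
      http:
        methods:
          - GET
          - POST
        paths:
          - prefix: /api/
```

The default-deny policy also blocks egress, so in a real cluster add an egress Allow rule for DNS (and any other required dependencies) before applying it.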
  16. https://static.sched.com/hosted_files/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

  17. Toward a Zero Trust Service Mesh
    What a Zero Trust Network means
    ・With the move to microservices, far more communication crosses the network
    ・Apply security controls on the premise that no traffic is trusted
    AuthN between services
    ・Authentication and certificate management using SPIFFE/SPIRE
    ・Make all service-to-service communication mTLS
    ・Istio is an option too, but it is too big
    AuthZ per service
    ・Policy configuration and appropriate access control using Calico
    ・OPA and others are options too
    ・Calico can also be used with NetworkPolicy alone
  18. References
    ・Kubernetes pure L3 networking with Calico - Yahoo! JAPAN Tech Blog https://techblog.yahoo.co.jp/infrastructure/kubernetes_calico_networking/
    ・A look at the architecture of Project Calico https://thinkit.co.jp/article/14112
    ・Securing the Service Mesh with SPIRE - Speaker Deck https://speakerdeck.com/ryysud/securing-the-service-mesh-with-spire
    ・Zero Trust Service Mesh with Calico, SPIRE, and Envoy https://kccnceu19.sched.com/event/MPe3
  19. References
    ・A new security approach: what is a zero trust network built with Calico, Istio and Kubernetes https://thinkit.co.jp/article/13276
    ・Progress Toward Zero Trust Kubernetes Network https://www.youtube.com/watch?v=Agxt9Vg-YP4&feature=youtu.be