Upgrade to Pro — share decks privately, control downloads, hide ads and more …

脅威モデリングで考える Kubernetes セキュリティ / CloudNative Days Tokyo 2021 #CNDT2021 #CNDT2021_B

mrtc0
November 04, 2021
Programming
7
1.9k

脅威モデリングで考える Kubernetes セキュリティ / CloudNative Days Tokyo 2021 #CNDT2021 #CNDT2021_B

mrtc0

November 04, 2021
Tweet

More Decks by mrtc0

See All by mrtc0
GMO ペパボ株式会社 23卒・24卒向け セキュリティ勉強会 実践 DevSecOps パイプライン
mrtc0
1
230
実践 DevSecOps パイプライン ~システム開発へのセキュリティの取り入れ方~
mrtc0
1
170
ProSec-IT 2021 Container Security
mrtc0
2
460
GMO Developer Day 2021 - DevSecOps 推進の取り組みの紹介.pdf
mrtc0
4
1.2k
Web セキュリティ研修 / GMO ペパボ 新卒研修 2021
mrtc0
6
37k
実践コンテナ & Kubernetes セキュリティ
mrtc0
12
3.4k
Introduction to Seccomp
mrtc0
4
7.9k
Kubernetes Security for penetration testers
mrtc0
2
2.2k
Container Security - Linux container isolation and breakout techniques
mrtc0
0
1k

Other Decks in Programming

See All in Programming
PO,SMに送るテスト自動化の8原則に5箇条を添えて / scrumniigata2023
pineapplecandy
2
830
MicroProfileのススメ~ なぜぼくはコレを使うのか~
ogiwarat
2
120
Github CopilotとChatGPTを使って感じた使い分けの糸口 / JavaDo #22
gishi_yama
0
180
Jetpack Compose Debugging to fix performance problems
yucamm124
0
260
sync.Mutexの仕組みを理解する
ffjlabo
1
580
Evolving a microservice architecture: how to right-size your services
cer
PRO
0
750
enjoy_conferences
maimux2x
0
5k
例示! Spring Bootで作られた REST APIのテストコード/ Testing-Example-for-a-REST-API-created-with-Spring-Boot
hirotokirimaru
1
270
KubeCon + CNCon Europe 2023 Recap Flux Beyond Git: Harnessing the Power of OCI
ksudate
0
310
コンテナ環境でのJavaチューニング
kazumura
2
390
サイト信頼性を高める前に開発チームからの信頼性を高めよう
syossan27
9
2.2k
ゲームの抽選ロジックにGenericsを使ってみたら開発が楽になった話
qualiarts
0
120

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
The Invisible Customer
myddelton
113
12k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Support Driven Design
roundedbygravity
88
9k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
780
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
5
6.5k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
WebSockets: Embracing the real-time Web
robhawkes
58
6.2k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k

Transcript

  1. ,PIFJ.PSJUB(.01FQBCP *OD
    $MPVE/BUJWF%BZT5PLZP
    ڴҖϞσϦϯάͰߟ͑Δ
    ,VCFSOFUFTηΩϡϦςΟ

    View Slide

  2. (.01FQBCP *OD4FOJPS&OHJOFFS
    ,PIFJ.PSJUB!NSUD
    ηΩϡϦςΟରࡦࣨ
    CMPHTTSGJO NSUD!TTSGJO

    View Slide

  3. .ZSFDFOU"DUJWJUJFT
    DPOUBJOFSTFDVSJUZEFW HJUIVCDPNNSUDCPVIFLJ

    View Slide

  4. "HFOEB
    ڴҖϞσϦϯάͱ͸
    طଘͷ,VCFSOFUFTڴҖϞσϦϯά
    ڴҖϞσϦϯά͔ΒݟΔ,VCFSOFUFTΫϥελͷ"UUBDL4VSGBDFT

    View Slide

  5. ,VCFSOFUFT4FDVSJUZJT)BSE
    ,VCFSOFUFTίϯςφίϯςφΠϝʔδ$*ɾ$%ύΠϓϥΠϯιϑτ΢ΣΞFUD
    ɾෳࡶͳͷͰʮͲ͜ΛकΔ΂͖͔ʯʮԿ͔ΒकΔ΂͖͔ʯ͕෼͔Γʹ͍͘ɺ೉͘͠ײͯ͡͠·͏
    cc
    ,VCFSOFUFTΫϥελ
    ɾίϯςφ͚ͩΛηΩϡΞʹͯ͠΋ɺଞͷͱ͜Ζʹ͕݀͋Ε͹ɺΫϥελΛঠѲ͞Εͯ͠·͏
    NJTDPOpHSBUJPO 4VQQMZ$IBJO 7VMOFSBCJMJUJFT FUD

    View Slide

  6. Կ͔ΒकΔ͔ɺԿΛकΔ͔
    ɾγεςϜ͕ʮͲͷΑ͏ʹ߈ܸ͞ΕΔ͔ʯΛཧղ͢Δ͜ͱ͸๷ޚͷجຊ
    Կ͔ΒकΔͷ͔εΫϦϓτΩσΟ ߴ౓ͳ߈ܸ ಺෦൜ߦ
    ԿΛकΔͷ͔ػີσʔλ αʔόʔ ΞϓϦέʔγϣϯ
    ɾγεςϜɾΞʔΩςΫνϟͷཧղ
    ԿΛ͢ΔͨΊͷιϑτ΢ΣΞ αʔϏε
    ηΩϡϦςΟཁ݅͸
    ͲͷΑ͏ͳػີ৘ใΛѻ͏ ͦͷσʔλ΁ͷΞΫηεํ๏͸
    σʔλ͸ͲͷίϯϙʔωϯτͰॲཧ͢Δ

    View Slide

  7. ڴҖϞσϦϯάͱ͸
    γεςϜͷજࡏతͳڴҖΛ༧ଌ͢ΔͨΊͷϞσϧΛ࡞੒͢Δϓϩηε
    γεςϜΛந৅Խͯ͠શମ૾Λ၆ᛌ͢Δ͜ͱͰɺڴҖ ϦεΫͱͳΔཁҼ
    Λݟ͚ͭΔ
    ڴҖϞσϦϯά㱩ڴҖ෼ੳͰ͋Γɺຊདྷ͸ڴҖͷநग़ͷΈΛߦ͍·͕͢ɺຊηογϣϯͰ͸ରࡦ౳ʹ͍ͭͯ΋৮Ε·͢ɻ

    View Slide

  8. ڴҖϞσϦϯάͷϑϨʔϜϫʔΫ
    453*%& 1"45" 5SJLF 33"
    ݫີʹ͸33"͸ηΩϡϦςΟͷͨΊͷڴҖ෼ੳΛߦ͏ख๏Ͱ͸͋Γ·ͤΜ͕ɺ.P[JMMB,VCFSOFUFTͰ΋ར༻͞Ε͍ͯΔख๏ͳͷͰࡌ͍ͤͯ·͢ɻ
    ΋ͪΖΜɺ্هҎ֎ͷख๏΋͋Γ·͢ɻ

    View Slide

  9. 453*%&
    ڴҖ ҙຯ ྫ
    4QPPpOH ͳΓ͢·͠
    ଞϢʔβʔ΁ͷͳΓ͢·͠
    ωοτϫʔΫ্Ͱͷผ୺຤΁ͷͳΓ͢·͠
    5BNQFSJOH վ᜵ɺσʔλͷมߋ ϑΝΠϧ΍%#ɺωοτϫʔΫܦ࿏ͷվ᜵
    3FQVEJBUJPO ൱ೝɺ߈ܸ͍ͯ͠ͳ͍͜ͱΛओுͰ͖Δɻ ϩάͱͯ͠ه࿥͕࢒Βͳ͍
    *OGPSNBUJPO%JTDMPTVSF ެ։͞ΕΔ΂͖Ͱͳ͍৘ใ͕Ӿཡ͞ΕΔ
    Τϥʔϝοηʔδ΍ϩάʹൿಗ͢΂͖৘ใؚ͕·ΕΔ
    "$-ͷෆඋ
    %FOJBMPG4FSWJDF αʔϏε๦֐ɺਖ਼ৗʹαʔϏεΛఏڙͰ͖ͳ͍ɻ
    ॲཧͷॏ͍ΤϯυϙΠϯτͷଘࡏ
    େྔͷΞΫηεɺσΟεΫ༰ྔͷѹഭ
    &MFWBUJPOPG1SJWJMFHF ݖݶঢ֨ɺҙਤͨ͠Ҏ֎ͷݖݶΛऔಘ͞ΕΔɻ
    ೚ҙͷίʔυΛ࣮ߦͰ͖Δ࢓૊Έͷଘࡏ
    ೝূɾೝՄͷෆඋ

    View Slide

  10. %'% %BUB'MPX%JBHSBN

    ڴҖϞσϧର৅ͷίϯϙʔωϯτΛྻڍ͠ɺσʔλͷྲྀΕ΍ͲͷΑ͏ͳσʔλΛѻ͏͔هࡌ͢Δ

    View Slide

  11. %'% %BUB'MPX%JBHSBN

    ϓϩηεσʔλͷೖग़ྗΛߦ͏΋ͷɻ8FCαʔϏε΍04ϓϩηεͳͲ
    σʔλετΞӬଓɾҰ࣍هԱྖҬɻΩϟογϡ΍%#ͳͲ
    ֎෦ΤϯςΟςΟ௚઀੍ޚͰ͖ͳ͍΋ͷɻϢʔβʔɺ֎෦αʔϏεͳͲ
    σʔλϑϩʔ֎෦ΤϯςΟςΟɺϓϩηεɺσʔλετΞؒͷσʔλͷྲྀΕ
    ৴པڥքԿ͔Λ੍ޚ͢Δͱ͜ΖʹҾ͘ڥքઢɻωοτϫʔΫɺϗετɺ૊৫
    ڥքઢΛ௒͑Δ߈ܸʹࡽ͞ΕΔՄೳੑ͕ߴ͍ͱ͜Ζ

    View Slide

  12. %'% %BUB'MPX%JBHSBN

    $/$''JOBODJBM6TFS(SPVQ
    453*%&
    IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

    View Slide

  13. ڴҖͷಛఆ
    ڴҖͷಛఆΛ؆୯ʹ͢ΔͨΊʹ453*%&7BSJBOUT͕͋Δ
    453*%&QFS&MFNFOU
    %'%ͷ͢΂ͯͷཁૉʹରͯ͠ɺ9ͷνΣοΫϚʔΫ͕͋Δ
    453*%&ͷڴҖΛಋग़͢Δ
    453*%&QFS*OUFSBDUJPO
    ৴པڥքͱަࠩ͢Δσʔλϑϩʔʹண໨͠ɺڴҖΛಋग़͢Δ
    γεςϜͷن໛΍ෳࡶ౓ʹΑͬͯ1SPT$POT͋Δ

    View Slide

  14. "UUBDL5SFF
    ൃݟͨ͠ڴҖʹ͍ͭͯɺ۩ମతͳ߈ܸख๏Λྻڍ͢Δ
    FHผͷϢʔβʔʹͳΓ͢·͠Ͱ͖ΔڴҖ 4QPPpOH

    FHผͷϢʔβʔʹͳΓ͢·͠Ͱ͖ΔڴҖ 4QPPpOH

    ͳΓ͢·͢ख๏ͱͯ͠ʮෆਖ਼ϩάΠϯʯʮ౪ௌʯ͕ߟ͑ΒΕΔ
    ʮෆਖ਼ϩάΠϯʯΛ໨తͱͨ͠৔߹ɺͦͷख๏ͱͯ͠
    ʮ૯౰Γ߈ܸʯʮϦετܕ߈ܸʯ͕ߟ͑ΒΕΔ
    ໨తͱखஈΛ໦ߏ଄Ͱදݱ͍ͯ͘͜͠ͱͰɺ
    ߈ܸύλʔϯΛ၆ᛌͰ͖ɺ
    ߈ܸ͕Ͱ͖ͳ͘ͳΔ৚݅Λಋग़Ͱ͖Δ

    View Slide

  15. "UUBDL5SFF
    "UUBDL5SFFͷ࡞੒ʹ͸߈ܸख๏ʹؔ͢Δ஌͕ࣝඞཁͱ͞ΕΔ
    ˠ࡞੒ऀͷ஌ࣝ΍ܦݧʹґଘͯ͠͠·͏
    "UUBDL-JCSBSZͳͲɺ߈ܸύλʔϯΛ஝ੵͨ͠ϥΠϒϥϦΛࢀߟʹ͢Δ
    $"1&$IUUQTDBQFDNJUSFPSH
    "55$,IUUQTBUUBDLNJUFSPSH
    IUUQTBUUBDLNJUSFPSHNBUSJDFTFOUFSQSJTFDPOUBJOFST
    IUUQTXXXNJDSPTPGUDPNTFDVSJUZCMPHTFDVSFDPOUBJOFSJ[FEFOWJSPONFOUTXJUIVQEBUFEUISFBUNBUSJYGPSLVCFSOFUFT
    ίϯςφ,VCFSOFUFTͷ"55$,΋ଘࡏ͢Δ

    View Slide

  16. ϦεΫ΁ͷରԠ
    ରࡦͷ༏ઌ౓Λߦ͏ͨΊʹϦεΫධՁΛߦ͏
    $744IUUQTXXXJQBHPKQTFDVSJUZWVMO$744IUNM
    %3&"%IUUQTFOXJLJQFEJBPSHXJLJ%3&"%@ [email protected]@NPEFM

    .JUJHBUJPO؇࿨ࡦɺѱ༻Λࠔ೉ʹ͢Δ
    &MJNJOBUJOHػೳΛഉআ͢Δ
    5SBOTGFSSJOHผͷԿ͔ʹϦεΫΛ೚ͤΔFHೝূΛ֎෦αʔϏεʹ೚ͤΔ
    "DDFQUJOHϦεΫΛड͚ೖΕΔ
    ࠜຊతͳղܾࡦ͕ଘࡏ͠ͳ͍έʔε΋͋Δ

    View Slide

  17. طଘͷ,VCFSOFUFTڴҖϞσϦϯά

    View Slide

  18. ,VCFSOFUFTͷڴҖϞσϦϯά
    w 4FDVSJUZ"VEJU8( 5SBJMPG#JUT

    33"

    IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZUSFFNBTUFSTJHTFDVSJUZTFDVSJUZBVEJUpOEJOHT

    View Slide

  19. 3BQJE3JTL"TTFTTNFOU 33"

    w αʔϏεʹؔ͢Δ࣭໰
    w ࢓૊ΈɺίϯϙʔωϯτϦετɺϓϩτίϧɺσʔλͷอଘՕॴ΍อଘͷํ๏ͳͲ
    w $POUSPM'BNJMJFT γεςϜͷػີੑɺ׬શੑɺՄ༻ੑΛอޢ͢ΔͨΊͷٕज़తͳཁૉʹ͍ͭͯ

    w "VUIPSJ[BUJPO "VUIFOUJDBUJPO 4FDSFUT.BOBHFNFOU /FUXPSLJOH FUD
    w ίϯϙʔωϯτ͝ͱʹ$POUSPM'BNJMJFTͷධՁ
    w ۩ମతͳ߈ܸͷγφϦΦྻڍͱਂࠁ౓౳ͷධՁɺ୹ظతɾ௕ظతͳରࡦ
    w .P[JMMBͷ33"ςϯϓϨʔτΛΧελϚΠζ͍ͯ͠Δ
    IUUQTJOGPTFDNP[[email protected]@BTTFTTNFOUIUNM

    View Slide

  20. $POUSPM'BNJMJFT LVCFMFU

    ೝূͳ͠Ͱ઀ଓͰ͖ΔαʔϏε͕͋Γɺ
    ͜ͷϙʔτʹΞΫηεͰ͖Δ߈ܸऀʹ
    1PETQFDͳͲͷ৘ใ͕࿙Ӯ͢Δ

    View Slide

  21. 'JOEJOHT LVCFMFU

    ߈ܸʹ͍ͭͯͷධՁ
    ɾ߈ܸऀ͸৵ೖࡁΈ͔ɺ಺෦Ϣʔβʔ͕લఏ
    ɾϫʔΫϩʔυͷ৘ใ΍Ұ෦ͷΫϨσϯγϟϧ͕
    ࿙Ӯ͢ΔՄೳੑ
    ରࡦʹ͍ͭͯ
    ɾϙʔτ͸σϑΥϧτͰด͡ΔΑ͏ʹมߋ
    ɾϙʔτ͸N5-4ʹΑͬͯอޢ

    View Slide

  22. ,VCFSOFUFTͷڴҖϞσϦϯά
    w $/$''JOBODJBM6TFS(SPVQ
    453*%&

    IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

    View Slide

  23. "UUBDL7FDUPST
    IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

    View Slide

  24. (JU-BC,VCFSOFUFT"HFOU
    w (JU-BC,VCFSOFUFT"HFOU
    IUUQTBCPVUHJUMBCDPNCMPHUISFBUNPEFMJOHLVCFSOFUFTBHFOU
    [email protected]
    ,VCFSOFUFTࣗମͷڴҖϞσϦϯάͰ͸͋Γ·ͤΜ͕ɺ
    ,VCFSOFUFTͱΠϯςάϨʔγϣϯ͢Διϑτ΢ΣΞͷࣄྫͳͷͰɺڍ͍͛ͯ·͢

    View Slide

  25. ՍۭͷΫϥελΛڴҖϞσϦϯά͢Δ

    View Slide

  26. ՍۭͷΫϥελͷ%'%
    ؆୯ͷͨΊʹҰ෦লུ͍ͯ͠·͢

    View Slide

  27. 453*%&QFS*OUFSBDUJPO
    ߈ܸऀͱϓϩηεؒͷσʔλϑϩʔʹݶఆ͍ͯ͠·͢
    453*%&ͷநग़΋Ұ෦ͷΈͰ͢

    View Slide

  28. "55$,
    &YQPTFE%BTICPBSE
    "SHP$% "SHP8PSLMPBE
    (SBGBOB ,VCFSOFUFT%BTICPBSE
    IUUQTB[VSFNJDSPTPGUDPNFOVTCMPHEFUFDUMBSHFTDBMFDSZQUPDVSSFODZNJOJOHBUUBDLBHBJOTULVCFSOFUFTDMVTUFST
    IUUQTXXXJOUF[FSDPNCMPHDPOUBJOFSTFDVSJUZOFXBUUBDLTPOLVCFSOFUFTWJBNJTDPOpHVSFEBSHPXPSLqPXT
    ࣄྫ

    View Slide

  29. "55$,
    $MPVE$SFEFOUJBMT,VCFDPOpH
    ΤϯυϙΠϯτ୺຤ͷอޢ΋ඞཁ

    View Slide

  30. "UUBDL5SFF
    "UUBDL5SFFʹͯ͠۩ମతͳ
    ߈ܸख๏Λྻڍ͢Δ

    View Slide

  31. 4VNNBSZ
    ڴҖϞσϦϯάɾڴҖ෼ੳͰજࡏతͳϦεΫΛચ͍ग़͢͜ͱ͕Ͱ͖Δ
    γεςϜɾσʔλΛอޢ͢Δʹ͸ɺͲ͜ΛकΕ͹Α͍͔͕ݟ͑ͯ͘Δ
    ΋ͪΖΜສೳͰ͸ͳ͍͠ɺͦΕΛߦ͏ͨΊͷτϨʔχϯά΋ඞཁ
    ,VCFSOFUFT΍ίϯςφͷ"55$,Λࢀরͯ͠۩ମతͳ߈ܸख๏Λ஌Δ
    Ϋϥελ߈ུͷͨΊʹԿΛ଍͕͔Γʹ͢Δͷ͔ɺ߈ܸΛӬଓԽ͢ΔͨΊʹԿΛ࢓ֻ͚Δͷ͔
    ˠࣗ෼ͨͪͷ࡞ٕͬͨज़ج൫΍ιϑτ΢ΣΞͷ"55$,ͷ࡞੒ͯ͠׆༻͢Δ
    ݟ͔ͭͬͨڴҖΛνΣοΫϦετԽͯ͠αʔϏε։ൃʹ׆͔͢

    View Slide