インフラ基盤技術のセキュリティとこれから

Transcript

1. Πϯϑϥج൫ٕज़ͷηΩϡϦςΟͱ͜Ε͔Β ৿ా
   ߒฏ
   
   (.0
   1FQBCP
   *OD
   
   *OGSB4UVEZ
    ΠϯϑϥͱηΩϡϦςΟͱ
   ͜Ε͔Β

2. ৿ా
   ߒฏ
   
   !NSUD (.0ϖύϘ
   ηΩϡϦςΟରࡦࣨ
   γχΞΤϯδχΞ
   ηΩϡϦςΟɾΩϟϯϓߨࢣ
   ηΩϡϦςΟɾΩϟϯϓ
   εςΞϦϯάίϛοςΟ
   *1"ະ౿ΫϦΤʔλ IUUQTCMPHTTSGJO

3. ࠓ೔࿩͢͜ͱ wίϯςφ΍
   ,VCFSOFUFT
   ͳͲͷηΩϡϦςΟ
   wηΩϡϦςΟʹͲ͏޲͖߹͍͔ͬͯ͘
   ෼͸ҙ֎ͱ୹͍ͷͰ࿩͍ͨ͜͠ͱશ෦࿩͖͠Εͳ͍
   ͳͷͰ࣭ٙԠ౴΍࠙਌ձ౳Ͱ΋ٞ࿦͠·͠ΐ͏

4. $POUBJOFS
   4FDVSJUZ

5. ίϯςφͷ࡞Γํɺյ͠ํ IUUQTTQFBLFSEFDLDPNNSUDDPOUBJOFSTUSVDUVSFBOEFYQMPJUBUJPONFUIPE

6. -JOVYίϯςφͷ࢓૊Έ wৄ͘͠͸
   *OGSB4UVEZ
   
   ͷճΛ؍͍ͯͩ͘͞
   w-JOVY
   ͷηΩϡϦςΟػߏΛར༻ͯ͠ݖݶ΍Ϧιʔεͷ෼཭
   w/BNFTQBDF
   DHSPVQ
   $BQBCJMJUZ
   TFDDPNQ
   -4.
   FUD
   w΋͠ίϯςφͷݖݶ෼཭౳ʹෆඋ͕͋Δ৔߹͸ɺϗετͷ
   SPPU
   Λऔ

   ಘ͞ΕΔՄೳੑ͕͋Δ

7. -JOVY
   ίϯςφͷओͳ߈ܸγφϦΦ wίϯςφΠϝʔδͷ੬ऑੑ
   wίϯςφϥϯλΠϜͷ੬ऑੑٴͼઃఆෆඋ
   w-JOVY
   Χʔωϧͷ੬ऑੑ

8. ίϯςφηΩϡϦςΟͷࢦඪ wίϛϡχςΟ΍ػ͕ؔࡦఆ͍ͯ͠ΔΨΠυϥΠϯΛಡΉͱྑ͍
   w$*4
   #FODINBSLT
   
   4FDVSJOH
   %PDLFS
   w/*45
   41
   
   
   "QQMJDBUJPO
   $POUBJOFS
   4FDVSJUZ
   wͿͬͪΌ͚ʮ͑ɺͦ͜·Ͱ͢Δͷʯͱ͍͏ͷ΋͋ΔͷͰɺࣗࣾʹͱͬ ͯͷڴҖ͸Կ͔Λߟ͑ͯखΛೖΕ͍ͯ͘ͷ͕ྑ͍

9. 4FOTJUJWF
   'JMF
   .PVOU wίϯςφ͔ΒಡΈॻ͖Ͱ͖ͯ͸͍͚ͳ͍ϑΝΠϧ͕ଟ਺͋Δ
   wQSPDLDPSF
   QSPDTZTSRUSJHHFS
   w3FBE0OMZ
   ʹ͢Δ
   Ϛ΢ϯτ͠ͳ͍ͳͲͷରԠ
   wWBSSVOEPDLFSTPDL
   ͷϚ΢ϯτ΋μϝ

10. $BQBCJMJUZ
    ΍
    TFDDPNQ w $"1@4:4@"%.*/
    ΍
    $"1@4:4@153"$&
    $"1@%"$@3&"%@4&"3$)
    ͳͲ
    w ಛݖίϯςφ͸ඇৗʹةݥ
    w NPVOU
    Λݺͼग़ͯ͠
    EFWTEB
    ΍
    EFWWEB
    ͳͲͷϚ΢ϯτ
    w

    DHSPVQ
    ͷ
    OPUJGZ@PO@SFMFBTF
    Λར༻ͨ͠
    #SFBL0VU

11. DBMM@VTFSNPEFIFMQFS@FYFD wίʔϧόοΫͷΑ͏ʹϓϩάϥϜΛ࣮ߦ͢Δ
    wSFMFBTF@BHFOU
    CJOGNU@NJTD
    DPSF@QBUUFSO
    VFOWFU@IFMQFS
    ͳͲ
    w͜ͷ࢓૊ΈΛར༻ͯ͠ϗετଆʹΤεέʔϓͰ͖Δ

12. #SFBLPVU
    XJUI
    VFWFOU@IFMQFS IUUQTBTDJJOFNBPSHB,C5PZ3O%MZD#ULIW)(I1

13. #SFBLPVU
    XJUI
    DHSPVQ
    SFMFBTF@BHFOU IUUQTBTDJJOFNBPSHBO'MP;2V40'%IVGZ28WH

14. TFDDPNQ
    CZQBTT w-JOVY
    ,FSOFM
    
    Ҏલ͸
    QUSBDF 
    Λ࢖ͬͯόΠύεՄೳ IUUQTBTDJJOFNBPSHBK5+N-77Z$D'LJT+910&/L

15. %FGFOTF
    *O
    %FQUI w-JOVY
    ίϯςφ͸ଟ૚๷ޚͰͰ͖͍ͯΔ
    w͋Δػߏ͕ಥഁ͞Εͯ΋ɺผͷػߏͰ๷͙
    
    ؇࿨͢Δ
    wFH
    TFDDPNQ
    ͕ಥഁ͞Εͯ΋
    DBQBCJMJUZ
    ͰϒϩοΫ
    w͜ͷ֓೦͸͋ΒΏΔηΩϡϦςΟͷྖҬͰඞཁ

16. ,VCFSOFUFT
    4FDVSJUZ

17. ,VCFSOFUFT
    4FDVSJUZ w 4FSWJDF"DDPVOU
    ؚΊͨ
    3#"$
    ͷઃఆ
    w ҆શͳίϯςφΠϝʔδͷར༻
    w /FUXPSL
    1PMJDZ
    w 4FSWJDF
    .FTI
    w

    1PE
    ΍ίϯςφͷ
    $BQBCJMJUZ
    ΍Ϧιʔεઃఆ
    w 4FDSFU
    ͷ؅ཧ
    w "VEJU
    -PH
    w LVCFBQJTFSWFS
    ΍
    LVCFMFU
    ͷอޢ w %BTICPBSE
    ͳͲ΁ͷΞΫηε੍ޚ
    w ,VCFSOFSUFT
    ࣗମ΍ίϯςφϥϯλΠϜ
    Χʔω ϧͷ੬ऑੑ
    w ίϯϙʔωϯτؒͷ҆શͳ௨৴
    w .FUBEBUB
    4FSWJDF
    ͷอޢ
    w "ENJTTJPO
    $POUSPMMFS
    1MVHJO
    w FUDE
    ͷ҉߸Խ
    w ͳͲͳͲ
    

18. ,VCFSOFUFT
    4FDVSJUZ w ,VCFSOFUFT
    ͸ίϯϙʔωϯτ͕ෳࡶͳͷͰɺطʹެ։͞Ε͍ͯΔڴҖϞσϧͳͲΛࢀߟʹकΔՕॴ ΛܾΊΔ
    w $/$'
    ͷϢʔβʔάϧʔϓ͕
    453*%&
    Λ༻͍ͨԋशΛߦ͍ͬͯΔ
    w $*4
    #FODINBSL
    ΋
    ,VCFSOFUFT
    
    &,4
    
    (,&
    
    ",4
    ͋ΔͷͰɺͦͪΒ΋ࢀߟʹ IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

19. IUUQTXXXNJDSPTPGUDPNTFDVSJUZCMPHBUUBDLNBUSJYLVCFSOFUFT

20. "UUBDL
    7FDUPS 4FSWJDF
    "DDPVOU
    5PLFO 1PE
    ʹϚ΢ϯτ͞ΕΔ
    4FSWJDF"DDPVOU
    5PLFO
    Λѱ༻͢Δɻ
    ࣗಈͰϚ΢ϯτ͠ͳ͍ɺ3#"$
    Λద੾ʹઃఆ͢Δɻ 6OBVUIPSJ[FE
    "1* "1*
    Λೝূͳ͠Ͱ୭Ͱ΋ୟ͚Δঢ়ଶʹ͠ͳ͍ɻ
    LVCFBQJTFSWFS
    Ͱ
    BOPOZNPVTBVUIUSVF
    ʹ͠ͳ͍ɻ 1PE4FDVSJUZ1PMJDZ
    (BUFLFFQFS

    ϗετϑΝΠϧͷϚ΢ϯτ΍վ͟ΜͳͲ΁ͷରࡦɻ
    BMMPXFE)PTU1BUIT
    ΍
    SFBE0OMZ3PPU'JMFTZTUFN
    $BQBCJMJUZ
    ͷઃఆ FUDE
    ͷ҉߸Խ΍ΞΫ ηε੍ޚ FUDE
    ʹ͸ػີ৘ใؚ͕·Ε͍ͯΔͷͰɺΞΫηε੍ޚ΍҉߸ԽΛࢪ͢ /FUXPSL ଞͷ
    1PE
    ΍
    NFUBEBUB
    TFSWJDF
    ΁ͷΞΫηε
    /FUXPSL1PMJDZ
    ΍
    4FSWJDF.FTI
    Ͱ੍ޚ 4FDSFU
    ͷ؅ཧ 7$4্ʹ
    4FDSFU
    Λͦͷ··؅ཧͯ͠͠·͏ɻ
    ҉߸ԽΛࢪͨ͠Γ
    7BVMU
    ΍
    ,.4
    ؅ཧʹ͢ΔͳͲɻ

21. NFUBEBUB
    TFSWJDF w Ϋϥ΢υϓϩόΠμʔ͕ఏڙ͍ͯ͠ΔΤϯυϙΠϯτ
    
    w IUUQ
    w *".
    ͷΫϨσϯγϟϧ΍
    ,VCFSOFUFT
    ͷ؀ڥม਺ͳͲ͕֨ೲ͞Ε͍ͯΔ͜ͱ͕ ͋ΔͨΊɺ1SJWJMFHF
    &TDBMBUJPO
    ʹར༻͞ΕΔ
    w ΞϓϦέʔγϣϯϨΠϠ͔Β͸
    443'
    ͳͲΛར༻ͯ͠઄औ͞ΕΔ͜ͱ΋

22. &,4 w Πϯελϯε৘ใͷऔಘ
    w 71$
    4FDVSJUZ(SPVQ
    ৘ใͷऔಘ
    w &$3
    ϦϙδτϦ͔ΒΠϝʔδͷऔಘ IUUQTEPDTBXTBNB[PODPNFLTMBUFTUVTFSHVJEFSFTUSJDUFDDSFEFOUJBMBDDFTTIUNM

23. (,& w .FUBEBUB
    LVCFFOW
    ʹ͸
    CPPUTUSBQ
    ॲཧͰ࢖༻͞ΕΔূ໌ॻ౳Λอ࣋
    w ͦͷΫϨσϯγϟϧΛ࢖ͬͯ
    $FSUJpDBUF4JHOJOH3FRVFTU
    ϦιʔεΛ࡞Δ
    w LVCFDPOUSPMMFSNBOBHFS
    ͸
    $43
    Λࣗಈঝೝ͢ΔͷͰ
    LVCFMFU
    ʹͳΓ͢·͢ ͜ͱ͕Ͱ͖Δɻ

24. &BDI
    OPEF
    JO
    UIF
    DMVTUFS
    JT
    JOKFDUFE
    XJUI
    B
    TIBSFE
    4FDSFU
    BU
    DSFBUJPO
    XIJDI
    JU
    DBO
    VTF
    UP
    TVCNJU
    DFSUJpDBUF
    TJHOJOH
    SFRVFTUT
    UP
    UIF
    DMVTUFS
    SPPU
    $"
    BOE
    PCUBJO
    LVCFMFU
    DMJFOU
    DFSUJpDBUFT
    5IFTF
    DFSUJpDBUFT
    BSF
    UIFO
    VTFE
    CZ
    UIF
    LVCFMFU
    UP
    BVUIFOUJDBUF
    JUT
    SFRVFTUT
    UP
    UIF
    "1*
    TFSWFS
    /PUF
    UIBU
    UIJT
    TIBSFE
    4FDSFU
    JT
    SFBDIBCMF
    CZ
    1PET
    VOMFTT
    NFUBEBUB
    DPODFBMNFOU
    JT
    FOBCMFE
    IUUQTDMPVEHPPHMFDPNLVCFSOFUFTFOHJOFEPDTDPODFQUTDMVTUFSUSVTU

25. JNQFSTPOBUF
    LVCFMFU root@test:/# echo $CA_CERT | base64 -d > bootstrap/ca.crt root@test:/#

    echo $KUBELET_CERT | base64 -d > bootstrap/kubelet-bootstrap.crt` root@test:/# echo $KUBELET_KEY | base64 -d > bootstrap/kubelet-bootstrap.key root@test:/# CURRENT_HOSTNAME="$(curl -s -H 'Metadata-flavor: Google' ${KUBE_HOSTNAME_URL} | awk -F. '{print $1}')" root@test:/# openssl ecparam -genkey -name prime256v1 -out kubelet.key root@test:/tmp# openssl req -new -config /tmp/openssl.cnf -key kubelet.key -out kubelet.csr root@test:/# cat /tmp/kubelet.yaml apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: node-csr-gke-sandbox-cluster-default-pool-f9270e72-mg63-2 spec: groups: - system:authenticated request: LS0tLS... ... username: kubelet root@test:/# kubectl create -f /tmp/kubelet.yaml --certificate-authority=bootstrap/ca.crt --server=https://$KUBERNETES_MASTER_NAME --client- certificate=bootstrap/kubelet-bootstrap.crt --client-key=bootstrap/kubelet-bootstrap.key root@test:/# kubectl --certificate-authority=bootstrap/ca.crt --server=https://$KUBERNETES_MASTER_NAME --client-certificate=bootstrap/kubelet-bootst client-key=bootstrap/kubelet-bootstrap.key get csr node-csr-gke-sandbox-cluster-default-pool-f9270e72-mg63-2 -o jsonpath='{.status.certificate}' | b /tmp/kubelet.crt

26. ࣄྫ w 4IPQJGZ
    
    443'
    JO
    &YDIBOHF
    MFBET
    UP
    3005
    BDDFTT
    JO
    BMM
    JOTUBODFT
    w IUUQTIBDLFSPOFDPNSFQPSUT
    w (JUMBC
    
    443'
    JOUP
    4IBSFE
    3VOOFS
    CZ
    SFQMBDJOH
    EPDLFSE
    XJUI
    NBMJDJPVT
    TFSWFS
    JO
    &YFDVUPS
    w IUUQTIBDLFSPOFDPNSFQPSUT
    

    w μογϡϘʔυҎ֎ʹ΋
    8FBWF
    4DPQF
    ΍
    LVCFqPX
    Λૂͬͨ߈ܸ
    w IUUQTXXXXFBWFXPSLTCMPHQSFWFOUJOHNBMJDJPVTVTFPGXFBWFTDPQF
    w IUUQTXXXNJDSPTPGUDPNTFDVSJUZCMPHNJTDPOpHVSFELVCFqPX XPSLMPBETBSFBTFDVSJUZSJTL

27. Ͳ͏΍ͬͯ޲͖߹͍͔ͬͯ͘

28. Ϋϥ΢υͰͷ੹೚ڞ༗Ϟσϧ wΫϥ΢υϓϩύΠμ͸Ͳ͜·Ͱकͬͯ͘ΕΔΜ͚ͩͬʁ
    wϢʔβʔ͸Ͳ͜ΛकΔඞཁ͕͋ΔΜ͚ͩͬʁ ग़య
    IUUQTMFBSOHJUMBCDPNOFYUHFOTPGUXBSFTFDVSJUZTUFQTDJTPTFDVSFOFYUHFOTPGUXBSF

29. Ͳ͏޲͖߹͍͔ͬͯ͘ wج൫पΓͷਐԽ͸ૣ͍ͷͰɺηΩϡϦςΟରԠ͕ٻΊΒΕͨλΠϛϯ άͩͱ࠷৽όʔδϣϯͱࠩҟ͕
    wηΩϡϦςΟʹؔ͢ΔΨΠυϥΠϯ͕ͳ͍ͷͰɺαʔϏεʹΑͬͯη ΩϡϦςΟϨϕϧ͕·ͪ·ͪ

30. %FW4FD0QT wͦ΋ͦ΋ɺηΩϡϦςΟͷจԽΛ࡞Δඞཁ͕͋Δ
    wΨΠυϥΠϯ΍ڴҖϞσϧΛߏங
    wෳࡶ͞Λந৅Խ͢ΔͨΊͷࣗಈԽɺج൫ͮ͘Γ
    w$P
    $PNNVOJDBUJPO
    $PNQMFUFOFTT
    $POUJOVPVT
    w5%4
    

    5FTU
    %SJWFO
    4FDVSJUZ

31. ܅΋ϖύϘͰಇ͔ͳ͍͔ʁ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU