インフラ基盤技術のセキュリティとこれから

Πϯϑϥج൫ٕज़ͷηΩϡϦςΟͱ͜Ε͔Β
৿ాߒฏ(.01FQBCP *OD
*OGSB4UVEZ
ΠϯϑϥͱηΩϡϦςΟͱ
͜Ε͔Β

View Slide

৿ాߒฏ!NSUD
(.0ϖύϘηΩϡϦςΟରࡦࣨγχΞΤϯδχΞ
ηΩϡϦςΟɾΩϟϯϓߨࢣ
ηΩϡϦςΟɾΩϟϯϓεςΞϦϯάίϛοςΟ
*1"ະ౿ΫϦΤʔλ
IUUQTCMPHTTSGJO

View Slide

ࠓ೔࿩͢͜ͱ
wίϯςφ΍,VCFSOFUFTͳͲͷηΩϡϦςΟ
wηΩϡϦςΟʹͲ͏޲͖߹͍͔ͬͯ͘
෼͸ҙ֎ͱ୹͍ͷͰ࿩͍ͨ͜͠ͱશ෦࿩͖͠Εͳ͍
ͳͷͰ࣭ٙԠ౴΍࠙਌ձ౳Ͱ΋ٞ࿦͠·͠ΐ͏

View Slide

$POUBJOFS4FDVSJUZ

View Slide

ίϯςφͷ࡞Γํɺյ͠ํ
IUUQTTQFBLFSEFDLDPNNSUDDPOUBJOFSTUSVDUVSFBOEFYQMPJUBUJPONFUIPE

View Slide

-JOVYίϯςφͷ࢓૊Έ
wৄ͘͠͸*OGSB4UVEZͷճΛ؍͍ͯͩ͘͞
w-JOVYͷηΩϡϦςΟػߏΛར༻ͯ͠ݖݶ΍Ϧιʔεͷ෼཭
w/BNFTQBDF DHSPVQ $BQBCJMJUZ TFDDPNQ -4. FUD
w΋͠ίϯςφͷݖݶ෼཭౳ʹෆඋ͕͋Δ৔߹͸ɺϗετͷSPPUΛऔ
ಘ͞ΕΔՄೳੑ͕͋Δ

View Slide

-JOVYίϯςφͷओͳ߈ܸγφϦΦ
wίϯςφΠϝʔδͷ੬ऑੑ
wίϯςφϥϯλΠϜͷ੬ऑੑٴͼઃఆෆඋ
w-JOVYΧʔωϧͷ੬ऑੑ

View Slide

ίϯςφηΩϡϦςΟͷࢦඪ
wίϛϡχςΟ΍ػ͕ؔࡦఆ͍ͯ͠ΔΨΠυϥΠϯΛಡΉͱྑ͍
w$*4#FODINBSLT4FDVSJOH%PDLFS
w/*4541"QQMJDBUJPO$POUBJOFS4FDVSJUZ
wͿͬͪΌ͚ʮ͑ɺͦ͜·Ͱ͢Δͷʯͱ͍͏ͷ΋͋ΔͷͰɺࣗࣾʹͱͬ
ͯͷڴҖ͸Կ͔Λߟ͑ͯखΛೖΕ͍ͯ͘ͷ͕ྑ͍

View Slide

4FOTJUJWF'JMF.PVOU
wίϯςφ͔ΒಡΈॻ͖Ͱ͖ͯ͸͍͚ͳ͍ϑΝΠϧ͕ଟ਺͋Δ
wQSPDLDPSF QSPDTZTSRUSJHHFS
w3FBE0OMZʹ͢Δ Ϛ΢ϯτ͠ͳ͍ͳͲͷରԠ
wWBSSVOEPDLFSTPDLͷϚ΢ϯτ΋μϝ

View Slide

$BQBCJMJUZ΍TFDDPNQ
w $"1@4:4@"%.*/΍$"1@4:4@153"$& $"1@%"$@3&"%@4&"3$)ͳͲ
w ಛݖίϯςφ͸ඇৗʹةݥ
w NPVOU
Λݺͼग़ͯ͠EFWTEB΍EFWWEBͳͲͷϚ΢ϯτ
w DHSPVQͷOPUJGZ@PO@SFMFBTFΛར༻ͨ͠#SFBL0VU

View Slide

DBMM@VTFSNPEFIFMQFS@FYFD

wίʔϧόοΫͷΑ͏ʹϓϩάϥϜΛ࣮ߦ͢Δ
wSFMFBTF@BHFOU CJOGNU@NJTD DPSF@QBUUFSO VFOWFU@IFMQFSͳͲ
w͜ͷ࢓૊ΈΛར༻ͯ͠ϗετଆʹΤεέʔϓͰ͖Δ

View Slide

#SFBLPVUXJUIVFWFOU@IFMQFS
IUUQTBTDJJOFNBPSHB,C5PZ3O%MZD#ULIW)(I1

View Slide

#SFBLPVUXJUIDHSPVQSFMFBTF@BHFOU
IUUQTBTDJJOFNBPSHBO'MP;2V40'%IVGZ28WH

View Slide

TFDDPNQCZQBTT
w-JOVY,FSOFMҎલ͸QUSBDF
Λ࢖ͬͯόΠύεՄೳ
IUUQTBTDJJOFNBPSHBK5+N-77Z$D'LJT+910&/L

View Slide

%FGFOTF*O%FQUI
w-JOVYίϯςφ͸ଟ૚๷ޚͰͰ͖͍ͯΔ
w͋Δػߏ͕ಥഁ͞Εͯ΋ɺผͷػߏͰ๷͙؇࿨͢Δ
wFHTFDDPNQ͕ಥഁ͞Εͯ΋DBQBCJMJUZͰϒϩοΫ
w͜ͷ֓೦͸͋ΒΏΔηΩϡϦςΟͷྖҬͰඞཁ

View Slide

,VCFSOFUFT4FDVSJUZ

View Slide

,VCFSOFUFT4FDVSJUZ
w 4FSWJDF"DDPVOUؚΊͨ3#"$ͷઃఆ
w ҆શͳίϯςφΠϝʔδͷར༻
w /FUXPSL1PMJDZ
w 4FSWJDF.FTI
w 1PE΍ίϯςφͷ$BQBCJMJUZ΍Ϧιʔεઃఆ
w 4FDSFUͷ؅ཧ
w "VEJU-PH
w LVCFBQJTFSWFS΍LVCFMFUͷอޢ
w %BTICPBSEͳͲ΁ͷΞΫηε੍ޚ
w ,VCFSOFSUFTࣗମ΍ίϯςφϥϯλΠϜ Χʔω
ϧͷ੬ऑੑ
w ίϯϙʔωϯτؒͷ҆શͳ௨৴
w .FUBEBUB4FSWJDFͷอޢ
w "ENJTTJPO$POUSPMMFS1MVHJO
w FUDEͷ҉߸Խ
w ͳͲͳͲ

View Slide

,VCFSOFUFT4FDVSJUZ
w ,VCFSOFUFT͸ίϯϙʔωϯτ͕ෳࡶͳͷͰɺطʹެ։͞Ε͍ͯΔڴҖϞσϧͳͲΛࢀߟʹकΔՕॴ
ΛܾΊΔ
w $/$'ͷϢʔβʔάϧʔϓ͕453*%&Λ༻͍ͨԋशΛߦ͍ͬͯΔ
w $*4#FODINBSL΋,VCFSOFUFT&,4(,&",4͋ΔͷͰɺͦͪΒ΋ࢀߟʹ
IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

View Slide

IUUQTXXXNJDSPTPGUDPNTFDVSJUZCMPHBUUBDLNBUSJYLVCFSOFUFT

View Slide

"UUBDL7FDUPS
4FSWJDF"DDPVOU
5PLFO
1PEʹϚ΢ϯτ͞ΕΔ4FSWJDF"DDPVOU5PLFOΛѱ༻͢Δɻ
ࣗಈͰϚ΢ϯτ͠ͳ͍ɺ3#"$Λద੾ʹઃఆ͢Δɻ
6OBVUIPSJ[FE"1*
"1*Λೝূͳ͠Ͱ୭Ͱ΋ୟ͚Δঢ়ଶʹ͠ͳ͍ɻ
LVCFBQJTFSWFSͰBOPOZNPVTBVUIUSVFʹ͠ͳ͍ɻ
1PE4FDVSJUZ1PMJDZ
(BUFLFFQFS

ϗετϑΝΠϧͷϚ΢ϯτ΍վ͟ΜͳͲ΁ͷରࡦɻ
BMMPXFE)PTU1BUIT΍SFBE0OMZ3PPU'JMFTZTUFN $BQBCJMJUZͷઃఆ
FUDEͷ҉߸Խ΍ΞΫ
ηε੍ޚ
FUDEʹ͸ػີ৘ใؚ͕·Ε͍ͯΔͷͰɺΞΫηε੍ޚ΍҉߸ԽΛࢪ͢
/FUXPSL
ଞͷ1PE΍NFUBEBUBTFSWJDF΁ͷΞΫηε
/FUXPSL1PMJDZ΍4FSWJDF.FTIͰ੍ޚ
4FDSFUͷ؅ཧ
7$4্ʹ4FDSFUΛͦͷ··؅ཧͯ͠͠·͏ɻ
҉߸ԽΛࢪͨ͠Γ7BVMU΍,.4؅ཧʹ͢ΔͳͲɻ

View Slide

NFUBEBUBTFSWJDF
w Ϋϥ΢υϓϩόΠμʔ͕ఏڙ͍ͯ͠ΔΤϯυϙΠϯτ
w IUUQ
w *".ͷΫϨσϯγϟϧ΍,VCFSOFUFTͷ؀ڥม਺ͳͲ͕֨ೲ͞Ε͍ͯΔ͜ͱ͕
͋ΔͨΊɺ1SJWJMFHF&TDBMBUJPOʹར༻͞ΕΔ
w ΞϓϦέʔγϣϯϨΠϠ͔Β͸443'ͳͲΛར༻ͯ͠઄औ͞ΕΔ͜ͱ΋

View Slide

&,4
w Πϯελϯε৘ใͷऔಘ
w 71$ 4FDVSJUZ(SPVQ৘ใͷऔಘ
w &$3ϦϙδτϦ͔ΒΠϝʔδͷऔಘ
IUUQTEPDTBXTBNB[PODPNFLTMBUFTUVTFSHVJEFSFTUSJDUFDDSFEFOUJBMBDDFTTIUNM

View Slide

(,&
w .FUBEBUBLVCFFOWʹ͸CPPUTUSBQॲཧͰ࢖༻͞ΕΔূ໌ॻ౳Λอ࣋
w ͦͷΫϨσϯγϟϧΛ࢖ͬͯ$FSUJpDBUF4JHOJOH3FRVFTUϦιʔεΛ࡞Δ
w LVCFDPOUSPMMFSNBOBHFS͸$43Λࣗಈঝೝ͢ΔͷͰLVCFMFUʹͳΓ͢·͢
͜ͱ͕Ͱ͖Δɻ

View Slide

&BDIOPEFJOUIFDMVTUFSJTJOKFDUFEXJUIBTIBSFE4FDSFUBUDSFBUJPO XIJDIJUDBO
VTFUPTVCNJUDFSUJpDBUFTJHOJOHSFRVFTUTUPUIFDMVTUFSSPPU$"BOEPCUBJOLVCFMFU
DMJFOUDFSUJpDBUFT5IFTFDFSUJpDBUFTBSFUIFOVTFECZUIFLVCFMFUUPBVUIFOUJDBUF
JUTSFRVFTUTUPUIF"1*TFSWFS/PUFUIBUUIJTTIBSFE4FDSFUJTSFBDIBCMFCZ1PET
VOMFTTNFUBEBUBDPODFBMNFOUJTFOBCMFE
IUUQTDMPVEHPPHMFDPNLVCFSOFUFTFOHJOFEPDTDPODFQUTDMVTUFSUSVTU

View Slide

JNQFSTPOBUFLVCFMFU
root@test:/# echo $CA_CERT | base64 -d > bootstrap/ca.crt
root@test:/# echo $KUBELET_CERT | base64 -d > bootstrap/kubelet-bootstrap.crt`
root@test:/# echo $KUBELET_KEY | base64 -d > bootstrap/kubelet-bootstrap.key
root@test:/# CURRENT_HOSTNAME="$(curl -s -H 'Metadata-flavor: Google' ${KUBE_HOSTNAME_URL} | awk -F. '{print $1}')"
root@test:/# openssl ecparam -genkey -name prime256v1 -out kubelet.key
root@test:/tmp# openssl req -new -config /tmp/openssl.cnf -key kubelet.key -out kubelet.csr
root@test:/# cat /tmp/kubelet.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: node-csr-gke-sandbox-cluster-default-pool-f9270e72-mg63-2
spec:
groups:
- system:authenticated
request: LS0tLS...
...
username: kubelet
root@test:/# kubectl create -f /tmp/kubelet.yaml --certificate-authority=bootstrap/ca.crt --server=https://$KUBERNETES_MASTER_NAME --client-
certificate=bootstrap/kubelet-bootstrap.crt --client-key=bootstrap/kubelet-bootstrap.key
root@test:/# kubectl --certificate-authority=bootstrap/ca.crt --server=https://$KUBERNETES_MASTER_NAME --client-certificate=bootstrap/kubelet-bootst
client-key=bootstrap/kubelet-bootstrap.key get csr node-csr-gke-sandbox-cluster-default-pool-f9270e72-mg63-2 -o jsonpath='{.status.certificate}' | b
/tmp/kubelet.crt

View Slide

ࣄྫ
w 4IPQJGZ443'JO&YDIBOHFMFBETUP3005BDDFTTJOBMMJOTUBODFT
w IUUQTIBDLFSPOFDPNSFQPSUT
w (JUMBC443'JOUP4IBSFE3VOOFS CZSFQMBDJOHEPDLFSEXJUINBMJDJPVTTFSWFSJO&YFDVUPS
w IUUQTIBDLFSPOFDPNSFQPSUT
w μογϡϘʔυҎ֎ʹ΋8FBWF4DPQF΍LVCFqPXΛૂͬͨ߈ܸ
w IUUQTXXXXFBWFXPSLTCMPHQSFWFOUJOHNBMJDJPVTVTFPGXFBWFTDPQF
w IUUQTXXXNJDSPTPGUDPNTFDVSJUZCMPHNJTDPOpHVSFELVCFqPX
XPSLMPBETBSFBTFDVSJUZSJTL

View Slide

Ͳ͏΍ͬͯ޲͖߹͍͔ͬͯ͘

View Slide

Ϋϥ΢υͰͷ੹೚ڞ༗Ϟσϧ
wΫϥ΢υϓϩύΠμ͸Ͳ͜·Ͱकͬͯ͘ΕΔΜ͚ͩͬʁ
wϢʔβʔ͸Ͳ͜ΛकΔඞཁ͕͋ΔΜ͚ͩͬʁ
ग़యIUUQTMFBSOHJUMBCDPNOFYUHFOTPGUXBSFTFDVSJUZTUFQTDJTPTFDVSFOFYUHFOTPGUXBSF

View Slide

Ͳ͏޲͖߹͍͔ͬͯ͘
wج൫पΓͷਐԽ͸ૣ͍ͷͰɺηΩϡϦςΟରԠ͕ٻΊΒΕͨλΠϛϯ
άͩͱ࠷৽όʔδϣϯͱࠩҟ͕
wηΩϡϦςΟʹؔ͢ΔΨΠυϥΠϯ͕ͳ͍ͷͰɺαʔϏεʹΑͬͯη
ΩϡϦςΟϨϕϧ͕·ͪ·ͪ

View Slide

%FW4FD0QT
wͦ΋ͦ΋ɺηΩϡϦςΟͷจԽΛ࡞Δඞཁ͕͋Δ
wΨΠυϥΠϯ΍ڴҖϞσϧΛߏங
wෳࡶ͞Λந৅Խ͢ΔͨΊͷࣗಈԽɺج൫ͮ͘Γ
w$P $PNNVOJDBUJPO $PNQMFUFOFTT $POUJOVPVT

w5%4 5FTU%SJWFO4FDVSJUZ

View Slide

܅΋ϖύϘͰಇ͔ͳ͍͔ʁ
࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU

View Slide

インフラ基盤技術のセキュリティとこれから

インフラ基盤技術のセキュリティとこれから

mrtc0

More Decks by mrtc0

Other Decks in Programming

Featured

Transcript