Upgrade to Pro — share decks privately, control downloads, hide ads and more …

vs istio security

nwiizo
May 14, 2019
Technology
1
990

vs istio security

はい、なんとなくシュッとまとめたつもり

nwiizo

May 14, 2019
Tweet

More Decks by nwiizo

See All by nwiizo
SREの前に
nwiizo
12
3k
2024年版 運用者たちのLLM
nwiizo
3
860
Platform Engineering と SRE の門
nwiizo
16
5.5k
運用者の各領域で向き合うLLM
nwiizo
1
470
可観測性ガイダンス
nwiizo
14
3.6k
書を捨てよ、現場へ出よう
nwiizo
12
11k
走馬灯のIaCは考えておいて
nwiizo
10
5.9k
SREとPlatform Engineerの交差点
nwiizo
9
6.7k
SREからPlatform Engineerへの拡大
nwiizo
15
3.8k

Other Decks in Technology

See All in Technology
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
Taming you application's environments
salaboy
0
180
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
SSMRunbook作成の勘所_20241120
koichiotomo
2
130
フルカイテン株式会社 採用資料
fullkaiten
0
40k
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
110
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Done Done
chrislema
181
16k
Agile that works and the tools we love
rasmusluckow
327
21k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
How to train your dragon (web standard)
notwaldorf
88
5.7k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Become a Pro
speakerdeck
PRO
25
5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Statistics for Hackers
jakevdp
796
220k
We Have a Design System, Now What?
morganepeng
50
7.2k

Transcript

  1. None
  2. None

  3. • • • •

  4. None
  5. None

  6. # iptables -A INPUT –s 10.0.0.0/8 -j ACCEPT # iptables

    -A INPUT -s 172.16.0.0/12 -j ACCEPT # iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

  7. ⚫ ⚫ ⚫ ⚫ ⚫ by Doug Barth, Evan Gilman

    Publisher: O'Reilly Media, Inc. Release Date: July 2017 Topic: Network Security

  8. ⚫ ⚫ ⚫ Figure 1-1. Traditional network security architecture Figure

    1-1. Traditional network security architecture ⚫ ⚫
  9. None

  10. private 非認証 認証 private 認証 認証

  11. None

  12. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  13. Traffic Inspection metrics Service Discovery

  14. Traffic Inspection metrics Service Discovery

  15. Traffic Inspection metrics Service Discovery

  16. Policy checks, telemetry TLS cert to Proxy Config data to

    Proxy

  17.       https://istio.io/

  18. None
  19. None
  20. None

  21. ⚫ ⚫ ⚫

  22. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md spiffe://trust-domain/path spiffe://staging.acme.com/payments/mysql spiffe://staging.acme.com/payments/web-fe spiffe://k8s-west.acme.com/ns/staging/sa/default

  23. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#3-spiffe-verifiable-identity-document ⚫ ⚫ ⚫ ⚫

  24. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_API.md

  25. https://istio.io/docs/concepts/security/ ⚫  ⚫  ⚫  ⚫  ⚫

     Istio Security Architecture ⚫  ⚫  ⚫ 

  26. ⚫ ⚫ https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md spiffe://¥<domain¥>/ns/¥<namespace¥>/sa/¥<serviceaccount¥>

  27. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md • • • •

  28. https://github.com/istio/istio/blob/release-1.1/security/tools/generate_cert/main.go https://github.com/istio/istio/blob/release-1.1/security/pkg/nodeagent/sds/server.go https://github.com/istio/istio/blob/release-1.1/security/pkg/platform/onprem.go https://istio.io/docs/concepts/security/#kubernetes-scenario

  29. 認証の図

  30. 認可の図

  31. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  32. See also https://istio.io/docs/tasks/security/authz-tcp/ Shows how to set up role-based access

    control for TCP services. https://istio.io/docs/tasks/security/authz-http/ Shows how to set up role-based access control for HTTP services. https://istio.io/docs/tasks/security/authz-permissive/ Shows how to use Authorization permissive mode. https://istio.io/blog/2018/istio-authorization/ Describe Istio's authorization feature and how to use it in various use cases. https://istio.io/help/ops/security/debugging-authorization/ Demonstrates how to debug authorization. https://istio.io/docs/tasks/security/rbac-groups/ Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.

  33. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

    ⚫ ⚫ ⚫ ⚫ ⚫
  34. None
  35. None