Upgrade to Pro — share decks privately, control downloads, hide ads and more …

vs istio security

nwiizo
May 14, 2019
Technology
1
940

vs istio security

はい、なんとなくシュッとまとめたつもり

nwiizo

May 14, 2019
Tweet

More Decks by nwiizo

See All by nwiizo
書を捨てよ、現場へ出よう
nwiizo
12
10k
走馬灯のIaCは考えておいて
nwiizo
8
5.2k
SREとPlatform Engineerの交差点
nwiizo
7
5.3k
SREからPlatform Engineerへの拡大
nwiizo
14
3.4k
k8sgpt Deep Dive: KubernetesクラスタのAI駆動型分析について
nwiizo
1
1.6k
Cloud Native の作法
nwiizo
8
6.6k
2023年もSRE再考と叫びなさい‼️
nwiizo
12
5.2k
自由研究には向かないウェブオペレーション 
nwiizo
4
3.4k
ポストモーテムはじめました
nwiizo
3
1.5k

Other Decks in Technology

See All in Technology
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
320
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
170
「手動オペレーションに定評がある」と言われた私が心がけていること / phpcon_odawara2024
blue_goheimochi
2
370
SREとその組織類型
tatsuo48
9
1.6k
20240416_devopsdaystokyo
kzkmaeda
1
210
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
450
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
250
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
740
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
160
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.5k
VS CodeでAWSを操作しよう
smt7174
7
1.6k
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
180

Featured

See All Featured
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
A Modern Web Designer's Workflow
chriscoyier
689
190k
How GitHub (no longer) Works
holman
304
140k
The Illustrated Children's Guide to Kubernetes
chrisshort
30
46k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
Optimising Largest Contentful Paint
csswizardry
7
2.3k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
220
21k
A Tale of Four Properties
chriscoyier
150
22k
Design by the Numbers
sachag
274
18k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
19
1.9k
The Cost Of JavaScript in 2023
addyosmani
15
3.8k

Transcript

  1. None
  2. None

  3. • • • •

  4. None
  5. None

  6. # iptables -A INPUT –s 10.0.0.0/8 -j ACCEPT # iptables

    -A INPUT -s 172.16.0.0/12 -j ACCEPT # iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

  7. ⚫ ⚫ ⚫ ⚫ ⚫ by Doug Barth, Evan Gilman

    Publisher: O'Reilly Media, Inc. Release Date: July 2017 Topic: Network Security

  8. ⚫ ⚫ ⚫ Figure 1-1. Traditional network security architecture Figure

    1-1. Traditional network security architecture ⚫ ⚫
  9. None

  10. private 非認証 認証 private 認証 認証

  11. None

  12. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  13. Traffic Inspection metrics Service Discovery

  14. Traffic Inspection metrics Service Discovery

  15. Traffic Inspection metrics Service Discovery

  16. Policy checks, telemetry TLS cert to Proxy Config data to

    Proxy

  17.       https://istio.io/

  18. None
  19. None
  20. None

  21. ⚫ ⚫ ⚫

  22. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md spiffe://trust-domain/path spiffe://staging.acme.com/payments/mysql spiffe://staging.acme.com/payments/web-fe spiffe://k8s-west.acme.com/ns/staging/sa/default

  23. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#3-spiffe-verifiable-identity-document ⚫ ⚫ ⚫ ⚫

  24. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_API.md

  25. https://istio.io/docs/concepts/security/ ⚫  ⚫  ⚫  ⚫  ⚫

     Istio Security Architecture ⚫  ⚫  ⚫ 

  26. ⚫ ⚫ https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md spiffe://¥<domain¥>/ns/¥<namespace¥>/sa/¥<serviceaccount¥>

  27. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md • • • •

  28. https://github.com/istio/istio/blob/release-1.1/security/tools/generate_cert/main.go https://github.com/istio/istio/blob/release-1.1/security/pkg/nodeagent/sds/server.go https://github.com/istio/istio/blob/release-1.1/security/pkg/platform/onprem.go https://istio.io/docs/concepts/security/#kubernetes-scenario

  29. 認証の図

  30. 認可の図

  31. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  32. See also https://istio.io/docs/tasks/security/authz-tcp/ Shows how to set up role-based access

    control for TCP services. https://istio.io/docs/tasks/security/authz-http/ Shows how to set up role-based access control for HTTP services. https://istio.io/docs/tasks/security/authz-permissive/ Shows how to use Authorization permissive mode. https://istio.io/blog/2018/istio-authorization/ Describe Istio's authorization feature and how to use it in various use cases. https://istio.io/help/ops/security/debugging-authorization/ Demonstrates how to debug authorization. https://istio.io/docs/tasks/security/rbac-groups/ Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.

  33. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

    ⚫ ⚫ ⚫ ⚫ ⚫
  34. None
  35. None