vs istio security

Yes, I think I've managed to pull this together fairly briskly.

nwiizo

May 14, 2019

Transcript

  1.–5. (no transcript text: title slides and bullet-only slides)
  6. Firewall rules that accept any source in the three RFC 1918 private ranges, i.e. the whole internal network is trusted by address alone (the leading "#" is the root shell prompt):

     # iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
     # iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
     # iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
  7. Zero Trust Networks, by Doug Barth, Evan Gilman. Publisher: O'Reilly Media, Inc. Release Date: July 2017. Topic: Network Security (slide bullet text not captured)
  8. Figure 1-1. Traditional network security architecture (from the book above; slide bullet text not captured)
  9. (no transcript text)
  10. Diagram labels: private, unauthenticated, authenticated; private, authenticated, authenticated
  11.–12. (no transcript text: bullet-only slide)

  13.–15. Traffic Inspection, metrics, Service Discovery (built up over three slides)

  16. Istio architecture diagram labels: policy checks, telemetry; TLS cert to Proxy; config data to Proxy
  17. https://istio.io/

  18.–21. (no transcript text: bullet-only slide)

  22. SPIFFE ID format (https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md):
     spiffe://trust-domain/path
     Examples:
     spiffe://staging.acme.com/payments/mysql
     spiffe://staging.acme.com/payments/web-fe
     spiffe://k8s-west.acme.com/ns/staging/sa/default

  23. SVID (SPIFFE Verifiable Identity Document): https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#3-spiffe-verifiable-identity-document (slide bullet text not captured)

  24. SPIFFE Workload API: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_API.md

  25. Istio Security Architecture: https://istio.io/docs/concepts/security/ (slide bullet text not captured)
  26. Istio's Kubernetes identity form, following https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:
     spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>

  27. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md (slide bullet text not captured)

  28. Istio release-1.1 sources and docs referenced:
     https://github.com/istio/istio/blob/release-1.1/security/tools/generate_cert/main.go
     https://github.com/istio/istio/blob/release-1.1/security/pkg/nodeagent/sds/server.go
     https://github.com/istio/istio/blob/release-1.1/security/pkg/platform/onprem.go
     https://istio.io/docs/concepts/security/#kubernetes-scenario

  29. Authentication diagram

  30. Authorization diagram

  31. (no transcript text: bullet-only slide)

  32. See also
     https://istio.io/docs/tasks/security/authz-tcp/
       Shows how to set up role-based access control for TCP services.
     https://istio.io/docs/tasks/security/authz-http/
       Shows how to set up role-based access control for HTTP services.
     https://istio.io/docs/tasks/security/authz-permissive/
       Shows how to use Authorization permissive mode.
     https://istio.io/blog/2018/istio-authorization/
       Describes Istio's authorization feature and how to use it in various use cases.
     https://istio.io/help/ops/security/debugging-authorization/
       Demonstrates how to debug authorization.
     https://istio.io/docs/tasks/security/rbac-groups/
       Tutorial on how to configure groups-based authorization and the authorization of list-typed claims in Istio.
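The following is an added example and is not part of the deck, nor Istio's or SPIFFE's own code. It ties together slides 22, 26 and 32: a small Go program that parses and validates a SPIFFE ID along the lines of the SPIFFE-ID standard linked on slide 22, extracts the Kubernetes namespace and service account from Istio's spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> form (slide 26), and evaluates a default-deny allow-list in the spirit of the ServiceRole/ServiceRoleBinding role-based access control that the slide-32 links describe. The Rule type, the Authorize function, the service name, the trust domain "cluster.local" and all peer IDs are constructed sample data and assumptions of this example, not Istio API; the principal string form "<trust-domain>/ns/<ns>/sa/<sa>" mirrors the "user" field of an Istio 1.1 ServiceRoleBinding.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://<trust-domain>/<path>.
type SPIFFEID struct {
	TrustDomain string
	Path        string // keeps its leading "/"; empty for a trust-domain-only ID
}

// ParseSPIFFEID parses s and applies structural checks modelled on the
// SPIFFE-ID standard: scheme "spiffe", a bare trust domain (no userinfo or
// port), no query or fragment, and no empty, "." or ".." path segments.
// Rejecting "." and ".." matters because the path is later split into
// authorization-relevant segments (namespace, service account).
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	u, err := url.Parse(s)
	if err != nil {
		return SPIFFEID{}, err
	}
	if u.Scheme != "spiffe" {
		return SPIFFEID{}, fmt.Errorf("scheme %q is not spiffe", u.Scheme)
	}
	if u.Host == "" || u.User != nil || u.Port() != "" {
		return SPIFFEID{}, errors.New("trust domain must be a bare host name")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return SPIFFEID{}, errors.New("query and fragment are not allowed")
	}
	if u.Path != "" {
		for _, seg := range strings.Split(strings.TrimPrefix(u.Path, "/"), "/") {
			if seg == "" || seg == "." || seg == ".." {
				return SPIFFEID{}, fmt.Errorf("invalid path segment %q", seg)
			}
		}
	}
	return SPIFFEID{TrustDomain: u.Hostname(), Path: u.Path}, nil
}

// K8sIdentity is what Istio encodes in a workload's SVID as
// spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>.
type K8sIdentity struct {
	TrustDomain, Namespace, ServiceAccount string
}

// K8sIdentityFromSPIFFE extracts the Kubernetes identity, or fails when the
// path is not exactly /ns/<namespace>/sa/<serviceaccount>.
func K8sIdentityFromSPIFFE(id SPIFFEID) (K8sIdentity, error) {
	seg := strings.Split(strings.TrimPrefix(id.Path, "/"), "/")
	if len(seg) != 4 || seg[0] != "ns" || seg[2] != "sa" {
		return K8sIdentity{}, fmt.Errorf("path %q is not /ns/<namespace>/sa/<serviceaccount>", id.Path)
	}
	return K8sIdentity{TrustDomain: id.TrustDomain, Namespace: seg[1], ServiceAccount: seg[3]}, nil
}

// Principal renders the identity as "<trust-domain>/ns/<ns>/sa/<sa>", the
// form an Istio 1.1 ServiceRoleBinding subject uses in its "user" field.
func (k K8sIdentity) Principal() string {
	return fmt.Sprintf("%s/ns/%s/sa/%s", k.TrustDomain, k.Namespace, k.ServiceAccount)
}

// Rule is a hypothetical, simplified analogue of a ServiceRole rule joined
// with its binding: which principals may call which service with which methods.
type Rule struct {
	Service    string
	Methods    []string // empty means any method
	Principals []string // "<trust-domain>/ns/<ns>/sa/<sa>" strings
}

// Authorize decides whether the peer identified by peerID (in practice the
// URI SAN of the client certificate presented during mTLS) may invoke
// method on service. Default deny: no matching rule, an unparseable ID, or a
// non-Kubernetes identity all result in a refusal.
func Authorize(rules []Rule, peerID, service, method string) (bool, error) {
	id, err := ParseSPIFFEID(peerID)
	if err != nil {
		return false, err
	}
	k8s, err := K8sIdentityFromSPIFFE(id)
	if err != nil {
		return false, err
	}
	p := k8s.Principal()
	for _, r := range rules {
		if r.Service != service || !contains(r.Principals, p) {
			continue
		}
		if len(r.Methods) == 0 || contains(r.Methods, method) {
			return true, nil
		}
	}
	return false, nil
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample policy: only the productpage service account may GET products.
	rules := []Rule{{
		Service:    "products.default.svc.cluster.local",
		Methods:    []string{"GET"},
		Principals: []string{"cluster.local/ns/default/sa/bookinfo-productpage"},
	}}
	for _, peer := range []string{
		"spiffe://cluster.local/ns/default/sa/bookinfo-productpage",
		"spiffe://cluster.local/ns/default/sa/default",
		"spiffe://staging.acme.com/payments/web-fe",
		"spiffe://cluster.local/ns/default/sa/../sa/bookinfo-productpage",
	} {
		ok, err := Authorize(rules, peer, "products.default.svc.cluster.local", "GET")
		fmt.Printf("%-66s allowed=%v err=%v\n", peer, ok, err)
	}
}
```

The check is deliberately default-deny and string-exact: a peer whose SVID does not parse, carries a port or userinfo, or contains "." or ".." segments is refused before any rule is consulted, and a valid SPIFFE ID that is not in Istio's /ns/<namespace>/sa/<serviceaccount> shape (such as the payments/web-fe example from slide 22) is also refused rather than being matched loosely.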
  33.–35. (no transcript text: bullet-only and title slides)