Upgrade to Pro — share decks privately, control downloads, hide ads and more …

vs istio security

Avatar for nwiizo nwiizo
May 14, 2019
Technology
1
1.1k

vs istio security

はい、なんとなくシュッとまとめたつもり
Avatar for nwiizo

nwiizo

May 14, 2019
Tweet

More Decks by nwiizo

See All by nwiizo
生成AIで小説を書くためにプロンプトの制約や原則について学ぶ / prompt-engineering-for-ai-fiction
Avatar for nwiizo nwiizo
2
390
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
53
32k
転職したらMCPサーバーだった件
Avatar for nwiizo nwiizo
14
11k
ここはMCPの夜明けまえ
Avatar for nwiizo nwiizo
32
14k
生成AIによるCloud Native基盤構築の可能性と実践的ガードレールの敷設について
Avatar for nwiizo nwiizo
8
1.7k
Kubernetesで実現できるPlatform Engineering の現在地
Avatar for nwiizo nwiizo
3
2.3k
SLI/SLO・ラプソディあるいは組織への適用の旅
Avatar for nwiizo nwiizo
4
1.6k
インフラをつくるとはどういうことなのか、 あるいはPlatform Engineeringについて
Avatar for nwiizo nwiizo
6
5k
Platform Engineeringは自由のめまい
Avatar for nwiizo nwiizo
4
2.7k

Other Decks in Technology

See All in Technology
原則から考える保守しやすいComposable関数設計
Avatar for Mori Atsushi moriatsushi
3
510
Snowflake Summit 2025 データエンジニアリング関連新機能紹介 / Snowflake Summit 2025 What's New about Data Engineering
Avatar for t-hiroto tiltmax3
0
290
“社内”だけで完結していた私が、AWS Community Builder になるまで
Avatar for nagisa_53 nagisa53
1
280
データプラットフォーム技術におけるメダリオンアーキテクチャという考え方/DataPlatformWithMedallionArchitecture
Avatar for Masatoshi Shimada smdmts
5
590
Uniadex__公開版_20250617-AIxIoTビジネス共創ラボ_ツナガルチカラ_.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
150
20250623 Findy Lunch LT Brown
Avatar for Brown 3150
0
820
実践! AIエージェント導入記
Avatar for 森本タカヒロ 1mono2prod
0
150
PHPでWebブラウザのレンダリングエンジンを実装する
Avatar for ディップ株式会社 dip_tech
PRO
0
180
LinkX_GitHubを基点にした_AI時代のプロジェクトマネジメント.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
160
監視のこれまでとこれから/sakura monitoring seminar 2025
Avatar for FUJIWARA Shunichiro fujiwara3
11
3.5k
Agentic Workflowという選択肢を考える
Avatar for takuya kikuchi tkikuchi1002
1
440
Claude Code Actionを使ったコード品質改善の取り組み
Avatar for Katsunori Kanda potix2
PRO
6
1.9k

Featured

See All Featured
Scaling GitHub
Avatar for Zach Holman holman
459
140k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
233
140k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
36
2.8k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
273
40k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
657
60k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
367
19k
Done Done
Avatar for chrislema chrislema
184
16k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
299
21k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
35
6.7k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
Side Projects
Avatar for Sacha Greif sachag
455
42k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k

Transcript

  1. None
  2. None

  3. • • • •

  4. None
  5. None

  6. # iptables -A INPUT –s 10.0.0.0/8 -j ACCEPT # iptables

    -A INPUT -s 172.16.0.0/12 -j ACCEPT # iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

  7. ⚫ ⚫ ⚫ ⚫ ⚫ by Doug Barth, Evan Gilman

    Publisher: O'Reilly Media, Inc. Release Date: July 2017 Topic: Network Security

  8. ⚫ ⚫ ⚫ Figure 1-1. Traditional network security architecture Figure

    1-1. Traditional network security architecture ⚫ ⚫
  9. None

  10. private 非認証 認証 private 認証 認証

  11. None

  12. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  13. Traffic Inspection metrics Service Discovery

  14. Traffic Inspection metrics Service Discovery

  15. Traffic Inspection metrics Service Discovery

  16. Policy checks, telemetry TLS cert to Proxy Config data to

    Proxy

  17.       https://istio.io/

  18. None
  19. None
  20. None

  21. ⚫ ⚫ ⚫

  22. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md spiffe://trust-domain/path spiffe://staging.acme.com/payments/mysql spiffe://staging.acme.com/payments/web-fe spiffe://k8s-west.acme.com/ns/staging/sa/default

  23. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#3-spiffe-verifiable-identity-document ⚫ ⚫ ⚫ ⚫

  24. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_API.md

  25. https://istio.io/docs/concepts/security/ ⚫  ⚫  ⚫  ⚫  ⚫

     Istio Security Architecture ⚫  ⚫  ⚫ 

  26. ⚫ ⚫ https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md spiffe://¥<domain¥>/ns/¥<namespace¥>/sa/¥<serviceaccount¥>

  27. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md • • • •

  28. https://github.com/istio/istio/blob/release-1.1/security/tools/generate_cert/main.go https://github.com/istio/istio/blob/release-1.1/security/pkg/nodeagent/sds/server.go https://github.com/istio/istio/blob/release-1.1/security/pkg/platform/onprem.go https://istio.io/docs/concepts/security/#kubernetes-scenario

  29. 認証の図

  30. 認可の図

  31. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  32. See also https://istio.io/docs/tasks/security/authz-tcp/ Shows how to set up role-based access

    control for TCP services. https://istio.io/docs/tasks/security/authz-http/ Shows how to set up role-based access control for HTTP services. https://istio.io/docs/tasks/security/authz-permissive/ Shows how to use Authorization permissive mode. https://istio.io/blog/2018/istio-authorization/ Describe Istio's authorization feature and how to use it in various use cases. https://istio.io/help/ops/security/debugging-authorization/ Demonstrates how to debug authorization. https://istio.io/docs/tasks/security/rbac-groups/ Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.

  33. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

    ⚫ ⚫ ⚫ ⚫ ⚫
  34. None
  35. None