Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy

Slide 1

Slide 1 text

Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy 20 JUNE 2020 Envoy Meetup Tokyo #2

Slide 2

Slide 2 text

About Me Morito Ikeda (@_moricho_) ɾGo, Kubernetes, Rust, … ɾgVisor΍FirecrackerͳͲOSS΁ͷ ɹίϯτϦϏϡʔτ ɾ GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷɹɹ ɹిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ɹɹ ɹ༧ఆͰ͢

Slide 3

Slide 3 text

ɾKubeCon + CloudNativeCon Europe 2019ͷηογϣϯ ɾ֤ཁૉٕज़ͷ঺հ ɾͲ͏Zero TrustͳωοτϫʔΫΛ ߏங͍͔ͯ͘͠

Slide 4

Slide 4 text

Zero Trust Networkͱ͸ ৗʹةݥʹࡽ͞Ε͓ͯΓɺ͢΂ͯͷτϥϑΟοΫΛ ৴པ͠ͳ͍͜ͱΛલఏͱͨ͠ωοτϫʔΫ ❌ɿ ڥքͷ֎ଆͷڴҖʹඋ͑Δɺڥքͷ಺ଆ͸҆શ ⭕ɿ ࣮ࡍ͸ڥքͷதͰ΋ෆਖ਼͸ى͜ΓɺڴҖ΋৵ೖ͢Δ

Slide 5

Slide 5 text

ैདྷͷϞϊϦγοΫͳ৔߹ https://static.sched.com/hosted_ﬁles/kccncna17/a9/KubeCon2017-Keynote.pdf

Slide 6

Slide 6 text

ϚΠΫϩαʔϏεͷ৔߹ https://static.sched.com/hosted_ﬁles/kccncna17/a9/KubeCon2017-Keynote.pdf

Slide 7

Slide 7 text

ϚΠΫϩαʔϏεͷ৔߹ https://static.sched.com/hosted_ﬁles/kccncna17/a9/KubeCon2017-Keynote.pdf

Slide 8

Slide 8 text

Zero Trust Networkʹඞཁͳ΋ͷᶃ ɾϚΠΫϩαʔϏεͷؒΛྲྀΕΔωοτϫʔΫτϥϑΟοΫ͕ ҉߸Խ͞Ε͍ͯΔඞཁ͕͋Δ => mTLS (mutual TLS)ʹΑΔAuthN

Slide 9

Slide 9 text

SPIFFE/SPIREͱ͸ SPIFFE ɾαʔϏεؒೝূͷͨΊͷඪ४࢓༷ ɾCNCFࡿԼͷϓϩδΣΫτ ɾϚΠΫϩαʔϏεؒͷೝূ΍௨৴ͷ҉߸Խʹඞཁͳ ɹূ໌ॻ؅ཧΛࣗಈԽ ɾmTLSΛ࣮ݱ ɾSVIDɿSPIFFE Verifable Identity Document Node΍workloadͷidentityΛূ໌͢ΔͨΊͷσʔλܗࣜ

Slide 10

Slide 10 text

SPIFFE/SPIREͱ͸ SPIRE ɾSPIFFEͷࢀর࣮૷ ɾSPIRE Server NodeͷೝূɺSVIDʹॺ໊͢ΔͨΊͷΩʔϖΞͷ؅ཧͳͲ ɾSPIRE Agent NodeʹҰ୆͋Δ workloadͷೝূɺ SVID, ൿີ伴, TrustBundle(CAূ໌ॻνΣʔϯ)ͷ഑෍ͳͲ

Slide 11

Slide 11 text

https://static.sched.com/hosted_ﬁles/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

Slide 12

Slide 12 text

https://static.sched.com/hosted_ﬁles/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

Slide 13

Slide 13 text

Zero Trust Networkʹඞཁͳ΋ͷᶄ ɾϚΠΫϩαʔϏε͝ͱͷFW͕ඞཁ => ωοτϫʔΫϙϦγʔΛ࢖༻ͨ͠AuthZ

Slide 14

Slide 14 text

Calicoͱ͸ Project Calico ɾPureͳL3ωοτϫʔΫ ϧʔςΟϯάϓϩτίϧʹBGPΛ࢖༻ flannelͱҧͬͯΦʔόʔϨΠͰ͸ͳ͍ ɾFelix Calicoͷத֩ػೳ ϧʔςΟϯάςʔϒϧ΁ͷܦ࿏৘ใͷઃఆ iptables΁ͷΞΫηεϦετͷઃఆ ͳͲ Controle Plane

Slide 15

Slide 15 text

Calicoͱ͸ Calico Network Policy ɾ endpointʹରͯ͠ϙϦγʔ੍ޚΛߦ͏FW ɾτϥϑΟοΫͷํ޲ (Ingress,Egress)΍ڋ൱/ڐՄ (Deny/Allow), ϓϩτίϧ (TCP/UDP/ICMPͳͲ), ϙʔτ൪߸ Dikastes ɾEnvoy Plugin ɾDataPlaneʹ഑ஔ͞ΕΔʢPod͝ͱʣ ɾFelix͔Β഑෍͞ΕͨωοτϫʔΫϙϦγʔͷద༻

Slide 16

Slide 16 text

https://static.sched.com/hosted_ﬁles/kccnceu19/2a/SPIRE%20%2B%20Calico%20Kubecon%20Europe%20%20%283%29.pdf

Slide 17

Slide 17 text

ZeroTrustͳ ServiceMeshΛ໨ࢦͯ͠ αʔϏε͝ͱͷAuthZ ɾCalicoΛ࢖ͬͨϙϦγʔઃఆͱ ద੾ͳΞΫηε੍ޚ ɾOPAͳͲ΋͋Γ ɾCalico͸NetworkPolicy୯ମͰͷ ࢖༻΋Մೳ ZeroTrustͳNetworkͱ͸ ɾϚΠΫϩαʔϏεԽʹ൐͍ɺ ωοτϫʔΫΛލ͍ͩ௨৴͕ ଟ͘ͳͬͨ ɾશͯͷτϥϑΟοΫΛ৴༻͠ͳ͍ લఏͰηΩϡϦςΟରࡦΛ͢Δ αʔϏεؒͷAuthN ɾSPIFFE/SPIREΛ࢖ͬͨೝূɺ ূ໌ॻ؅ཧ ɾαʔϏεؒͷ௨৴Λ mTLSʹ͢Δ ɾIstio΋͋Γ͚ͩͲେ͖͗͢Δ

Slide 18

Slide 18 text

ࢀߟࢿྉ ɾCalicoʹΑΔKubernetesϐϡΞL3ωοτϫʔΩϯά - Yahoo! JAPAN Tech Blog https://techblog.yahoo.co.jp/infrastructure/kubernetes_calico_networking/ ɾProject CalicoͷΞʔΩςΫνϟΛݟͯΈΑ͏ https://thinkit.co.jp/article/14112 ɾSecuring the Service Mesh with SPIRE - Speaker Deck https://speakerdeck.com/ryysud/securing-the-service-mesh-with-spire ɾZero Trust Service Mesh with Calico, SPIRE, and Envoy https://kccnceu19.sched.com/event/MPe3

Slide 19

Slide 19 text

ࢀߟࢿྉ ɾ৽͍͠ηΩϡϦςΟΞϓϩʔνɺCalicoͱIstioɺKubernetesʹΑΔ ɹθϩτϥετωοτϫʔΫͱ͸ https://thinkit.co.jp/article/13276 ɾProgress Toward Zero Trust Kubernetes Network https://www.youtube.com/watch?v=Agxt9Vg-YP4&feature=youtu.be