Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CiliumによるKubernetes Network Policyの実現 CNDT2021

Tomoki Sugiura
November 05, 2021
Programming
0
710

CiliumによるKubernetes Network Policyの実現 CNDT2021

Tomoki Sugiura

November 05, 2021
Tweet

More Decks by Tomoki Sugiura

See All by Tomoki Sugiura
naist colloquium-B 2
shanpu
0
150
ricc-20210826
shanpu
0
330
IOT53
shanpu
0
33
RICC-PIoT Workshop 2021
shanpu
0
380
ricc-nii-2020
shanpu
0
63
Cloud Native Kansai #05 LT4
shanpu
1
700
gcpug-kyoto#2-LT1
shanpu
0
480
kubernetes-seminar
shanpu
0
110
KansaiLT2
shanpu
0
190

Other Decks in Programming

See All in Programming
From complexity to observability using OpenTelemetry
danilop
1
340
AWS CDKのあるあるお悩みに答えたい
tmokmss
5
1.4k
「無ければ作る」Backlogに欲しい機能を自分で作った話
nsuz
0
190
サーバーレスJavaの今 ~SnapStartとWeb Adapterを寄せて~
xblood
3
700
Goのメモリ管理 / Memory management in Go
ymotongpoo
4
3.2k
Kotlin Multiplatform Library 배포하기
fornewid
0
200
フロントエンドエンジニアの友人と“型”で話がすれ違った原因 YUMEMI.grow合同LT会in横浜 @Kaito-Dogi
doggy
1
370
Attributes in PHP 8
beberlei
1
430
Mitigate Attacks on your PHP Supply Chain
dunglas
2
570
Learn Ractor
m_seki
1
1.5k
Symfony Messenger et ses messages: à la queleuleu…. Et s’il était temps de grouper ?
alli83
1
240
失敗から学ぶBtoB SaaSでカオスを招かない個社カスタマイズ開発の考え方 #開発話
77web
1
350

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
198
18k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
44k
Automating Front-end Workflow
addyosmani
1352
200k
What the flash - Photography Introduction
edds
64
10k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Building Your Own Lightsaber
phodgson
96
5k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
The Invisible Side of Design
smashingmag
292
49k
Making Projects Easy
brettharned
102
5k
Imperfection Machines: The Place of Print at Facebook
scottboms
255
12k
Gamification - CAS2011
davidbonilla
75
4.2k
Web Components: a chance to create the future
zenorocha
304
41k

Transcript

  1. CiliumʹΑΔ


    Kubernetes Network Policyͷ࣮ݱ
    5PNPLJ4VHJVSB

    View Slide

  2. ຊηογϣϯͷ֓ཁ
    2
    1PE 1PE
    1PE

    View Slide

  3. ຊηογϣϯͷ֓ཁ
    3
    $/*ϓϥάΠϯ
    1PE 1PE
    1PE
    1PEؒͷ௨৴Λ؅ཧ

    View Slide

  4. ຊηογϣϯͷ֓ཁ
    4

    $/*ϓϥάΠϯ 1PEؒͷ௨৴Λ؅ཧ
    1PE 1PE
    1PE

    View Slide

  5. ຊηογϣϯͷ֓ཁ
    5

    Ͳ͏΍੍ͬͯޚʁ
    ઃఆ߲໨ʁ
    $/*ϓϥάΠϯ 1PEؒͷ௨৴Λ؅ཧ
    1PE 1PE
    1PE
    1PEؒͷ௨৴Λ؅ཧ

    View Slide

  6. ຊฤ΁
    6

    View Slide

  7. Kubernetes
    7
    ˓ ίϯςφΦʔέετϨʔγϣϯπʔϧ
    ˔ ෳ਺୆ͷίϯςφΛҰݩ؅ཧ
    ˓ ίϯςφӡ༻ͷͨΊͷ͜ͱΛͳΜͰ΋΍Δ
    ˔ ΦʔτώʔϦϯάɾϩʔϦϯάΞοϓσʔτ
    ˔ ίϯςφʹద༻͢Δઃఆ஋ͷ؅ཧ
    ˔ ݖݶ؅ཧ
    ˔ FUD
    ˓ 1PEؒͷ௨৴ػೳˠ$/*ϓϥάΠϯʹҕৡ
    ˔ 1PEʹωοτϫʔΫ໊લۭؒΛڞ༗͢Δίϯςφ܈

    View Slide

  8. CNI
    8
    ˓ $POUBJOFS/FUXPSL*OUFSGBDF
    ˓ $/$'*ODVCBUJOH1SPKFDU
    ˓ ίϯςφωοτϫʔΫ*'ͷ؅ཧʹ͓͚Δ࢓༷Λఆٛ
    ˔ ,VCFSOFUFTઐ༻πʔϧͰ͸ͳ͍
    ˓ ػೳ
    ˔ "%%ɿωοτϫʔΫ*'ͷ࡞੒ɾߋ৽
    ˔ %&-ɿωοτϫʔΫ*'ͷ࡟আɾߋ৽ͷऔফ
    ˔ $)&$,ɿظ଴௨Γͷઃఆ͔֬ೝ
    ˔ 7&34*0/ɿαϙʔτ͍ͯ͠Δ$/*࢓༷ͷόʔδϣϯΛฦ͢

    View Slide

  9. ˓ $/*ʹ४ڌͨ͠,VCFSOFUFTͷ
    ωοτϫʔΫϓϥάΠϯ
    ˓ $/*όΠφϦ
    ˔ ίϯςφωοτϫʔΫ*'ͷ؅ཧ
    ˓ $/*σʔϞϯ
    ˔ Ϋϥελ಺ͰͷωοτϫʔΫૄ௨Λ؅ཧ
    ˓ $/*ϓϥάΠϯྫ
    ˔ $BMJDP
    ˔ $JMJVN
    ˔ FUD
    CNIϓϥάΠϯ
    9
    $/*
    ϓϥάΠϯ
    FUI
    "%%
    ωοτϫʔΫ*'ͷ࡞੒
    *1ΞυϨεͷׂΓ౰ͯ
    ܦ࿏ઃఆ

    View Slide

  10. ˓ $/*ϓϥάΠϯͷҰͭ
    ˓ $/$'*ODVCBUJOHQSPKFDU
    ˓ σʔλϓϨʔϯʹF#1'Λ׆༻
    ˓ ར༻ࣄྫ
    ˔ (,&%BUBQMBOF7
    ˔ &,4"OZXIFSF
    Cilium
    10

    View Slide

  11. ˓ FYUFOEFE#FSLFMFZ1BDLFU'JMUFS
    ˓ ࣗ෼ͷ࡞੒ͨ͠ϓϩάϥϜΛ
    -JOVYΧʔωϧ಺ͷ7.Ͱ࣮ߦ
    ˔ ಠࣗϨδελ໋ྩηοτ
    ˔ ϓϩάϥϜͷݕࠪػߏ͕͋Γ҆શੑΛอো
    ˓ Πϕϯτۦಈ
    ˔ FHύέοτ͕/*$ʹ౸ୡ
    ˓ $ݴޠͰهड़Մೳ
    ˔ $MBOH--7.
    eBPF
    11
    DMBOHUBSHFUCQG
    $ݴޠϓϩάϥϜ
    όΠτίʔυ
    7FSJ
    fi
    FS
    +*5$PNQJMFS
    ΠϕϯτʹԠ࣮ͯ͡ߦ
    CQG

    Ϣʔβۭؒ
    Χʔωϧۭؒ

    View Slide

  12. ͜͜·Ͱͷ·ͱΊ
    12
    ˓ ,VCFSOFUFT͸1PEؒͷ௨৴ػೳΛ
    $/*ϓϥάΠϯʹҕৡ
    ˓ $/*ϓϥάΠϯ͸$/*४ڌͷ,VCFSOFUFTϓϥάΠϯ
    ˔ 1PEؒͷ௨৴ػೳͷఏڙɾ؅ཧΛߦ͏
    ˓ $JMJVN͸$/*ϓϥάΠϯͷҰछ
    ˔ σʔλϓϨʔϯʹF#1'Λ׆༻

    View Slide

  13. Network Policyͱ͸
    13

    View Slide

  14. Kubernetes Network PolicyϦιʔε
    14
    1PE
    1PE
    1PE

    View Slide

  15. Kubernetes Network PolicyϦιʔε
    15
    1PE
    1PE
    1PE

    View Slide

  16. Kubernetes Network PolicyϦιʔε
    16
    1PE
    1PE
    1PE

    View Slide

  17. Kubernetes Network Policyͱ͸
    17
    ˓ ,VCFSFOUFTͷϦιʔεͷҰछ
    ˓ --ͷ௨৴Λ੍ޚ
    ˔ *1ΞυϨεϙʔτ൪߸
    ˓ $/*ϓϥάΠϯ͕ରԠ͍ͯ͠Ε͹࢖༻Մೳ
    ˔ $JMJVN͸ରԠ
    ˔ 'MBOOFM͸ະରԠ
    ˓ ུশ͸OFUQPM
    ˔ LVCFDUMHFUOFUQPM"

    View Slide

  18. Kubernetes Network Policy ྫ
    18
    ˓ ໊લۭؒ͝ͱʹ࡞੒
    ˓ ڐՄϦετ
    ˓ --ϨϕϧͷϙϦγʔ
    ˓ *OHSFTTʢ֎͔Β಺ʣɼ&HSFTTʢ಺͔Β֎ʣ
    ωοτϫʔΫϙϦγʔྫ

    View Slide

  19. Kubernetes Network Policy σϞ
    19
    6CVOUV /(*/9

    DVSMIUUQ/(*/[email protected]*1

    View Slide

  20. ˓ /FUXPSL1PMJDZͷ֦ு
    ˔ ΧελϜϦιʔε
    ˓ ໊લۭؒPSΫϥελશମ
    ˔ $JMJVN/FUXPSL1PMJDZ
    ˔ $JMJVN$MVTUFSXJEF/FUXPSL1PMJDZ
    ˓ "MMPX%FOZ྆ํઃఆՄೳ
    ˓ -ϨϕϧͰͷϙϦγʔΛઃఆՄೳ
    Cilium Network Policy
    20

    View Slide

  21. Cilium Network Policy L3
    21
    ˓ -BCFMϕʔε
    ˔ 1PEͷϥϕϧͰࢦఆ
    ˓ *1$*%3ϕʔε
    ˓ %/4ϕʔε
    ˓ 4FSWJDFϕʔε
    ˓ &OUJUZϕʔε
    -BCFMϕʔε$JMJVN/FUXPSL1PMJDZྫ

    View Slide

  22. Cilium Network Policy L3
    22
    ˓ -BCFMϕʔε
    ˓ *1$*%3ϕʔε
    ˔ *1ΞυϨε
    ˔ *1ΞυϨεൣғ
    ˓ %/4ϕʔε
    ˓ 4FSWJDFϕʔε
    ˓ &OUJUZϕʔε
    *1$*%3ϕʔε$JMJVN/FUXPSL1PMJDZྫ

    View Slide

  23. Cilium Network Policy L3
    23
    ˓ -BCFMϕʔε
    ˓ *1$*%3ϕʔε
    ˓ %/4ϕʔε
    ˔ '2%/Ͱࢦఆ
    ˓ 4FSWJDFϕʔε
    ˓ &OUJUZϕʔε
    %/4ϕʔε$JMJVN/FUXPSL1PMJDZྫ

    View Slide

  24. Cilium Network Policy L3
    24
    ˓ -BCFMϕʔε
    ˓ *1$*%3ϕʔε
    ˓ %/4ϕʔε
    ˓ 4FSWJDFϕʔε
    ˔ ಛఆͷ4FSWJDFϦιʔε΁ͷ௨৴Λ੍ޚ
    ˓ &OUJUZϕʔε
    4FSWJDFϕʔε$JMJVN/FUXPSL1PMJDZྫ

    View Slide

  25. Cilium Network Policy L3
    25
    ˓ -BCFMϕʔε
    ˓ *1$*%3ϕʔε
    ˓ %/4ϕʔε
    ˓ 4FSWJDFϕʔε
    ˓ &OUJUZϕʔε
    ˔ &OUJUZʢଐੑʣͰ௨৴Λ੍ޚ
    ˗ Ϋϥελ֎
    ˗ Ϋϥελ಺
    ˗ $JMJVN؅ཧ
    ˗ $JMJVN؅ཧ֎
    ˗ ͳͲ
    &OUJUZϕʔε$JMJVN/FUXPSL1PMJDZྫ

    View Slide

  26. Cilium Network Policy L4
    26
    ˓ 5$16%1ϙʔτ൪߸
    ˓ *$.1λΠϓ
    5$1ϙʔτ൪߸$JMJVN/FUXPSL1PMJDZͷྫ

    View Slide

  27. Cilium Network Policy L4
    27
    ˓ 5$16%1ϙʔτ൪߸
    ˓ *$.1λΠϓ
    ˔ *$.1ɺ*$.1WͷλΠϓ
    ˔ GFBUVSFϑϥάΛ༗ޮʹ͢Δ͜ͱͰར༻Մೳ
    ˔ ͨͩ͠ݱࡏ͸҆ఆಈ࡞͠ͳ͍ͨΊඇਪ঑
    *$.1λΠϓ$JMJVN/FUXPSL1PMJDZͷྫ

    View Slide

  28. Cilium Network Policy L7
    28
    ˓ ڐՄϦετͷΈ
    ˓ )551
    ˔ ύε
    ˔ ϗετ໊
    ˔ ϝιου
    ˔ ϔομʔ
    ˓ %/4
    ˓ ,BGLB CFUB

    )551$JMJVN/FUXPSL1PMJDZͷྫ

    View Slide

  29. Cilium Network Policy L7
    29
    ˓ ڐՄϦετͷΈ
    ˓ )551
    ˓ %/4
    ˔ ໊લࢦఆ
    ˔ ύλʔϯϚον
    ˓ ,BGLB CFUB

    %/4$JMJVN/FUXPSL1PMJDZͷྫ

    View Slide

  30. Cilium Network Policy L7
    30
    ˓ ڐՄϦετͷΈ
    ˓ )551
    ˓ %/4
    ˓ ,BGLB CFUB

    ˔ 3PMF
    ˔ "1*Ωʔ
    ˔ "1*όʔδϣϯ
    ˔ ΫϥΠΞϯτ*%
    ˔ τϐοΫ
    ,BGLB$JMJVN/FUXPSL1PMJDZͷྫ

    View Slide

  31. Cilium Network Policy σϞ L7-HTTP
    31
    6CVOUV /(*/9

    BMMPX
    EFOZ

    View Slide

  32. Cilium Network Policyͷ࣮ݱ
    32
    /FUXPSL1PMJDZΛهड़ͨ͠
    ϚχϑΣετϑΝΠϧ
    [email protected]@QPMJDZHP
    ,T8BUDIFSBEE$JMJVN/FUXPSL1PMJDZ7

    View Slide

  33. Cilium Network Policyͷ࣮૷
    33
    ϙϦγʔͷݕࠪ
    Ϣʔβۭؒʢ(Pݴޠʣ
    DJMJVNQLHa
    [email protected]
    3VMF4BOJUJ[F

    View Slide

  34. Cilium Network Policyͷ࣮૷
    34
    ϙϦγʔͷݕࠪ /FUXPSL1PMJDZ
    F#1'.BQʹ
    ରԠ͢Δߏ଄ମʹม׵
    Ϣʔβۭؒʢ(Pݴޠʣ
    DJMJVNQLHa
    [email protected]
    3VMF4BOJUJ[F

    DJMJVNQLHa
    FOEQPJOUCQGHP
    &OEQPJOUBEE1PMJDZ,FZ

    F#1'.BQʹରԠͨ͠ߏ଄ମ

    View Slide

  35. Cilium Network Policyͷ࣮૷
    35
    ϙϦγʔͷݕࠪ
    F#1'.BQʹରԠͨ͠ߏ଄ମ
    /FUXPSL1PMJDZ
    F#1'.BQʹ
    ରԠ͢Δߏ଄ମʹม׵
    F#1'.BQʹ௥Ճ
    -͸&OWPZ

    Ϣʔβۭؒʢ(Pݴޠʣ
    DJMJVNQLHa
    [email protected]
    3VMF4BOJUJ[F

    DJMJVNQLHa
    FOEQPJOUCQGHP
    &OEQPJOUBEE1PMJDZ,FZ

    DJMJVNQLHa
    [email protected]
    .BQ6QEBUF

    View Slide

  36. ˓ F#1'ϓϩάϥϜؒ΍ϢʔβۭؒϓϩάϥϜͱ
    σʔλΛڞ༗͢Δ࢓૊Έ
    ˔ Ϣʔβۭ͔ؒΒ͸γεςϜίʔϧΛൃߦ
    ˓ LFZWBMVFετΞ
    eBPF Map
    36
    F#1'
    .BQT

    View Slide

  37. Cilium Network Policyͷ࣮૷
    37
    ύέοτ
    Χʔωϧۭؒ

    View Slide

  38. Cilium Network Policyͷ࣮૷
    38
    ύέοτ
    Χʔωϧۭؒ
    ϔομ৘ใ͔Β
    ϚοϓΩʔʹରԠ͢Δ
    ߏ଄ମʹม׵
    DJMJVNCQGMJCa
    DPOOUSBDLI
    [email protected]

    [email protected]

    View Slide

  39. Cilium Network Policyͷ࣮૷
    39
    ύέοτ
    Χʔωϧۭؒ
    ϔομ৘ใ͔Β
    ϚοϓΩʔʹରԠ͢Δ
    ߏ଄ମʹม׵
    DJMJVNCQGMJCa
    DPOOUSBDLI
    [email protected]

    [email protected]

    DJMJVNCQGMJCa
    QPMJDZI
    @@[email protected]@BDDFTT

    View Slide

  40. Cilium Network Policyͷ࣮૷
    40
    ύέοτ
    Χʔωϧۭؒ
    ϔομ৘ใ͔Β
    ϚοϓΩʔʹରԠ͢Δ
    ߏ଄ମʹม׵
    DJMJVNCQGMJCa
    DPOOUSBDLI
    [email protected]

    [email protected]

    DJMJVNCQGMJCa
    QPMJDZI
    @@[email protected]@BDDFTT

    View Slide

  41. Cilium Network Policyͷ࣮૷
    41
    ύέοτ
    Χʔωϧۭؒ
    ϔομ৘ใ͔Β
    ϚοϓΩʔʹରԠ͢Δ
    ߏ଄ମʹม׵
    র߹͢Δ
    1PMJDZ.BQ
    F#1'.BQ

    %SPQ
    1BTT
    DJMJVNCQGMJCa
    DPOOUSBDLI
    [email protected]

    [email protected]

    DJMJVNCQGMJCa
    QPMJDZI
    @@[email protected]@BDDFTT

    View Slide

  42. ·ͱΊ
    42
    ˓ /FUXPSL1PMJDZϦιʔεͰ1PEͷ௨৴Λ੍ޚͰ͖Δ
    ˓ $JMJVN/FUXPSL1PMJDZ͸/FUXPSL1PMJDZͷ֦ு
    ˔ -ɺ-ɺ-ϙϦγʔ
    ˓ $JMJVN͸F#1'Λ׆༻ͯ͠/FUXPSL1PMJDZΛ࣮ݱ
    ˔ F#1'.BQΛ࢖ͬͯϙϦγʔ৘ใΛ఻೻

    View Slide