Save 37% off PRO during our Black Friday Sale! »

CiliumによるKubernetes Network Policyの実現 CNDT2021

62a14b322f22ab9588702ab2064df63f?s=47 Tomoki Sugiura
November 05, 2021
Programming
0
300

CiliumによるKubernetes Network Policyの実現 CNDT2021

62a14b322f22ab9588702ab2064df63f?s=128

Tomoki Sugiura

November 05, 2021
Tweet

More Decks by Tomoki Sugiura

See All by Tomoki Sugiura
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
48
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
150
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
26
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
200
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
57
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
1
460
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
370
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
63
62a14b322f22ab9588702ab2064df63f?s=48 shanpu
0
170

Other Decks in Programming

See All in Programming
B7424f2bb6afd48c51cf88c2c15c395d?s=48 t2kob
0
180
434123e6e96afad5905d876ff5e355ca?s=48 castaneai
2
1.3k
9733730b7cb400f72ed99aa28fc1d210?s=48 karszawa
0
560
11cbdce6fef8ae507d51b96dca4a0ec5?s=48 sksat
1
400
C9ceeecd7454954e4f93ee2a1cbbf386?s=48 dragontaro
1
940
971ed28afdc89340ebbf2114ed4ef538?s=48 txkxyx
1
140
265bcbb56e831266de7a9f9281aab57a?s=48 appleboy
2
1k
71929a476c581dd754e4e1f355ac07d0?s=48 fukubaka0825
5
1.6k
E505897a79eede1a676f92740261e8f8?s=48 kubode
0
320
9e64d2069945742c818421e884603b44?s=48 ushisantoasobu
1
460
Ddecbf99faa27ea6257856734fa6f9b8?s=48 whitegreen
0
170
4d78b749c315e21a956053dcbf0508a9?s=48 po3rin
1
200

Featured

See All Featured
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.4k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
129
22k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
760
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
298
39k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
261
24k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.7k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
105
12k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
236
980k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
156
12k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
6
790
B47b288784fda77a94aeb234ca743c24?s=48 keavy
111
15k

Transcript

  1. CiliumʹΑΔ Kubernetes Network Policyͷ࣮ݱ 5PNPLJ4VHJVSB

  2. ຊηογϣϯͷ֓ཁ 2 1PE 1PE 1PE

  3. ຊηογϣϯͷ֓ཁ 3 $/*ϓϥάΠϯ 1PE 1PE 1PE 1PEؒͷ௨৴Λ؅ཧ

  4. ຊηογϣϯͷ֓ཁ 4 ❌ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λ؅ཧ 1PE 1PE 1PE

  5. ຊηογϣϯͷ֓ཁ 5 ❌ Ͳ͏΍੍ͬͯޚʁ ઃఆ߲໨ʁ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λ؅ཧ 1PE 1PE 1PE

    1PEؒͷ௨৴Λ؅ཧ

  6. ຊฤ΁ 6

  7. Kubernetes 7 ˓ ίϯςφΦʔέετϨʔγϣϯπʔϧ ˔ ෳ਺୆ͷίϯςφΛҰݩ؅ཧ ˓ ίϯςφӡ༻ͷͨΊͷ͜ͱΛͳΜͰ΋΍Δ ˔ ΦʔτώʔϦϯάɾϩʔϦϯάΞοϓσʔτ

    ˔ ίϯςφʹద༻͢Δઃఆ஋ͷ؅ཧ ˔ ݖݶ؅ཧ ˔ FUD ˓ 1PEؒͷ௨৴ػೳˠ$/*ϓϥάΠϯʹҕৡ ˔ 1PEʹωοτϫʔΫ໊લۭؒΛڞ༗͢Δίϯςφ܈

  8. CNI 8 ˓ $POUBJOFS/FUXPSL*OUFSGBDF ˓ $/$'*ODVCBUJOH1SPKFDU ˓ ίϯςφωοτϫʔΫ*'ͷ؅ཧʹ͓͚Δ࢓༷Λఆٛ ˔ ,VCFSOFUFTઐ༻πʔϧͰ͸ͳ͍

    ˓ ػೳ ˔ "%%ɿωοτϫʔΫ*'ͷ࡞੒ɾߋ৽ ˔ %&-ɿωοτϫʔΫ*'ͷ࡟আɾߋ৽ͷऔফ ˔ $)&$,ɿظ଴௨Γͷઃఆ͔֬ೝ ˔ 7&34*0/ɿαϙʔτ͍ͯ͠Δ$/*࢓༷ͷόʔδϣϯΛฦ͢

  9. ˓ $/*ʹ४ڌͨ͠,VCFSOFUFTͷ ωοτϫʔΫϓϥάΠϯ ˓ $/*όΠφϦ ˔ ίϯςφωοτϫʔΫ*'ͷ؅ཧ ˓ $/*σʔϞϯ ˔

    Ϋϥελ಺ͰͷωοτϫʔΫૄ௨Λ؅ཧ ˓ $/*ϓϥάΠϯྫ ˔ $BMJDP ˔ $JMJVN ˔ FUD CNIϓϥάΠϯ 9 $/* ϓϥάΠϯ FUI "%% ωοτϫʔΫ*'ͷ࡞੒ *1ΞυϨεͷׂΓ౰ͯ ܦ࿏ઃఆ

  10. ˓ $/*ϓϥάΠϯͷҰͭ ˓ $/$'*ODVCBUJOHQSPKFDU ˓ σʔλϓϨʔϯʹF#1'Λ׆༻ ˓ ར༻ࣄྫ ˔ (,&%BUBQMBOF7

    ˔ &,4"OZXIFSF Cilium 10

  11. ˓ FYUFOEFE#FSLFMFZ1BDLFU'JMUFS ˓ ࣗ෼ͷ࡞੒ͨ͠ϓϩάϥϜΛ -JOVYΧʔωϧ಺ͷ7.Ͱ࣮ߦ ˔ ಠࣗϨδελ໋ྩηοτ ˔ ϓϩάϥϜͷݕࠪػߏ͕͋Γ҆શੑΛอো ˓

    Πϕϯτۦಈ ˔ FHύέοτ͕/*$ʹ౸ୡ ˓ $ݴޠͰهड़Մೳ ˔ $MBOH--7. eBPF 11 DMBOHUBSHFUCQG $ݴޠϓϩάϥϜ όΠτίʔυ 7FSJ fi FS +*5$PNQJMFS ΠϕϯτʹԠ࣮ͯ͡ߦ CQG  Ϣʔβۭؒ Χʔωϧۭؒ

  12. ͜͜·Ͱͷ·ͱΊ 12 ˓ ,VCFSOFUFT͸1PEؒͷ௨৴ػೳΛ $/*ϓϥάΠϯʹҕৡ ˓ $/*ϓϥάΠϯ͸$/*४ڌͷ,VCFSOFUFTϓϥάΠϯ ˔ 1PEؒͷ௨৴ػೳͷఏڙɾ؅ཧΛߦ͏ ˓

    $JMJVN͸$/*ϓϥάΠϯͷҰछ ˔ σʔλϓϨʔϯʹF#1'Λ׆༻

  13. Network Policyͱ͸ 13

  14. Kubernetes Network PolicyϦιʔε 14 1PE 1PE 1PE

  15. Kubernetes Network PolicyϦιʔε 15 1PE 1PE 1PE ❌

  16. Kubernetes Network PolicyϦιʔε 16 1PE 1PE 1PE ❌

  17. Kubernetes Network Policyͱ͸ 17 ˓ ,VCFSFOUFTͷϦιʔεͷҰछ ˓ --ͷ௨৴Λ੍ޚ ˔ *1ΞυϨεϙʔτ൪߸

    ˓ $/*ϓϥάΠϯ͕ରԠ͍ͯ͠Ε͹࢖༻Մೳ ˔ $JMJVN͸ରԠ ˔ 'MBOOFM͸ະରԠ ˓ ུশ͸OFUQPM ˔ LVCFDUMHFUOFUQPM"

  18. Kubernetes Network Policy ྫ 18 ˓ ໊લۭؒ͝ͱʹ࡞੒ ˓ ڐՄϦετ ˓

    --ϨϕϧͷϙϦγʔ ˓ *OHSFTTʢ֎͔Β಺ʣɼ&HSFTTʢ಺͔Β֎ʣ ωοτϫʔΫϙϦγʔྫ

  19. Kubernetes Network Policy σϞ 19 6CVOUV /(*/9 ❌ DVSMIUUQ/(*/9@*1

  20. ˓ /FUXPSL1PMJDZͷ֦ு ˔ ΧελϜϦιʔε ˓ ໊લۭؒPSΫϥελશମ ˔ $JMJVN/FUXPSL1PMJDZ ˔ $JMJVN$MVTUFSXJEF/FUXPSL1PMJDZ

    ˓ "MMPX%FOZ྆ํઃఆՄೳ ˓ -ϨϕϧͰͷϙϦγʔΛઃఆՄೳ Cilium Network Policy 20

  21. Cilium Network Policy L3 21 ˓ -BCFMϕʔε ˔ 1PEͷϥϕϧͰࢦఆ ˓

    *1$*%3ϕʔε ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε -BCFMϕʔε$JMJVN/FUXPSL1PMJDZྫ

  22. Cilium Network Policy L3 22 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˔

    *1ΞυϨε ˔ *1ΞυϨεൣғ ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε *1$*%3ϕʔε$JMJVN/FUXPSL1PMJDZྫ

  23. Cilium Network Policy L3 23 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓

    %/4ϕʔε ˔ '2%/Ͱࢦఆ ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε %/4ϕʔε$JMJVN/FUXPSL1PMJDZྫ

  24. Cilium Network Policy L3 24 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓

    %/4ϕʔε ˓ 4FSWJDFϕʔε ˔ ಛఆͷ4FSWJDFϦιʔε΁ͷ௨৴Λ੍ޚ ˓ &OUJUZϕʔε 4FSWJDFϕʔε$JMJVN/FUXPSL1PMJDZྫ

  25. Cilium Network Policy L3 25 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓

    %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε ˔ &OUJUZʢଐੑʣͰ௨৴Λ੍ޚ ˗ Ϋϥελ֎ ˗ Ϋϥελ಺ ˗ $JMJVN؅ཧ ˗ $JMJVN؅ཧ֎ ˗ ͳͲ &OUJUZϕʔε$JMJVN/FUXPSL1PMJDZྫ

  26. Cilium Network Policy L4 26 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ 5$1ϙʔτ൪߸$JMJVN/FUXPSL1PMJDZͷྫ

  27. Cilium Network Policy L4 27 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ ˔

    *$.1ɺ*$.1WͷλΠϓ ˔ GFBUVSFϑϥάΛ༗ޮʹ͢Δ͜ͱͰར༻Մೳ ˔ ͨͩ͠ݱࡏ͸҆ఆಈ࡞͠ͳ͍ͨΊඇਪ঑ *$.1λΠϓ$JMJVN/FUXPSL1PMJDZͷྫ

  28. Cilium Network Policy L7 28 ˓ ڐՄϦετͷΈ ˓ )551 ˔

    ύε ˔ ϗετ໊ ˔ ϝιου ˔ ϔομʔ ˓ %/4 ˓ ,BGLB CFUB )551$JMJVN/FUXPSL1PMJDZͷྫ

  29. Cilium Network Policy L7 29 ˓ ڐՄϦετͷΈ ˓ )551 ˓

    %/4 ˔ ໊લࢦఆ ˔ ύλʔϯϚον ˓ ,BGLB CFUB %/4$JMJVN/FUXPSL1PMJDZͷྫ

  30. Cilium Network Policy L7 30 ˓ ڐՄϦετͷΈ ˓ )551 ˓

    %/4 ˓ ,BGLB CFUB  ˔ 3PMF ˔ "1*Ωʔ ˔ "1*όʔδϣϯ ˔ ΫϥΠΞϯτ*% ˔ τϐοΫ ,BGLB$JMJVN/FUXPSL1PMJDZͷྫ

  31. Cilium Network Policy σϞ L7-HTTP 31 6CVOUV /(*/9 ❌ BMMPX

    EFOZ

  32. Cilium Network Policyͷ࣮ݱ 32 /FUXPSL1PMJDZΛهड़ͨ͠ ϚχϑΣετϑΝΠϧ DJMJVNQLHLTXBUDIFSTDJMJVN@OFUXPSL@QPMJDZHP ,T8BUDIFSBEE$JMJVN/FUXPSL1PMJDZ7

  33. Cilium Network Policyͷ࣮૷ 33 ϙϦγʔͷݕࠪ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F

  34. Cilium Network Policyͷ࣮૷ 34 ϙϦγʔͷݕࠪ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏ଄ମʹม׵ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa

    QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ F#1'.BQʹରԠͨ͠ߏ଄ମ

  35. Cilium Network Policyͷ࣮૷ 35 ϙϦγʔͷݕࠪ F#1'.BQʹରԠͨ͠ߏ଄ମ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏ଄ମʹม׵ F#1'.BQʹ௥Ճ

    -͸&OWPZ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ DJMJVNQLHa CQGNBQ@MJOVYHP .BQ6QEBUF

  36. ˓ F#1'ϓϩάϥϜؒ΍ϢʔβۭؒϓϩάϥϜͱ σʔλΛڞ༗͢Δ࢓૊Έ ˔ Ϣʔβۭ͔ؒΒ͸γεςϜίʔϧΛൃߦ ˓ LFZWBMVFετΞ eBPF Map 36

    F#1' .BQT

  37. Cilium Network Policyͷ࣮૷ 37 ύέοτ Χʔωϧۭؒ

  38. Cilium Network Policyͷ࣮૷ 38 ύέοτ Χʔωϧۭؒ ϔομ৘ใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏ଄ମʹม׵ DJMJVNCQGMJCa

    DPOOUSBDLI DU@MPPLVQ  DU@MPPLVQ

  39. Cilium Network Policyͷ࣮૷ 39 ύέοτ Χʔωϧۭؒ ϔομ৘ใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏ଄ମʹม׵ DJMJVNCQGMJCa

    DPOOUSBDLI DU@MPPLVQ  DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT

  40. Cilium Network Policyͷ࣮૷ 40 ύέοτ Χʔωϧۭؒ ϔομ৘ใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏ଄ମʹม׵ DJMJVNCQGMJCa

    DPOOUSBDLI DU@MPPLVQ  DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT

  41. Cilium Network Policyͷ࣮૷ 41 ύέοτ Χʔωϧۭؒ ϔομ৘ใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏ଄ମʹม׵ র߹͢Δ

    1PMJDZ.BQ F#1'.BQ %SPQ 1BTT DJMJVNCQGMJCa DPOOUSBDLI DU@MPPLVQ  DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT

  42. ·ͱΊ 42 ˓ /FUXPSL1PMJDZϦιʔεͰ1PEͷ௨৴Λ੍ޚͰ͖Δ ˓ $JMJVN/FUXPSL1PMJDZ͸/FUXPSL1PMJDZͷ֦ு ˔ -ɺ-ɺ-ϙϦγʔ ˓ $JMJVN͸F#1'Λ׆༻ͯ͠/FUXPSL1PMJDZΛ࣮ݱ

    ˔ F#1'.BQΛ࢖ͬͯϙϦγʔ৘ใΛ఻೻