Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CiliumによるKubernetes Network Policyの実現 CNDT2021
Search
Tomoki Sugiura
November 05, 2021
Programming
0
1.2k
CiliumによるKubernetes Network Policyの実現 CNDT2021
Tomoki Sugiura
November 05, 2021
Tweet
Share
More Decks by Tomoki Sugiura
See All by Tomoki Sugiura
naist colloquium-B 2
shanpu
0
220
ricc-20210826
shanpu
0
510
IOT53
shanpu
0
81
RICC-PIoT Workshop 2021
shanpu
0
620
ricc-nii-2020
shanpu
0
120
Cloud Native Kansai #05 LT4
shanpu
1
980
gcpug-kyoto#2-LT1
shanpu
0
670
kubernetes-seminar
shanpu
0
180
KansaiLT2
shanpu
0
240
Other Decks in Programming
See All in Programming
生成AI時代のコンポーネントライブラリの作り方
touyou
1
220
AIプログラマーDevinは PHPerの夢を見るか?
shinyasaita
1
220
なんとなくわかった気になるブロックテーマ入門/contents.nagoya 2025 6.28
chiilog
1
270
dbt民主化とLLMによる開発ブースト ~ AI Readyな分析サイクルを目指して ~
yoshyum
3
1k
Team operations that are not burdened by SRE
kazatohiei
1
310
Rubyでやりたい駆動開発 / Ruby driven development
chobishiba
1
710
明示と暗黙 ー PHPとGoの インターフェイスの違いを知る
shimabox
2
510
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
260
なぜ適用するか、移行して理解するClean Architecture 〜構造を超えて設計を継承する〜 / Why Apply, Migrate and Understand Clean Architecture - Inherit Design Beyond Structure
seike460
PRO
3
770
AI コーディングエージェントの時代へ:JetBrains が描く開発の未来
masaruhr
1
150
「Cursor/Devin全社導入の理想と現実」のその後
saitoryc
0
820
20250628_非エンジニアがバイブコーディングしてみた
ponponmikankan
0
680
Featured
See All Featured
Facilitating Awesome Meetings
lara
54
6.4k
Automating Front-end Workflow
addyosmani
1370
200k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.4k
Become a Pro
speakerdeck
PRO
29
5.4k
A Tale of Four Properties
chriscoyier
160
23k
Designing for humans not robots
tammielis
253
25k
What's in a price? How to price your products and services
michaelherold
246
12k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
6
300
Measuring & Analyzing Core Web Vitals
bluesmoon
7
510
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
740
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Transcript
CiliumʹΑΔ Kubernetes Network Policyͷ࣮ݱ 5PNPLJ4VHJVSB
ຊηογϣϯͷ֓ཁ 2 1PE 1PE 1PE
ຊηογϣϯͷ֓ཁ 3 $/*ϓϥάΠϯ 1PE 1PE 1PE 1PEؒͷ௨৴Λཧ
ຊηογϣϯͷ֓ཁ 4 ❌ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λཧ 1PE 1PE 1PE
ຊηογϣϯͷ֓ཁ 5 ❌ Ͳ͏੍ͬͯޚʁ ઃఆ߲ʁ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λཧ 1PE 1PE 1PE
1PEؒͷ௨৴Λཧ
ຊฤ 6
Kubernetes 7 ˓ ίϯςφΦʔέετϨʔγϣϯπʔϧ ˔ ෳͷίϯςφΛҰݩཧ ˓ ίϯςφӡ༻ͷͨΊͷ͜ͱΛͳΜͰΔ ˔ ΦʔτώʔϦϯάɾϩʔϦϯάΞοϓσʔτ
˔ ίϯςφʹద༻͢Δઃఆͷཧ ˔ ݖݶཧ ˔ FUD ˓ 1PEؒͷ௨৴ػೳˠ$/*ϓϥάΠϯʹҕৡ ˔ 1PEʹωοτϫʔΫ໊લۭؒΛڞ༗͢Δίϯςφ܈
CNI 8 ˓ $POUBJOFS/FUXPSL*OUFSGBDF ˓ $/$'*ODVCBUJOH1SPKFDU ˓ ίϯςφωοτϫʔΫ*'ͷཧʹ͓͚Δ༷Λఆٛ ˔ ,VCFSOFUFTઐ༻πʔϧͰͳ͍
˓ ػೳ ˔ "%%ɿωοτϫʔΫ*'ͷ࡞ɾߋ৽ ˔ %&-ɿωοτϫʔΫ*'ͷআɾߋ৽ͷऔফ ˔ $)&$,ɿظ௨Γͷઃఆ͔֬ೝ ˔ 7&34*0/ɿαϙʔτ͍ͯ͠Δ$/*༷ͷόʔδϣϯΛฦ͢
˓ $/*ʹ४ڌͨ͠,VCFSOFUFTͷ ωοτϫʔΫϓϥάΠϯ ˓ $/*όΠφϦ ˔ ίϯςφωοτϫʔΫ*'ͷཧ ˓ $/*σʔϞϯ ˔
ΫϥελͰͷωοτϫʔΫૄ௨Λཧ ˓ $/*ϓϥάΠϯྫ ˔ $BMJDP ˔ $JMJVN ˔ FUD CNIϓϥάΠϯ 9 $/* ϓϥάΠϯ FUI "%% ωοτϫʔΫ*'ͷ࡞ *1ΞυϨεͷׂΓͯ ܦ࿏ઃఆ
˓ $/*ϓϥάΠϯͷҰͭ ˓ $/$'*ODVCBUJOHQSPKFDU ˓ σʔλϓϨʔϯʹF#1'Λ׆༻ ˓ ར༻ࣄྫ ˔ (,&%BUBQMBOF7
˔ &,4"OZXIFSF Cilium 10
˓ FYUFOEFE#FSLFMFZ1BDLFU'JMUFS ˓ ࣗͷ࡞ͨ͠ϓϩάϥϜΛ -JOVYΧʔωϧͷ7.Ͱ࣮ߦ ˔ ಠࣗϨδελ໋ྩηοτ ˔ ϓϩάϥϜͷݕࠪػߏ͕͋Γ҆શੑΛอো ˓
Πϕϯτۦಈ ˔ FHύέοτ͕/*$ʹ౸ୡ ˓ $ݴޠͰهड़Մೳ ˔ $MBOH--7. eBPF 11 DMBOHUBSHFUCQG $ݴޠϓϩάϥϜ όΠτίʔυ 7FSJ fi FS +*5$PNQJMFS ΠϕϯτʹԠ࣮ͯ͡ߦ CQG Ϣʔβۭؒ Χʔωϧۭؒ
͜͜·Ͱͷ·ͱΊ 12 ˓ ,VCFSOFUFT1PEؒͷ௨৴ػೳΛ $/*ϓϥάΠϯʹҕৡ ˓ $/*ϓϥάΠϯ$/*४ڌͷ,VCFSOFUFTϓϥάΠϯ ˔ 1PEؒͷ௨৴ػೳͷఏڙɾཧΛߦ͏ ˓
$JMJVN$/*ϓϥάΠϯͷҰछ ˔ σʔλϓϨʔϯʹF#1'Λ׆༻
Network Policyͱ 13
Kubernetes Network PolicyϦιʔε 14 1PE 1PE 1PE
Kubernetes Network PolicyϦιʔε 15 1PE 1PE 1PE ❌
Kubernetes Network PolicyϦιʔε 16 1PE 1PE 1PE ❌
Kubernetes Network Policyͱ 17 ˓ ,VCFSFOUFTͷϦιʔεͷҰछ ˓ --ͷ௨৴Λ੍ޚ ˔ *1ΞυϨεϙʔτ൪߸
˓ $/*ϓϥάΠϯ͕ରԠ͍ͯ͠Ε༻Մೳ ˔ $JMJVNରԠ ˔ 'MBOOFMະରԠ ˓ ུশOFUQPM ˔ LVCFDUMHFUOFUQPM"
Kubernetes Network Policy ྫ 18 ˓ ໊લۭؒ͝ͱʹ࡞ ˓ ڐՄϦετ ˓
--ϨϕϧͷϙϦγʔ ˓ *OHSFTTʢ֎͔Βʣɼ&HSFTTʢ͔Β֎ʣ ωοτϫʔΫϙϦγʔྫ
Kubernetes Network Policy σϞ 19 6CVOUV /(*/9 ❌ DVSMIUUQ/(*/9@*1
˓ /FUXPSL1PMJDZͷ֦ு ˔ ΧελϜϦιʔε ˓ ໊લۭؒPSΫϥελશମ ˔ $JMJVN/FUXPSL1PMJDZ ˔ $JMJVN$MVTUFSXJEF/FUXPSL1PMJDZ
˓ "MMPX%FOZ྆ํઃఆՄೳ ˓ -ϨϕϧͰͷϙϦγʔΛઃఆՄೳ Cilium Network Policy 20
Cilium Network Policy L3 21 ˓ -BCFMϕʔε ˔ 1PEͷϥϕϧͰࢦఆ ˓
*1$*%3ϕʔε ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε -BCFMϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 22 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˔
*1ΞυϨε ˔ *1ΞυϨεൣғ ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε *1$*%3ϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 23 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˔ '2%/Ͱࢦఆ ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε %/4ϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 24 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˓ 4FSWJDFϕʔε ˔ ಛఆͷ4FSWJDFϦιʔεͷ௨৴Λ੍ޚ ˓ &OUJUZϕʔε 4FSWJDFϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 25 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε ˔ &OUJUZʢଐੑʣͰ௨৴Λ੍ޚ ˗ Ϋϥελ֎ ˗ Ϋϥελ ˗ $JMJVNཧ ˗ $JMJVNཧ֎ ˗ ͳͲ &OUJUZϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L4 26 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ 5$1ϙʔτ൪߸$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L4 27 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ ˔
*$.1ɺ*$.1WͷλΠϓ ˔ GFBUVSFϑϥάΛ༗ޮʹ͢Δ͜ͱͰར༻Մೳ ˔ ͨͩ͠ݱࡏ҆ఆಈ࡞͠ͳ͍ͨΊඇਪ *$.1λΠϓ$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 28 ˓ ڐՄϦετͷΈ ˓ )551 ˔
ύε ˔ ϗετ໊ ˔ ϝιου ˔ ϔομʔ ˓ %/4 ˓ ,BGLB CFUB )551$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 29 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˔ ໊લࢦఆ ˔ ύλʔϯϚον ˓ ,BGLB CFUB %/4$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 30 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˓ ,BGLB CFUB ˔ 3PMF ˔ "1*Ωʔ ˔ "1*όʔδϣϯ ˔ ΫϥΠΞϯτ*% ˔ τϐοΫ ,BGLB$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy σϞ L7-HTTP 31 6CVOUV /(*/9 ❌ BMMPX
EFOZ
Cilium Network Policyͷ࣮ݱ 32 /FUXPSL1PMJDZΛهड़ͨ͠ ϚχϑΣετϑΝΠϧ DJMJVNQLHLTXBUDIFSTDJMJVN@OFUXPSL@QPMJDZHP ,T8BUDIFSBEE$JMJVN/FUXPSL1PMJDZ7
Cilium Network Policyͷ࣮ 33 ϙϦγʔͷݕࠪ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F
Cilium Network Policyͷ࣮ 34 ϙϦγʔͷݕࠪ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏମʹม Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa
QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ F#1'.BQʹରԠͨ͠ߏମ
Cilium Network Policyͷ࣮ 35 ϙϦγʔͷݕࠪ F#1'.BQʹରԠͨ͠ߏମ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏମʹม F#1'.BQʹՃ
-&OWPZ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ DJMJVNQLHa CQGNBQ@MJOVYHP .BQ6QEBUF
˓ F#1'ϓϩάϥϜؒϢʔβۭؒϓϩάϥϜͱ σʔλΛڞ༗͢ΔΈ ˔ Ϣʔβۭ͔ؒΒγεςϜίʔϧΛൃߦ ˓ LFZWBMVFετΞ eBPF Map 36
F#1' .BQT
Cilium Network Policyͷ࣮ 37 ύέοτ Χʔωϧۭؒ
Cilium Network Policyͷ࣮ 38 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ
Cilium Network Policyͷ࣮ 39 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
Cilium Network Policyͷ࣮ 40 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
Cilium Network Policyͷ࣮ 41 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม র߹͢Δ
1PMJDZ.BQ F#1'.BQ %SPQ 1BTT DJMJVNCQGMJCa DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
·ͱΊ 42 ˓ /FUXPSL1PMJDZϦιʔεͰ1PEͷ௨৴Λ੍ޚͰ͖Δ ˓ $JMJVN/FUXPSL1PMJDZ/FUXPSL1PMJDZͷ֦ு ˔ -ɺ-ɺ-ϙϦγʔ ˓ $JMJVNF#1'Λ׆༻ͯ͠/FUXPSL1PMJDZΛ࣮ݱ
˔ F#1'.BQΛͬͯϙϦγʔใΛ