Implementing Kubernetes Network Policy with Cilium (CNDT2021)
Tomoki Sugiura
November 05, 2021
Transcript
Implementing Kubernetes Network Policy with Cilium
Tomoki Sugiura
Session overview
  [Diagram: three Pods; a CNI plugin manages communication between the Pods, and one Pod-to-Pod path is blocked (❌)]
  - How is it controlled?
  - What are the configuration items?
Main part
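Kubernetes
  - Container orchestration tool
    - Centrally manages multiple containers
  - Does everything needed to operate containers
    - Auto-healing, rolling updates
    - Management of the configuration applied to containers
    - Permission management
    - etc.
  - Pod-to-Pod communication is delegated to a CNI plugin
    - A Pod is a group of containers that share a network namespace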
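CNI
  - Container Network Interface
  - CNCF Incubating Project
  - Defines a specification for managing container network interfaces
    - Not a Kubernetes-specific tool
  - Operations
    - ADD: create or update a network interface
    - DEL: delete a network interface, or cancel an update
    - CHECK: confirm that the configuration is as expected
    - VERSION: return the CNI specification versions that are supported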
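CNI plugins
  - Kubernetes network plugins that conform to CNI
  - CNI binary
    - Manages container network interfaces
  - CNI daemon
    - Manages network connectivity within the cluster
  - Examples of CNI plugins
    - Calico
    - Cilium
    - etc.
  [Diagram: on ADD, the CNI plugin creates the network interface (eth), assigns an IP address, and configures routes]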
Cilium
  - One of the CNI plugins
  - CNCF Incubating project
  - Uses eBPF for the data plane
  - Adoption examples
    - GKE Dataplane V2
    - EKS Anywhere
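eBPF
  - extended Berkeley Packet Filter
  - Runs programs you write yourself in a VM inside the Linux kernel
    - Its own registers and instruction set
    - A program verification mechanism guarantees safety
  - Event-driven
    - e.g. a packet arrives at the NIC
  - Programs can be written in C
    - Clang/LLVM
  [Diagram: C program -> clang -target bpf -> bytecode (user space) -> bpf -> Verifier -> JIT Compiler -> executed in response to events (kernel space)]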
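Summary so far
  - Kubernetes delegates Pod-to-Pod communication to a CNI plugin
  - A CNI plugin is a CNI-conformant Kubernetes plugin
    - Provides and manages Pod-to-Pod communication
  - Cilium is one kind of CNI plugin
    - Uses eBPF for the data plane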
What is Network Policy?
Kubernetes Network Policy resource
  [Diagram: three Pods, with communication between some of the Pods blocked (❌)]
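What is Kubernetes Network Policy?
  - A kind of Kubernetes resource
  - Controls L3-L4 communication
    - IP addresses, port numbers
  - Available if the CNI plugin supports it
    - Cilium: supported
    - Flannel: not supported
  - Short name: netpol
    - kubectl get netpol -A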
Kubernetes Network Policy example
  - Created per namespace
  - Allowlist
  - L3-L4 level policies
  - Ingress (from outside to inside), Egress (from inside to outside)
  [Figure: network policy example]
Kubernetes Network Policy demo
  [Diagram: curl http://NGINX_IP from the Ubuntu Pod to the NGINX Pod is blocked (❌)]
Cilium Network Policy
  - An extension of Network Policy
    - Custom resources
  - Namespace-scoped or cluster-wide
    - CiliumNetworkPolicy
    - CiliumClusterwideNetworkPolicy
  - Both Allow and Deny can be configured
  - Policies can be set at the L7 level
Cilium Network Policy L3
  - Label-based
    - Specified by Pod labels
  - IP/CIDR-based
    - IP address
    - IP address range
  - DNS-based
    - Specified by FQDN
  - Service-based
    - Controls communication to a specific Service resource
  - Entity-based
    - Controls communication by entity (attribute)
      - Outside the cluster
      - Inside the cluster
      - Managed by Cilium
      - Not managed by Cilium
      - etc.
  [Figures: one CiliumNetworkPolicy example each for the label-based, IP/CIDR-based, DNS-based, Service-based and entity-based cases]
Cilium Network Policy L4
  - TCP/UDP port numbers
  - ICMP types
    - ICMP and ICMPv6 types
    - Available by enabling a feature flag
    - However, not recommended because it does not currently work stably
  [Figures: CiliumNetworkPolicy examples for a TCP port number and for an ICMP type]
Cilium Network Policy L7
  - Allowlist only
  - HTTP
    - Path
    - Host name
    - Method
    - Headers
  - DNS
    - Name
    - Pattern match
  - Kafka (beta)
    - Role
    - API key
    - API version
    - Client ID
    - Topic
  [Figures: CiliumNetworkPolicy examples for HTTP, DNS and Kafka]
Cilium Network Policy demo: L7-HTTP
  [Diagram: requests from the Ubuntu Pod to the NGINX Pod, one marked allow and one marked deny (❌)]
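Manifests of the kind the two demo slides depend on (the Kubernetes Network Policy demo and the Cilium L7-HTTP demo), given here as an added example that is not taken from the slides. The namespace, labels, policy names and the path /index.html are assumptions.

```yaml
# Added example: namespace, labels, names and the HTTP path are assumptions.
# 1) Kubernetes NetworkPolicy (L3-L4 allowlist, per namespace).
#    Once this selects the NGINX Pods for Ingress, only Pods labelled
#    app=ubuntu may reach them on TCP/80; all other ingress is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-allow-ubuntu
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ubuntu
      ports:
        - protocol: TCP
          port: 80
---
# 2) CiliumNetworkPolicy (L7 HTTP allowlist): same peers and port, but only
#    GET /index.html is allowed; other methods and paths are rejected.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nginx-l7-get-only
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: nginx
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: ubuntu
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/index.html"
```

Apply the two manifests one at a time: allowlist policies are additive, so the L4-only rule in (1) would also admit the HTTP requests that (2) is meant to reject.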
Implementation of Cilium Network Policy (user space, Go)
  - Input: a manifest file describing the Network Policy
    - cilium/pkg/k8s/watchers/cilium_network_policy.go: K8sWatcher.addCiliumNetworkPolicyV2
  - The policy is validated
    - cilium/pkg/policy/api/rule_validation.go: Rule.Sanitize
  - The NetworkPolicy is converted into the struct that corresponds to the eBPF map
    - cilium/pkg/endpoint/bpf.go: Endpoint.addPolicyKey
  - The struct is added to the eBPF map
    - cilium/pkg/bpf/map_linux.go: Map.Update
  - L7: Envoy
eBPF Map
  - A mechanism for sharing data between eBPF programs and with user-space programs
    - User space issues system calls
  - Key/value store
  [Diagram: eBPF Maps]
Implementation of Cilium Network Policy (kernel space)
  - A packet arrives
  - The header information is converted into the struct that corresponds to the map key
  - The key is matched against the PolicyMap (eBPF map)
  - Result: Drop or Pass
  - Code referenced on the slides
    - cilium/bpf/lib/conntrack.h: ct_lookup4, ct_lookup6
    - cilium/bpf/lib/policy.h: __policy_can_access
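Summary
  - Pod communication can be controlled with the Network Policy resource
  - CiliumNetworkPolicy is an extension of Network Policy
    - L3, L4 and L7 policies
  - Cilium implements Network Policy using eBPF
    - Uses eBPF maps for policy information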