Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CiliumによるKubernetes Network Policyの実現 CNDT2021
Search
Tomoki Sugiura
November 05, 2021
Programming
0
1.1k
CiliumによるKubernetes Network Policyの実現 CNDT2021
Tomoki Sugiura
November 05, 2021
Tweet
Share
More Decks by Tomoki Sugiura
See All by Tomoki Sugiura
naist colloquium-B 2
shanpu
0
200
ricc-20210826
shanpu
0
470
IOT53
shanpu
0
62
RICC-PIoT Workshop 2021
shanpu
0
590
ricc-nii-2020
shanpu
0
110
Cloud Native Kansai #05 LT4
shanpu
1
940
gcpug-kyoto#2-LT1
shanpu
0
640
kubernetes-seminar
shanpu
0
170
KansaiLT2
shanpu
0
220
Other Decks in Programming
See All in Programming
良いコードレビューとは
danimal141
10
9.1k
Google Cloudとo11yで実現するアプリケーション開発者主体のDB改善
nnaka2992
1
150
コミュニティ駆動 AWS CDK ライブラリ「Open Constructs Library」 / community-cdk-library
gotok365
2
260
GoとPHPのインターフェイスの違い
shimabox
2
220
メンテが命: PHPフレームワークのコンテナ化とアップグレード戦略
shunta27
0
330
React 19アップデートのために必要なこと
uhyo
8
1.6k
.NET Frameworkでも汎用ホストが使いたい!
tomokusaba
0
210
機能が複雑化しても 頼りになる FactoryBotの話
tamikof
1
260
仕様変更に耐えるための"今の"DRY原則を考える
mkmk884
9
3.3k
dbt Pythonモデルで実現するSnowflake活用術
trsnium
0
280
Better Code Design in PHP
afilina
0
190
5分で理解する SOLID 原則 #phpcon_nagoya
shogogg
1
420
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
580
Testing 201, or: Great Expectations
jmmastey
42
7.2k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.3k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Raft: Consensus for Rubyists
vanstee
137
6.8k
The Cult of Friendly URLs
andyhume
78
6.2k
Transcript
CiliumʹΑΔ Kubernetes Network Policyͷ࣮ݱ 5PNPLJ4VHJVSB
ຊηογϣϯͷ֓ཁ 2 1PE 1PE 1PE
ຊηογϣϯͷ֓ཁ 3 $/*ϓϥάΠϯ 1PE 1PE 1PE 1PEؒͷ௨৴Λཧ
ຊηογϣϯͷ֓ཁ 4 ❌ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λཧ 1PE 1PE 1PE
ຊηογϣϯͷ֓ཁ 5 ❌ Ͳ͏੍ͬͯޚʁ ઃఆ߲ʁ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λཧ 1PE 1PE 1PE
1PEؒͷ௨৴Λཧ
ຊฤ 6
Kubernetes 7 ˓ ίϯςφΦʔέετϨʔγϣϯπʔϧ ˔ ෳͷίϯςφΛҰݩཧ ˓ ίϯςφӡ༻ͷͨΊͷ͜ͱΛͳΜͰΔ ˔ ΦʔτώʔϦϯάɾϩʔϦϯάΞοϓσʔτ
˔ ίϯςφʹద༻͢Δઃఆͷཧ ˔ ݖݶཧ ˔ FUD ˓ 1PEؒͷ௨৴ػೳˠ$/*ϓϥάΠϯʹҕৡ ˔ 1PEʹωοτϫʔΫ໊લۭؒΛڞ༗͢Δίϯςφ܈
CNI 8 ˓ $POUBJOFS/FUXPSL*OUFSGBDF ˓ $/$'*ODVCBUJOH1SPKFDU ˓ ίϯςφωοτϫʔΫ*'ͷཧʹ͓͚Δ༷Λఆٛ ˔ ,VCFSOFUFTઐ༻πʔϧͰͳ͍
˓ ػೳ ˔ "%%ɿωοτϫʔΫ*'ͷ࡞ɾߋ৽ ˔ %&-ɿωοτϫʔΫ*'ͷআɾߋ৽ͷऔফ ˔ $)&$,ɿظ௨Γͷઃఆ͔֬ೝ ˔ 7&34*0/ɿαϙʔτ͍ͯ͠Δ$/*༷ͷόʔδϣϯΛฦ͢
˓ $/*ʹ४ڌͨ͠,VCFSOFUFTͷ ωοτϫʔΫϓϥάΠϯ ˓ $/*όΠφϦ ˔ ίϯςφωοτϫʔΫ*'ͷཧ ˓ $/*σʔϞϯ ˔
ΫϥελͰͷωοτϫʔΫૄ௨Λཧ ˓ $/*ϓϥάΠϯྫ ˔ $BMJDP ˔ $JMJVN ˔ FUD CNIϓϥάΠϯ 9 $/* ϓϥάΠϯ FUI "%% ωοτϫʔΫ*'ͷ࡞ *1ΞυϨεͷׂΓͯ ܦ࿏ઃఆ
˓ $/*ϓϥάΠϯͷҰͭ ˓ $/$'*ODVCBUJOHQSPKFDU ˓ σʔλϓϨʔϯʹF#1'Λ׆༻ ˓ ར༻ࣄྫ ˔ (,&%BUBQMBOF7
˔ &,4"OZXIFSF Cilium 10
˓ FYUFOEFE#FSLFMFZ1BDLFU'JMUFS ˓ ࣗͷ࡞ͨ͠ϓϩάϥϜΛ -JOVYΧʔωϧͷ7.Ͱ࣮ߦ ˔ ಠࣗϨδελ໋ྩηοτ ˔ ϓϩάϥϜͷݕࠪػߏ͕͋Γ҆શੑΛอো ˓
Πϕϯτۦಈ ˔ FHύέοτ͕/*$ʹ౸ୡ ˓ $ݴޠͰهड़Մೳ ˔ $MBOH--7. eBPF 11 DMBOHUBSHFUCQG $ݴޠϓϩάϥϜ όΠτίʔυ 7FSJ fi FS +*5$PNQJMFS ΠϕϯτʹԠ࣮ͯ͡ߦ CQG Ϣʔβۭؒ Χʔωϧۭؒ
͜͜·Ͱͷ·ͱΊ 12 ˓ ,VCFSOFUFT1PEؒͷ௨৴ػೳΛ $/*ϓϥάΠϯʹҕৡ ˓ $/*ϓϥάΠϯ$/*४ڌͷ,VCFSOFUFTϓϥάΠϯ ˔ 1PEؒͷ௨৴ػೳͷఏڙɾཧΛߦ͏ ˓
$JMJVN$/*ϓϥάΠϯͷҰछ ˔ σʔλϓϨʔϯʹF#1'Λ׆༻
Network Policyͱ 13
Kubernetes Network PolicyϦιʔε 14 1PE 1PE 1PE
Kubernetes Network PolicyϦιʔε 15 1PE 1PE 1PE ❌
Kubernetes Network PolicyϦιʔε 16 1PE 1PE 1PE ❌
Kubernetes Network Policyͱ 17 ˓ ,VCFSFOUFTͷϦιʔεͷҰछ ˓ --ͷ௨৴Λ੍ޚ ˔ *1ΞυϨεϙʔτ൪߸
˓ $/*ϓϥάΠϯ͕ରԠ͍ͯ͠Ε༻Մೳ ˔ $JMJVNରԠ ˔ 'MBOOFMະରԠ ˓ ུশOFUQPM ˔ LVCFDUMHFUOFUQPM"
Kubernetes Network Policy ྫ 18 ˓ ໊લۭؒ͝ͱʹ࡞ ˓ ڐՄϦετ ˓
--ϨϕϧͷϙϦγʔ ˓ *OHSFTTʢ֎͔Βʣɼ&HSFTTʢ͔Β֎ʣ ωοτϫʔΫϙϦγʔྫ
Kubernetes Network Policy σϞ 19 6CVOUV /(*/9 ❌ DVSMIUUQ/(*/9@*1
˓ /FUXPSL1PMJDZͷ֦ு ˔ ΧελϜϦιʔε ˓ ໊લۭؒPSΫϥελશମ ˔ $JMJVN/FUXPSL1PMJDZ ˔ $JMJVN$MVTUFSXJEF/FUXPSL1PMJDZ
˓ "MMPX%FOZ྆ํઃఆՄೳ ˓ -ϨϕϧͰͷϙϦγʔΛઃఆՄೳ Cilium Network Policy 20
Cilium Network Policy L3 21 ˓ -BCFMϕʔε ˔ 1PEͷϥϕϧͰࢦఆ ˓
*1$*%3ϕʔε ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε -BCFMϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 22 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˔
*1ΞυϨε ˔ *1ΞυϨεൣғ ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε *1$*%3ϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 23 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˔ '2%/Ͱࢦఆ ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε %/4ϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 24 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˓ 4FSWJDFϕʔε ˔ ಛఆͷ4FSWJDFϦιʔεͷ௨৴Λ੍ޚ ˓ &OUJUZϕʔε 4FSWJDFϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 25 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε ˔ &OUJUZʢଐੑʣͰ௨৴Λ੍ޚ ˗ Ϋϥελ֎ ˗ Ϋϥελ ˗ $JMJVNཧ ˗ $JMJVNཧ֎ ˗ ͳͲ &OUJUZϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L4 26 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ 5$1ϙʔτ൪߸$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L4 27 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ ˔
*$.1ɺ*$.1WͷλΠϓ ˔ GFBUVSFϑϥάΛ༗ޮʹ͢Δ͜ͱͰར༻Մೳ ˔ ͨͩ͠ݱࡏ҆ఆಈ࡞͠ͳ͍ͨΊඇਪ *$.1λΠϓ$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 28 ˓ ڐՄϦετͷΈ ˓ )551 ˔
ύε ˔ ϗετ໊ ˔ ϝιου ˔ ϔομʔ ˓ %/4 ˓ ,BGLB CFUB )551$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 29 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˔ ໊લࢦఆ ˔ ύλʔϯϚον ˓ ,BGLB CFUB %/4$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 30 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˓ ,BGLB CFUB ˔ 3PMF ˔ "1*Ωʔ ˔ "1*όʔδϣϯ ˔ ΫϥΠΞϯτ*% ˔ τϐοΫ ,BGLB$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy σϞ L7-HTTP 31 6CVOUV /(*/9 ❌ BMMPX
EFOZ
Cilium Network Policyͷ࣮ݱ 32 /FUXPSL1PMJDZΛهड़ͨ͠ ϚχϑΣετϑΝΠϧ DJMJVNQLHLTXBUDIFSTDJMJVN@OFUXPSL@QPMJDZHP ,T8BUDIFSBEE$JMJVN/FUXPSL1PMJDZ7
Cilium Network Policyͷ࣮ 33 ϙϦγʔͷݕࠪ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F
Cilium Network Policyͷ࣮ 34 ϙϦγʔͷݕࠪ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏମʹม Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa
QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ F#1'.BQʹରԠͨ͠ߏମ
Cilium Network Policyͷ࣮ 35 ϙϦγʔͷݕࠪ F#1'.BQʹରԠͨ͠ߏମ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏମʹม F#1'.BQʹՃ
-&OWPZ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ DJMJVNQLHa CQGNBQ@MJOVYHP .BQ6QEBUF
˓ F#1'ϓϩάϥϜؒϢʔβۭؒϓϩάϥϜͱ σʔλΛڞ༗͢ΔΈ ˔ Ϣʔβۭ͔ؒΒγεςϜίʔϧΛൃߦ ˓ LFZWBMVFετΞ eBPF Map 36
F#1' .BQT
Cilium Network Policyͷ࣮ 37 ύέοτ Χʔωϧۭؒ
Cilium Network Policyͷ࣮ 38 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ
Cilium Network Policyͷ࣮ 39 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
Cilium Network Policyͷ࣮ 40 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
Cilium Network Policyͷ࣮ 41 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม র߹͢Δ
1PMJDZ.BQ F#1'.BQ %SPQ 1BTT DJMJVNCQGMJCa DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
·ͱΊ 42 ˓ /FUXPSL1PMJDZϦιʔεͰ1PEͷ௨৴Λ੍ޚͰ͖Δ ˓ $JMJVN/FUXPSL1PMJDZ/FUXPSL1PMJDZͷ֦ு ˔ -ɺ-ɺ-ϙϦγʔ ˓ $JMJVNF#1'Λ׆༻ͯ͠/FUXPSL1PMJDZΛ࣮ݱ
˔ F#1'.BQΛͬͯϙϦγʔใΛ