Implementing Kubernetes Network Policy with Cilium (CNDT2021)
Tomoki Sugiura
November 05, 2021
Transcript
Slide 1: Implementing Kubernetes Network Policy with Cilium
Tomoki Sugiura

Slides 2-5: Overview of this session
[Diagram labels: three Pods; CNI plugin, manages Pod-to-Pod communication; ❌]
- How is it controlled?
- What are the configuration items?

Slide 6: Main part

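Slide 7: Kubernetes
- Container orchestration tool
  - Centrally manages multiple containers
- Does everything needed to operate containers
  - Auto-healing and rolling updates
  - Management of the configuration applied to containers
  - Permission management
  - etc.
- Pod-to-Pod communication → delegated to the CNI plugin
  - Pod: a group of containers that share a network namespace
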
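Slide 8: CNI
- Container Network Interface
- CNCF Incubating Project
- Defines a specification for managing container network interfaces
  - Not a Kubernetes-only tool
- Operations
  - ADD: create or update a network interface
  - DEL: delete a network interface or cancel an update
  - CHECK: check that the configuration is as expected
  - VERSION: return the versions of the CNI specification that are supported

Slide 9: CNI plugins
- Kubernetes network plugins that conform to CNI
- CNI binary
  - Manages container network interfaces
- CNI daemon
  - Manages network connectivity in the cluster
- Examples of CNI plugins
  - Calico
  - Cilium
  - etc.
[Diagram labels: CNI plugin, eth0, ADD, create the network interface, assign an IP address, configure routes]

Slide 10: Cilium
- One of the CNI plugins
- CNCF Incubating project
- Uses eBPF for the data plane
- Adoption examples
  - GKE Dataplane V2
  - EKS Anywhere

Slide 11: eBPF
- extended Berkeley Packet Filter
- Runs programs you write yourself in a VM inside the Linux kernel
  - Its own registers and instruction set
  - A program verification mechanism guarantees safety
- Event-driven
  - e.g. a packet arrives at the NIC
- Can be written in C
  - Clang/LLVM
[Diagram labels: clang -target bpf, C program, bytecode, Verifier, JIT Compiler, run in response to events, bpf, user space, kernel space]

Slide 12: Summary so far
- Kubernetes delegates Pod-to-Pod communication to the CNI plugin
- A CNI plugin is a CNI-conformant Kubernetes plugin
  - Provides and manages Pod-to-Pod communication
- Cilium is one kind of CNI plugin
  - Uses eBPF for the data plane
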
Slide 13: What is Network Policy?

Slides 14-16: Kubernetes Network Policy resource
[Diagram labels: three Pods; ❌]

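Slide 17: What is Kubernetes Network Policy?
- A kind of Kubernetes resource
- Controls L3/L4 communication
  - IP addresses, port numbers
- Available if the CNI plugin supports it
  - Cilium: supported
  - Flannel: not supported
- Short name: netpol
  - kubectl get netpol -A
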
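Slide 18: Kubernetes Network Policy example
- Created per namespace
- Allow list
- L3/L4-level policy
- Ingress (from outside), Egress (from inside to outside)
[Figure: example network policy]

Slide 19: Kubernetes Network Policy demo
[Diagram labels: Ubuntu, NGINX, ❌, curl http://NGINX_IP]

Slide 20: Cilium Network Policy
- An extension of NetworkPolicy
  - Custom resources
- Namespace or cluster-wide
  - CiliumNetworkPolicy
  - CiliumClusterwideNetworkPolicy
- Both Allow and Deny can be configured
- Policies at the L7 level can be configured
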
Slides 21-25: Cilium Network Policy L3
- Label-based
  - Specified by Pod labels
- IP/CIDR-based
  - IP address
  - IP address range
- DNS-based
  - Specified by FQDN
- Service-based
  - Controls communication with a specific Service resource
- Entity-based
  - Controls communication by entity (attribute)
    - Outside the cluster
    - Inside the cluster
    - Managed by Cilium
    - Not managed by Cilium
    - etc.
[Figures: one example CiliumNetworkPolicy each for the label-based, IP/CIDR-based, DNS-based, Service-based and Entity-based types]

Slides 26-27: Cilium Network Policy L4
- TCP/UDP port numbers
- ICMP types
  - ICMP and ICMPv6 types
  - Available by enabling a feature flag
  - However, not recommended because it does not currently work stably
[Figures: example CiliumNetworkPolicy for a TCP port number; example CiliumNetworkPolicy for an ICMP type]

Slides 28-30: Cilium Network Policy L7
- Allow list only
- HTTP
  - Path
  - Host name
  - Method
  - Header
- DNS
  - Name specification
  - Pattern match
- Kafka (beta)
  - Role
  - API key
  - API version
  - Client ID
  - Topic
[Figures: example CiliumNetworkPolicy for HTTP, for DNS and for Kafka]

Slide 31: Cilium Network Policy demo, L7-HTTP
[Diagram labels: Ubuntu, NGINX, ❌, allow, deny]

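Added example, not taken from the original slides: the Ubuntu-to-NGINX demo of slides 19 and 31 written as manifests, first as a standard NetworkPolicy (L3/L4) and then as a CiliumNetworkPolicy with an L7 HTTP allow list. The namespace, the policy names, the app=ubuntu and app=nginx labels, and the use of /allow as the permitted path are assumptions.

```yaml
# Added example: names, namespace and labels (app=nginx, app=ubuntu) are assumptions.
# 1) Standard Kubernetes NetworkPolicy: L3/L4 only. Any HTTP request from the
#    ubuntu Pod to nginx on TCP/80 is allowed, whatever its path.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-allow-ubuntu
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: ubuntu
    ports:
    - protocol: TCP
      port: 80
---
# 2) CiliumNetworkPolicy: the same L3/L4 match plus an L7 HTTP allow list.
#    Only GET /allow is forwarded; every other request on this port
#    (for example GET /deny) is rejected at L7.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nginx-allow-ubuntu-l7
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: nginx
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: ubuntu
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/allow"
```

In both manifests, once the nginx Pod is selected by an ingress policy, ingress traffic that no rule allows is dropped, so Pods without the app=ubuntu label cannot reach it at all.
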
Slide 32: How Cilium Network Policy is realized
- Manifest file describing the NetworkPolicy
  - cilium/pkg/k8s/watchers/cilium_network_policy.go: K8sWatcher.addCiliumNetworkPolicyV2

Slides 33-35: Implementation of Cilium Network Policy, user space (Go)
- Validate the policy
  - cilium/pkg/policy/api/rule_validation.go: Rule.Sanitize
- Convert the NetworkPolicy into structs that correspond to the eBPF Map
  - cilium/pkg/endpoint/bpf.go: Endpoint.addPolicyKey
- Add the structs to the eBPF Map
  - cilium/pkg/bpf/map_linux.go: Map.Update
- L7: Envoy

Slide 36: eBPF Map
- A mechanism for sharing data between eBPF programs and with user-space programs
  - User space issues system calls
- Key-value store
[Diagram label: eBPF Maps]

Slides 37-41: Implementation of Cilium Network Policy, kernel space
- Packet
- Convert the header information into the struct that corresponds to the map key
  - cilium/bpf/lib/conntrack.h: ct_lookup4, ct_lookup6
- Match against the PolicyMap (an eBPF Map): Drop or Pass
  - cilium/bpf/lib/policy.h: __policy_can_access

Slide 42: Summary
- The NetworkPolicy resource can control Pod communication
- CiliumNetworkPolicy is an extension of NetworkPolicy
  - L3, L4 and L7 policies
- Cilium uses eBPF to implement NetworkPolicy
  - Using eBPF Maps, policy information …