Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CiliumによるKubernetes Network Policyの実現 CNDT2021
Search
Tomoki Sugiura
November 05, 2021
Programming
0
1.2k
CiliumによるKubernetes Network Policyの実現 CNDT2021
Tomoki Sugiura
November 05, 2021
Tweet
Share
More Decks by Tomoki Sugiura
See All by Tomoki Sugiura
naist colloquium-B 2
shanpu
0
220
ricc-20210826
shanpu
0
510
IOT53
shanpu
0
81
RICC-PIoT Workshop 2021
shanpu
0
620
ricc-nii-2020
shanpu
0
120
Cloud Native Kansai #05 LT4
shanpu
1
980
gcpug-kyoto#2-LT1
shanpu
0
670
kubernetes-seminar
shanpu
0
180
KansaiLT2
shanpu
0
240
Other Decks in Programming
See All in Programming
Node-RED を(HTTP で)つなげる MCP サーバーを作ってみた
highu
0
120
Team operations that are not burdened by SRE
kazatohiei
1
310
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
ivry_presentationmaterials
1
320
技術同人誌をMCP Serverにしてみた
74th
1
650
AI コーディングエージェントの時代へ:JetBrains が描く開発の未来
masaruhr
1
160
ISUCON研修おかわり会 講義スライド
arfes0e2b3c
1
450
RailsGirls IZUMO スポンサーLT
16bitidol
0
190
GitHub Copilot and GitHub Codespaces Hands-on
ymd65536
2
150
10 Costly Database Performance Mistakes (And How To Fix Them)
andyatkinson
0
340
0626 Findy Product Manager LT Night_高田スライド_speaker deck用
mana_takada
0
170
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
260
「テストは愚直&&網羅的に書くほどよい」という誤解 / Test Smarter, Not Harder
munetoshi
0
170
Featured
See All Featured
Side Projects
sachag
455
42k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
A Modern Web Designer's Workflow
chriscoyier
695
190k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
The Pragmatic Product Professional
lauravandoore
35
6.7k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Site-Speed That Sticks
csswizardry
10
690
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
Transcript
CiliumʹΑΔ Kubernetes Network Policyͷ࣮ݱ 5PNPLJ4VHJVSB
ຊηογϣϯͷ֓ཁ 2 1PE 1PE 1PE
ຊηογϣϯͷ֓ཁ 3 $/*ϓϥάΠϯ 1PE 1PE 1PE 1PEؒͷ௨৴Λཧ
ຊηογϣϯͷ֓ཁ 4 ❌ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λཧ 1PE 1PE 1PE
ຊηογϣϯͷ֓ཁ 5 ❌ Ͳ͏੍ͬͯޚʁ ઃఆ߲ʁ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λཧ 1PE 1PE 1PE
1PEؒͷ௨৴Λཧ
ຊฤ 6
Kubernetes 7 ˓ ίϯςφΦʔέετϨʔγϣϯπʔϧ ˔ ෳͷίϯςφΛҰݩཧ ˓ ίϯςφӡ༻ͷͨΊͷ͜ͱΛͳΜͰΔ ˔ ΦʔτώʔϦϯάɾϩʔϦϯάΞοϓσʔτ
˔ ίϯςφʹద༻͢Δઃఆͷཧ ˔ ݖݶཧ ˔ FUD ˓ 1PEؒͷ௨৴ػೳˠ$/*ϓϥάΠϯʹҕৡ ˔ 1PEʹωοτϫʔΫ໊લۭؒΛڞ༗͢Δίϯςφ܈
CNI 8 ˓ $POUBJOFS/FUXPSL*OUFSGBDF ˓ $/$'*ODVCBUJOH1SPKFDU ˓ ίϯςφωοτϫʔΫ*'ͷཧʹ͓͚Δ༷Λఆٛ ˔ ,VCFSOFUFTઐ༻πʔϧͰͳ͍
˓ ػೳ ˔ "%%ɿωοτϫʔΫ*'ͷ࡞ɾߋ৽ ˔ %&-ɿωοτϫʔΫ*'ͷআɾߋ৽ͷऔফ ˔ $)&$,ɿظ௨Γͷઃఆ͔֬ೝ ˔ 7&34*0/ɿαϙʔτ͍ͯ͠Δ$/*༷ͷόʔδϣϯΛฦ͢
˓ $/*ʹ४ڌͨ͠,VCFSOFUFTͷ ωοτϫʔΫϓϥάΠϯ ˓ $/*όΠφϦ ˔ ίϯςφωοτϫʔΫ*'ͷཧ ˓ $/*σʔϞϯ ˔
ΫϥελͰͷωοτϫʔΫૄ௨Λཧ ˓ $/*ϓϥάΠϯྫ ˔ $BMJDP ˔ $JMJVN ˔ FUD CNIϓϥάΠϯ 9 $/* ϓϥάΠϯ FUI "%% ωοτϫʔΫ*'ͷ࡞ *1ΞυϨεͷׂΓͯ ܦ࿏ઃఆ
˓ $/*ϓϥάΠϯͷҰͭ ˓ $/$'*ODVCBUJOHQSPKFDU ˓ σʔλϓϨʔϯʹF#1'Λ׆༻ ˓ ར༻ࣄྫ ˔ (,&%BUBQMBOF7
˔ &,4"OZXIFSF Cilium 10
˓ FYUFOEFE#FSLFMFZ1BDLFU'JMUFS ˓ ࣗͷ࡞ͨ͠ϓϩάϥϜΛ -JOVYΧʔωϧͷ7.Ͱ࣮ߦ ˔ ಠࣗϨδελ໋ྩηοτ ˔ ϓϩάϥϜͷݕࠪػߏ͕͋Γ҆શੑΛอো ˓
Πϕϯτۦಈ ˔ FHύέοτ͕/*$ʹ౸ୡ ˓ $ݴޠͰهड़Մೳ ˔ $MBOH--7. eBPF 11 DMBOHUBSHFUCQG $ݴޠϓϩάϥϜ όΠτίʔυ 7FSJ fi FS +*5$PNQJMFS ΠϕϯτʹԠ࣮ͯ͡ߦ CQG Ϣʔβۭؒ Χʔωϧۭؒ
͜͜·Ͱͷ·ͱΊ 12 ˓ ,VCFSOFUFT1PEؒͷ௨৴ػೳΛ $/*ϓϥάΠϯʹҕৡ ˓ $/*ϓϥάΠϯ$/*४ڌͷ,VCFSOFUFTϓϥάΠϯ ˔ 1PEؒͷ௨৴ػೳͷఏڙɾཧΛߦ͏ ˓
$JMJVN$/*ϓϥάΠϯͷҰछ ˔ σʔλϓϨʔϯʹF#1'Λ׆༻
Network Policyͱ 13
Kubernetes Network PolicyϦιʔε 14 1PE 1PE 1PE
Kubernetes Network PolicyϦιʔε 15 1PE 1PE 1PE ❌
Kubernetes Network PolicyϦιʔε 16 1PE 1PE 1PE ❌
Kubernetes Network Policyͱ 17 ˓ ,VCFSFOUFTͷϦιʔεͷҰछ ˓ --ͷ௨৴Λ੍ޚ ˔ *1ΞυϨεϙʔτ൪߸
˓ $/*ϓϥάΠϯ͕ରԠ͍ͯ͠Ε༻Մೳ ˔ $JMJVNରԠ ˔ 'MBOOFMະରԠ ˓ ུশOFUQPM ˔ LVCFDUMHFUOFUQPM"
Kubernetes Network Policy ྫ 18 ˓ ໊લۭؒ͝ͱʹ࡞ ˓ ڐՄϦετ ˓
--ϨϕϧͷϙϦγʔ ˓ *OHSFTTʢ֎͔Βʣɼ&HSFTTʢ͔Β֎ʣ ωοτϫʔΫϙϦγʔྫ
Kubernetes Network Policy σϞ 19 6CVOUV /(*/9 ❌ DVSMIUUQ/(*/9@*1
˓ /FUXPSL1PMJDZͷ֦ு ˔ ΧελϜϦιʔε ˓ ໊લۭؒPSΫϥελશମ ˔ $JMJVN/FUXPSL1PMJDZ ˔ $JMJVN$MVTUFSXJEF/FUXPSL1PMJDZ
˓ "MMPX%FOZ྆ํઃఆՄೳ ˓ -ϨϕϧͰͷϙϦγʔΛઃఆՄೳ Cilium Network Policy 20
Cilium Network Policy L3 21 ˓ -BCFMϕʔε ˔ 1PEͷϥϕϧͰࢦఆ ˓
*1$*%3ϕʔε ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε -BCFMϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 22 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˔
*1ΞυϨε ˔ *1ΞυϨεൣғ ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε *1$*%3ϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 23 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˔ '2%/Ͱࢦఆ ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε %/4ϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 24 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˓ 4FSWJDFϕʔε ˔ ಛఆͷ4FSWJDFϦιʔεͷ௨৴Λ੍ޚ ˓ &OUJUZϕʔε 4FSWJDFϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L3 25 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε ˔ &OUJUZʢଐੑʣͰ௨৴Λ੍ޚ ˗ Ϋϥελ֎ ˗ Ϋϥελ ˗ $JMJVNཧ ˗ $JMJVNཧ֎ ˗ ͳͲ &OUJUZϕʔε$JMJVN/FUXPSL1PMJDZྫ
Cilium Network Policy L4 26 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ 5$1ϙʔτ൪߸$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L4 27 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ ˔
*$.1ɺ*$.1WͷλΠϓ ˔ GFBUVSFϑϥάΛ༗ޮʹ͢Δ͜ͱͰར༻Մೳ ˔ ͨͩ͠ݱࡏ҆ఆಈ࡞͠ͳ͍ͨΊඇਪ *$.1λΠϓ$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 28 ˓ ڐՄϦετͷΈ ˓ )551 ˔
ύε ˔ ϗετ໊ ˔ ϝιου ˔ ϔομʔ ˓ %/4 ˓ ,BGLB CFUB )551$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 29 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˔ ໊લࢦఆ ˔ ύλʔϯϚον ˓ ,BGLB CFUB %/4$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy L7 30 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˓ ,BGLB CFUB ˔ 3PMF ˔ "1*Ωʔ ˔ "1*όʔδϣϯ ˔ ΫϥΠΞϯτ*% ˔ τϐοΫ ,BGLB$JMJVN/FUXPSL1PMJDZͷྫ
Cilium Network Policy σϞ L7-HTTP 31 6CVOUV /(*/9 ❌ BMMPX
EFOZ
Cilium Network Policyͷ࣮ݱ 32 /FUXPSL1PMJDZΛهड़ͨ͠ ϚχϑΣετϑΝΠϧ DJMJVNQLHLTXBUDIFSTDJMJVN@OFUXPSL@QPMJDZHP ,T8BUDIFSBEE$JMJVN/FUXPSL1PMJDZ7
Cilium Network Policyͷ࣮ 33 ϙϦγʔͷݕࠪ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F
Cilium Network Policyͷ࣮ 34 ϙϦγʔͷݕࠪ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏମʹม Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa
QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ F#1'.BQʹରԠͨ͠ߏମ
Cilium Network Policyͷ࣮ 35 ϙϦγʔͷݕࠪ F#1'.BQʹରԠͨ͠ߏମ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏମʹม F#1'.BQʹՃ
-&OWPZ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ DJMJVNQLHa CQGNBQ@MJOVYHP .BQ6QEBUF
˓ F#1'ϓϩάϥϜؒϢʔβۭؒϓϩάϥϜͱ σʔλΛڞ༗͢ΔΈ ˔ Ϣʔβۭ͔ؒΒγεςϜίʔϧΛൃߦ ˓ LFZWBMVFετΞ eBPF Map 36
F#1' .BQT
Cilium Network Policyͷ࣮ 37 ύέοτ Χʔωϧۭؒ
Cilium Network Policyͷ࣮ 38 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ
Cilium Network Policyͷ࣮ 39 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
Cilium Network Policyͷ࣮ 40 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
Cilium Network Policyͷ࣮ 41 ύέοτ Χʔωϧۭؒ ϔομใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏମʹม র߹͢Δ
1PMJDZ.BQ F#1'.BQ %SPQ 1BTT DJMJVNCQGMJCa DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT
·ͱΊ 42 ˓ /FUXPSL1PMJDZϦιʔεͰ1PEͷ௨৴Λ੍ޚͰ͖Δ ˓ $JMJVN/FUXPSL1PMJDZ/FUXPSL1PMJDZͷ֦ு ˔ -ɺ-ɺ-ϙϦγʔ ˓ $JMJVNF#1'Λ׆༻ͯ͠/FUXPSL1PMJDZΛ࣮ݱ
˔ F#1'.BQΛͬͯϙϦγʔใΛ