CiliumによるKubernetes Network Policyの実現 CNDT2021

CiliumʹΑΔ Kubernetes Network Policyͷ࣮ݱ 5PNPLJ4VHJVSB

ຊηογϣϯͷ֓ཁ 2 1PE 1PE 1PE

ຊηογϣϯͷ֓ཁ 3 $/*ϓϥάΠϯ 1PE 1PE 1PE 1PEؒͷ௨৴Λ؅ཧ

ຊηογϣϯͷ֓ཁ 4 ❌ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λ؅ཧ 1PE 1PE 1PE

ຊηογϣϯͷ֓ཁ 5 ❌ Ͳ͏΍੍ͬͯޚʁ ઃఆ߲໨ʁ $/*ϓϥάΠϯ 1PEؒͷ௨৴Λ؅ཧ 1PE 1PE 1PE
1PEؒͷ௨৴Λ؅ཧ

ຊฤ΁ 6

Kubernetes 7 ˓ ίϯςφΦʔέετϨʔγϣϯπʔϧ ˔ ෳ਺୆ͷίϯςφΛҰݩ؅ཧ ˓ ίϯςφӡ༻ͷͨΊͷ͜ͱΛͳΜͰ΋΍Δ ˔ ΦʔτώʔϦϯάɾϩʔϦϯάΞοϓσʔτ
˔ ίϯςφʹద༻͢Δઃఆ஋ͷ؅ཧ ˔ ݖݶ؅ཧ ˔ FUD ˓ 1PEؒͷ௨৴ػೳˠ$/*ϓϥάΠϯʹҕৡ ˔ 1PEʹωοτϫʔΫ໊લۭؒΛڞ༗͢Δίϯςφ܈

CNI 8 ˓ $POUBJOFS/FUXPSL*OUFSGBDF ˓ $/$'*ODVCBUJOH1SPKFDU ˓ ίϯςφωοτϫʔΫ*'ͷ؅ཧʹ͓͚Δ࢓༷Λఆٛ ˔ ,VCFSOFUFTઐ༻πʔϧͰ͸ͳ͍
˓ ػೳ ˔ "%%ɿωοτϫʔΫ*'ͷ࡞੒ɾߋ৽ ˔ %&-ɿωοτϫʔΫ*'ͷ࡟আɾߋ৽ͷऔফ ˔ $)&$,ɿظ଴௨Γͷઃఆ͔֬ೝ ˔ 7&34*0/ɿαϙʔτ͍ͯ͠Δ$/*࢓༷ͷόʔδϣϯΛฦ͢

˓ $/*ʹ४ڌͨ͠,VCFSOFUFTͷ ωοτϫʔΫϓϥάΠϯ ˓ $/*όΠφϦ ˔ ίϯςφωοτϫʔΫ*'ͷ؅ཧ ˓ $/*σʔϞϯ ˔
Ϋϥελ಺ͰͷωοτϫʔΫૄ௨Λ؅ཧ ˓ $/*ϓϥάΠϯྫ ˔ $BMJDP ˔ $JMJVN ˔ FUD CNIϓϥάΠϯ 9 $/* ϓϥάΠϯ FUI "%% ωοτϫʔΫ*'ͷ࡞੒ *1ΞυϨεͷׂΓ౰ͯ ܦ࿏ઃఆ

˓ $/*ϓϥάΠϯͷҰͭ ˓ $/$'*ODVCBUJOHQSPKFDU ˓ σʔλϓϨʔϯʹF#1'Λ׆༻ ˓ ར༻ࣄྫ ˔ (,&%BUBQMBOF7
˔ &,4"OZXIFSF Cilium 10

˓ FYUFOEFE#FSLFMFZ1BDLFU'JMUFS ˓ ࣗ෼ͷ࡞੒ͨ͠ϓϩάϥϜΛ -JOVYΧʔωϧ಺ͷ7.Ͱ࣮ߦ ˔ ಠࣗϨδελ໋ྩηοτ ˔ ϓϩάϥϜͷݕࠪػߏ͕͋Γ҆શੑΛอো ˓
Πϕϯτۦಈ ˔ FHύέοτ͕/*$ʹ౸ୡ ˓ $ݴޠͰهड़Մೳ ˔ $MBOH--7. eBPF 11 DMBOHUBSHFUCQG $ݴޠϓϩάϥϜ όΠτίʔυ 7FSJ fi FS +*5$PNQJMFS ΠϕϯτʹԠ࣮ͯ͡ߦ CQG Ϣʔβۭؒ Χʔωϧۭؒ

͜͜·Ͱͷ·ͱΊ 12 ˓ ,VCFSOFUFT͸1PEؒͷ௨৴ػೳΛ $/*ϓϥάΠϯʹҕৡ ˓ $/*ϓϥάΠϯ͸$/*४ڌͷ,VCFSOFUFTϓϥάΠϯ ˔ 1PEؒͷ௨৴ػೳͷఏڙɾ؅ཧΛߦ͏ ˓
$JMJVN͸$/*ϓϥάΠϯͷҰछ ˔ σʔλϓϨʔϯʹF#1'Λ׆༻

Network Policyͱ͸ 13

Kubernetes Network PolicyϦιʔε 14 1PE 1PE 1PE

Kubernetes Network PolicyϦιʔε 15 1PE 1PE 1PE ❌

Kubernetes Network PolicyϦιʔε 16 1PE 1PE 1PE ❌

Kubernetes Network Policyͱ͸ 17 ˓ ,VCFSFOUFTͷϦιʔεͷҰछ ˓ --ͷ௨৴Λ੍ޚ ˔ *1ΞυϨεϙʔτ൪߸
˓ $/*ϓϥάΠϯ͕ରԠ͍ͯ͠Ε͹࢖༻Մೳ ˔ $JMJVN͸ରԠ ˔ 'MBOOFM͸ະରԠ ˓ ུশ͸OFUQPM ˔ LVCFDUMHFUOFUQPM"

Kubernetes Network Policy ྫ 18 ˓ ໊લۭؒ͝ͱʹ࡞੒ ˓ ڐՄϦετ ˓
--ϨϕϧͷϙϦγʔ ˓ *OHSFTTʢ֎͔Β಺ʣɼ&HSFTTʢ಺͔Β֎ʣ ωοτϫʔΫϙϦγʔྫ

Kubernetes Network Policy σϞ 19 6CVOUV /(*/9 ❌ DVSMIUUQ/(*/9@*1

˓ /FUXPSL1PMJDZͷ֦ு ˔ ΧελϜϦιʔε ˓ ໊લۭؒPSΫϥελશମ ˔ $JMJVN/FUXPSL1PMJDZ ˔ $JMJVN$MVTUFSXJEF/FUXPSL1PMJDZ
˓ "MMPX%FOZ྆ํઃఆՄೳ ˓ -ϨϕϧͰͷϙϦγʔΛઃఆՄೳ Cilium Network Policy 20

Cilium Network Policy L3 21 ˓ -BCFMϕʔε ˔ 1PEͷϥϕϧͰࢦఆ ˓
*1$*%3ϕʔε ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε -BCFMϕʔε$JMJVN/FUXPSL1PMJDZྫ

Cilium Network Policy L3 22 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˔
*1ΞυϨε ˔ *1ΞυϨεൣғ ˓ %/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε *1$*%3ϕʔε$JMJVN/FUXPSL1PMJDZྫ

Cilium Network Policy L3 23 ˓ -BCFMϕʔε ˓ *1$*%3ϕʔε ˓
%/4ϕʔε ˔ '2%/Ͱࢦఆ ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε %/4ϕʔε$JMJVN/FUXPSL1PMJDZྫ

%/4ϕʔε ˓ 4FSWJDFϕʔε ˔ ಛఆͷ4FSWJDFϦιʔε΁ͷ௨৴Λ੍ޚ ˓ &OUJUZϕʔε 4FSWJDFϕʔε$JMJVN/FUXPSL1PMJDZྫ

%/4ϕʔε ˓ 4FSWJDFϕʔε ˓ &OUJUZϕʔε ˔ &OUJUZʢଐੑʣͰ௨৴Λ੍ޚ ˗ Ϋϥελ֎ ˗ Ϋϥελ಺ ˗ $JMJVN؅ཧ ˗ $JMJVN؅ཧ֎ ˗ ͳͲ &OUJUZϕʔε$JMJVN/FUXPSL1PMJDZྫ

Cilium Network Policy L4 26 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ 5$1ϙʔτ൪߸$JMJVN/FUXPSL1PMJDZͷྫ

Cilium Network Policy L4 27 ˓ 5$16%1ϙʔτ൪߸ ˓ *$.1λΠϓ ˔
*$.1ɺ*$.1WͷλΠϓ ˔ GFBUVSFϑϥάΛ༗ޮʹ͢Δ͜ͱͰར༻Մೳ ˔ ͨͩ͠ݱࡏ͸҆ఆಈ࡞͠ͳ͍ͨΊඇਪ঑ *$.1λΠϓ$JMJVN/FUXPSL1PMJDZͷྫ

Cilium Network Policy L7 28 ˓ ڐՄϦετͷΈ ˓ )551 ˔
ύε ˔ ϗετ໊ ˔ ϝιου ˔ ϔομʔ ˓ %/4 ˓ ,BGLB CFUB )551$JMJVN/FUXPSL1PMJDZͷྫ

Cilium Network Policy L7 29 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˔ ໊લࢦఆ ˔ ύλʔϯϚον ˓ ,BGLB CFUB %/4$JMJVN/FUXPSL1PMJDZͷྫ

Cilium Network Policy L7 30 ˓ ڐՄϦετͷΈ ˓ )551 ˓
%/4 ˓ ,BGLB CFUB ˔ 3PMF ˔ "1*Ωʔ ˔ "1*όʔδϣϯ ˔ ΫϥΠΞϯτ*% ˔ τϐοΫ ,BGLB$JMJVN/FUXPSL1PMJDZͷྫ

Cilium Network Policy σϞ L7-HTTP 31 6CVOUV /(*/9 ❌ BMMPX
EFOZ

Cilium Network Policyͷ࣮ݱ 32 /FUXPSL1PMJDZΛهड़ͨ͠ ϚχϑΣετϑΝΠϧ DJMJVNQLHLTXBUDIFSTDJMJVN@OFUXPSL@QPMJDZHP ,T8BUDIFSBEE$JMJVN/FUXPSL1PMJDZ7

Cilium Network Policyͷ࣮૷ 33 ϙϦγʔͷݕࠪ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F

Cilium Network Policyͷ࣮૷ 34 ϙϦγʔͷݕࠪ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏ଄ମʹม׵ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa
QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ F#1'.BQʹରԠͨ͠ߏ଄ମ

Cilium Network Policyͷ࣮૷ 35 ϙϦγʔͷݕࠪ F#1'.BQʹରԠͨ͠ߏ଄ମ /FUXPSL1PMJDZ F#1'.BQʹ ରԠ͢Δߏ଄ମʹม׵ F#1'.BQʹ௥Ճ
-͸&OWPZ Ϣʔβۭؒʢ(Pݴޠʣ DJMJVNQLHa QPMJDZBQJSVMF@WBMJEBUJPOHP 3VMF4BOJUJ[F DJMJVNQLHa FOEQPJOUCQGHP &OEQPJOUBEE1PMJDZ,FZ DJMJVNQLHa CQGNBQ@MJOVYHP .BQ6QEBUF

˓ F#1'ϓϩάϥϜؒ΍ϢʔβۭؒϓϩάϥϜͱ σʔλΛڞ༗͢Δ࢓૊Έ ˔ Ϣʔβۭ͔ؒΒ͸γεςϜίʔϧΛൃߦ ˓ LFZWBMVFετΞ eBPF Map 36
F#1' .BQT

Cilium Network Policyͷ࣮૷ 37 ύέοτ Χʔωϧۭؒ

Cilium Network Policyͷ࣮૷ 38 ύέοτ Χʔωϧۭؒ ϔομ৘ใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏ଄ମʹม׵ DJMJVNCQGMJCa
DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ

DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT

Cilium Network Policyͷ࣮૷ 41 ύέοτ Χʔωϧۭؒ ϔομ৘ใ͔Β ϚοϓΩʔʹରԠ͢Δ ߏ଄ମʹม׵ র߹͢Δ
1PMJDZ.BQ F#1'.BQ %SPQ 1BTT DJMJVNCQGMJCa DPOOUSBDLI DU@MPPLVQ DU@MPPLVQ DJMJVNCQGMJCa QPMJDZI @@QPMJDZ@DBO@BDDFTT

·ͱΊ 42 ˓ /FUXPSL1PMJDZϦιʔεͰ1PEͷ௨৴Λ੍ޚͰ͖Δ ˓ $JMJVN/FUXPSL1PMJDZ͸/FUXPSL1PMJDZͷ֦ு ˔ -ɺ-ɺ-ϙϦγʔ ˓ $JMJVN͸F#1'Λ׆༻ͯ͠/FUXPSL1PMJDZΛ࣮ݱ
˔ F#1'.BQΛ࢖ͬͯϙϦγʔ৘ใΛ఻೻

CiliumによるKubernetes Network Policyの実現 CNDT2021

CiliumによるKubernetes Network Policyの実現 CNDT2021

More Decks by Tomoki Sugiura

Other Decks in Programming

Featured

Transcript