ricc-20210826
Tomoki Sugiura
August 26, 2021
Transcript
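Cilium Explicit Allow-Listing for ICMP GSoC 2021
RICC 1st Research Retreat
NAIST SDLab M, Tomoki Sugiura

Overview 2
○ I took part in Google Summer of Code (GSoC)
○ I was responsible for adding a feature to Cilium, an open-source networking project
  ● A filter feature for ICMP packets
○ This talk introduces how that Cilium feature is implemented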
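
Google Summer of Code (GSoC) 3
○ A program run by Google that supports students' contributions to OSS
○ Students submit a proposal for adding a feature to one of the listed OSS projects
○ If accepted, the feature is implemented in … weeks, from month … to month …
  ● A mentor is assigned
○ A stipend is paid each time you pass the midterm evaluation and the final evaluation
○ For Cilium: ICMP support in network policy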
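
Cilium 4
○ A CNI plugin for Kubernetes
  ● https://github.com/cilium/cilium
○ Uses eBPF as its processing base
○ One of the hottest projects even among CNI plugins
  ● Adopted for GKE Dataplane V2
  ● Application to become a CNCF incubating project is in progress
    ◆ https://github.com/cncf/toc/pull/…
  ● My impression is that it is not used much in Japan 🥺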
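
Kubernetes 5
○ The de facto standard container orchestration tool
○ Manages multiple containers and multiple nodes
  ● Scheduling
  ● Automatic recovery
  ● Volume allocation
  ● etc.
○ Declarative operation and the reconcile loop (reconciliation loop)
○ With the operator mechanism it manages things other than containers too
  ● By now it is a tool that can also do container orchestration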
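
Kubernetes and CNI plugins 6
○ Kubernetes leaves creation of a container's network interface to external plugins
  ● Container Network Interface (CNI) plugins take on that job
  ● CNI plugins are not Kubernetes-only tools
○ When a Pod (≒ container) is created, the kubelet invokes the CNI plugin
○ The scope of a CNI plugin is strictly interface creation, but in practice the plugins handle all sorts of networking concerns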
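
Kubernetes and CNI plugins 7
○ The CNI definition is here
○ Operations a CNI plugin must provide
  ● ADD
    ◆ Add or update a network interface on the container
  ● DEL
    ◆ Delete the container's network interface, or undo
  ● CHECK
    ◆ Check the state of the container's network interface
  ● VERSION
    ◆ Check the CNI plugin's version

Representative CNI plugins 8
○ Flannel
○ Calico
○ Weave
○ Cilium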
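
Features of Cilium 9
○ Uses eBPF as its processing base
  ● Faster packet processing with XDP
    ◆ Higher performance than iptables
  ● Bandwidth management
  ● Rich monitoring features
○ Endpoints are managed by ID (not by IP address)
  ● Applications on k8s change IP addresses frequently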
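
eBPF 10
○ extended Berkeley Packet Filter
  ● Despite the name "Packet Filter", it also filters system calls, traces programs, and so on
○ Runs in an in-kernel virtual machine with its own instruction set
  ● A process VM, not a system VM
  ● There is a mechanism that verifies programs
○ Programs are written in C
○ The eBPF Foundation was recently set up under the Linux Foundation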

Network Policy in Kubernetes 11
○ Usable if the CNI plugin implements the feature
○ A whitelist is built from the following elements
  ● IP address
  ● Namespace
  ● Label
  ● Port number
Figure: NetworkPolicy example

Cilium Network Policy (CNP) 12
○ CNP is an extension of Kubernetes NetworkPolicy
  ● Service
  ● Entity
  ● FQDN
  ● L7 (HTTP, Kafka)
  ● etc.
○ Both allow and deny are possible
Figure: example of an L… CNP

CNP and ICMP 13
○ However, there was no allow/deny feature for ICMP
  ● Creating an L… allow rule automatically configures L… → all ICMP is dropped
○ If it doesn't exist, let's build it
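
How policy is enforced in Cilium 14
Diagram labels: manifest file describing the NetworkPolicy

How policy is enforced in Cilium 15
Diagram labels: user space (Go), on each node; check that the policy is valid; convert it to the struct that corresponds to the eBPF map used for network policy (eBPF map struct); add it to the eBPF map

How policy is enforced in Cilium 16
Diagram labels: kernel space; packet; read the header and convert it to a struct (eBPF map key); match it against the eBPF map; Pass / Drop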
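
ICMP policy implementation 1 17
Diagram labels: user space, on each node; check that the policy is valid; check the ICMP field; convert it to the struct that corresponds to the eBPF map used for network policy, putting the ICMP type into DestPort; add it to the eBPF map

ICMP policy implementation 2 18
Diagram labels: kernel space; packet; read the header, including the ICMP header, and convert it to a struct (eBPF map key); match it against the eBPF map; Pass / Drop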
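
Added example, not code from the deck or from Cilium: a Go model of the flow on the two ICMP policy slides above, where user space stores the ICMP type in the DestPort field of the policy map key and the datapath rebuilds that key from the packet header before the lookup. `PolicyKey`, `AllowICMP`, `Pass`, `IPv4`, the Go map standing in for the eBPF map, and identity 1001 are assumptions made for illustration.

```go
package main

import "fmt"

// PolicyKey is a constructed stand-in for a policy-map key (not Cilium's real struct).
type PolicyKey struct {
	Identity uint32 // numeric identity of the peer endpoint
	DestPort uint16 // L4 destination port, or the ICMP type when Proto is ICMP
	Proto    uint8  // IP protocol number: 1 ICMP, 6 TCP, 17 UDP
}

// AllowICMP models the user-space step: check the ICMP field, then add the key.
func AllowICMP(m map[PolicyKey]bool, id uint32, icmpType int) error {
	if icmpType < 0 || icmpType > 255 {
		return fmt.Errorf("ICMP type %d does not fit in one byte", icmpType)
	}
	m[PolicyKey{id, uint16(icmpType), 1}] = true
	return nil
}

// Pass models the kernel step: build the same key from the headers and look it up.
func Pass(m map[PolicyKey]bool, id uint32, pkt []byte) bool {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return false // not a complete IPv4 header: drop
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl+4 {
		return false // bad header length or truncated L4 header: drop
	}
	key := PolicyKey{Identity: id, Proto: pkt[9]}
	if key.Proto == 1 {
		key.DestPort = uint16(pkt[ihl]) // ICMP type is the first byte after the IP header
	} else {
		key.DestPort = uint16(pkt[ihl+2])<<8 | uint16(pkt[ihl+3]) // TCP/UDP destination port
	}
	return m[key] // no matching key means drop
}

// IPv4 builds a constructed packet: a minimal 20-byte IPv4 header plus l4 bytes.
func IPv4(proto byte, l4 ...byte) []byte {
	h := make([]byte, 20)
	h[0], h[9] = 0x45, proto
	return append(h, l4...)
}

func main() {
	m := map[PolicyKey]bool{}
	_ = AllowICMP(m, 1001, 8) // allow echo request (type 8) from identity 1001
	fmt.Println(Pass(m, 1001, IPv4(1, 8, 0, 0, 0)), Pass(m, 1001, IPv4(1, 0, 0, 0, 0)))
}
```

Because the protocol number is part of the key, an ICMP type 8 entry does not match a TCP or UDP packet to port 8.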
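
ICMP policy implementation 3 19
○ Details are here
  ● https://gist.github.com/chez-shanpu/…

Pain points 20
○ eBPF program size (number of instructions) is limited
  ● The limit differs by kernel version, so it has to be checked on each one
  ● Because of this limit, the ICMP filter is in a provisional implementation state 🥺
○ (If someone breaks CI, my changes don't get merged)

Summary 21
○ Kubernetes delegates networking to CNI plugins
○ Cilium is one of the CNI plugins, and it uses eBPF
○ Because of eBPF's limits, the ICMP filter feature is in a provisional implementation state
○ GSoC is over, but I'll keep working on it a little longer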
❤