Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Istio RBAC入門
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Shunsuke Miyoshi
March 27, 2019
Programming
370
0
Share
Istio RBAC入門
Istio RBACがどういうものかといった説明の簡単バージョン
勉強会にて使用
Shunsuke Miyoshi
March 27, 2019
More Decks by Shunsuke Miyoshi
See All by Shunsuke Miyoshi
RFCの歩き方
smiyoshi
1
310
クラウドネイティブ時代のセキュリティの考え方とIstioによる実装 / cloud native security and istio
smiyoshi
13
3.9k
GitlabとIstioでつくるコンテナネイティブCICD
smiyoshi
1
1.4k
A STORY OF USELESS CRYPTOGRAPHY
smiyoshi
0
170
Advanced Security on Kubernetes with Istio
smiyoshi
0
460
Other Decks in Programming
See All in Programming
Running Swift without an OS
kishikawakatsumi
0
850
AWSコミュニティ活動は顧客のクラウド推進に効くのか / Do AWS community activities help customers adopt the cloud?
seike460
PRO
0
150
Angular Signal Forms
debug_mode
0
110
[RubyKaigi 2026] Require Hooks
palkan
1
220
Coding as Prompting Since 2025
ragingwind
0
840
Vibe하게 만드는 Flutter GenUI App With ADK , 박제창, BWAI Incheon 2026
itsmedreamwalker
0
550
ついに来た!本格的なマルチクラウド時代の Google Cloud
maroon1st
0
210
CDK Deployのための ”反響定位”
watany
5
800
The Monolith Strikes Back: Why AI Agents ❤️ Rails Monoliths
serradura
0
340
Spec Driven Development | AI Summit Vilnius
danielsogl
PRO
1
110
年間50登壇、単著出版、雑誌寄稿、Podcast出演、YouTube、CM、カンファレンス主催……全部やってみたので面白さ等を比較してみよう / I’ve tried them all, so let’s compare how interesting they are.
nrslib
4
800
YJITとZJITにはイカなる違いがあるのか?
nakiym
0
240
Featured
See All Featured
The Invisible Side of Design
smashingmag
303
52k
HDC tutorial
michielstock
2
630
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.4k
Google's AI Overviews - The New Search
badams
0
980
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
1.2k
How to make the Groovebox
asonas
2
2.1k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
160
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
kimpetersen
PRO
0
310
Skip the Path - Find Your Career Trail
mkilby
1
110
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
2.9k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
270
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
10k
Transcript
Istio RBAC ೖ ࢜௨גࣜձࣾ ࡾ ढ़հ
ࣗݾհ • ࣾձਓ3 • Kubernetesͷٕज़ݕূɾීٴ׆ಈɾΞϓϦ։ൃͳͲ • IstioͷϑΝϯ • KubeCon 2017ͰॳΊͯݟͨ࣌ʹײಈ
• झຯϓϩάϥϚʔ • GitHub: https://github.com/sh-miyoshi • Twitter: https://twitter.com/shmiyoshi
ࠓօ͞Μʹ͓͍͑ͨ͜͠ͱ • ͜ͷઌϚΠΫϩαʔϏεԽͷ͖ͬͱ͘Δ • ͍͔ͭඞͣηΩϡϦςΟ͕ʹͳΔ • Microservices + Security →
1ͭͷղͱͯ͠Istio
ϚΠΫϩαʔϏε࣌ͷηΩϡϦςΟ ֤αʔϏεͦΕͧΕ͕ߴ͍ϨϕϧͰͷηΩϡϦ ςΟΛ࣮ݱ͠ͳ͚ΕͳΒͳ͍
Istio RBAC
Istio RBACͱʁ • IstioͷΞΫηείϯτϩʔϧػೳͷҰͭ • KubernetesͷRBACͱಉ༷͡ͳ͍ํͰ Serviceؒͷ௨৴ͷΞΫηε੍ޚͰ͖Δ (k8sϦιʔεͷΞΫηε੍ޚ) ྫʣserviceAͷGET /pathʹuserA͚ͩΞΫη
εΛڐՄ͢Δͱ͍͏Α͏ͳઃఆ͕Մೳ
Istio RBACͰͰ͖Δ͜ͱ • ServiceͷೝՄ(Authorization) ※ೝূ(Authentication)Istio mTLSͰΔ → ࣗͷService͕ͲͷService(User)ʹΞ ΫηεΛڐ͔͢ΛઃఆͰ͖Δ
Istio RBACͷ͍ํ 1. IstioΛΠϯετʔϧ • ࠓͩͱGKE͕ศར(νΣοΫೖΕΔ͚ͩ) • mTLSΛ༗ޮʹͯ͠ىಈ͢Δ 2. Istio
RBACΛ༗ޮԽ • σϑΥϧτDisableͳͷͰEnableʹ͢ΔͨΊͷ CRDΛk8sʹapply͢Δ • ※༗ޮʹͳΔ·Ͱগ͕͔͔࣌ؒ͠Δ߹͕͋Γ·͢
Istio RBACͷ͍ํ 3. ΞϓϦͷσϓϩΠ • istioctlίϚϯυͰΞϓϦΛσϓϩΠ 4. αʔϏεؒ௨৴ΛڐՄ • CRDͰServiceRoleΛ࡞Δ
• ServiceRoleΛServiceRoleBinding(Istio CRD)Ͱ KubernetesͷServiceAccountʹݖݶΛ͚ͭΔ ͓·͚: ֎෦͔ΒͷΞΫηεΛڐՄ͢Δ • ུ
Let’s Go Demo ! *) https://github.com/sh-miyoshi/sectest खॱsectest/rbac_demo/Apps_RBAC.md
Unhappy Things… • Istio͕େม • ࣦഊͨ࣌͠ϩά͕Ͳ͜ʹग़͍ͯΔ͔ෆ໌ • ίϯϙʔωϯτ͕ଟ͗͢ • ͳʹΛઃఆͨ͠Β͍͍͔͔Βͳ͍ॴ͕͋Δ
• Serviceͷ໊લݻఆɺGatewayʹࢦఆग़དྷΔsecret໊ݻఆ • Istio RBAC·ͩalpha • ༷͕େ͖͘มΘΔ͜ͱɾɾɾ (Istio v0.7 → v0.8ΛͬͯΔਓۤ͠Έ͕Θ͔Δͣ)
·ͱΊ Microservices + Security → Istio RBACͷհ ݱ࣌ͰIstioΛ͏ͷେม͔͚ͩͲଘࡏ Λ͓ͬͯ͘ͱخ͍͜͠ͱ͋Δ͔
smiyoshi
kishikawakatsumi
seike460
debug_mode
palkan
ragingwind
itsmedreamwalker
maroon1st
watany
serradura
danielsogl
nrslib
nakiym
smashingmag
michielstock
aleyda
badams
uxyall
asonas
techseoconnect
kimpetersen
mkilby
bluesmoon
skoyamalab
