Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Istio RBAC入門
Search
Shunsuke Miyoshi
March 27, 2019
Programming
380
0
Share
Istio RBAC入門
Istio RBACがどういうものかといった説明の簡単バージョン
勉強会にて使用
Shunsuke Miyoshi
March 27, 2019
More Decks by Shunsuke Miyoshi
See All by Shunsuke Miyoshi
RFCの歩き方
smiyoshi
1
330
クラウドネイティブ時代のセキュリティの考え方とIstioによる実装 / cloud native security and istio
smiyoshi
13
3.9k
GitlabとIstioでつくるコンテナネイティブCICD
smiyoshi
1
1.4k
A STORY OF USELESS CRYPTOGRAPHY
smiyoshi
0
170
Advanced Security on Kubernetes with Istio
smiyoshi
0
470
Other Decks in Programming
See All in Programming
Old Dog, New Tricks: The Java 25 Reinvention - JNation
bazlur_rahman
0
140
権限チェックの一貫性を型で守る TypeScript による多層防御
mnch
4
1.1k
TypeSpec で繋ぐ複数プロダクトの型安全
maroon8021
1
360
TAKTでAI駆動開発の品質を設計する
j5ik2o
6
800
CSC307 Lecture 17
javiergs
PRO
0
310
並列実装の現場、2ヶ月間実務でAIを使い倒したAIもPCも私も限界が近い
ming_ayami
0
100
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
nrslib
3
940
IBM Bobを活用したレガシーアプリの最新化
oniak3ibm
PRO
1
170
エージェンティックRAGにAWSで入門しよう!
har1101
5
410
New "Type" system on PicoRuby
pocke
1
440
Datadog × OpenTelemetry 入門と実践のあいだ
kn_to_maxpno
1
140
Signal Forms: Beyond the Basics @ngBaguette 2026 in Paris
manfredsteyer
PRO
0
220
Featured
See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.5k
Building an army of robots
kneath
306
46k
The Language of Interfaces
destraynor
162
27k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
280
Technical Leadership for Architectural Decision Making
baasie
3
400
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
10k
Embracing the Ebb and Flow
colly
88
5.1k
The World Runs on Bad Software
bkeepers
PRO
72
12k
So, you think you're a good person
axbom
PRO
2
2k
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
4k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
200
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
170
Transcript
Istio RBAC ೖ ࢜௨גࣜձࣾ ࡾ ढ़հ
ࣗݾհ • ࣾձਓ3 • Kubernetesͷٕज़ݕূɾීٴ׆ಈɾΞϓϦ։ൃͳͲ • IstioͷϑΝϯ • KubeCon 2017ͰॳΊͯݟͨ࣌ʹײಈ
• झຯϓϩάϥϚʔ • GitHub: https://github.com/sh-miyoshi • Twitter: https://twitter.com/shmiyoshi
ࠓօ͞Μʹ͓͍͑ͨ͜͠ͱ • ͜ͷઌϚΠΫϩαʔϏεԽͷ͖ͬͱ͘Δ • ͍͔ͭඞͣηΩϡϦςΟ͕ʹͳΔ • Microservices + Security →
1ͭͷղͱͯ͠Istio
ϚΠΫϩαʔϏε࣌ͷηΩϡϦςΟ ֤αʔϏεͦΕͧΕ͕ߴ͍ϨϕϧͰͷηΩϡϦ ςΟΛ࣮ݱ͠ͳ͚ΕͳΒͳ͍
Istio RBAC
Istio RBACͱʁ • IstioͷΞΫηείϯτϩʔϧػೳͷҰͭ • KubernetesͷRBACͱಉ༷͡ͳ͍ํͰ Serviceؒͷ௨৴ͷΞΫηε੍ޚͰ͖Δ (k8sϦιʔεͷΞΫηε੍ޚ) ྫʣserviceAͷGET /pathʹuserA͚ͩΞΫη
εΛڐՄ͢Δͱ͍͏Α͏ͳઃఆ͕Մೳ
Istio RBACͰͰ͖Δ͜ͱ • ServiceͷೝՄ(Authorization) ※ೝূ(Authentication)Istio mTLSͰΔ → ࣗͷService͕ͲͷService(User)ʹΞ ΫηεΛڐ͔͢ΛઃఆͰ͖Δ
Istio RBACͷ͍ํ 1. IstioΛΠϯετʔϧ • ࠓͩͱGKE͕ศར(νΣοΫೖΕΔ͚ͩ) • mTLSΛ༗ޮʹͯ͠ىಈ͢Δ 2. Istio
RBACΛ༗ޮԽ • σϑΥϧτDisableͳͷͰEnableʹ͢ΔͨΊͷ CRDΛk8sʹapply͢Δ • ※༗ޮʹͳΔ·Ͱগ͕͔͔࣌ؒ͠Δ߹͕͋Γ·͢
Istio RBACͷ͍ํ 3. ΞϓϦͷσϓϩΠ • istioctlίϚϯυͰΞϓϦΛσϓϩΠ 4. αʔϏεؒ௨৴ΛڐՄ • CRDͰServiceRoleΛ࡞Δ
• ServiceRoleΛServiceRoleBinding(Istio CRD)Ͱ KubernetesͷServiceAccountʹݖݶΛ͚ͭΔ ͓·͚: ֎෦͔ΒͷΞΫηεΛڐՄ͢Δ • ུ
Let’s Go Demo ! *) https://github.com/sh-miyoshi/sectest खॱsectest/rbac_demo/Apps_RBAC.md
Unhappy Things… • Istio͕େม • ࣦഊͨ࣌͠ϩά͕Ͳ͜ʹग़͍ͯΔ͔ෆ໌ • ίϯϙʔωϯτ͕ଟ͗͢ • ͳʹΛઃఆͨ͠Β͍͍͔͔Βͳ͍ॴ͕͋Δ
• Serviceͷ໊લݻఆɺGatewayʹࢦఆग़དྷΔsecret໊ݻఆ • Istio RBAC·ͩalpha • ༷͕େ͖͘มΘΔ͜ͱɾɾɾ (Istio v0.7 → v0.8ΛͬͯΔਓۤ͠Έ͕Θ͔Δͣ)
·ͱΊ Microservices + Security → Istio RBACͷհ ݱ࣌ͰIstioΛ͏ͷେม͔͚ͩͲଘࡏ Λ͓ͬͯ͘ͱخ͍͜͠ͱ͋Δ͔
smiyoshi
bazlur_rahman
mnch
maroon8021
j5ik2o
javiergs
ming_ayami
nrslib
oniak3ibm
har1101
pocke
kn_to_maxpno
manfredsteyer
rmw
kneath
destraynor
techseoconnect
baasie
mongodb
colly
bkeepers
axbom
raygrieselhuber
.png){kind=avatar}
helenjbeal
tmiket
