Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Istio RBAC入門
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Shunsuke Miyoshi
March 27, 2019
Programming
0
360
Istio RBAC入門
Istio RBACがどういうものかといった説明の簡単バージョン
勉強会にて使用
Shunsuke Miyoshi
March 27, 2019
Tweet
Share
More Decks by Shunsuke Miyoshi
See All by Shunsuke Miyoshi
RFCの歩き方
smiyoshi
1
290
クラウドネイティブ時代のセキュリティの考え方とIstioによる実装 / cloud native security and istio
smiyoshi
13
3.8k
GitlabとIstioでつくるコンテナネイティブCICD
smiyoshi
1
1.3k
A STORY OF USELESS CRYPTOGRAPHY
smiyoshi
0
170
Advanced Security on Kubernetes with Istio
smiyoshi
0
460
Other Decks in Programming
See All in Programming
Oxlintはいいぞ
yug1224
5
1.3k
MDN Web Docs に日本語翻訳でコントリビュート
ohmori_yusuke
0
650
AIエージェント、”どう作るか”で差は出るか? / AI Agents: Does the "How" Make a Difference?
rkaga
4
2k
インターン生でもAuth0で 認証基盤刷新が出来るのか
taku271
0
190
AtCoder Conference 2025
shindannin
0
1.1k
AI時代のキャリアプラン「技術の引力」からの脱出と「問い」へのいざない / tech-gravity
minodriven
21
7.3k
開発者から情シスまで - 多様なユーザー層に届けるAPI提供戦略 / Postman API Night Okinawa 2026 Winter
tasshi
0
200
AI巻き込み型コードレビューのススメ
nealle
2
350
Data-Centric Kaggle
isax1015
2
780
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
gam0022
1
300
AIフル活用時代だからこそ学んでおきたい働き方の心得
shinoyu
0
140
LLM Observabilityによる 対話型音声AIアプリケーションの安定運用
gekko0114
2
430
Featured
See All Featured
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2k
New Earth Scene 8
popppiees
1
1.5k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
0
440
Speed Design
sergeychernyshev
33
1.5k
svc-hook: hooking system calls on ARM64 by binary rewriting
retrage
1
100
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
61k
The browser strikes back
jonoalderson
0
390
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.7k
Ruling the World: When Life Gets Gamed
codingconduct
0
140
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
140
GraphQLの誤解/rethinking-graphql
sonatard
74
11k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.3k
Transcript
Istio RBAC ೖ ࢜௨גࣜձࣾ ࡾ ढ़հ
ࣗݾհ • ࣾձਓ3 • Kubernetesͷٕज़ݕূɾීٴ׆ಈɾΞϓϦ։ൃͳͲ • IstioͷϑΝϯ • KubeCon 2017ͰॳΊͯݟͨ࣌ʹײಈ
• झຯϓϩάϥϚʔ • GitHub: https://github.com/sh-miyoshi • Twitter: https://twitter.com/shmiyoshi
ࠓօ͞Μʹ͓͍͑ͨ͜͠ͱ • ͜ͷઌϚΠΫϩαʔϏεԽͷ͖ͬͱ͘Δ • ͍͔ͭඞͣηΩϡϦςΟ͕ʹͳΔ • Microservices + Security →
1ͭͷղͱͯ͠Istio
ϚΠΫϩαʔϏε࣌ͷηΩϡϦςΟ ֤αʔϏεͦΕͧΕ͕ߴ͍ϨϕϧͰͷηΩϡϦ ςΟΛ࣮ݱ͠ͳ͚ΕͳΒͳ͍
Istio RBAC
Istio RBACͱʁ • IstioͷΞΫηείϯτϩʔϧػೳͷҰͭ • KubernetesͷRBACͱಉ༷͡ͳ͍ํͰ Serviceؒͷ௨৴ͷΞΫηε੍ޚͰ͖Δ (k8sϦιʔεͷΞΫηε੍ޚ) ྫʣserviceAͷGET /pathʹuserA͚ͩΞΫη
εΛڐՄ͢Δͱ͍͏Α͏ͳઃఆ͕Մೳ
Istio RBACͰͰ͖Δ͜ͱ • ServiceͷೝՄ(Authorization) ※ೝূ(Authentication)Istio mTLSͰΔ → ࣗͷService͕ͲͷService(User)ʹΞ ΫηεΛڐ͔͢ΛઃఆͰ͖Δ
Istio RBACͷ͍ํ 1. IstioΛΠϯετʔϧ • ࠓͩͱGKE͕ศར(νΣοΫೖΕΔ͚ͩ) • mTLSΛ༗ޮʹͯ͠ىಈ͢Δ 2. Istio
RBACΛ༗ޮԽ • σϑΥϧτDisableͳͷͰEnableʹ͢ΔͨΊͷ CRDΛk8sʹapply͢Δ • ※༗ޮʹͳΔ·Ͱগ͕͔͔࣌ؒ͠Δ߹͕͋Γ·͢
Istio RBACͷ͍ํ 3. ΞϓϦͷσϓϩΠ • istioctlίϚϯυͰΞϓϦΛσϓϩΠ 4. αʔϏεؒ௨৴ΛڐՄ • CRDͰServiceRoleΛ࡞Δ
• ServiceRoleΛServiceRoleBinding(Istio CRD)Ͱ KubernetesͷServiceAccountʹݖݶΛ͚ͭΔ ͓·͚: ֎෦͔ΒͷΞΫηεΛڐՄ͢Δ • ུ
Let’s Go Demo ! *) https://github.com/sh-miyoshi/sectest खॱsectest/rbac_demo/Apps_RBAC.md
Unhappy Things… • Istio͕େม • ࣦഊͨ࣌͠ϩά͕Ͳ͜ʹग़͍ͯΔ͔ෆ໌ • ίϯϙʔωϯτ͕ଟ͗͢ • ͳʹΛઃఆͨ͠Β͍͍͔͔Βͳ͍ॴ͕͋Δ
• Serviceͷ໊લݻఆɺGatewayʹࢦఆग़དྷΔsecret໊ݻఆ • Istio RBAC·ͩalpha • ༷͕େ͖͘มΘΔ͜ͱɾɾɾ (Istio v0.7 → v0.8ΛͬͯΔਓۤ͠Έ͕Θ͔Δͣ)
·ͱΊ Microservices + Security → Istio RBACͷհ ݱ࣌ͰIstioΛ͏ͷେม͔͚ͩͲଘࡏ Λ͓ͬͯ͘ͱخ͍͜͠ͱ͋Δ͔
smiyoshi
yug1224
ohmori_yusuke
rkaga
taku271
shindannin
minodriven
tasshi
nealle
isax1015
gam0022
shinoyu
gekko0114
inesmontani
popppiees
honzajavorek
sergeychernyshev
retrage
lemiorhan
jonoalderson
bcantrill
codingconduct
dugsong
sonatard
eileencodes
