Taking the Work out of Network Policy

Transcript

1. Presented to you by: KubeSec Enterprise Online A Webinar Series

   www.aquasec.com |@AquaSecTeam | #KubeSec2021

2. Housekeeping Housekeeping To ask a question click on the Question

   button to the right hand chat menu Questions A recording of this session will be made available to all attendees Recording Feedback on the webinar series, topics you’d like to see, welcome at [email protected] Feedback www.aquasec.com |@AquaSecTeam | #KubeSec2021

3. @andrew_randall @iaguis @kinvolkio Taking the Work out of Network Policy

   KubeSec Enterprise Online | 25 March 2021

4. @andrew_randall @iaguis @kinvolkio Hi, we are... andy randall chief commercial

   officer iago lópez galeiras co-founder & director, cloud native infrastructure @ kinvolk the Kubernetes Linux experts

5. @andrew_randall @iaguis @kinvolkio Flossing 🥦 🥕 🍏 🌽 🍌 Five-a-Day

   Network Policy ✓ Reduces attack surface area ✓ Helps prevent intrusion ✓ Helps prevent data exfiltration ✓ Promotes cluster and career health ✓ Good source of vitamins, minerals & dietary fiber ✓ Helps prevent heart disease, stroke & cancer ✓ Increases longevity ✓ Tastes good ✓ Oral health ✓ Helps prevent gum disease ✓ Helps prevent decay ✓ Keep your teeth

6. @andrew_randall @iaguis @kinvolkio What is Network Policy Network policies specify

   how groups of pods are allowed to communicate with each other and other network endpoints. You can think of them as the Kubernetes equivalent of a firewall. - Viswajith Venugopal (Stackrox)

7. @andrew_randall @iaguis @kinvolkio POLL: Network policies in your clusters? (a)

   Yup, all locked down (b) Got a few but not all (c) Nope, maybe someday

8. Poll Question… www.aquasec.com |@AquaSecTeam | #KubeSec2021

9. @andrew_randall @iaguis @kinvolkio Less than 1 in 3 K8s users

   have secured their clusters with Network Policies (Excluding 🍿) 🤔 25.6% 🔒 30.6% 󰤇 43.8%

10. @andrew_randall @iaguis @kinvolkio 45% of Americans eat five servings a

    day of fruits and vegetables

11. @andrew_randall @iaguis @kinvolkio Limiting traffic to an application https://github.com/ahmetb/kubernetes-network-policy-recipes

12. @andrew_randall @iaguis @kinvolkio Allow traffic from external clients (only) https://github.com/ahmetb/kubernetes-network-policy-recipes

13. @andrew_randall @iaguis @kinvolkio Implementations OVN Network Policy Manager

14. @andrew_randall @iaguis @kinvolkio Extensions to Network Policy ❏ Global (cluster-wide)

    policy ❏ Application layer policy (http/grpc rules) ❏ Host policy ❏ More selectors (service accounts) ❏ More protocols (e.g. ICMP) ❏ Allow or deny (+ ordering) ❏ Network Sets (defined set of CIDRs) ❏ Packet handling (e.g. disable conntrack) ❏ Cluster-wide policy ❏ L7 policy (http, grpc, kafka, memcached, cassandra, extendable via Go extensions) ❏ Host policy ❏ More selectors (Service, Entity, DNS, cloud metadata) ❏ More protocols (e.g. ICMP) ❏ SSL termination / cert injection ❏ DDoS protection via denylist (ingress) ❏ Deny rules (beta) ❏ Packet handling (e.g. disable conntrack) + all the product-specific features (e.g. for monitoring/troubleshooting) — this is not an exhaustive comparison of these projects!

15. @andrew_randall @iaguis @kinvolkio Host policy example (Calico)

16. @andrew_randall @iaguis @kinvolkio DNS policy example (Cilium)

17. @andrew_randall @iaguis @kinvolkio Challenges with network policy 1. Getting the

    syntax just right ✓ ❌

18. @andrew_randall @iaguis @kinvolkio Challenges with network policy 1. Getting the

    syntax just right 2. Knowing what should be allowed to talk with what (Not forgetting DNS…) If only there were tools to help with this…

19. @andrew_randall @iaguis @kinvolkio 💻 DEMO TIME 🕰

20. @andrew_randall @iaguis @kinvolkio 📣 Call to Action!! 🔌 Use a

    CNI plugin that supports network policy 🔍 Capture flows and identify potential policies 🔒 Lock down ingress to only those pods which should be exposed outside of the namespace 🔥 Apply host policies to protect your nodes (esp. if there are no other firewalls/security groups) 🙋 Integrate defining network policy into your developers’ release process 🦷 Floss regularly 🥦 Eat 5 servings of fruit & veg each day

21. @andrew_randall @iaguis @kinvolkio Useful Resources Kinvolk Inspektor Gadget github.com/kinvolk/inspektor-gadget Cilium

    Hubble & Network Policy Editor github.com/cilium/hubble & editor.cilium.io Get started with Calico network policy & host protection tutorial docs.projectcalico.org/security/calico-network-policy docs.projectcalico.org/security/tutorials/protect-hosts Ahmet’s unofficial guide and network policy recipes ahmet.im/blog/kubernetes-network-policy/ github.com/ahmetb/kubernetes-network-policy-recipes Jamie Oliver’s healthy meal recipes www.jamieoliver.com/recipes/category/healthy-recipes/

22. @andrew_randall @iaguis @kinvolkio Q & A www.aquasec.com |@AquaSecTeam | #KubeSec2021

23. @andrew_randall @iaguis @kinvolkio That’s a wrap for KubeSec Online 2021!

    www.aquasec.com |@AquaSecTeam | #KubeSec2021 All sessions on demand at: kubesec.aquasec.com/enterprise_online_na_2021