
Taking the Work out of Network Policy


This talk, based on learnings from real-world implementations with customers large and small, shares common patterns for Kubernetes network policies, compares the extensions to the basic policy API available in Calico and Cilium (and when you would want to use them), and shows how, with the help of some simple open source tools, you can automatically create a working set of policies for your application.


Andy Randall

July 20, 2021


1. Presented to you by: KubeSec Enterprise Online, a webinar series. www.aquasec.com | @AquaSecTeam | #KubeSec2021
2. Housekeeping. Questions: to ask a question, click on the Question button in the right-hand chat menu. Recording: a recording of this session will be made available to all attendees. Feedback: feedback on the webinar series, and topics you'd like to see, is welcome at kubesec@aquasec.com.
3. Taking the Work out of Network Policy. KubeSec Enterprise Online | 25 March 2021. (Speaker handles shown on every slide: @andrew_randall @iaguis @kinvolkio)
4. Hi, we are... Andy Randall, chief commercial officer; Iago López Galeiras, co-founder & director, cloud native infrastructure @ Kinvolk, the Kubernetes Linux experts.
5. Flossing / Five-a-Day 🥦 🥕 🍏 🌽 🍌 / Network Policy
   Network Policy:
   ✓ Reduces attack surface area
   ✓ Helps prevent intrusion
   ✓ Helps prevent data exfiltration
   ✓ Promotes cluster and career health
   Five-a-Day:
   ✓ Good source of vitamins, minerals & dietary fiber
   ✓ Helps prevent heart disease, stroke & cancer
   ✓ Increases longevity
   ✓ Tastes good
   Flossing:
   ✓ Oral health
   ✓ Helps prevent gum disease
   ✓ Helps prevent decay
   ✓ Keep your teeth
6. What is Network Policy? "Network policies specify how groups of pods are allowed to communicate with each other and other network endpoints. You can think of them as the Kubernetes equivalent of a firewall." - Viswajith Venugopal (StackRox)
7. POLL: Network policies in your clusters? (a) Yup, all locked down (b) Got a few but not all (c) Nope, maybe someday
8. Poll Question…
9. Less than 1 in 3 K8s users have secured their clusters with Network Policies (excluding 🍿). Poll results: 🤔 25.6% / 🔒 30.6% / 43.8%
10. 45% of Americans eat five servings a day of fruits and vegetables.
11. Limiting traffic to an application. https://github.com/ahmetb/kubernetes-network-policy-recipes
12. Allow traffic from external clients (only). https://github.com/ahmetb/kubernetes-network-policy-recipes
13. Implementations (logo slide; text captured: OVN, Network Policy Manager)
14. Extensions to Network Policy
   Calico:
   ❏ Global (cluster-wide) policy
   ❏ Application layer policy (http/grpc rules)
   ❏ Host policy
   ❏ More selectors (service accounts)
   ❏ More protocols (e.g. ICMP)
   ❏ Allow or deny (+ ordering)
   ❏ Network Sets (defined set of CIDRs)
   ❏ Packet handling (e.g. disable conntrack)
   Cilium:
   ❏ Cluster-wide policy
   ❏ L7 policy (http, grpc, kafka, memcached, cassandra, extendable via Go extensions)
   ❏ Host policy
   ❏ More selectors (Service, Entity, DNS, cloud metadata)
   ❏ More protocols (e.g. ICMP)
   ❏ SSL termination / cert injection
   ❏ DDoS protection via denylist (ingress)
   ❏ Deny rules (beta)
   ❏ Packet handling (e.g. disable conntrack)
   + all the product-specific features (e.g. for monitoring/troubleshooting). This is not an exhaustive comparison of these projects!
15. Host policy example (Calico)
16. DNS policy example (Cilium)
17. Challenges with network policy: 1. Getting the syntax just right ✓ ❌
18. Challenges with network policy: 1. Getting the syntax just right 2. Knowing what should be allowed to talk with what (not forgetting DNS…). If only there were tools to help with this…
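The two challenges on slides 17 and 18 (getting the peer syntax right, and not forgetting DNS once egress is locked down) can be checked without a cluster by evaluating policies against pods offline. The following is an added example, not code from the talk or from any project it mentions: a small evaluator for a subset of the NetworkPolicy API (matchLabels selectors, podSelector/namespaceSelector peers, port lists; ipBlock is left out). The namespaces, pods and policies are constructed, and the evaluator follows the upstream rules: a pod selected by any policy becomes isolated for that policy's directions, rules across policies are unioned, a bare podSelector peer only matches pods in the policy's own namespace, and a namespaceSelector together with a podSelector in one `from` item means both must match, whereas two items mean either may match.

```python
"""Offline evaluator for a subset of Kubernetes NetworkPolicy semantics (added example)."""

# Constructed namespace labels (assumption: the cluster labels namespaces like this).
NAMESPACES = {
    "shop": {"team": "retail"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

# Constructed pods: name -> (namespace, labels)
PODS = {
    "frontend": ("shop", {"app": "frontend"}),
    "api": ("shop", {"app": "api"}),
    "batch": ("shop", {"app": "batch"}),
    "coredns": ("kube-system", {"k8s-app": "kube-dns"}),
}


def selector_matches(selector, labels):
    """matchLabels subset check; an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, pod):
    """One item of a from/to list. ns + pod selectors in the same item are ANDed."""
    pod_ns, pod_labels = pod
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES[pod_ns]):
            return False
        if "podSelector" in peer:
            return selector_matches(peer["podSelector"], pod_labels)
        return True
    if "podSelector" in peer:
        # A bare podSelector selects pods in the policy's own namespace only.
        return pod_ns == policy_ns and selector_matches(peer["podSelector"], pod_labels)
    return False  # ipBlock peers are out of scope for this example


def rule_allows(rule, policy_ns, peer_pod, port, proto):
    """A rule allows a flow if some peer matches (or no peers are listed) and the port matches."""
    peers = rule.get("from") or rule.get("to")
    if peers and not any(peer_matches(p, policy_ns, peer_pod) for p in peers):
        return False
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: every port is allowed
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def direction_allows(policies, direction, subject, peer_pod, port, proto):
    """direction is 'Ingress' (subject is the destination) or 'Egress' (subject is the source)."""
    subj_ns, subj_labels = subject
    selecting = []
    for p in policies:
        spec = p["spec"]
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
        if (p["metadata"]["namespace"] == subj_ns
                and selector_matches(spec.get("podSelector", {}), subj_labels)
                and direction in types):
            selecting.append(p)
    if not selecting:
        return True  # not isolated in this direction: Kubernetes default is allow
    return any(rule_allows(r, p["metadata"]["namespace"], peer_pod, port, proto)
               for p in selecting for r in p["spec"].get(direction.lower(), []))


def flow_allowed(policies, src_name, dst_name, port, proto="TCP"):
    """A flow needs the source's egress AND the destination's ingress to allow it."""
    src, dst = PODS[src_name], PODS[dst_name]
    return (direction_allows(policies, "Egress", src, dst, port, proto)
            and direction_allows(policies, "Ingress", dst, src, port, proto))


def api_policy(peers):
    """Constructed 'limit traffic to an application' policy with a pluggable from-list."""
    return {"metadata": {"name": "api-allow", "namespace": "shop"},
            "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": peers, "ports": [{"port": 8080, "protocol": "TCP"}]}]}}


# One item with both selectors (AND) versus two items (OR): the slide-17 syntax trap.
AND_PEERS = [{"namespaceSelector": {"matchLabels": {"team": "retail"}},
              "podSelector": {"matchLabels": {"app": "frontend"}}}]
OR_PEERS = [{"namespaceSelector": {"matchLabels": {"team": "retail"}}},
            {"podSelector": {"matchLabels": {"app": "frontend"}}}]

DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "shop"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

# Egress for the frontend: the api, plus the DNS rule that is easy to forget.
DNS_RULE = {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]}
FRONTEND_EGRESS = {"metadata": {"name": "frontend-egress", "namespace": "shop"},
                   "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Egress"],
                            "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                                        "ports": [{"port": 8080, "protocol": "TCP"}]}, DNS_RULE]}}

POLICIES = [DEFAULT_DENY, api_policy([{"podSelector": {"matchLabels": {"app": "frontend"}}}]), FRONTEND_EGRESS]
```

With `POLICIES` applied, frontend reaches api on 8080 and CoreDNS on 53/UDP, batch reaches nothing, and frontend to api on any other port is denied; dropping `DNS_RULE` from the frontend's egress silently breaks name resolution even though the api rule is still there. The OR form of the peer list lets every pod in a `team=retail` namespace reach the api, which is usually not what the author meant.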
19. 💻 DEMO TIME 🕰
20. 📣 Call to Action!!
   🔌 Use a CNI plugin that supports network policy
   🔍 Capture flows and identify potential policies
   🔒 Lock down ingress to only those pods which should be exposed outside of the namespace
   🔥 Apply host policies to protect your nodes (esp. if there are no other firewalls/security groups)
   🙋 Integrate defining network policy into your developers' release process
   🦷 Floss regularly
   🥦 Eat 5 servings of fruit & veg each day
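The "capture flows and identify potential policies" step, and the talk's claim that a working policy set can be generated automatically, comes down to turning a flow capture into least-privilege manifests. The block below is an added example, not the talk's demo code and not the code of Inspektor Gadget or Hubble: it takes constructed flow records in the shape a capture tool would emit (source namespace and labels, destination namespace and labels, port, protocol) and produces one ingress and one egress NetworkPolicy per observed workload, each allowing only what was seen. DNS egress falls out naturally because every captured pod was seen talking to kube-dns. It assumes namespaces carry the `kubernetes.io/metadata.name` label for cross-namespace peers, and it only emits policies for the namespaces that were captured, because a capture scoped to one namespace does not show every client of a shared service such as CoreDNS and a policy generated for it would cut the others off.

```python
"""Generate NetworkPolicy manifests from observed flows (added example)."""
import json
from collections import defaultdict

# Constructed capture: (src_ns, src_labels, dst_ns, dst_labels, port, protocol).
FLOWS = [
    ("shop", {"app": "frontend"}, "shop", {"app": "api"}, 8080, "TCP"),
    ("shop", {"app": "frontend"}, "kube-system", {"k8s-app": "kube-dns"}, 53, "UDP"),
    ("shop", {"app": "api"}, "kube-system", {"k8s-app": "kube-dns"}, 53, "UDP"),
    ("shop", {"app": "api"}, "shop", {"app": "db"}, 5432, "TCP"),
    ("shop", {"app": "frontend"}, "shop", {"app": "api"}, 8080, "TCP"),  # repeated flow
]


def _key(ns, labels):
    """Hashable workload identity: namespace plus sorted label pairs."""
    return (ns, tuple(sorted(labels.items())))


def _peer(policy_ns, ns, labels):
    """Same namespace: bare podSelector. Other namespace: namespaceSelector AND podSelector
    (assumption: namespaces carry the kubernetes.io/metadata.name label)."""
    peer = {"podSelector": {"matchLabels": dict(labels)}}
    if ns != policy_ns:
        peer["namespaceSelector"] = {"matchLabels": {"kubernetes.io/metadata.name": ns}}
    return peer


def _policy(name, ns, labels, direction, rules):
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": ns},
        "spec": {"podSelector": {"matchLabels": dict(labels)},
                 "policyTypes": [direction.capitalize()],
                 direction: rules},
    }


def generate_policies(flows, captured_namespaces):
    """Return {policy name: manifest dict}: one ingress and one egress policy per
    workload seen in a captured namespace, each listing only the observed peers/ports."""
    ingress = defaultdict(set)  # destination workload -> {(peer workload, port, proto)}
    egress = defaultdict(set)   # source workload -> {(peer workload, port, proto)}
    for src_ns, src_l, dst_ns, dst_l, port, proto in flows:
        ingress[_key(dst_ns, dst_l)].add((_key(src_ns, src_l), port, proto))
        egress[_key(src_ns, src_l)].add((_key(dst_ns, dst_l), port, proto))

    out = {}
    for direction, table, peer_field in (("ingress", ingress, "from"), ("egress", egress, "to")):
        for (ns, label_pairs), entries in table.items():
            if ns not in captured_namespaces:
                continue  # never lock down a workload whose clients we did not fully observe
            labels = dict(label_pairs)
            rules = [{peer_field: [_peer(ns, pns, dict(plabels))],
                      "ports": [{"port": port, "protocol": proto}]}
                     for (pns, plabels), port, proto in sorted(entries)]
            name = f"{labels.get('app', 'workload')}-{direction}"
            out[name] = _policy(name, ns, labels, direction, rules)
    return out


if __name__ == "__main__":
    for manifest in generate_policies(FLOWS, {"shop"}).values():
        print(json.dumps(manifest, indent=2))
```

Review the generated set before applying it: a capture only proves what was observed during the capture window, so rarely used paths (backups, health checks, a monthly job) need to be added by hand or the window extended, and the default-deny policy that makes these allow rules meaningful is a separate manifest the generator does not emit.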
21. Useful Resources
   Kinvolk Inspektor Gadget: github.com/kinvolk/inspektor-gadget
   Cilium Hubble & Network Policy Editor: github.com/cilium/hubble & editor.cilium.io
   Get started with Calico network policy & host protection tutorial: docs.projectcalico.org/security/calico-network-policy, docs.projectcalico.org/security/tutorials/protect-hosts
   Ahmet's unofficial guide and network policy recipes: ahmet.im/blog/kubernetes-network-policy/, github.com/ahmetb/kubernetes-network-policy-recipes
   Jamie Oliver's healthy meal recipes: www.jamieoliver.com/recipes/category/healthy-recipes/
22. Q & A
23. That's a wrap for KubeSec Online 2021! All sessions on demand at: kubesec.aquasec.com/enterprise_online_na_2021