Cloud Native University NA 2025: From Squire to Network Knight - Defending the Kubernetes Castle the Cloud Native Way

Transcript

1. From Squire to Network Knight Defending the Kubernetes Castle the

   Cloud Native Way Donia Chaiehloudj SW Engineer and Community, Isovalent @Cisco

2. The Wide-Open Castle 0 Security in Kubernetes Cluster

3. Firewalls Controls accesses... External: Ingress traffic to the target machine

   Internal: between machines on your server

4. Perimeter Firewalls Why Old Defenses Fail in Kubernetes Cluster Dynamic:

   pods come and go, IPs change East–west traffic dominates Multi-tenant workloads make static rules useless

5. Level 0: No Network Policy Network Squire, eager but... Tuntrained

   apprentice, running around the open castle with no armor.

6. Organise your Kubernetes Castle ... Before routing traffic Think class

   of workloads AI workoads Frontend Backend UI Databases

7. Organise your Kubernetes Castle ... Before routing traffic Think class

   of workloads AI workoads Frontend Backend UI Databases Separate resources logically per namespace

8. Organise your Kubernetes Castle ... Before routing traffic Think class

   of workloads AI workoads Frontend Backend UI Databases Separate resources logically per namespace Label your resources in thoughtful way

9. NetworkPolicies: The Cloud Native way Securing and routing the entrances...

   Define network rules as code instead of cables apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-frontend-to-backend namespace: castle The Royal Decree: What This Is

10. NetworkPolicies: The Cloud Native way Securing and routing the entrances...

    apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-frontend-to-backend namespace: castle spec: podSelector: matchLabels: role: backend policyTypes: - Ingress The Royal Decree: What This Is The Assignment of Guards: Who and What Direction Define network rules as code instead of cables

11. NetworkPolicies: The Cloud Native way Securing and routing the entrances...

    apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-frontend-to-backend namespace: castle spec: podSelector: matchLabels: role: backend policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 8080 The Royal Decree: What This Is The Assignment of Guards: Who and What Direction The Guest List: Who May Enter and How Define network rules as code instead of cables

12. NetworkPolicies: The Cloud Native way apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:

    name: allow-frontend-to-backend-policy namespace: castle spec: podSelector: matchLabels: role: backend policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 8080 Kubernetes Network Policy Example Front Back External App

13. The L3/L4 Gatekeer learns to close the gates and set

    basic rules. Level 0: No Network Policy Level 1: Kubernetes Network Policy

14. Core CNIs Multi-Network & Cloud Lightweight & Legacy Cilium –

    eBPF-based networking, security & observability Multus – Multiple CNIs per pod (Calico, Cilium, SR-IOV…) Weave Net – Simple, self-healing overlay with policy Calico – Flexible overlay/BGP networking with policies Canal – Flannel networking + Calico policy Flannel – Basic overlay network for pod connectivity Antrea – OVS-based networking & NetworkPolicy Cloud CNIs – Native VPC networking (AWS, Azure, GCP, Terway) OVN-Kubernetes – OVS/OVN overlay & load balancing Enterprise CNIs – SDN integration (NSX-T, ACI) NetworkPolicies: The Cloud Native way Go Beyond with Container Network Interface Plugins

15. Cilium: Leveling Up Your Armor CNI = a modern firewall

16. src: https://isovalent.com/blog/post/intro-to-cilium-network-policies/ NetworkPolicies: The Cloud Native way Go Beyond with

    Container Network Interface Plugins

17. Cilium: Leveling Up Your Armor Identity is your strength

18. Cilium: Select on Endpoint Prevent from invaders... Deny All role

    = queen role = assistant role = invader

19. Cilium: Select on Endpoint Prevent from invaders... Deny All role

    = queen role = assistant role = invader

20. Cilium: Select on Endpoint apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name:

    default-deny-all namespace: app spec: endpointSelector: {} ingress: [] Prevent from invaders... Deny All External App frontend pods backend pods

21. Cilium: Select on Endpoint Let the fighters join the battle!

    .... But keep the Queen inaccessible role = queen role = assistant role = fighter

22. Cilium: Select on Endpoint apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name:

    "allow-frontend-backend" spec: endpointSelector: matchLabels: role: "backend" ingress: - fromEndpoints: - matchLabels: role: "frontend" Let the fighters join the battle! .... But keep the Queen inaccessible External App frontend pods backend pods

23. Cilium: L4 Filtering on TCP Protocol Guard at the doors

    apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: "l4-rule" spec: endpointSelector: matchLabels: role: frontend egress: - toPorts: - ports: - port: "443" protocol: TCP frontend pods backend pods :443

24. Cilium: L7 Filtering on HTTP ... Be more speficic role

    = queen role = assistant GET /letters role = queen role = assistant GET /queen role = queen role = assistant PUT /letters

25. Cilium: L7 Filtering on HTTP Route with Egress Allow apiVersion:

    "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: frontend-egress-policy namespace: castle spec: endpointSelector: matchLabels: role: frontend egress: - toEndpoints: - matchLabels: role: backend toPorts: - ports: - port: "8080" protocol: TCP rules: http: - method: "GET" path: "^/letters$" - method: "PUT" path: "^/letters$" role=frontend GET /letters role=backend backend pod frontend pod PUT /letters backend pod frontend pod GET /queen backend pod frontend pod

26. Cilium: L7 Filtering on HTTP Protect with Ingress Policy role=frontend

    GET /letters role=backend backend pod frontend pod PUT /letters backend pod frontend pod GET /queen backend pod frontend pod apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: backend-ingress-policy namespace: castle spec: endpointSelector: matchLabels: role: backend egress: - fromEndpoints: - matchLabels: role: frontend toPorts: - ports: - port: "8080" protocol: TCP rules: http: - method: "GET" path: "^/letters$" - method: "PUT" path: "^/letters$"

27. Cilium: L7 Filtering per DNS The Queen, the Messenger -

    Fetch the Doctor Address role = messenger role = queen Fetch the doctor Fetch Doctor Address

28. Cilium: L7 Filtering per DNS The Queen, the Messenger -

    Fetch the Doctor Address role = messenger role = queen Fetch the doctor Doctor Address Doctor Address Fetch Doctor Address

29. Fetch Doctor Cilium: L7 Filtering per DNS The Queen, the

    Messenger - Fetch the Doctor role = messenger role = queen External Doctor

30. Cilium: L7 Filtering per DNS The Queen, the Messenger role=backend

    backend pod kube-dns pod apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: backend-egress-fqdn namespace: castle spec: endpointSelector: matchLabels: role: backend egress: - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system "k8s:k8s-app": kube-dns toPorts: - ports: - port: "53" protocol: ANY rules: dns: - matchPattern: "*" - toFQDNs: - matchPattern: "betterhelp.com" toPorts: - ports: - port: "443" protocol: TCP

31. Cilium: L7 Filtering per DNS The Queen, the Messenger Fetch

    Doctor Address role=backend backend pod kube-dns pod https://betterhelp.com apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: backend-egress-fqdn namespace: castle spec: endpointSelector: matchLabels: role: backend egress: - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system "k8s:k8s-app": kube-dns toPorts: - ports: - port: "53" protocol: ANY rules: dns: - matchPattern: "*" - toFQDNs: - matchPattern: "betterhelp.com" toPorts: - ports: - port: "443" protocol: TCP

32. Cilium: L7 Filtering per DNS The Queen, the Messenger Fetch

    Doctor Address External DNS role=backend backend pod kube-dns pod https://betterhelp.com https://betterhelp.com {https://betterhelp.com: 192.168.10.2} apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: backend-egress-fqdn namespace: castle spec: endpointSelector: matchLabels: role: backend egress: - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system "k8s:k8s-app": kube-dns toPorts: - ports: - port: "53" protocol: ANY rules: dns: - matchPattern: "*" - toFQDNs: - matchPattern: "betterhelp.com" toPorts: - ports: - port: "443" protocol: TCP

33. Cilium: L7 Filtering per DNS The Queen, the Messenger Fetch

    Doctor Address External DNS 192.168.10.2 role=backend backend pod kube-dns pod https://betterhelp.com 192.168.10.2 https://betterhelp.com {https://betterhelp.com: 192.168.10.2} apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: backend-egress-fqdn namespace: castle spec: endpointSelector: matchLabels: role: backend egress: - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system "k8s:k8s-app": kube-dns toPorts: - ports: - port: "53" protocol: ANY rules: dns: - matchPattern: "*" - toFQDNs: - matchPattern: "betterhelp.com" toPorts: - ports: - port: "443" protocol: TCP

34. Cilium: L7 Filtering per DNS The Queen, the Messenger role=backend

    kube-dns pod backend pod https://betterhelp.com apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: backend-egress-fqdn namespace: castle spec: endpointSelector: matchLabels: role: backend egress: - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system "k8s:k8s-app": kube-dns toPorts: - ports: - port: "53" protocol: ANY rules: dns: - matchPattern: "*" - toFQDNs: - matchPattern: "betterhelp.com" toPorts: - ports: - port: "443" protocol: TCP

35. Queen Pod King Pod Cilium: Namespaces organisation CiliumClusterwideNetworkPolicy Castle Cluster

    Namespace Royalty Namespace Messenger Messenger Pods CNP CCNP CNP

36. Cilium: Namespaces organisation CiliumClusterwideNetworkPolicy

37. Level 0: No Network Policy Level 1: Kubernetes Network Policy

    Level 2: Cilium Network Policy Network Knight, the fully trained defender ...using intelligence to keep the kingdom safe.

38. 🏰 The Tenets of the Network Knight Principles to Remember...

    1️⃣ Thou Shalt Protect Every Pod in Thy Realm Every Pod must be covered by a Network Policy, lest open paths invite unwanted guests. 2️⃣ Thou Shalt Be Precise in Thy Rules A careless label may open the gates to the wrong visitors. 3️⃣ Thou Shalt Deny by Default and Grant by Grace The stronghold stands firm when trust is earned, not assumed. 4️⃣ Thou Shalt Keep Watch and Update Thy Defenses Review thy policies often, for what was safe yesterday may be perilous today. 5️⃣ Thou Shalt Test Thy Defenses with Thine Own Hand Verify each rule and path, that thy guards are not asleep at their post.

39. @doniacld ebpf.io @ciliumproject @isovalent Resources and Credits Feedback is a

    gift! Special Thanks 🙏 https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ https:/isovalent.com/blog/post/intro-to-cilium-network-policies/