Slide 1

Presented to you by: KubeSec Enterprise Online, A Webinar Series
www.aquasec.com | @AquaSecTeam | #KubeSec2021

Slide 2

Housekeeping
Questions: To ask a question, click on the Question button in the right-hand chat menu.
Recording: A recording of this session will be made available to all attendees.
Feedback: Feedback on the webinar series, and topics you'd like to see, is welcome at [email protected]

Slide 3

Taking the Work out of Network Policy
KubeSec Enterprise Online | 25 March 2021
@andrew_randall @iaguis @kinvolkio

Slide 4

Hi, we are...
Andy Randall, Chief Commercial Officer
Iago López Galeiras, Co-founder & Director, Cloud Native Infrastructure
@ Kinvolk, the Kubernetes Linux experts

Slide 5

Flossing / Five-a-Day 🥦 🥕 🍏 🌽 🍌 / Network Policy

Network Policy
✓ Reduces attack surface area
✓ Helps prevent intrusion
✓ Helps prevent data exfiltration
✓ Promotes cluster and career health

Five-a-Day
✓ Good source of vitamins, minerals & dietary fiber
✓ Helps prevent heart disease, stroke & cancer
✓ Increases longevity
✓ Tastes good

Flossing
✓ Oral health
✓ Helps prevent gum disease
✓ Helps prevent decay
✓ Keep your teeth

Slide 6

What is Network Policy?
"Network policies specify how groups of pods are allowed to communicate with each other and other network endpoints. You can think of them as the Kubernetes equivalent of a firewall."
- Viswajith Venugopal (Stackrox)

Slide 7

POLL: Network policies in your clusters?
(a) Yup, all locked down
(b) Got a few but not all
(c) Nope, maybe someday

Slide 8

Poll Question…

Slide 9

Less than 1 in 3 K8s users have secured their clusters with Network Policies (Excluding 🍿)
🤔 25.6% | 🔒 30.6% | 43.8%

Slide 10

45% of Americans eat five servings a day of fruits and vegetables

Slide 11

Limiting traffic to an application
https://github.com/ahmetb/kubernetes-network-policy-recipes

Slide 12

Allow traffic from external clients (only)
https://github.com/ahmetb/kubernetes-network-policy-recipes
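As an added illustration of the two recipe slides above (example manifests written for this page, not taken from the deck or from the recipes repository): the first policy restricts ingress to the web pods to frontend pods in the same namespace; the second admits traffic to the api pods only from outside the pod network. The namespace shop, the labels app=web, role=frontend and app=api, the ports and the pod CIDR 10.244.0.0/16 are assumptions.

```yaml
# Added example, not from the deck. Namespace, labels, ports and the
# pod CIDR 10.244.0.0/16 are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-frontend-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web                 # the policy applies to the web pods
  policyTypes:
  - Ingress                    # only ingress is restricted; egress is untouched
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend       # frontend pods in the same namespace only
    ports:
    - protocol: TCP
      port: 8080               # and only on the application port
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-external-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0        # any source address...
        except:
        - 10.244.0.0/16        # ...except the (assumed) pod CIDR, so no in-cluster pods
    ports:
    - protocol: TCP
      port: 443
```

Policies are additive, so any other policy that selects the same pods widens the allowed set; and traffic arriving through a Service may be source-NATed to a node address depending on externalTrafficPolicy, so confirm the source addresses the CNI actually sees before relying on the except list.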

Slide 13

Implementations
OVN
Network Policy Manager

Slide 14

Extensions to Network Policy

❏ Global (cluster-wide) policy
❏ Application layer policy (http/grpc rules)
❏ Host policy
❏ More selectors (service accounts)
❏ More protocols (e.g. ICMP)
❏ Allow or deny (+ ordering)
❏ Network Sets (defined set of CIDRs)
❏ Packet handling (e.g. disable conntrack)

❏ Cluster-wide policy
❏ L7 policy (http, grpc, kafka, memcached, cassandra, extendable via Go extensions)
❏ Host policy
❏ More selectors (Service, Entity, DNS, cloud metadata)
❏ More protocols (e.g. ICMP)
❏ SSL termination / cert injection
❏ DDoS protection via denylist (ingress)
❏ Deny rules (beta)
❏ Packet handling (e.g. disable conntrack)

+ all the product-specific features (e.g. for monitoring/troubleshooting). This is not an exhaustive comparison of these projects!

Slide 15

Host policy example (Calico)
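An added example of what a Calico host policy looks like, written for this page in the pattern of the protect-hosts tutorial listed in the resources slide (it is not the slide's own example): a HostEndpoint for one node interface, a GlobalNetworkPolicy that allows ingress from cluster-internal ranges, and a second one that denies everything else. The node name, interface, addresses and CIDRs are assumptions.

```yaml
# Added example, not from the deck. Node name, interface, addresses and
# CIDRs are assumptions (documentation ranges used for the node subnet).
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node-1-eth0
  labels:
    host-endpoint: ingress     # the label the policies below select on
spec:
  interfaceName: eth0
  node: node-1
  expectedIPs:
  - 192.0.2.10                 # assumed node address
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-cluster-internal-ingress
spec:
  order: 10                    # lower order is evaluated first
  selector: has(host-endpoint) # every HostEndpoint carrying the label
  preDNAT: true                # match before NodePort/LB DNAT rewrites the destination
  applyOnForward: true         # also applies to traffic forwarded to pods
  ingress:
  - action: Allow
    source:
      nets:
      - 10.244.0.0/16          # assumed pod CIDR
      - 192.0.2.0/24           # assumed node subnet
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: drop-other-ingress
spec:
  order: 20                    # evaluated after the allow policy above
  selector: has(host-endpoint)
  preDNAT: true
  applyOnForward: true
  ingress:
  - action: Deny               # anything not allowed by order 10 is dropped
```

Calico's default failsafe rules keep a small set of host ports such as SSH and the API server port reachable even under the deny policy, which is what makes it safe to apply remotely; review that list before tightening further.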

Slide 16

DNS policy example (Cilium)
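An added example in the shape of a CiliumNetworkPolicy with DNS-aware egress (written for this page, not the slide's own example): the selected pods may query kube-dns, Cilium's DNS proxy observes the answers, and only connections to the resolved addresses of the named hostname on TCP/443 are then permitted. The label app=payments, the namespace shop and the hostname api.example.com are assumptions.

```yaml
# Added example, not from the deck. The app label, namespace and
# hostname are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-egress-by-fqdn
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: payments            # pods this egress policy applies to
  egress:
  # 1. Let the pods reach kube-dns, and have Cilium's DNS proxy inspect
  #    the queries and answers so that the toFQDNs rule can learn IPs.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY          # UDP and TCP
      rules:
        dns:
        - matchPattern: "*"    # observe every name; narrow to matchName to restrict lookups
  # 2. Allow HTTPS only to whatever api.example.com currently resolves to.
  - toFQDNs:
    - matchName: "api.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

The first rule is not optional: without the dns rule on port 53 Cilium never sees the resolution, the toFQDNs rule has no addresses to match, and, because an egress section makes everything else deny by default, the pods end up unable to reach the service at all.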

Slide 17

Challenges with network policy
1. Getting the syntax just right ✓ ❌

Slide 18

Challenges with network policy
1. Getting the syntax just right
2. Knowing what should be allowed to talk with what (Not forgetting DNS…)
If only there were tools to help with this…
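For the DNS reminder on this slide, an added pair of manifests (example code for this page, not from the deck): a namespace-wide default deny in both directions, followed by the egress carve-out to kube-dns that every pod needs before any other allow rule is useful. The namespace shop is an assumption, and the kubernetes.io/metadata.name label is only set on namespaces automatically from Kubernetes 1.21 onwards; on older clusters label kube-system yourself.

```yaml
# Added example, not from the deck. Namespace "shop" is an assumption;
# the kubernetes.io/metadata.name label requires Kubernetes 1.21+ or a
# manually applied label on kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}              # every pod in the namespace
  policyTypes:
  - Ingress                    # listing a type with no rules denies it
  - Egress                     # ...and this is where DNS breaks if forgotten
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector in ONE list element are ANDed:
    # "pods labelled k8s-app=kube-dns in kube-system". Putting a "-" before
    # podSelector would make them two peers (OR) and widen the rule to any
    # kube-dns-labelled pod in this namespace plus all of kube-system.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP            # large answers and DoT fallback use TCP
      port: 53
```

Check the result from inside a pod with a lookup against the cluster DNS before adding application rules; a policy that looks right but lacks this carve-out fails as "name resolution" errors rather than as an obvious network deny.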

Slide 19

💻 DEMO TIME 🕰

Slide 20

📣 Call to Action!!
🔌 Use a CNI plugin that supports network policy
🔍 Capture flows and identify potential policies
🔒 Lock down ingress to only those pods which should be exposed outside of the namespace
🔥 Apply host policies to protect your nodes (esp. if there are no other firewalls/security groups)
🙋 Integrate defining network policy into your developers' release process
🦷 Floss regularly
🥦 Eat 5 servings of fruit & veg each day

Slide 21

Useful Resources
Kinvolk Inspektor Gadget: github.com/kinvolk/inspektor-gadget
Cilium Hubble & Network Policy Editor: github.com/cilium/hubble & editor.cilium.io
Get started with Calico network policy & host protection tutorial: docs.projectcalico.org/security/calico-network-policy and docs.projectcalico.org/security/tutorials/protect-hosts
Ahmet's unofficial guide and network policy recipes: ahmet.im/blog/kubernetes-network-policy/ and github.com/ahmetb/kubernetes-network-policy-recipes
Jamie Oliver's healthy meal recipes: www.jamieoliver.com/recipes/category/healthy-recipes/

Slide 22

Q & A

Slide 23

That's a wrap for KubeSec Online 2021!
All sessions on demand at: kubesec.aquasec.com/enterprise_online_na_2021