Presented to you by: KubeSec Enterprise Online A Webinar Series www.aquasec.com |@AquaSecTeam | #KubeSec2021

Housekeeping Housekeeping To ask a question click on the Question button to the right hand chat menu Questions A recording of this session will be made available to all attendees Recording Feedback on the webinar series, topics you’d like to see, welcome at [email protected] Feedback www.aquasec.com |@AquaSecTeam | #KubeSec2021

@andrew_randall @iaguis @kinvolkio Taking the Work out of Network Policy KubeSec Enterprise Online | 25 March 2021

@andrew_randall @iaguis @kinvolkio Hi, we are... andy randall chief commercial officer iago lópez galeiras co-founder & director, cloud native infrastructure @ kinvolk the Kubernetes Linux experts

@andrew_randall @iaguis @kinvolkio Flossing 🥦 🥕 🍏 🌽 🍌 Five-a-Day Network Policy ✓ Reduces attack surface area ✓ Helps prevent intrusion ✓ Helps prevent data exfiltration ✓ Promotes cluster and career health ✓ Good source of vitamins, minerals & dietary fiber ✓ Helps prevent heart disease, stroke & cancer ✓ Increases longevity ✓ Tastes good ✓ Oral health ✓ Helps prevent gum disease ✓ Helps prevent decay ✓ Keep your teeth

@andrew_randall @iaguis @kinvolkio What is Network Policy Network policies specify how groups of pods are allowed to communicate with each other and other network endpoints. You can think of them as the Kubernetes equivalent of a firewall. - Viswajith Venugopal (Stackrox)

@andrew_randall @iaguis @kinvolkio POLL: Network policies in your clusters? (a) Yup, all locked down (b) Got a few but not all (c) Nope, maybe someday

Poll Question… www.aquasec.com |@AquaSecTeam | #KubeSec2021

@andrew_randall @iaguis @kinvolkio Less than 1 in 3 K8s users have secured their clusters with Network Policies (Excluding 🍿) 🤔 25.6% 🔒 30.6% 󰤇 43.8%

@andrew_randall @iaguis @kinvolkio 45% of Americans eat five servings a day of fruits and vegetables

@andrew_randall @iaguis @kinvolkio Limiting traffic to an application https://github.com/ahmetb/kubernetes-network-policy-recipes

@andrew_randall @iaguis @kinvolkio Allow traffic from external clients (only) https://github.com/ahmetb/kubernetes-network-policy-recipes

@andrew_randall @iaguis @kinvolkio Implementations OVN Network Policy Manager

@andrew_randall @iaguis @kinvolkio Extensions to Network Policy ❏ Global (cluster-wide) policy ❏ Application layer policy (http/grpc rules) ❏ Host policy ❏ More selectors (service accounts) ❏ More protocols (e.g. ICMP) ❏ Allow or deny (+ ordering) ❏ Network Sets (defined set of CIDRs) ❏ Packet handling (e.g. disable conntrack) ❏ Cluster-wide policy ❏ L7 policy (http, grpc, kafka, memcached, cassandra, extendable via Go extensions) ❏ Host policy ❏ More selectors (Service, Entity, DNS, cloud metadata) ❏ More protocols (e.g. ICMP) ❏ SSL termination / cert injection ❏ DDoS protection via denylist (ingress) ❏ Deny rules (beta) ❏ Packet handling (e.g. disable conntrack) + all the product-specific features (e.g. for monitoring/troubleshooting) — this is not an exhaustive comparison of these projects!

@andrew_randall @iaguis @kinvolkio Host policy example (Calico)

@andrew_randall @iaguis @kinvolkio DNS policy example (Cilium)

@andrew_randall @iaguis @kinvolkio Challenges with network policy 1. Getting the syntax just right ✓ ❌

@andrew_randall @iaguis @kinvolkio Challenges with network policy 1. Getting the syntax just right 2. Knowing what should be allowed to talk with what (Not forgetting DNS…) If only there were tools to help with this…

@andrew_randall @iaguis @kinvolkio 💻 DEMO TIME 🕰

@andrew_randall @iaguis @kinvolkio 📣 Call to Action!! 🔌 Use a CNI plugin that supports network policy 🔍 Capture flows and identify potential policies 🔒 Lock down ingress to only those pods which should be exposed outside of the namespace 🔥 Apply host policies to protect your nodes (esp. if there are no other firewalls/security groups) 🙋 Integrate defining network policy into your developers’ release process 🦷 Floss regularly 🥦 Eat 5 servings of fruit & veg each day

@andrew_randall @iaguis @kinvolkio Useful Resources Kinvolk Inspektor Gadget github.com/kinvolk/inspektor-gadget Cilium Hubble & Network Policy Editor github.com/cilium/hubble & editor.cilium.io Get started with Calico network policy & host protection tutorial docs.projectcalico.org/security/calico-network-policy docs.projectcalico.org/security/tutorials/protect-hosts Ahmet’s unofficial guide and network policy recipes ahmet.im/blog/kubernetes-network-policy/ github.com/ahmetb/kubernetes-network-policy-recipes Jamie Oliver’s healthy meal recipes www.jamieoliver.com/recipes/category/healthy-recipes/

@andrew_randall @iaguis @kinvolkio Q & A www.aquasec.com |@AquaSecTeam | #KubeSec2021

@andrew_randall @iaguis @kinvolkio That’s a wrap for KubeSec Online 2021! www.aquasec.com |@AquaSecTeam | #KubeSec2021 All sessions on demand at: kubesec.aquasec.com/enterprise_online_na_2021