Sharing x Security = NetworkPolicy ?
施嘉峻 (ccshih)
iiiccshih@gmail.com
Presented at iThome Kubernetes Day, Sep 20, 2017
About Me
@ ccshih
# Kubernetes
# OpenShift
+ Red Hat Certificate of Expertise in
Platform-as-a-Service (OpenShift Admin)
2
Agenda
• Share x Security @ k8s 1.7 (p. 4)
• Network Policies (p. 6)
• Use cases
• How to
• Limitations
• Adoption Advice (p. 18)
• Looking Forward (p. 22)
• Takeaway (p. 25)
3
3 cases
1 advice
2 promising tech
Share x Security @ k8s 1.7
4
Namespace (GA from 1.7)
• Virtual cluster
• Multiple teams or projects
• Scope of control
RBAC
• Role-Based Access Control
• Attach permissions to roles
• Bind roles to users
Network Policies (Beta from 1.6)
• Control pods' incoming connections (allow in)
• Based on labels
[Diagram: Project A and Project B, each a Namespace containing Pods, with an Admin Role and a User Role bound to them; the pod-to-pod network path is marked "?"]
*Also matters: Resource Quota, Pod Security Policies
Use Labels to Organize Objects
5
Labels are key-value pairs, for example:
tier=frontend / tier=backend / tier=database
env=dev / env=qa / env=staging / env=prod
release=stable / release=canary
[Diagram: a Pod labelled env=prod, tier=frontend, release=stable, running inside a Namespace labelled env=prod]
First Scenario
6
[Diagram: Namespace a with several Pods; Namespace b with Pods labelled tier=frontend, tier=backend and tier=database]
Without Network Policy (k8s default)
7
[Diagram as on slide 6: every Pod in Namespace a and Namespace b can reach every other Pod]
Pod accepts any connection from any namespace
Network Policy Use Case (1)
8
[Diagram as on slide 6: only the tier=backend Pods in Namespace b should reach the tier=database Pods in Namespace b]
Network Policy Example (1)
9
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-access-database
  namespace: b
spec:
  podSelector:            # This policy applies to …
    matchLabels:
      tier: database
  ingress:
  - from:                 # Allows connection from …
    - podSelector:
        matchLabels:
          tier: backend
    ports:                # to this port
    - protocol: TCP
      port: 3306
[Diagram as on slide 8, with the policy marked]
Network Policy Rules
10
• If no policy is applied to a pod
• Allow connections from any source
• If any policy is applied to a pod
• Whitelist: deny all incoming connections unless the source satisfies at least one policy
[Diagram: Pods with no policy applied accept connections from anyone; Pods with a policy applied accept only the whitelisted sources]
Network Policy Use Case (2)
11
[Diagram: Namespace b with tier=frontend, tier=backend and tier=database Pods, each tier split into release=canary and release=stable]
Network Policy Example (2)
12
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-canary-backend-access-database
  namespace: b
spec:
  podSelector:            # This policy applies to … (AND) in the same selector
    matchLabels:
      tier: database
      release: stable
  ingress:
  - from:                 # Allows connection from …
    - podSelector:
        matchLabels:
          tier: backend
    ports:                # to this port
    - protocol: TCP
      port: 3306
[Diagram as on slide 11, with the policy marked]
Multiple matchLabels in the same selector are combined with AND.
Network Policy Non-Use Case
13
[Diagram: Namespace b with tier=frontend, tier=backend and tier=database Pods, and a second Namespace b-plus with its own Pods]
Network Policy Non-Example
14
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: b
  …
…
  ingress:
  - from:                 # Allows connection from … (OR)
    - podSelector:
        matchLabels:
          tier: backend
    - namespaceSelector:
        matchLabels:
          name: b-plus
    ports:
    - protocol: TCP
      port: 3306
[Diagram as on slide 13, with the policy marked]
Need (AND) in different selectors, but NOT supported yet*
* https://github.com/kubernetes/kubernetes/issues/50451
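The rules on slide 10 (allow everything until a policy selects the pod, then whitelist), the AND inside one selector on slide 12 and the OR across entries of a from list on slide 14 can be checked against a small evaluator of the k8s 1.7 ingress semantics. This is an added example, not code from the talk or from Kubernetes itself; the namespaces, pods and labels are constructed, and the three slide policies are restated as Python dicts mirroring their YAML.

```python
# Added example (not from the talk or from Kubernetes): evaluator for the
# NetworkPolicy ingress semantics described on slides 10, 12 and 14.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed sample cluster (assumption, not the talk's environment).
NAMESPACES = {"a": {"name": "a"}, "b": {"name": "b"}, "b-plus": {"name": "b-plus"}}
PODS = {
    "a/frontend": Pod("frontend", "a", {"tier": "frontend"}),
    "b/frontend": Pod("frontend", "b", {"tier": "frontend"}),
    "b/backend-canary": Pod("backend-canary", "b", {"tier": "backend", "release": "canary"}),
    "b/db-stable": Pod("db-stable", "b", {"tier": "database", "release": "stable"}),
    "b/db-canary": Pod("db-canary", "b", {"tier": "database", "release": "canary"}),
    "b-plus/backend": Pod("backend", "b-plus", {"tier": "backend"}),
    "b-plus/frontend": Pod("frontend", "b-plus", {"tier": "frontend"}),
}

# The slides' policies as dicts (only the fields the evaluator needs).
EXAMPLE_1 = {  # slide 9: backend pods in b may reach database pods in b on 3306
    "namespace": "b",
    "podSelector": {"matchLabels": {"tier": "database"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"tier": "backend"}}}],
                 "ports": [{"protocol": "TCP", "port": 3306}]}],
}
EXAMPLE_2 = {  # slide 12: AND inside one selector (tier=database AND release=stable)
    "namespace": "b",
    "podSelector": {"matchLabels": {"tier": "database", "release": "stable"}},
    "ingress": EXAMPLE_1["ingress"],
}
NON_EXAMPLE = {  # slide 14: two peers in one 'from' list are OR-ed, not AND-ed
    "namespace": "b",
    "podSelector": {"matchLabels": {"tier": "database"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"tier": "backend"}}},
                          {"namespaceSelector": {"matchLabels": {"name": "b-plus"}}}],
                 "ports": [{"protocol": "TCP", "port": 3306}]}],
}


def match_labels(selector: dict, labels: dict) -> bool:
    """matchLabels: every key/value pair must be present on the object (AND)."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """One entry of a 'from' list with the k8s 1.7 semantics from the slides:
    podSelector matches pods in the policy's own namespace only, while
    namespaceSelector matches every pod of a namespace carrying those labels."""
    if "podSelector" in peer:
        return src.namespace == policy_ns and match_labels(peer["podSelector"]["matchLabels"], src.labels)
    if "namespaceSelector" in peer:
        return match_labels(peer["namespaceSelector"]["matchLabels"], NAMESPACES.get(src.namespace, {}))
    return False


def port_matches(rule: dict, protocol: str, port: int) -> bool:
    """A rule without 'ports' covers every port; otherwise any listed port may match."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p["port"] == port for p in ports)


def is_allowed(src: Pod, dst: Pod, port: int, policies: list, protocol: str = "TCP") -> bool:
    """Slide 10 rules: no policy selecting dst -> allow anything; otherwise deny
    unless at least one ingress rule of a selecting policy admits src on that port."""
    selecting = [p for p in policies
                 if p["namespace"] == dst.namespace and match_labels(p["podSelector"]["matchLabels"], dst.labels)]
    if not selecting:
        return True  # Kubernetes default: pod accepts any connection from any namespace
    for policy in selecting:
        for rule in policy.get("ingress", []):
            if not port_matches(rule, protocol, port):
                continue
            # A rule with no 'from' admits every source; peers in a 'from' list are OR-ed.
            peers = rule.get("from")
            if not peers or any(peer_matches(peer, src, policy["namespace"]) for peer in peers):
                return True
    return False


def check(src_key: str, dst_key: str, port: int, policies: list) -> bool:
    """Look up two constructed pods by 'namespace/name' and evaluate the policies."""
    return is_allowed(PODS[src_key], PODS[dst_key], port, policies)


if __name__ == "__main__":
    print(check("a/frontend", "b/db-stable", 3306, []))                  # no policy: allowed
    print(check("b/backend-canary", "b/db-stable", 3306, [EXAMPLE_1]))   # whitelisted
    print(check("a/frontend", "b/db-stable", 3306, [EXAMPLE_1]))         # denied
    print(check("b-plus/frontend", "b/db-stable", 3306, [NON_EXAMPLE]))  # allowed: the OR over-permits
```

The last call shows the slide 14 problem concretely: the namespaceSelector entry admits every pod of b-plus, including its frontend, because the two peers are OR-ed.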
Network Policy Limitations in K8s 1.7
15
• A selector cannot match both Namespace labels and Pod labels
• No Egress Policy
• What if your pods are compromised?
• Prerequisite: needs support from the Container Network Provider
[Diagram: a Pod with its (Ingress) and (Egress) traffic]
Network Providers who Support Network Policy
16
Calico, Cilium, Romana, WeaveNet
Calico's Policy Definition
17
Note:
• Not standard k8s Network Policy
• Run with calicoctl, instead of kubectl
• Calico also supports Egress policy (not shown here)
[Diagram as on slide 13: Namespace b and Namespace b-plus]
apiVersion: v1
kind: policy
metadata:
  name: allow-b-plus-backend-access-b-database
spec:
  selector: >
    calico/k8s_ns == 'b' &&
    tier == 'database'
  ingress:
  - action: allow
    source:
      selector: >
        calico/k8s_ns == 'b-plus' &&
        tier == 'backend'
    protocol: tcp
    destination:
      ports: [3306]
# calicoctl apply -f <FILENAME>
Adoption Advice
18
Adoption Advice
• (skipped) Use special labels for network policy
• Rethink IP-based packet filter
19
Dynamic Nature of K8s
20
Source: https://www.slideshare.net/gmccance/cern-data-centre-evolution
[Figure from the source above: (Static) servers versus (Dynamic) workloads that change IP; K8s is primarily designed for the dynamic kind]
Rethink IP-based packet filter
21
• Pod up/down triggers firewall rule adjustment
• Translate application-level policy to network-level policy
• Given that the firewall can recognize pod IPs
[Diagram: an application-level policy (source labels → destination labels) is translated into IP-based firewall rules (source IPs → destination IPs), and those IPs change frequently]
Looking Forward
22
Looking forward (1)
23
• Cilium
• Does not use IP to define filters
• Flexible and efficient
• (Requires Linux kernel 4.8 or later)
[Diagram: the same application-level policy (source labels → destination labels) enforced by an eBPF packet filter keyed by identity (id) rather than by IPs that change frequently]
Looking forward (2)
24
• Istio
• Each service pod is equipped with a sidecar container (Envoy), which enforces policy
Source: https://github.com/istio/auth
Takeaway
25
Takeaway
• By default, pods can talk to each other at the network level
• Network Policy
• whitelists pods' incoming connections
• needs the container network provider's support
• cannot express some cross-namespace scenarios
• Adoption
• security needs to be as agile as containers
• Looking forward
• Flavored policy enforcement
26
Contact
• iiiccshih@gmail.com
27
References
• Network Policy
• Official document
• Recipes by ahmetb
• Calico
• Getting started with k8s
28

Network policy @ k8s day

  • 10. Network Policy Rules
    - If no policy applies to a pod: allow connections from any source
    - If any policy applies to a pod: whitelist. Deny all incoming connections unless the source satisfies at least one policy
    [Figure: pods with no policy applied beside pods with a policy applied]
  • 11. Network Policy Use Case (2)
    [Figure: namespace b with tier=frontend, tier=backend and tier=database pods; pods additionally carry release=canary or release=stable]
  • 12. Network Policy Example (2)
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-canary-backend-access-database
      namespace: b
    spec:
      podSelector:            # This policy applies to ...
        matchLabels:          # both labels must match (AND) in the same selector
          tier: database
          release: stable
      ingress:
      - from:                 # Allows connection from ...
        - podSelector:
            matchLabels:
              tier: backend
        ports:                # ... to this port
        - protocol: TCP
          port: 3306
    [Figure: as on slide 11]
  • 13. Network Policy Non-Use Case
    [Figure: the tiers of slide 6 spread across namespaces b-plus and b: backend pods in b-plus need to reach the database in b]
  • 14. Network Policy Non-Example
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      namespace: b
      …
    …
      ingress:
      - from:                 # Allows connection from ... (OR): the two selectors are different list items
        - podSelector:
            matchLabels:
              tier: backend
        - namespaceSelector:
            matchLabels:
              name: b-plus
        ports:
        - protocol: TCP
          port: 3306
    Need (AND), but NOT supported yet*
    * https://github.com/kubernetes/kubernetes/issues/50451
    [Figure: as on slide 13]
  • 15. Network Policy Limitation in K8s 1.7
    - A selector cannot match both namespace labels and pod labels
    - No egress policy: what if your pods are compromised?
    - Prerequisite: needs support from the container network provider
    [Figure: a pod with ingress and egress arrows]
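    The rules of slides 10 to 15 can be checked mechanically. The following evaluator is an added illustration, not code from the talk or from Kubernetes: it reproduces the "no policy: allow all, any policy: whitelist" rule of slide 10, the namespace-local meaning of a bare podSelector, the OR between separate `from` elements behind the non-example of slide 14, and the default-deny that an empty ingress list produces. It also accepts namespaceSelector and podSelector in the same `from` element as an AND, which is the later-API resolution of the issue cited on slide 14 and is assumed here rather than something the 1.7 API on the slides offers. Pods, namespaces and policies are constructed sample data; the policy dicts mirror the YAML shape of slide 9.

```python
"""Ingress evaluator for label-based NetworkPolicy (added illustration).

Encodes the rules from slides 10-15 over constructed sample data: a pod
selected by no policy accepts everything; once any policy selects it, a
connection is admitted only if some ingress rule of some selecting policy
admits both the source and the port.  Ingress only, as in Kubernetes 1.7.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(match_labels, labels):
    """matchLabels: every key/value pair must be present on the object (AND)."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def peer_admits(peer, policy_ns, src, namespaces):
    """One element of an ingress rule's `from` list.

    A bare podSelector only reaches pods in the policy's own namespace; a bare
    namespaceSelector admits every pod of the selected namespaces.  Both keys
    in one element must hold together (AND) - assumed later-API behaviour,
    not part of the 1.7 API shown on the slides.
    """
    if "namespaceSelector" in peer:
        ns_labels = namespaces.get(src.namespace, {})
        if not selector_matches(peer["namespaceSelector"].get("matchLabels", {}), ns_labels):
            return False
    elif src.namespace != policy_ns:
        return False
    if "podSelector" in peer:
        if not selector_matches(peer["podSelector"].get("matchLabels", {}), src.labels):
            return False
    return True


def rule_admits(rule, policy_ns, src, port, protocol, namespaces):
    """Elements of `from` are OR'ed; a missing `from` or `ports` means "any"."""
    peers = rule.get("from")
    if peers is not None and not any(peer_admits(p, policy_ns, src, namespaces) for p in peers):
        return False
    ports = rule.get("ports")
    if ports is not None and not any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports):
        return False
    return True


def ingress_allowed(policies, namespaces, src, dst, port, protocol="TCP"):
    """Slide 10: no selecting policy -> allow; otherwise whitelist across all of them."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and selector_matches(p["spec"]["podSelector"].get("matchLabels", {}), dst.labels)
    ]
    if not selecting:
        return True
    return any(
        rule_admits(rule, p["metadata"]["namespace"], src, port, protocol, namespaces)
        for p in selecting
        for rule in p["spec"].get("ingress", [])
    )


# --- constructed sample cluster (not from a real environment) -------------
NAMESPACES = {"b": {"name": "b"}, "b-plus": {"name": "b-plus"}}
DATABASE = Pod("db-0", "b", {"tier": "database", "release": "stable"})
BACKEND_B = Pod("api-1", "b", {"tier": "backend"})
FRONTEND_B = Pod("web-1", "b", {"tier": "frontend"})
BACKEND_BPLUS = Pod("api-9", "b-plus", {"tier": "backend"})
FRONTEND_BPLUS = Pod("web-9", "b-plus", {"tier": "frontend"})


def policy(name, ingress):
    """Build a slide-9-shaped policy that selects namespace b's database pods."""
    return {
        "metadata": {"name": name, "namespace": "b"},
        "spec": {"podSelector": {"matchLabels": {"tier": "database"}}, "ingress": ingress},
    }


BACKEND_PEER = {"podSelector": {"matchLabels": {"tier": "backend"}}}
BPLUS_NS_PEER = {"namespaceSelector": {"matchLabels": {"name": "b-plus"}}}
MYSQL = [{"protocol": "TCP", "port": 3306}]

# Slide 9: only backend pods of namespace b reach the database on 3306.
ALLOW_BACKEND = policy("allow-backend-access-database",
                       [{"from": [BACKEND_PEER], "ports": MYSQL}])
# Slide 14 non-example: separate `from` elements are OR'ed, so *every* pod in
# b-plus gets in, not only its backend pods.
OR_POLICY = policy("or-non-example",
                   [{"from": [BACKEND_PEER, BPLUS_NS_PEER], "ports": MYSQL}])
# The intended AND: namespaceSelector and podSelector in one element (assumed later API).
AND_POLICY = policy("and-example",
                    [{"from": [BACKEND_PEER, {**BPLUS_NS_PEER, **BACKEND_PEER}], "ports": MYSQL}])
# Selecting a pod with an empty ingress list denies everything (default deny).
DENY_ALL = policy("default-deny", [])
```

    Running `ingress_allowed([OR_POLICY], NAMESPACES, FRONTEND_BPLUS, DATABASE, 3306)` returns True, which is exactly the over-permissive outcome slide 14 warns about; the same call with AND_POLICY returns False while backend pods in both namespaces still get through.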
  • 16. Network Providers who Support Network Policy
    Calico, Cilium, Romana, Weave Net, …
  • 17. Calico's Policy Definition
    Note:
    - Not standard k8s Network Policy
    - Run with calicoctl, instead of kubectl
    - Calico also supports egress policy (not shown here)
    apiVersion: v1
    kind: policy
    metadata:
      name: allow-b-plus-backend-access-b-database
    spec:
      selector: >
        calico/k8s_ns == 'b' && tier == 'database'
      ingress:
      - action: allow
        source:
          selector: >
            calico/k8s_ns == 'b-plus' && tier == 'backend'
        protocol: tcp
        destination:
          ports: [3306]
    # calicoctl apply -f <FILENAME>
    [Figure: as on slide 13]
  • 19. Adoption Advices
    - (skipped) Use special labels for network policy
    - Rethink IP-based packet filters
  • 20. Dynamic Nature of K8s
    [Figure: (Static) versus (Dynamic, changing IP); K8s is primarily designed for the dynamic case. Source: https://www.slideshare.net/gmccance/cern-data-centre-evolution]
  • 21. Rethink IP-based packet filter
    - Pod up/down triggers firewall rule adjustment
    - Translate application-level policy to network-level policy
    - Given that the firewall can recognize pod IPs
    [Figure: an application-level policy (source labels -> destination labels) translated into IP-based firewall rules (IP -> IP), which change frequently]
  • 23. Looking forward (1)
    - Cilium
    - Does not use IPs to define filters
    - Flexible and efficient
    - Requires Linux kernel 4.8 or newer
    [Figure: application-level policy (source labels -> destination labels) mapped to identities (id) and enforced by an eBPF packet filter, instead of IP-based rules that change frequently]
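    The churn argument of slide 21 and the identity idea of slide 23 can be made concrete with a small compiler. This is an added illustration, not code from the talk, Cilium or any firewall: it expands one label-based policy into IP-pair rules, then replays a backend restart and a scale-up and counts how many IP rules must be added and removed while the policy itself is untouched. The identity scheme (a string derived from a pod's label set) is a simplified sketch of the label-to-id mapping on slide 23, not Cilium's implementation, and the pods and addresses are constructed.

```python
"""Label policy compiled to IP-based firewall rules (added illustration).

Shows the point of slides 21 and 23 on constructed data: the application-level
policy (labels to labels) never changes, but an IP-based rule set has to be
rebuilt whenever a pod is created, deleted or restarted with a new address,
while rules keyed on a label-derived identity stay stable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    ip: str
    labels: tuple  # sorted (key, value) pairs


def make_pod(name, ip, **labels):
    return Pod(name, ip, tuple(sorted(labels.items())))


def matches(match_labels, pod):
    """matchLabels semantics: all pairs must be present (AND)."""
    return all(dict(pod.labels).get(k) == v for k, v in match_labels.items())


# Application-level policy, stated once in terms of labels (slide 21, left side).
POLICY = {"source": {"tier": "backend"}, "destination": {"tier": "database"}, "port": 3306}


def compile_ip_rules(policy, pods):
    """Expand into (src_ip, dst_ip, port) tuples: one rule per source/destination
    pair, so the set grows with |sources| x |destinations| and tracks every IP."""
    sources = [p for p in pods if matches(policy["source"], p)]
    dests = [p for p in pods if matches(policy["destination"], p)]
    return {(s.ip, d.ip, policy["port"]) for s in sources for d in dests}


def identity(pod):
    """Label-derived identity: every pod with the same label set shares it
    (simplified sketch of the slide 23 idea, not Cilium's real scheme)."""
    return "id:" + ",".join(f"{k}={v}" for k, v in pod.labels)


def compile_identity_rules(policy, pods):
    """The same policy keyed on identities instead of addresses."""
    sources = {identity(p) for p in pods if matches(policy["source"], p)}
    dests = {identity(p) for p in pods if matches(policy["destination"], p)}
    return {(s, d, policy["port"]) for s in sources for d in dests}


def churn(old_rules, new_rules):
    """(rules to add, rules to remove) when the pod set changes."""
    return len(new_rules - old_rules), len(old_rules - new_rules)


# Constructed cluster state before and after a backend restart plus a scale-up.
BEFORE = [
    make_pod("api-1", "10.0.1.11", tier="backend"),
    make_pod("api-2", "10.0.1.12", tier="backend"),
    make_pod("db-0", "10.0.2.5", tier="database"),
    make_pod("web-1", "10.0.3.7", tier="frontend"),
]
AFTER = [
    make_pod("api-1", "10.0.1.31", tier="backend"),   # restarted, new IP
    make_pod("api-2", "10.0.1.12", tier="backend"),
    make_pod("api-3", "10.0.1.33", tier="backend"),   # scaled up
    make_pod("db-0", "10.0.2.5", tier="database"),
    make_pod("web-1", "10.0.3.7", tier="frontend"),
]


def ip_rule_churn():
    return churn(compile_ip_rules(POLICY, BEFORE), compile_ip_rules(POLICY, AFTER))


def identity_rule_churn():
    return churn(compile_identity_rules(POLICY, BEFORE),
                 compile_identity_rules(POLICY, AFTER))
```

    With the constructed data, `ip_rule_churn()` reports two rules to add and one to remove for a single restart and one extra replica, whereas `identity_rule_churn()` reports no change at all, which is the property the slide credits to identity-based enforcement.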
  • 24. Looking forward (2)
    - Istio
    - Each service pod is equipped with a sidecar container (Envoy), which enforces policy
    Source: https://github.com/istio/auth
  • 26. Takeaway
    - By default, pods can talk to each other at the network level
    - Network Policy
      - whitelists pod incoming connections
      - needs the container network provider's support
      - cannot be applied to some cross-namespace scenarios
    - Adoption
      - security needs to be as agile as containers
    - Looking forward
      - Flavored policy enforcement
  • 28. References
    - Network Policy: official document; recipes by ahmetb
    - Calico: getting started with k8s

Editor's Notes

  1. File entry point (檔入口)
  2. File entry point (檔入口)
  3. File entry point (檔入口)
  4. Pets (乖乖) vs. cattle, finding a substitute (抓交替), disposable, dynamic, changing IPs