Trust is good, control is better
A short story about Network Policies
Maximilian Bischoff,
Johannes M. Scheuermann
Hamburg, 26 June 2019
Maximilian Bischoff, Cloud Platform Engineer (unofficial title: Chaos Monkey)
Johannes M. Scheuermann, Cloud Platform Engineer (@johscheuer)
What can you expect?
● Get an overview of the challenges with network policies
● Get an overview of the different aspects of testing / validating your setup
What about you?
Why should I test my network policies?
Why should I test my policies? Many knobs to turn
https://www.pexels.com/photo/colorful-toothed-wheels-1711986
Why should I test my policies? Kubernetes doesn't implement the policies
[figure: the kube-apiserver stores the NetworkPolicy objects; the CNI plugin reads them and implements them; nothing flows back to the API server: no feedback!]
The API server only validates and stores a NetworkPolicy. Whether and how it is enforced is entirely up to the CNI plugin: if the plugin does not support NetworkPolicy, the object is stored and silently has no effect; if it does, it reports nothing back about what it actually programmed into the data plane. Looking at the object tells you nothing about its effect.
Why should I test my policies? I choose you!
[figure: a choice of CNI plugins that implement network policies; this list is not complete!]
Why should I test? Hard to read policies
https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md

AND: both selectors in one from element, so a source pod is allowed only if it carries type=monitoring AND lives in a namespace labelled team=operations:

    ...
    spec:
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              team: operations
          podSelector:
            matchLabels:
              type: monitoring

OR: the same two selectors as two from elements, so a source is allowed if it is any pod in a team=operations namespace OR it matches the podSelector. One extra dash changes the meaning completely, and note that the bare podSelector in the second element only selects pods in the policy's own namespace, not in the operations namespace:

    ...
    spec:
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              team: operations
        - podSelector:
            matchLabels:
              type: monitoring
Why should I test my policies? Component updates
[figure: four nodes over time: kube-proxy in iptables mode with CNI plugins; kube-proxy switched to ipvs mode with CNI plugins; kube-proxy in iptables mode with CNI plugins v1; kube-proxy in iptables mode with CNI plugins v2]
Is everything still working after an update? Switching the kube-proxy mode or upgrading the CNI plugin replaces the code that programs the data plane, while the policy objects in the API server stay exactly the same and give no hint that enforcement may have changed.
Conformance tests don't test network policies! The Kubernetes conformance suite cannot require NetworkPolicy enforcement, because enforcement depends on an optional plugin, so a cluster can pass conformance with every policy ignored.
What to test
[figure: the NetworkPolicy objects feed the SDN control plane, which programs the data plane]
- Conformance: do the policy objects say what you intended? (checked against the objects themselves)
- Effect of policies: is traffic actually allowed or blocked in the data plane?
- Synchronisation: does the data plane reflect the current state of the control plane, and how quickly after a change?
How to test
Testing strategies: Copy-pod
Take the pod under test and create a copy that carries the same labels (so every policy that selects the original also selects the copy) plus a marker label for the test framework, but runs a test-runner image instead of the application:

    kind: Pod
    apiVersion: v1
    metadata:
      name: foo
      namespace: default
      labels:
        app: foo
    spec:
      containers:
      - name: foo
        image: foo:latest
    ...

    copy ->

    kind: Pod
    apiVersion: v1
    metadata:
      name: foo-test-copy
      namespace: default
      labels:
        app: foo
        testing.framework: ""
    spec:
      containers:
      - name: test
        image: test/runner:latest
    ...

The copy is a separate pod with its own IP, so only label-based rules transfer to it; ipBlock rules and anything tied to the original pod's address or node are not exercised. And because the copy carries the original's labels, a Service with selector app: foo will route production traffic to the test runner for as long as the copy exists.
Testing strategies: Docker networking
[figure: pod foo consists of the pause container and the foo container; the test-runner container is started on the same node and attached to the network of foo's pause container]
Instead of copying the pod, start the test runner as a plain container on the node and join it to the network namespace of the pod's pause container (docker run --net=container:<pause container>). The runner then has the pod's IP and interfaces and is subject to exactly the rules applied to that pod, with no label tricks and no second pod in the cluster.
Testing strategies: Linux namespaces
[figure: the pause container of pod foo and the test-runner container on the underlying OS; the test-runner shares only the Network namespace with the pause container and keeps its own IPC, CGroup and other namespaces]
What the Docker option does underneath is namespace sharing: only the network namespace of pod foo's pause container is joined, so the test runner sees the pod's interfaces and IP, and therefore its network policies, while its own IPC, cgroup, mount and PID namespaces stay separate from the pod. The same can be done without Docker by entering the pause container's network namespace with nsenter.
Manually
https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/03-deny-all-non-whitelisted-traffic-in-the-namespace.md
[figure: namespace default with pods foo and bar on node 1]
Apply a default-deny policy to the namespace:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: default-deny-all
      namespace: default
    spec:
      podSelector: {}
      ingress: []

Then try to reach bar from foo:

    kubectl exec -it foo -- wget -qO - --timeout=2 http://bar.default
    wget: download timed out

The empty podSelector selects every pod in the namespace and the empty ingress list allows nothing, so the request from foo is dropped and wget times out. A timeout is the only result that proves a drop: "Connection refused" means the packet reached bar and nothing was listening there, and a successful response means the policy is not enforced at all. Run the same command before applying the policy to make sure the target actually answers, otherwise a dead service looks like a working policy.
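The manual check above reads "download timed out" as "blocked". The following Python is an added example, not code from the talk, from netassert or from illuminatio: it classifies a TCP probe the way a policy test must read it, counting only a timeout as evidence of a drop, and evaluates a list of expected-allowed / expected-denied cases. The Listener class and the case list are constructed stand-ins for the target pod; in a real run the probe is executed from inside the source pod's network namespace, and the "refused" verdict assumes a CNI plugin that drops rather than rejects denied packets.

```python
"""Classify TCP probes the way a network-policy test has to read them.
Added example; not code from the talk, netassert or illuminatio.
Assumes TCP probes and a CNI plugin that drops denied packets (the
default), so only a timeout counts as evidence that a policy blocked."""
import socket


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return "open", "refused", "filtered" (timed out) or "unreachable"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # SYN dropped: what a policy deny looks like
        return "filtered"
    except ConnectionRefusedError:  # host answered with RST: the packet got through
        return "refused"
    except OSError:                 # no route, name resolution failure, ...
        return "unreachable"


def verdict(result: str, expect_allowed: bool) -> bool:
    """An allowed pair must be open; a denied pair must be filtered.
    "refused" fails both ways: nothing listened, but the policy did not block."""
    return result == ("open" if expect_allowed else "filtered")


def run_cases(cases: list, timeout: float = 2.0) -> list:
    """cases: (label, host, port, expect_allowed). Returns the failing cases as
    (label, observed, expect_allowed) so a CI job can print them and fail."""
    failures = []
    for label, host, port, expect_allowed in cases:
        observed = probe(host, port, timeout)
        if not verdict(observed, expect_allowed):
            failures.append((label, observed, expect_allowed))
    return failures


class Listener:
    """Constructed stand-in for the target pod: a listening socket on loopback.
    The kernel completes the TCP handshake from the backlog, so no accept() is needed."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def close(self):
        self.sock.close()  # afterwards a probe is refused, not filtered


if __name__ == "__main__":
    target = Listener()
    cases = [("foo -> bar allowed", "127.0.0.1", target.port, True),
             ("baz -> bar denied", "127.0.0.1", target.port, False)]
    print(run_cases(cases, timeout=1.0))  # the "denied" case fails: the port is open
    target.close()
```

Running the block reports the "denied" case as a failure because the local listener is reachable, which is the situation a missing or unenforced policy produces in a cluster. Closing the listener turns the result into "refused", which still fails the denied case: the host was reached.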
netassert
https://github.com/controlplaneio/netassert
[figure: netassert connects to node 1 via ssh, starts the test runner with docker run --net ... in the network of pod foo, and runs test.js / nmap against bar in namespace default]
The expected connectivity is declared in a config file; the keys are namespace:name of the source deployment and of the target, with the ports that must be reachable:

    config.yaml
    ---
    k8s:
      deployment:
        default:foo:
          default:bar: TCP:80

netassert therefore needs ssh access to the nodes and Docker on them; the probes themselves are run with nmap from inside the source pod's network.
illuminatio
[figure: illuminatio reads the policies and pods from the API server, enters the network namespace of pod foo on node 1 with nsenter, probes bar in namespace default with test.py / nmap, and collects the results]
illuminatio needs neither ssh to the nodes nor Docker: it derives what to test from the policies and pods it reads via the API server, enters the source pods' network namespaces with nsenter, runs the probes from there and reports the results.
Test case generation: Preface

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: demo
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: prometheus
      ingress:
      ...

As soon as a policy selects a pod, that pod is isolated from every pod except for those matching one of the policy's ingress rules. Selection alone flips the default from allow-all to deny-all; the rules then only add exceptions.
Test case generation: Two kinds of tests
[figure: pod A (app=prometheus), pod B (app=grafana), pod C (no matching label)]

    ...
    spec:
      podSelector:
        matchLabels:
          app: prometheus
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: grafana

From this policy two kinds of test cases follow: a positive one, pod B must be able to reach pod A, and a negative one, pod C (and every other pod not matching a rule) must not be able to reach pod A. A suite that only runs the positive cases proves nothing about isolation.
Test case generation: Multiple policies
[figure: pod A (app=prometheus) and pod B (team=ops, app=foo)]
Policy 1:

    ...
    spec:
      podSelector:
        matchLabels:
          app: prometheus
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: grafana

Policy 2:

    ...
    spec:
      podSelector: {}
      ingress:
      - from:
        - podSelector:
            matchLabels:
              team: ops
          namespaceSelector: {}

Can pod B reach pod A? Yes. Network policies are additive: a pod may receive traffic if any policy selecting it allows that traffic, and no policy can deny what another one allows. Policy 1 alone would restrict A to grafana, but policy 2 selects every pod in the namespace (podSelector: {}) and allows team=ops pods from any namespace (namespaceSelector: {} ANDed with the podSelector in the same element), so B is allowed. Correct test cases therefore come from the union over all policies selecting the destination, not from reading policies one at a time.
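The AND/OR pair of policies from the hard-to-read example and the multiple-policies question above are instances of one evaluation rule, and a test generator has to implement that rule. The Python below is an added example, not the talk's code and not illuminatio: it models isolation, the additive union over policies, the AND within one from element versus the OR across elements, the same-namespace scope of a bare podSelector and port restrictions, and derives the expected allow/deny verdict for every ordered pod pair, which is exactly the list of positive and negative test cases. The pods, namespace labels and policy names are constructed for the example; ipBlock peers, matchExpressions and named ports are deliberately left out.

```python
"""Expected pod-to-pod ingress matrix derived from NetworkPolicy objects.
Added example; not code from the talk or from illuminatio. Assumptions:
pod-to-pod traffic only (ipBlock peers ignored), matchLabels only,
numeric ports, namespace labels supplied by the caller."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

def selector_matches(selector: dict | None, labels: dict) -> bool:
    """{} matches everything, None (absent selector) matches nothing."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer: dict, src: Pod, namespaces: dict, policy_ns: str) -> bool:
    """One element of a from: list. podSelector and namespaceSelector in the same
    element are ANDed; a bare podSelector only sees the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # assumption: IP-based peers are not modelled
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        raise ValueError(f"peer without selector: {peer!r}")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)

def port_matches(ports: list | None, port: int, proto: str) -> bool:
    """Missing or empty ports: means every port; named ports are skipped."""
    if not ports:
        return True
    for entry in ports:
        if entry.get("protocol", "TCP") != proto:
            continue
        low = entry.get("port")
        if low is None or (isinstance(low, int) and low <= port <= entry.get("endPort", low)):
            return True
    return False

def ingress_allowed(src: Pod, dst: Pod, policies: list, namespaces: dict,
                    port: int = 80, proto: str = "TCP") -> bool:
    """Additive semantics: dst is isolated once any policy in its namespace selects
    it for Ingress; src then needs one admitting rule in any such policy."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != dst.namespace:
            continue
        if not selector_matches(spec.get("podSelector", {}), dst.labels):
            continue
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Ingress" not in types:
            continue
        isolated = True
        for rule in spec.get("ingress") or []:  # ingress: [] -> no rule -> deny all
            if not port_matches(rule.get("ports"), port, proto):
                continue
            peers = rule.get("from")  # empty or missing from: admits every source
            if not peers or any(peer_matches(p, src, namespaces, dst.namespace) for p in peers):
                return True
    return not isolated

def expected_matrix(pods: list, policies: list, namespaces: dict, port: int = 80) -> dict:
    """Every ordered pair with its verdict: the positive and the negative test cases."""
    return {(s.name, d.name): ingress_allowed(s, d, policies, namespaces, port)
            for s in pods for d in pods if s is not d}

def policy(name: str, ns: str, pod_selector: dict, *peers: dict) -> dict:
    """Builds a single-rule ingress policy; the names used below are made up."""
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": pod_selector, "ingress": [{"from": list(peers)}]}}

# Constructed sample data; the namespace labels are assumed, not from the slides.
NAMESPACES = {"default": {"team": "dev"}, "monitoring": {"team": "operations"}}
OPS_NS = {"namespaceSelector": {"matchLabels": {"team": "operations"}}}
MON_POD = {"podSelector": {"matchLabels": {"type": "monitoring"}}}
AND_POLICY = policy("and-form", "default", {"matchLabels": {"app": "web"}}, {**OPS_NS, **MON_POD})
OR_POLICY = policy("or-form", "default", {"matchLabels": {"app": "web"}}, OPS_NS, MON_POD)
PODS = [Pod("prometheus", "default", {"app": "prometheus"}), Pod("grafana", "default", {"app": "grafana"}),
        Pod("bar", "default", {"app": "bar"}), Pod("foo", "monitoring", {"app": "foo", "team": "ops"})]
POLICIES = [policy("prometheus-from-grafana", "default", {"matchLabels": {"app": "prometheus"}},
                   {"podSelector": {"matchLabels": {"app": "grafana"}}}),
            policy("ops-reach-all", "default", {},
                   {"podSelector": {"matchLabels": {"team": "ops"}}, "namespaceSelector": {}})]

def and_vs_or() -> dict:
    """The two selectors in one from: element versus in two, against three sources."""
    web = Pod("web", "default", {"app": "web"})
    sources = {"ops-monitor": Pod("m", "monitoring", {"type": "monitoring"}),
               "ops-other": Pod("o", "monitoring", {"type": "batch"}),
               "local-monitor": Pod("l", "default", {"type": "monitoring"})}
    return {(p["metadata"]["name"], label): ingress_allowed(src, web, [p], NAMESPACES)
            for p in (AND_POLICY, OR_POLICY) for label, src in sources.items()}
```

expected_matrix(PODS, POLICIES, NAMESPACES) returns the verdict per (source, destination) pair: seven of the twelve pairs are allowed, among them foo in the monitoring namespace reaching prometheus, which is the answer to the question above. and_vs_or() shows that the one-element form admits only the type=monitoring pod from the operations namespace, while the two-element form also admits every other pod in that namespace and a type=monitoring pod in the policy's own namespace. Feed the resulting pairs to a data-plane runner and the control-plane view and the data-plane view of the diagram get compared automatically.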
Wrap up
How do these tools complement each other?
[figure: kubeaudit checks the policy objects; netassert and illuminatio check the data plane behind the SDN control plane]
kubeaudit works on the policy level: it inspects the objects stored in the API server. netassert and illuminatio work on the data plane: they send real traffic and check what actually gets through. Static checks catch missing or mistyped policies; only traffic tests catch a CNI plugin that is not enforcing them.
Recap
● Test your assumptions!
● Regression testing makes your life easier
● Network Policies are still hard to get right
  ○ Missing feedback
  ○ Does it work for Services and Pods?
Thank You
Maximilian Bischoff, IT Engineering & Operations, inovex GmbH, Ludwig-Erhard-Allee 6, 76131 Karlsruhe, maximilian.bischoff@inovex.de
Johannes Scheuermann, IT Engineering & Operations, inovex GmbH, Ludwig-Erhard-Allee 6, 76131 Karlsruhe, johannes.scheuermann@inovex.de
