Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022 / 28 Oct 2022
Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022 / 28 Oct 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Keynote: Crossing the Kubernetes Network Policy Chasm - Michael Foster, Red Hat, StackRox

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Keynote: Crossing the Kubernetes Network Policy Chasm - Michael Foster, Red Hat, Community Lead - StackRox

Isolating pods with Kubernetes network policies is a vital activity in securing the Kubernetes cluster. The technology has been around since 2017, and yet organizations often make very limited use of it, leaving workloads with over-privileged ingress and egress rights. Why is that? Well, identifying the right networking requirements of individual workloads is challenging to begin with, and operationalizing the task across Dev, Sec and Ops is not trivial. In this talk we will explain how open source technology helps development and security teams automate the process using machine generated Kubernetes network policies, along with human authored policies to govern them. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross this chasm.

A

Awesome folks, um thank you, Andrew for the amazing opening remarks, and next we have our keynote uh from Michael. Foster Michael will be talking about crossing the kubernetes network policy jasm. So let's hear it from Michael I got hope. This is.

B

Working hello, hello, yes, crosnicasm, building a bridge. Whatever analogy you want to use, as he said, I'm Michael, Foster I, am the community lead for the stack Rocks, open source project I'm, also a pmm at Red, Hat and looking forward to an exciting week very happy, actually I'm speaking first right and get it out of the way you're, very nice?

B

Okay. So let's first talk about why the chasm exists. Network policies today are very efficient and managing pod to pod communication. Network rules for namespaces setting various IP blocks, they're also additive permissions right we default, deny everything and then we add the network policies on top to allow traffic. Now there is a pretty serious challenge with this process, because the rules are additive. The communication between the teams tend to break down. The developers need specific rules for their applications. The security teams don't necessarily know that.

B

Maybe the network security team doesn't even know what kubernetes is and they're trying to tell you what ports and protocols you can and can't use, and it isn't until the dev test or even staging environments that the developers find this out. So we want to be able to have a solution that can fix the human problem and say where we can actually leverage the technology like this today because, as they say, kubernetes Network policy is more of a communication challenge with a powerful tool all right.

B

So what I and the MP guard project propose is a flexible workflow for the devsec organizations, a process where the security teams can define a system policy for their kubernetes clusters and teams, different ports and protocols, what's allowed, what isn't where developers, operators or automated systems can generate kubernetes policies and validate them against the security team automatically and asynchronously, and then lastly, we want to deploy and test from git making updates in our automated pipelines anyway.

B

So if the security team updates it, the developers will know exactly what ports and policies have changed, and so the MP guard project was designed with this workflow in mind. Let's take a look, so the mpguard project seeps the simple seeks to simplify the experience of creating and maintaining the K-8 Network policies and to help meet this challenge. We want to automate the generation without having to run the application code, so we want to integrate into the application's CI CD pipeline, ensuring Network policies get gets updated whenever the required cluster connectivity changes.

B

So you can see it there. First for the workflow the automatic synthesis stage it takes into the application's configuration files. Your deployment manifests your services things like that. We also want to pair it up with maybe what's the typical traffic that you're seeing and the security teams can do this All automatically without the developer being involved or if the developer wants to generate them first as well, you can generate and check them in so the first stage is of the flow also proposes the updated Network policy connectivity restrictions in the form of network policy resources.

B

Second, the review and modify stage, so the proposed network activity is presented to the devops team for the review. This presentation can be graphic, a concise textual report or simply the actual Network policy yaml file. So you think about it. Security team goes sets specific ports and policies that they allow the developer or operations team can just automatically check it. Against what they already have in their manifest generate a network policy, we can check that in we can validate it against it.

B

If we get the green light, then it goes to test if it doesn't, maybe it breaks the pipeline. There's a lot of flexibility in how you want to bring this into your workflow.

B

So again, users can make changes to the proposed connectivity and then these changes can be automatically updated. Let's say the security team has decided a certain Port is not allowed and you have a massive organization with a lot of clusters. Well, then, we need to make a change and make sure that all of our Network policies across are validated. We can do this automatically in a CI CD pipeline.

B

So for that workflow we want to be able to help simplify and scale it I know it's like the best buzzword ever, but really it's about allowing the operations and devops teams to have the flexibility of how they implement it, because we want the security teams to feel safe in the applications that are running now.

B

To sum it up, I'll keep it quick because it's early Monday morning and the coffee's kicking in so if you'd like to see the project in action I'll be outside at the red hat Booth, you can also download the stack Rocks open source platform is free to use. It has the developer preview flag in action right now. If you want to check it out again, like I said free to use, and you can also take a look at the MP guard project, it's a project on its own as well and then I know.

B

We have a couple. Other people I want to give a shout out to.

A

And Luke.

B

Heinz is in here he's doing six store con tomorrow at 9, 15. I'll, be there checking him out too and again I'll be at the red hat Booth outside. If you want to learn more and see it in action, but thank you so much. Everyone.