Description
Kubernetes makes it easy to deploy, manage and monitor your cloud native applications. Security can be a challenge in such a dynamic, containerised environment, though.
Website: https://www.suse.com/de-de/
Organized by @Microsoft @kubermatic7173 @SysEleven
Thanks to our sponsors @CapgeminiGlobal, @gardenio, @sysdig, @SUSE, @anynines, @redhat, nginx, serve-u
Thank you. So Kubernetes is becoming more and more, yeah, used everywhere, and oftentimes it also means you don't only have one or two clusters but lots of them, because of different environments, different industry PCs with different capabilities, some workloads running in the cloud, some workloads running on premise somewhere in a data center. You maybe have different teams or regulations where you have to split off applications into different clusters.

Additionally, when we talk about security in terms of Kubernetes, we also have some challenges. As we said, containers are becoming more and more prevalent; they are being used more and more, but a lot of the traditional security tools that we have been using in the industry don't work so well with Kubernetes anymore, because the workloads are a lot more flexible. The container could be running on one node at one point in time and 10 minutes later on.
An additional complexity there is that Kubernetes is very good at abstracting the complex things of having networking between applications away from you. It just works, usually, and this is great, because I don't want to care about what network I actually run my application on.

The downside of this: you have a lot less visibility with just standard tools, because it's just magic, it works, but if you actually want to dive deep down into who's communicating with whom and how, and maybe also then introduce security restrictions in there, at least Kubernetes out of the box doesn't give you anything.
So when we talk about security in Kubernetes, there are basically two areas where we have to think about hardening, where we have to think about secure configuration. The first is the Kubernetes cluster itself, because again, the Kubernetes API is a prime target. If you can get in there, you're basically root inside of the Kubernetes cluster, and you can then do a lot of things, even going so far as, yeah, let's say you get into the Kubernetes API.

You are root there; probably, if you're running on a cloud provider, you can get access to the cloud credentials and you're rooted, or you have privileged access at the cloud provider. You can start booting up VMs and then do crypto mining, a very common attack actually, and you have to make sure that you configure your Kubernetes cluster in a way that it's, yeah, secure.

You have to keep it up to date, and there are tons of tools that can help you with that, and I just put in all the ones I could think about last night, and a lot of them are also sponsors here, that help you keep your Kubernetes clusters configured securely, to configure all the security policies securely, to configure robust access controls securely, and so on.
That's not what I want to focus on today, because, yeah, that's probably like a two-, three-year-old topic or so; then it was cool, but what also became much more apparent, especially with the latest attacks and latest supply chain attacks, for example, is that it's also vitally important to actually secure your applications running inside of Kubernetes, and there are also a couple of tools that already do this in various forms, with various features, also some of them sponsors here, and as one example of these, to show you how you can use them and where these tools can secure you, I picked NeuVector, because, first of all, I know it best, but also because it's completely open source and in the process of actually being submitted to the CNCF under the name Open Zero Trust. So it's not proprietary. There are no paid features. You can just start using it. That's why I decided to focus on it. What these tools are doing, again with various different features and to various degrees, but the concepts are the same, is to secure, first of all, the supply chain of your container images.
Let's dive a bit deeper into both, and let's start with the supply chain. The usual software supply chain looks like this. You have the developer; they write some code and at some point they commit it to a git repository, and then you usually have some kind of CI/CD pipeline, probably not in Jenkins anymore, that then performs some tests on the written software and at the end builds a container image, and this is the first time where a supply chain security software tool can hook in. You can say: hey, when the image has been built, I want to directly scan this. This is a Trivy case. I just asked before, for those who are not here, who is already using kind of like a security tool; Trivy came up quite a lot. This is a Trivy case where you can just scan the image and it checks your image against the CVE database, and if there are any, whatever it is, you can just fail the build.
Solutions can hook in and scan your images for vulnerabilities, so that if your image is for three, five days in the registry, or for a few weeks, and at some point there is a new CVE automatically popping up, you get alerted and you get a notification that this is the case. And then at some point your image needs to get into production, and the first thing where these security tools, like, for example, NeuVector / Open Zero Trust, can hook in is admission control, because you can already say, if you want, in your Kubernetes cluster, to register an admission control hook and then say: okay, every time a new pod is being deployed, check the image, and check the image if it already has a, okay, if there are any CVEs inside of the image that are older than seven days and that don't have any patch yet, which means the developer didn't even have a chance to patch the security vulnerability, then forbid the deployment and deny it; otherwise allow it, because maybe you actually don't want to stand in the way of the developer actually fixing some bugs or deploying something or things scaling up to begin with. And the last step then with supply chain security is at some point
your image is running inside of the cluster, and that is sometimes, always, forgotten, because when it's running in the cloud, in the cluster, it's also important to scan it there, because it's running there for days or weeks or months sometimes, and you also want to make sure that you actually know something is running in production, and you have lots of images running in production. So even if you scan the registry, you maybe don't know which version is currently running in which cluster and which environment.

So if something is in production, you really want to be alerted there that something bad has happened, and this image scanning, it is really important to do this on all of these levels, because you don't want to produce unsecured software where you know that there is a security vulnerability inside of that.

But it's not enough, because there are cases where there is a vulnerability, a security problem, and it's not public yet, and people still can get into your system, or maybe you can't patch it yet because some dependencies can't be updated, because your application is not working with this new library and it's a huge rewrite and would take you four weeks. On the other hand, this application may be vitally important.
You can't just take it offline, so now then you'll have to maybe do something else to still ensure security in your system, and I always like, as an analogy, I like the picture of: if you just do image scanning, in the real world it means if there is a bank robbery and a security guard then checks someone coming in, checks the bank robbers for their identity and then compares the bank robber with a list of known bank robbers and says: oh, this bank robber, this person is not on the list of known bank robbers, so it's fine, it's probably all good, and I let them in. Which, yeah, that's still bank robbers, right? So just relying on image scanning is really not enough. Also, everyone does image scanning; every one of the container security tools, there's image scanning, everyone is doing it kind of the same way, and they're doing it with various CVE databases; you may even have different results, you may even want to use multiple scanners. It's kind of the bread and butter of container security.
You also have to protect against the unknown, and with that we come to the important thing, runtime security, and when I just checked before the talk started, I think no one did runtime security yet. In Kubernetes clusters you can do runtime security with two different things, based on threats that you know and threats that you don't know. These threat-based controls are scanning images for CVEs.

We already covered that, but also things like adding a web application firewall or data loss prevention in front of your containers to, for example, not allow known attacks like XSS, SQL injection, just blocking them before they reach your container; or this data loss prevention may be scanning your traffic, and if there's a credit card number in the outgoing traffic, you want to block the request, because the credit card numbers should never leave your system, yeah. There's protection against known network attacks.
You have to do the same as admission control, and this is one thing also vitally important to know, to do this, but again not enough, because even if you scan all your traffic, if you have a web application firewall in front of it, if there's a new attack vector, a new payload, something like Log4j, Log4Shell coming in, that you don't have any protection against in any web application firewalls, people can get in, and that's where the second column here, zero trust, comes in, where you can then also protect and create a rule set based on the network activity, the process execution and the file access of the applications running inside of a container, and then basically block everything else that is not normal. Basically, it's creating firewall rules, right, and process execution rules; that's nothing new! What's new here is how modern security tools can help you create these rules, and here now we're going into more like an example of how NeuVector does it, because NeuVector has an automated learning mode with which it can help you to create these rule sets of what is allowed in network connections, what is allowed in file access and what is allowed in process execution. NeuVector hooks into the complete network stack of a Kubernetes cluster. That means the traffic inside of a cluster between pods and containers, the so-called east-west traffic, but also the north-south traffic, for traffic going into the cluster from the outside, from some external system, the internet or the intranet, or also traffic going from your cluster to external systems again, and then on this traffic
NeuVector does the packet inspection, which means on layer 3 and layer 4, so that it knows which applications, which components connect to which other components, but not only on which IP and which port they're connecting to, but also which protocol they are speaking on this connection. So is this a MySQL connection? Is it DNS? Is it HTTP? And then it also can protect against that and only allow, for example, DNS traffic on a connection that did DNS before, and it's looking at the executed processes and accessed files.

And what does the packet inspection allow you? It is, first of all, to automatically learn the known behavior; we will cover this in a minute in more detail; and auto-generate security policies, which of course you can also then distribute as security as code, and you can change manually, and then it can protect against any zero-days or unknown CVEs by not allowing anything to happen inside of a container that is not covered by rules.
So even if an attacker can come into the container, maybe then they may be able to get a shell, or if you forbid executing, not even that, but then you can forbid running curl, you can forbid running wget, you can forbid downloading some scripts from some external system that you don't know about, you can forbid accessing some files to do some kind of privilege escalation.

You can also forbid communicating to other external systems that you don't know of. So even if an attacker comes in, they can do a lot less.

One thing that makes NeuVector a bit unique compared to others is that it's not using eBPF or sidecars or kernel extensions, but it's just using directly the network stack and the standard protocols, and actually also looks at the complete payload. So not only at the metadata, who connects to whom, but also the exact payload, what is actually done over the connection, and with that you can do things like a packet capture automatically and also scan the complete traffic with a web application firewall or data loss prevention, as I explained, yeah.
Just, these are not that important. These are, for example, the threats that it can automatically detect. I want to cover more how this automated learning can help you build up this rule set, because if you want to create firewall rules manually for 50 different pods in your cluster, that's kind of annoying, and then something changes and you forget about this, and then you block something and your developers are unhappy.

So, with automated learning you can have either your complete cluster or certain pods in different modes in NeuVector. The first one is a Discover mode. In this Discover mode, NeuVector listens on the process execution, file access and also on the network communication and expects that every connection that has been made, every process that's been executed, is standard, normal behavior, and it automatically creates a rule set for you.
You should, of course, do this and run the Discover mode only in an environment you trust, not in a production environment where maybe an attacker is already in, because then the attackers are building up the rule set for you; probably not a good idea. When you're happy with the rule set, and of course, maybe you do this in a trusted environment or you manually review it, and maybe you add one or two more rules that were forgotten because no one executed the connection to the third-party payment API when testing has been done, I've been there, done that, you can switch either the complete system or individual pods to a Monitor mode. Then NeuVector stops learning new behavior and learning new rules, and if something is happening that is not covered by rules, such as a file access, a network connection or a process execution, it will alert you.
Let's have a look at this, to show you how this works. Oh, okay, so, first of all, NeuVector is very easy to install. I'm running it here in a cluster managed by Rancher. NeuVector has no dependency on Rancher; it's just a Helm chart. You can install it on any Kubernetes cluster, vanilla Kubernetes, you name it, right. It's just a Helm chart.

NeuVector comes with a nice UI that can help you visualize the security of your system and set everything up. But of course, there is also an API and you can also configure things with Kubernetes manifests. You can automate this completely.
Let's have a look at the scanning results first. So here under Assets you have scan results for everything that makes up your Kubernetes cluster. So, first of all, the Kubernetes version itself; if that had any known CVEs, it would show them here. It also scans the nodes that make up your cluster, like all the worker nodes, for example, and all the control plane nodes, and for every node you can then also see the vulnerabilities and CVEs that are in packages on these nodes.

So here, for example, you can see I have AppArmor installed here directly on the node, and I really should update this; there's even a fixed version of it for this already, and for every CVE, of course, I can also click here on the details and get a description and also a link to the CVE source, so that I can then maybe make a decision: is it something I really, really have to patch?
Or maybe I can do it next week during the scheduled patch run. NeuVector doesn't only scan for CVEs and security vulnerabilities, but also for compliance. So on all levels you also have compliance checks built in; you can configure which checks are important for you. These are based on the CIS checks by default, and you can also create your own checks if you wanted to. And here you can see: is my node in my Kubernetes cluster actually configured correctly? And you can see some things are not, because, I don't know, rotate certificates is set to false. It should be set to true according to the CIS scans, and then I also can act upon that. Same for containers. These are the containers running inside of my cluster. You can see these are all the pods in my cluster here, and maybe let's filter this down to one to make this a bit easier to see.
So here we have a recommendation service pod, and you can see there are two containers in this pod: an istio-proxy, because this is actually running Istio as a service mesh, and the server container, which is the actual application running, opening up a TCP port on port 8080. You can also see that this one currently is in Discover mode, and we come to this later. So when I click on this here, I also have again the same UI with the list of all the security vulnerabilities.

So I really should update this here, and the same thing also: there are compliance checks that are being executed, so you can also see the file permissions inside of the container image are kind of broad, so maybe that's something I should fix. And you can also hook up your registries. So here you can see a couple of container registries that have been added here, and for every container registry you can also see which images are in there, and I
don't know, let's try to find one that actually worked with scanning, okay, but you can see all the container images here, and you can see here, I think the last scan failed because, I don't know, I did something weird, but you can see here there are also 244 vulnerabilities. You can get the same details. There's also a different view, which is kind of interesting for a lot of organizations, because you can also use this the other way around and compile yourself a list of all the known security vulnerabilities in your system, and then you have all the CVEs listed here, again quite a lot in this cluster, and if you click on one, you then have the components that are impacted by this: the container images in your registry, the containers running in your system, and if there were nodes impacted and packages on that,
that would also be the case here, and you can even export this as a CSV file or a PDF and then send this to some security auditor or so, to tell them: this is the state of my system. And the same with compliance. You also have a compliance report that gives you all the compliance violations, or maybe also reported. So it says there are no compliance violations, and then you also can export this as a PDF, as a CSV, and send this to other people via email to tell them: hey, we are secure, or we are not secure. Because I hadn't talked about this before, let's quickly check compliance. So you can... there are all the standard compliance rules, PCI, GDPR, HIPAA, NIST, already as profiles in here, and then you can choose if you want to just do all compliance checks, or only the ones that are used in the PCI standard, or only the ones that are used in the GDPR standard, and configure it to your liking and, of course, also add your own. You, of course, also get notifications.
So every time some compliance check reported a compliance violation or some check introduces a CVE, you get a notification here, which tells you: hey, here is, for example, BusyBox, it has a lot of CVEs in here, and you really should fix this and update this. And, of course, these notifications can be viewed in the UI but also sent to external systems, so that you don't have to look at the UI anymore, but maybe get the message in Slack or whatever you're using, in some channel.

So that's scanning, again bread and butter. So let's look at the important stuff, which is what happens during the runtime. If I go here to Policies, you can also see there are the things that I can do: I can configure admission control hooks, as I talked about earlier; you can configure web application firewall sensors and data loss prevention sensors here. But let's maybe look here at the Groups section, which is the similar view to what we had with image scanning before, but it shows me all of my pods, and again this recommendation service.
But now here I get the actual learned behavior, because it's in Discover mode. I see all the learned rules for executed processes. So you can see there is, for example, bash here that is probably used in the container image; then Envoy for the istio-proxy is in here, and then some Python application that is in here when you scroll through this, and we can also filter this. You can see, because it's important, there's no curl or wget that has been learned. File access: there are no files accessed by the application, because it's just not reading anything from the file system when it's executed. So then our rules here: NeuVector automatically has some predefined rules, though, for the standard stuff that should never be accessed or never be written to. For example, you should not modify the resolv.conf inside of the container or access the /etc/passwd file, or something like this. So these are automatically created in every container because it makes sense. And network rules: we have a set of rules that has been learned of which component communicates with which other components. So we can, for example, see here, this is the recommendation service; because of this, zoomed in a bit, it says RSC, but here the recommendation service communicates with CoreDNS inside of the cluster and does the DNS protocol; that has been learned and is currently allowed.
So that's, maybe I can also here switch the mode. So currently we can also see here it's in Discover mode, and if I go back and now go to the pod in here, filter for this and go to one of the recommendation servers, I'm just executing a shell in here. So this is kubectl exec, right; it's just easier for me to click it three times than type it, and now I'm doing a wget to google.com and it works.

If we go back to NeuVector and refresh this here, we can now see there is, should be, and let's see, why do I see one series? Okay, so wget is now in here, and I actually was surprised that I didn't see a network rule.

Oh no! It's here, I just missed it because it zoomed in. So there's also a new network rule that was just created, like a couple of seconds ago, from the recommendation service to the external system, which is google.com.
You can do this manually, you can also do this automatically, and let's maybe go back to the process rules and let's remove wget, because I actually didn't want to allow that. And if we go back to our shell inside of the container and execute just the same thing, it still works. I still get a connection. I can still download the index.html file. By the way, I'm using wget because curl is not inside of the image, and it doesn't matter so much which process I use for the demonstration.
And if we go back to our Groups here, and oh, I want to filter here for the recommendation service, and if I just switch the mode to Protect mode, submit, bam, and I go back in here, and now the process is directly killed. I can't execute that wget anymore. Of course, I again get a notification in here, a security event, and now it's critical and the action is not alert but deny, because it was actually blocked, and from here, if I wanted to, I can also quickly review this rule and say: oh, I've actually forgotten that this process should be executed, because it's vitally important that wget can be executed here. So I deploy a new rule allowing this again, so now it works. And let's maybe, as a second example, go to our network rules here and also filter for recommendation service and let's remove the rule that allows the communication from the recommendation service to the external system, in this case google.com, and save this.
And if I did everything correctly, now the connection times out and you can't connect to it anymore. Of course you can click this all together in the UI, but you can also take any group and export this as a Kubernetes manifest, to put it into any git repository, in your CI/CD pipeline, to roll it out to other clusters, and you can also say: hey, in a staging cluster I want to learn it, then I'm going to export it in Protect mode for my production clusters. So tons of possibilities to automate all of that, for the whole system. Here there's also another nice view on it.
If we go to this Network Activity page, which gives me a visualization of my complete cluster, it looks a bit messy because I have tons of stuff deployed in my cluster, so let's just filter it down to the namespace where I'm having this recommendation service in. So still a bit messy, because it's a microservice application, but you can kind of see this green one is the recommendation service that is currently in Protect mode.

The blue ones are other microservices that also do lots of communication back and forth that are currently in Discover mode. You can also quickly see everything has a red bubble here, which means there are known CVEs in it. So I really should do something about this, and you also can see all the communication lines, and you'll see, for example, from the recommendation service there are red lines, which means there was something blocked already, and also from here I can have a look at all the details.
I can, for example, oops, I can also quickly change the mode from here. I can completely quarantine a pod, for example, to block directly with one click all network communication to this container if something bad happens; this can also be done automatically. And one additional nice feature I just want to highlight, because it can become very handy: I can also do packet capture directly here from the UI, which means I just pick one pod, oops, again packet capture, okay, I picked one pod and I can now start.

I actually hope this email service actually gets traffic. I can start doing packet capture, and I have a load generator that does some requests against this, and I can download myself a pcap file, and this pcap file I can open in, oh it's right on, just in Wireshark or any other tool that supports pcap, and then I can inspect the complete network traffic
that was done during that time, to analyze what was actually the communication in there, and if there was, for example, a known network attack being detected, like an SQL injection, for example, I would get these packet captures also automatically, and this is one of the beauties of not using something like eBPF or using any kind of sidecars, but actually looking at the network stack, because you can have easy access to these features. Of course, you can also use tcpdump, you can SSH into, but then you have to SSH into the node.

You have to find out which node to SSH to first, then you have to Google again, I get this, I have to Google how to use tcpdump. Then you have to find the right network interface, you have to figure out how to connect to the right network namespace, and then it's going to be really messy, and this way it's maybe a bit easier to consume.
Okay, yeah! That's what I wanted to show in the demo. Again, there are a couple more features in here that we haven't covered, with admission controls automatically reacting on security, detecting security risks, web application firewall, data loss prevention and so on.

If you want to try this out, there are some good resources: there's, of course, the NeuVector home page, which is a bit more marketing; probably more interesting for all the technical people here is the documentation, and again installing it is just running helm install, and then you have it inside of a cluster, and by default, when you don't change anything, it doesn't do anything, it doesn't block anything; it will just start scanning stuff and it will just start building up the rule set, because by default everything is in Discover mode first, because we don't want to destroy your system just by installing a security tool, and again, completely open source and currently in the process of being submitted to the CNCF, yeah.
That's what I wanted to show, and if you have any questions we can... we have a couple of minutes left, so we can do them now, and also I'm here all day, so feel free to find me at any point in time, maybe outside where it's a bit... the climate is a bit better. And first of all, thank you for your attention and coming to this tutorial in the morning.
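As an added example, not part of the talk and not NeuVector's code, here is a toy model of the Discover, Monitor and Protect modes and the learned process and network rules the talk describes, replaying the demo's sequence (wget learned, removed, denied in Protect mode, re-allowed, then the network rule removed). The group name, the event format, the google.com port and the exported rule layout are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DISCOVER = "discover"  # learn everything observed as normal behaviour
    MONITOR = "monitor"    # stop learning; alert on anything not covered
    PROTECT = "protect"    # stop learning; deny anything not covered


@dataclass(frozen=True)
class Event:
    kind: str     # "process" or "network"
    subject: str  # process name, or "destination:port/protocol" (assumed format)


@dataclass
class GroupPolicy:
    """Learned allow-rules for one group, e.g. the containers of one pod."""
    name: str
    mode: Mode = Mode.DISCOVER
    allowed: set = field(default_factory=set)
    security_events: list = field(default_factory=list)

    def observe(self, ev: Event) -> str:
        """Handle one observed event and return the action taken."""
        if self.mode is Mode.DISCOVER:
            self.allowed.add(ev)  # in Discover mode everything seen is "normal"
            return "learn"
        if ev in self.allowed:
            return "allow"
        action = "alert" if self.mode is Mode.MONITOR else "deny"
        self.security_events.append((self.name, ev.kind, ev.subject, action))
        return action

    def allow(self, ev: Event) -> None:
        """Operator adds a rule by hand (e.g. the forgotten payment API)."""
        self.allowed.add(ev)

    def revoke(self, ev: Event) -> None:
        """Operator removes a learned rule that should not have been there."""
        self.allowed.discard(ev)

    def export_rules(self) -> list:
        """Rule set as plain data, the shape you would commit to git and roll
        out to other clusters (assumed layout, not NeuVector's CRD schema)."""
        rules = [{"kind": e.kind, "subject": e.subject} for e in self.allowed]
        return sorted(rules, key=lambda r: (r["kind"], r["subject"]))


# Constructed events mirroring the demo; group name and port are assumptions.
WGET = Event("process", "wget")
GOOGLE = Event("network", "google.com:80/HTTP")


def replay_talk_demo() -> list:
    """Replay the demo sequence from the talk and return the actions taken."""
    group = GroupPolicy("recommendationservice")
    actions = []
    # Discover mode: bash, the Python app, wget and its outbound connection
    # are all learned as normal behaviour.
    for ev in (Event("process", "bash"), Event("process", "python"), WGET, GOOGLE):
        actions.append(group.observe(ev))
    # Removing wget while still in Discover mode does not help: the next
    # execution is simply learned again and the download still works.
    group.revoke(WGET)
    actions.append(group.observe(WGET))
    # Protect mode: the unwanted rule is removed again and the process is denied.
    group.mode = Mode.PROTECT
    group.revoke(WGET)
    actions.append(group.observe(WGET))
    # The operator decides wget is needed after all and re-allows it.
    group.allow(WGET)
    actions.append(group.observe(WGET))
    # Second example: drop the learned network rule; the connection is denied.
    group.revoke(GOOGLE)
    actions.append(group.observe(GOOGLE))
    # Monitor mode would only have alerted on the same connection.
    group.mode = Mode.MONITOR
    actions.append(group.observe(GOOGLE))
    return actions


if __name__ == "__main__":
    for action in replay_talk_demo():
        print(action)
```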