►
Description
Any mission-critical workloads require full lifecycle security coverage. A zero-trust security approach can proactively protect your pipeline, supply chain, test environments and the critical production runtime environment. Container applications, the Kubernetes platform (API service, plugins, service mesh, etc.) and hosts themselves also need to be secured as a full cloud-native stack. This session will focus on open, comprehensive, secure and interoperable solutions designed for any Kubernetes environment. In this session we will explore: (i) Securing the Kubernetes Infrastructure, (ii) Supply Chain Security & (iii) Run-Time Security.
A
All
right,
yeah
hi
everyone.
I
think
we
are
back
with
our
last
session
on
the
dev
track
and
I
have
rahul
krishna
with
me
for
this
session.
So
a
quick
introduction
about
rahul
so
he's
a
open
source
technology
evangelist
and
he
has
been
working
with
zeus
for
18
plus
years
and
he's
a
pre-sales
architect.
B
A
A
B
Yeah,
thank
you
for
the
nice
introduction
good
afternoon.
Everyone
and
hope
you
enjoyed
this
session
going
forward.
So
I'll
just
get
down
to
the
point.
In
this
session,
you
will
see
how
you
can
force
to
secure
innovation
with
your
kubernetes
platform
by
leveraging
open,
secure,
comprehensive
and
interoperable
solutions
right.
When
we
look
at
the
container
landscape,
there
are
multiple
areas
that
need
to
be
taken
into
consideration.
B
B
B
Managing
all
the
complexity
that
comes
along
so
the
whole
aim
here
is
to
how
do
you
simplify
managing
the
security
landscape?
How
do
you
make
it
easy
for
it
for
your
developers
and
operators
and
how
can
we
automate
as
much
as
possible
right
so
new
victor
was
acquired
by
souza
last
year
in
2021,
and
at
that
time
it
was
a
proprietary
product
in
last
month
that
is,
may
2022.
We
have
completely
open
sourced
it.
B
So,
let's
look
at
new
vector
and
how
it
provides
full
container
security
security
in
the
container
world
can
largely
be
segregated
into
two
paradigms:
supply
chain
security
and
runtime
security.
The
supply
chain
security
primarily
covers
vulnerability,
scanning
compliance
scanning
and
admission
controls.
B
Many
tools
are
pretty
good
in
this
space,
and
new
vector
is
pretty
much
on
par
with
them,
if
not
better,
when
new
vector
really
excels
is
in
the
runtime
security
space.
Runtime
security
comprises
of
not
just
scanning
the
containers
but
also
scanning
the
orchestrator,
as
well
as
the
host
operating
system.
It
also
covers
thread
based
controls
and
zero
truss
controls.
Now,
what
exactly
do
we
mean
by
thread
based
controls
and
zero
test?
B
Controls
thread
base
controls
always
need
a
signature
for
matching
right,
so
they
could
be
like
your
cvs,
patent
matching
for
data
loss,
preventation
prevention,
patent
matching
for
network
attacks
and
web
application
firewalls
and
your
admission
control
rules,
but
with
thread
this
controls
you're
always
dealing
with
what
is
known
right.
How
do
you
take
care
of
scenarios
where
you
don't
even
know
about
the
attack,
say
a
zero
day
attack
or
some
new
vulnerability
that
has
suddenly
come
up?
B
B
B
B
So,
as
you
are
aware,
inside
the
cumulative
cluster,
there
is
an
explosion
of
east-west
traffic
right,
because
kubernetes
abstracts
away
the
complexities
of
all
of
this
container
to
contain
a
traffic
you
lose
the
visibility
of
this
traffic.
Other
products
will
tell
you
what
is
represented
in
a
manifest
file
or
in
ip
tables,
or
use
port
labels,
or
will
even
use
kernel,
shims,
say
abpf
to
filter
out
all
the
send
and
receive
from
the
current
level
trying
to
represent
what
is
happening
within
the
network.
B
B
You
just
deploy
your
application
and
your
vector
will
automatically
learn
the
behavior
based
on
that
new
vector
will
automatically
generate
the
policy
both
for
network
process
as
well
as
file
access.
Same
can
be
exported
in
the
form
of
security
as
a
code,
and
what
this
allows
you
to
do
is
basically
protect,
provide
you
zero
day,
counter
measures.
So
if
there
are
any
zero
day
attacks
for
which
there
isn't
even
information
available,
you're
still
protected
against
them
because
of
the
new
vector
is
implementing
security,
and
you
can
also
do
packet
packet
capture.
B
So
if
there
is
any
forensic
analysis
that
needs
to
be
done
for
any
sort
of
traffic,
you
can
capture
packet
at
the
container
level
and
analyze
them,
and
the
new
vector
also
has
dlp
data
loss
prevention
capabilities.
So
if
you
have
applications
that
are
using
sensitive
data,
like
credit
card
information,
say
social
security
numbers
and
other
numbers
in
our
context,
you
can
create
patent
matching
rules
and
then
new
vector
can
essentially
ensure
that
none
of
that
data
goes
out
of
your
cluster.
B
Now
the
way
new
vector
works
is
pretty
simple.
You
know
it
works
in
three
modes.
When
you
deploy
new
vector
everything
in
the
cluster
is
automatically
placed
in
a
discover
mode.
The
discover
mode
is
used
to
learn
the
process
and
network
behavior
discover
mode.
Is
a
transitionary
state
meant
for
a
short
duration
during
setup?
That
means
any
new
services
will
be
learned,
even
if
other
services
are
either
in
the
monitor
or
protect
mode.
B
When
you
are
ready
to
establish
the
zero
trust
parameter,
you
can
move
to
the
monitor
mode
right.
So
here
this
is
essentially
what
this
discover
mode
is
learning
identifying
how
the
application
is
behaving
and
when
you
have
done
that
for
a
duration,
say,
maybe
a
few
hours
or
a
day
or
a
couple
of
days,
you
can
establish
the
zero
trust
parameter
by
switching
to
the
monitor
mode.
B
B
And
then
the
next
mode
is
the
protect
mode.
It
takes
monitor
mode
to
the
next
level,
because
now
it
starts
applying
the
blocking
rules
to
those
things
that
are
not
learned
or
that
have
not
been
manually
entered
as
approved
rules
or
processes
right
so
now
the
other
beauty
is
in
the
latest
release.
What
we
have
done
is
you
can
even
define
the
rules
for
moving
applications
from
discover
mode
to
monitor
and
then
to
project.
B
It
runs
on
your
cluster
and
it
runs
on
your
cluster
as
continuous.
So
here
I'm
just
going
to
talk
about
the
new
vector
architecture,
how
it
is
deployed
in
the
kubernetes
cluster
and
how
this
architecture
benefits
you.
So
new
vector
will
deploy
four
containers
and
the
first
one
is
called
the
controller.
B
The
controller
acts
as
the
central
command
of
new
vector,
and
it
is
the
one
that
handles
all
the
api
calls
from
all
the
other
components
of
new
vector,
and
it
is
also
the
only
one
that
is
making
api
calls
to
the
kubernetes
api.
Now.
This
is
a
huge
performance
advantage
for
our
users
over
our
competitors,
because
there
are
not
hundreds
of
thousands
of
api
calls
being
made
to
the
kubernetes
api
hurting
performance
right.
B
The
second
component
that
is
part
of
new
vector,
is
called
scanner,
which
is
responsible
for
yeah.
You
guessed
it
scanning
for
vulnerabilities
and
compliance
with
ci
security
benchmarks.
The
scanner
is
proprietarily
built
for
speed
and
accuracy.
Speed.
In
terms
of
you
know,
the
cv
database
is
contained
within
the
container,
so
there
is
no
network
overhead
while
scanning,
and
the
scanners
can
also
scale
horizontally
to
scan
a
larger
number
of
pods
and
also
to
scan
large
registries
and
accuracy,
basically
comes
from
the
fact
that
the
cv
database
is
updated
every
day
from
15
different
sources.
B
B
The
manager
also
has
a
cli
tool
that
can
also
be
used
for
creating
your
own
automation,
steps
and
then
finally,
the
fourth
component
and
the
most
important
one,
is
what
we
call
as
the
enforcer
the
enforcer
container
gets
deployed
as
a
daemon
set.
So
it's
running
on
all
nodes
in
the
container,
and
it
is
the
one
that
inspects
the
network
traffic
and
enforces
security
policies.
B
B
So,
as
you
can
see,
four
different
components
that
form
new
vector
all
of
them
running
as
container
on
your
own
kubernetes
cluster,
and
this
is
the
most
efficient
position
to
inspect
all
network
traffic.
Validate
the
layer,
7
protocol
block
any
attacks
before
connections
are
even
made
and
before
any
processes
can
be
executed.
B
Translates
into
a
very
high
performance
and
a
high
scalability,
even
in
clusters,
approaching
thousands
of
nodes.
In
fact,
one
of
our
vendors
has
actually
done
this
scalability
testing,
where
new
vector
was
able
to
reach
1000
nodes
in
the
cluster
and
most
of
the
computation
couldn't
scale
beyond
200
or
250
nodes
in
the
cluster.
B
New
vector
is
also
easy
to
deploy,
can
be
deployed
in
multiple
ways
via
helm
or
via
cube
control.
You
can
also
completely
automate
the
installation
using
config
maps
and
either
the
entire
installation
can
be
done
in
about
10
to
15
minutes.
So
it's
just
like
apple
deploying
an
application
on
a
cabinet's
cluster
and
for
those
who
are
using
rancher,
it's
even
easier
because
now
from
within
the
rancher
interface,
you
are
able
to
deploy
new
vector
and
you're
able
to
access
new
vector
from
within
the
natural
interface
right.
B
So
so,
while
we
have
looked
at
comprehensively
securing
the
container
landscape
within
the
cluster,
let's
look
at
some
of
the
other
ways
of
securing
the
cube
with
kubernetes
infrastructure.
So
kubernetes
requires
a
comprehensive
pki
in
order
to
coordinate
certificate
generation
and
signing
for
these
communications
r
key,
which
is
our
capabilities.
Distribution,
includes
all
the
automation
tooling
necessary
to
manage
this
process.
B
The
second
aspect
in
terms
of
security,
is
the
authentication
itself
right.
People
are
the
biggest
security
threat,
so
do
not
use
shared
connection
shared
accounts.
You
can
control
access
to
your
kubernetes
clusters
based
on
identities
in
your
own
central
identity
management
system.
This
way
you
can
reduce
the
operational
burden
of
managing
additional
user
databases
and
you
can
apply
rule
based
access
policies
to
known
identities.
B
B
Another
aspect
where
rancher
excels
is
in
providing
a
very
granular
role-based
access
control
mechanism
which
can
be
applied
at
the
global
level,
which
means
across
all
clusters
or
at
individual
cluster
level
or
at
the
project
or
namespace
level.
Rancher
comes,
as
you
can
see,
from
the
screenshot.
Rancher
comes
with
roles
available
out
of
the
box,
and
you
can
also
create
custom
roles.
B
And
then
rancher
also
provides
you
two
different
methods
of
interacting
with
the
kubernetes
api
in
a
downstream
cluster.
The
first
one
is
individually,
that
is,
rancher
has
its
own
inbuilt
authentication
proxy,
and
this
proxy
validates
the
user's
identity
before
connecting
the
user
with
the
downstream
cluster.
Now
there
is
another
option
of
accessing
the
downstream
cluster
directly.
In
this
case,
if
the
downstream
cluster
has
the
authorized
cluster
endpoint
enabled
the
client
request
can
be
authenticated
by
calling
a
webhook
set
up
by
rancher
during
cluster
provisioning.
B
B
And
then,
lastly,
the
rancher
offers
three
different
kubernetes
distributions
each
for
a
specific
purpose,
so
we
have
rke
which
runs
on
docker.
We
have
rk2,
which
runs
on
container
d
and
a
very
lightweight
capability
distribution
called
k3s,
which
again
runs
on
container
d.
Rt
is
derived
from
a
distribution
called
archae
government,
which
essentially
was
developed
to
meet
the
user
u.s
federal
government
requirements.
B
Rk2
is
ranchers
next
generation,
public
distribution.
It
combines
the
benefits
of
both
rke1
and
k3s.
For
from
k3s,
it
inherits
the
usability
ease
of
operations
and
deployment
model
from
rke1.
It
inherits
close
alignment
with
upstream
kubernetes
so
and
to
meet
the
security
goals.
Rke
provides
default,
defaults
and
configuration
options
that
allow
clusters
to
be
to
pass
the
cs:
benchmark
version,
1.5
or
1.6
with
minimal
operator
intervention
and
rp2
also
enables
fips
140-2
compliance.
B
So,
as
you
have
seen,
suse
offers
open,
compress,
open,
comprehensive,
secure
and
interoperable
solutions
are
designed
for
any
kubernetes
environment
through
the
full
life
cycle,
container,
security,
capabilities
of
new
vector,
the
multi
cluster
management,
capabilities
of
venture
and
a
secure
kubernetes
distribution
in
the
form
of
rke2
and
just
to
reiterate,
all
three
are
completely
open
source.
And
if
you
want
a
supported
department,
suse
offers
subscription
support
for
both
new
vector
as
well
as
venture,
and
then
our
key
to
support
gets
covered
under
the
launcher.
Subscription
itself.