Description
Any mission-critical workloads require full lifecycle security coverage. A zero-trust security approach can proactively protect your pipeline, supply chain, test environments and the critical production runtime environment. Container applications, the Kubernetes platform (API service, plugins, service mesh, etc.) and hosts themselves also need to be secured as a full cloud-native stack. This session will focus on open, comprehensive, secure and interoperable solutions designed for any Kubernetes environment. In this session we will explore: (i) Securing the Kubernetes Infrastructure, (ii) Supply Chain Security & (iii) Run-Time Security.
A: All right, yeah, hi everyone. I think we are back with our last session on the dev track, and I have Rahul Krishna with me for this session. So a quick introduction about Rahul: he's an open source technology evangelist, he has been working with SUSE for 18-plus years, and he's a pre-sales architect.
B: Yeah, thank you for the nice introduction. Good afternoon everyone, and I hope you enjoy this session going forward. So I'll just get down to the point. In this session you will see how you can foster secure innovation with your Kubernetes platform by leveraging open, secure, comprehensive and interoperable solutions, right. When we look at the container landscape, there are multiple areas that need to be taken into consideration.
What privileges do the container instances run with? Is the runtime secure enough? Vulnerabilities in the container images, and how you remediate or handle them.
How do you set up the right network policies to protect your applications, and not to forget the node operating system on which everything is running. So it's all about managing the risk across the landscape and, while doing so, how do you make it easy for your developers or operators to implement security in your environment?
Open source, complete container management platform for Kubernetes; it can manage any Kubernetes distribution running anywhere, and it gives you all the tools to do so. And then RKE2 is a CNCF-certified Kubernetes distribution that focuses on security and compliance. All three are completely open source, and SUSE support subscriptions are available for NeuVector and Rancher, while RKE2 comes as part of the Rancher subscription.
Now there are various ways to implement security, and one of the challenges with security is, you know, the ever-changing security landscape, newer and newer threats coming, trying to keep up with it and, at the same time, you know, managing all the complexity that comes along. So the whole aim here is: how do you simplify managing the security landscape? How do you make it easy for your developers and operators, and how can we automate as much as possible, right? So NeuVector was acquired by SUSE last year, in 2021, and at that time it was a proprietary product. Last month, that is May 2022, we have completely open sourced it.
So let's look at NeuVector and how it provides full container security. Security in the container world can largely be segregated into two paradigms: supply chain security and runtime security. Supply chain security primarily covers vulnerability scanning, compliance scanning and admission controls.
Many tools are pretty good in this space, and NeuVector is pretty much on par with them, if not better. Where NeuVector really excels is in the runtime security space. Runtime security comprises not just scanning the containers but also scanning the orchestrator, as well as the host operating system. It also covers threat-based controls and zero trust controls. Now, what exactly do we mean by threat-based controls and zero trust controls?
Threat-based controls always need a signature for matching, right? So they could be like your CVEs, pattern matching for data loss prevention, pattern matching for network attacks and web application firewalls, and your admission control rules. But with threat-based controls you're always dealing with what is known, right? How do you take care of scenarios where you don't even know about the attack, say a zero-day attack or some new vulnerability that has suddenly come up?
You would be able to impose threat-based controls only once you know about the vulnerability, so zero trust controls come to your rescue. Zero trust controls already have a signature for matching: that is your own application behavior.
So what SUSE NeuVector allows you to do is: one, have complete network visibility in your environment; implement zero trust protections; protect against any anomalies in network, process or file access; provide data loss prevention, very useful from a compliance perspective; and yes, we do support air-gapped environments, and it can easily be deployed on any Kubernetes distribution.
Now let's look at how we implement zero trust controls, right, and this is the most interesting piece about NeuVector.
So, as you are aware, inside the Kubernetes cluster there is an explosion of east-west traffic, right, because Kubernetes abstracts away the complexities of all of this container-to-container traffic, and you lose the visibility of this traffic. Other products will tell you what is represented in a manifest file or in iptables, or use pod labels, or will even use kernel shims, say eBPF, to filter out all the send and receive at the kernel level, trying to represent what is happening within the network.
Right, so NeuVector offers you full visibility into both north-south as well as east-west traffic within your cluster, and NeuVector comes with its patented deep packet inspection (DPI) technology that allows you to monitor not just layer 3 and layer 4 traffic, but also understand the layer 7 protocols and the processes that are running inside the container. NeuVector can allow you to block or control traffic between containers running inside a pod. NeuVector can understand more than 35-odd layer 7 application protocols and can protect you against more than 23 different network-based attacks, and NeuVector is the only container security platform using network traffic as its source of truth.
You just deploy your application and NeuVector will automatically learn the behavior. Based on that, NeuVector will automatically generate the policy, both for network and process as well as file access. The same can be exported in the form of security as code, and what this allows you to do is basically provide you zero-day countermeasures. So if there are any zero-day attacks for which there isn't even information available, you're still protected against them because of the way NeuVector is implementing security, and you can also do packet capture.
So if there is any forensic analysis that needs to be done for any sort of traffic, you can capture packets at the container level and analyze them. NeuVector also has DLP, data loss prevention, capabilities. So if you have applications that are using sensitive data, like credit card information, say social security numbers and other numbers in our context, you can create pattern matching rules, and then NeuVector can essentially ensure that none of that data goes out of your cluster.
Now the way NeuVector works is pretty simple. You know, it works in three modes. When you deploy NeuVector, everything in the cluster is automatically placed in discover mode. Discover mode is used to learn the process and network behavior. Discover mode is a transitionary state meant for a short duration during setup. That means any new services will be learned, even if other services are either in monitor or protect mode.
When you are ready to establish the zero trust perimeter, you can move to monitor mode, right. So here, this is essentially what discover mode is: learning, identifying how the application is behaving, and when you have done that for a duration, say maybe a few hours or a day or a couple of days, you can establish the zero trust perimeter by switching to monitor mode.
Now, monitor mode will use the established rules that it learned during the discover phase, as well as the process behavior, and then it will start sending out alerts based on any anomalous behavior that it has detected: so any connection that it doesn't know about from the discover mode, or any process access or file access.
And then the next mode is protect mode. It takes monitor mode to the next level, because now it starts applying the blocking rules to those things that are not learned or that have not been manually entered as approved rules or processes, right. So now the other beauty is, in the latest release, what we have done is you can even define the rules for moving applications from discover mode to monitor and then to protect.
You can define durations and say: okay, any application that comes in or gets deployed on the cluster runs in discover mode for a defined duration, and after that it automatically is switched into monitor mode, again for a defined duration, and then you can also define that it automatically gets switched into protect mode.
So that's another neat thing that is available in NeuVector now.
Right, so yeah, that's just representing all the DNA behavior. Now NeuVector's architecture is also interesting because, as I said, for implementing NeuVector, you know, it doesn't use any injection, it doesn't use any agent or a sidecar.
It runs on your cluster, and it runs on your cluster as containers. So here I'm just going to talk about the NeuVector architecture, how it is deployed in the Kubernetes cluster and how this architecture benefits you. So NeuVector will deploy four containers, and the first one is called the controller.
The controller acts as the central command of NeuVector, and it is the one that handles all the API calls from all the other components of NeuVector, and it is also the only one that is making API calls to the Kubernetes API. Now, this is a huge performance advantage for our users over our competitors, because there are not hundreds of thousands of API calls being made to the Kubernetes API hurting performance, right.
The second component that is part of NeuVector is called the scanner, which is responsible for, yeah, you guessed it, scanning for vulnerabilities and compliance with CIS security benchmarks. The scanner is proprietarily built for speed and accuracy. Speed in terms of, you know, the CVE database is contained within the container, so there is no network overhead while scanning, and the scanners can also scale horizontally to scan a larger number of pods and also to scan large registries. And accuracy basically comes from the fact that the CVE database is updated every day from 15 different sources.
The third container is the manager container, which essentially provides the user interface for NeuVector. Now, it's worth noting that, you see, in NeuVector the NeuVector UI is also being delivered via API calls from the controller. So yes, this means that you can automate and integrate anything into NeuVector via APIs.
The manager also has a CLI tool that can be used for creating your own automation steps. And then finally, the fourth component, and the most important one, is what we call the enforcer. The enforcer container gets deployed as a DaemonSet, so it's running on all nodes in the cluster, and it is the one that inspects the network traffic and enforces security policies.
You will notice that the enforcer is sitting pretty close to the virtual switch box on the cluster node. This is where NeuVector's patented ability to transparently inspect network traffic comes into play. It can collect processes from every container and it can enforce the policies.
So, as you can see, four different components form NeuVector, all of them running as containers on your own Kubernetes cluster, and this is the most efficient position to inspect all network traffic, validate the layer 7 protocol, block any attacks before connections are even made and before any processes can be executed.
This translates into very high performance and high scalability, even in clusters approaching thousands of nodes. In fact, one of our vendors has actually done this scalability testing, where NeuVector was able to reach 1000 nodes in the cluster, and most of the competition couldn't scale beyond 200 or 250 nodes in the cluster.
NeuVector is also easy to deploy; it can be deployed in multiple ways, via Helm or via kubectl. You can also completely automate the installation using ConfigMaps, and the entire installation can be done in about 10 to 15 minutes. So it's just like deploying an application on a Kubernetes cluster, and for those who are using Rancher it's even easier, because now from within the Rancher interface you are able to deploy NeuVector, and you're able to access NeuVector from within the Rancher interface, right.
So, while we have looked at comprehensively securing the container landscape within the cluster, let's look at some of the other ways of securing the Kubernetes infrastructure. So Kubernetes requires a comprehensive PKI in order to coordinate certificate generation and signing for these communications. RKE, which is our Kubernetes distribution, includes all the automation tooling necessary to manage this process.
The second aspect in terms of security is the authentication itself, right. People are the biggest security threat, so do not use shared accounts. You can control access to your Kubernetes clusters based on identities in your own central identity management system. This way you can reduce the operational burden of managing additional user databases, and you can apply rule-based access policies to known identities.
Another aspect where Rancher excels is in providing a very granular role-based access control mechanism, which can be applied at the global level, which means across all clusters, or at the individual cluster level, or at the project or namespace level. As you can see from the screenshot, Rancher comes with roles available out of the box, and you can also create custom roles.
And then Rancher also provides you two different methods of interacting with the Kubernetes API in a downstream cluster. The first one is indirectly, that is, Rancher has its own inbuilt authentication proxy, and this proxy validates the user's identity before connecting the user with the downstream cluster. Now there is another option of accessing the downstream cluster directly. In this case, if the downstream cluster has the authorized cluster endpoint enabled, the client request can be authenticated by calling a webhook set up by Rancher during cluster provisioning.
And then, lastly, Rancher offers three different Kubernetes distributions, each for a specific purpose. So we have RKE, which runs on Docker. We have RKE2, which runs on containerd, and a very lightweight Kubernetes distribution called K3s, which again runs on containerd. RKE2 is derived from a distribution called RKE Government, which essentially was developed to meet the U.S. federal government requirements.
RKE2 is Rancher's next-generation Kubernetes distribution. It combines the benefits of both RKE1 and K3s. From K3s it inherits the usability, ease of operations and deployment model; from RKE1 it inherits close alignment with upstream Kubernetes. So, to meet the security goals, RKE2 provides defaults and configuration options that allow clusters to pass the CIS benchmark version 1.5 or 1.6 with minimal operator intervention, and RKE2 also enables FIPS 140-2 compliance.
So, as you have seen, SUSE offers open, comprehensive, secure and interoperable solutions designed for any Kubernetes environment, through the full lifecycle container security capabilities of NeuVector, the multi-cluster management capabilities of Rancher, and a secure Kubernetes distribution in the form of RKE2. And just to reiterate, all three are completely open source. And if you want a supported deployment, SUSE offers subscription support for both NeuVector as well as Rancher, and then RKE2 support gets covered under the Rancher subscription itself.
And then, before I leave, I would like to invite you all to join the SUSE and Rancher community. It's a place where you can develop your knowledge, you can develop your hands-on skills, you can network with the others in the community.
Every month you can explore a new theme that's supported by a wide variety of content, including guest speakers, training classes, office hours and more, and you can join. You can invite your peers, you can invite your partners, you can invite your prospects; it's open for everyone.
The URL is community.suse.com, and also remember to join the Slack network that Rancher runs.
This is a community network, so you can simply go to slack.rancher.io and join the network to get the latest information on both Rancher and NeuVector. And if you want to participate in NeuVector, or if you want to try out NeuVector, I would recommend you to visit the documentation site, open-docs.neuvector.com, and you will find complete instructions on deploying NeuVector and how you can deploy it on various different Kubernetes distributions. All the NeuVector images, as well as the Rancher images, are hosted on Docker Hub. And one thing that I should not forget to mention is that there is no feature difference between the free version and the paid subscription version, right.
It's just a difference in the support services that you get. Otherwise the software remains the same, right, and with that I would like to conclude my session.