From YouTube: Kubernetes cluster security and network observability
Description
In this session, we will review the steps required to secure a Kubernetes cluster and establish network observability.
Topics that will be covered in this session:
* Understand Kubernetes Cluster Architecture
* Namespace isolation
* Role Based Access Control
* Policy design
* Networking flow logs
* Calico, fluent-bit integration
Previous sessions can be found at:
https://www.youtube.com/@ProjectCalico/streams
https://github.com/frozenprocess/calico_live
Like to learn more about Kubernetes?
https://github.com/frozenprocess/Tigera-Presentations
Hands-on Kubernetes workshops
https://www.tigera.io/tutorials/
#kubernetes #cncf #k8s #policy
Everyone, let me... Apologies, there was a mix-up and some technical difficulties with the live event link, the previous one, so I had to create a new one. All right, so today apparently we're talking about Kubernetes cluster architecture, namespace isolation, role-based access control (RBAC), all right, policy design. Right, I don't know about you, but I'm gonna learn some stuff, all right. So let me figure out where...
Right, so in our last session we talked about containers, we created a cluster, and we figured out how these workloads and cluster components can talk to each other. Well, now that we know how to...
In Kubernetes, there are nodes that have different roles. The control plane is the brain of the operation. It hosts components such as the cloud controller manager or the controller manager.
Nodes, on the other hand, run a kubelet process, which is a way to send information to the API manager, to the API server, and talk with the control plane about the things that they are doing.
So all these components that I talked about need to talk to each other in one way or another. For instance, the kubelet on the node side uses a TCP port in order to communicate with the API server.
Now don't worry about the ports and stuff, we're gonna dig into it in a minute, but the whole idea is that everything can talk to each other, so the orchestrator, which is Kubernetes, can deploy your workloads and figure out what needs to be done in order for you to have your awesome workload running. Now...
Here, no, so now I should be able to, yep, connect to my cluster. All right, we talked about this. Our cluster is not ready. Well, the problem is that we don't have a CNI. If you want to know how I know it, please watch the previous session, in which we talk about this in detail, and there is also a workshop that you can complete in order to figure it out.
If you remember, the Tigera operator is the brain of the operation. It will be your friend in order to install Calico: you instruct it what you need and the Tigera operator takes care of the business, and, you know, the operator configures everything and deploys the...
...that we're gonna need the Calico manifest. So in order to get the Tigera operator manifest, you can go to the documentation website.
Now, after it is installed, we're gonna do something else as well. All right! So right now our cluster is using public image repositories from the internet. Now, how do I know that? Well, the installation manifest for the Tigera operator: if you look at it a little bit closely, you can see the image repository is Quay. Now, since we are going to secure this cluster, it would be way better to host everything on our own private repository. So let me just quickly spin up another VM, and that would play the role of repository for us.
All right, so docs.tigera.io, it's all you need, depending on what version of Calico you're running: open source, Enterprise, which has a lot of features, and Calico Cloud, which offers more features. Select your variation, then install Calico, Kubernetes, and Quickstart, you'll...
Note another VM, the private repo, which will host our images. All right. So one thing to mention: in order to send our images to the repository, I need to add the image.
Oh, I need to add the images, sorry, push the images to the repository, which is going to be with my local Docker. Now, in order to push them, I would also need to make some modifications to my local Docker. You would have to do the same if you are using a private certificate for your Docker, for your private repository. As you can see, Docker tried to push, but due to its configuration it wasn't able to do this. Now, the fix is...
All right, so similar to Kubernetes, Calico has a lot of components.
This is the component architecture. Now in here, these are the, whoa, so these are the different components that are in play when you install Calico, and depending on which features you turn on, these would be running in your cluster. For instance, if you're using BGP, then BIRD would talk to either other routers or other nodes. It depends on your configuration, but anyway, these are all the things that you would need in order to figure out what...
...inside your cluster. But again, I'm getting ahead of myself; we'll talk about everything in a minute, and we will write policies that hopefully work, all right. So after...
Right, so now that it's trying to push all the components, let's talk about the components. So the first one is Typha. Typha is similar to a database cache, so it communicates with the API server and all your Calico nodes will talk to Typha instead of the API server.
Instead, Typha would talk to the API server, and all Calico nodes would securely talk to Typha in order to get their own... the information required. The next one is kube-controllers. Well, kube-controllers is a Prometheus sort of information exporter that gives you information about the stuff that is running inside Calico, for instance how many pods are running, or what is the number of policies that are in effect in your cluster.
I can actually show you, so all right, so multipass shell node.
All right, so it's /etc/net.d, sorry, /etc/cni/net.d, yeah, here, stuff that would go in here, and it will also populate...
Right, so we'll come back to this. I need to install Calico, but these are CNI, where is it, so CNI is those files, the CNI plugins and everything that you would need.
The other one is node-driver-registrar, which would be everything that we would need in order to communicate with the node CSI. CSI is the file system driver, in order to offer a way to interact with the file system. If you remember from the previous session, Calico would call on CSI, and not the crime scene investigator but the file system, and it would communicate with your underlying file system.
The other one is pod2daemon, which is FlexVolume. This is a deprecated version of file system; CSI is the successor, so we're not worried about that. This is removed in the later versions, as it is not supported anymore by Kubernetes. Calico API server, which is something interesting.
Overview: it's an HTTP server that allows you to interact with the Calico API groups and all the stuff that we store in the datastore. So if you're a DevOps engineer, or you want to automate something, this is the place to look; there's actually an API.
All right, let's get out of this one. Now I need to install Calico. Let's go to the next step. Oh, by the way, if you...
I've mentioned the Tigera operator, so what I did was just, like, inside my installation manifest I asked the Tigera operator to install everything from the private registry. That's all you need to do, just like, bam, everything goes together.
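Editor's added example (not part of the session and not a Tigera file): an operator Installation that pulls every Calico component image from a private registry, which is what the session describes doing. The registry host, the pull-secret name and the pod CIDR are assumptions.

```yaml
# Added example. Assumed values: registry host registry.example.internal:5000,
# pull secret private-registry-creds, pod CIDR 192.168.0.0/16.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  # Every component image is pulled from here instead of the default quay.io.
  # The operator requires the value to end with a slash; image paths and tags are unchanged.
  registry: registry.example.internal:5000/
  # The secret must exist in the tigera-operator namespace; the operator copies it
  # into the namespaces it creates (calico-system, calico-apiserver, ...).
  imagePullSecrets:
    - name: private-registry-creds
  calicoNetwork:
    ipPools:
      - cidr: 192.168.0.0/16
        encapsulation: VXLANCrossSubnet
        natOutgoing: Enabled
---
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
  name: default
spec: {}
```

Two checks that go with this: if the private registry uses its own CA, the pushing Docker daemon (and each node's container runtime) needs that CA installed, for Docker at /etc/docker/certs.d/registry.example.internal:5000/ca.crt, rather than the registry being listed as insecure; and after the operator reconciles, `kubectl get pods -n calico-system -o jsonpath='{.items[*].spec.containers[*].image}'` should show only private-registry image references, with nothing left pointing at quay.io.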
Right, so the next step would be...
...architecture, hopefully namespace isolation. If you've got any questions, by the way, just shoot them in the chat. Hopefully I know the answer, but with my experience I usually don't. However, I can get someone, like, brighter to answer you.
Now, all right, namespace isolation. If you remember, in our previous session I talked about namespaces, so pretty much all you need to do is just create...
Create your namespace, that's all it is. Now, when I talk about namespace isolation, it is not on a networking level, it is on an application sort of layer, so your applications will be confined to this namespace if you add the namespace in your workload manifests. Now, in terms of RBAC...
RBAC is the way that Kubernetes, it is the default way that most Kubernetes clusters try to permit or deny, or see how permissions are done, and try to apply them to your cluster resources. So, for instance, if I want to deploy a monitoring solution, I would create a cluster role, which would be a role that would affect my cluster as a whole, so I don't need to go to each node in order to create a permission.
...expect to access and how you want to access them. For instance, here my cluster role wants to access all the API groups, but the only thing that it needs to communicate with is /metrics, which is the default way for applications that are using Prometheus to export their information. Now, because "API groups of all sorts" is a little bit loose, we tie this cluster role to certain resources: so all API groups, however only endpoints, services and pods. Now the next step would be creating service accounts.
Right, so the cluster role binding is telling Kubernetes, for the cluster role that we created, which was calico-prometheus-user, the stuff that can use it are service accounts with this name and in this namespace. After you create this, you have actually interacted with RBAC: you created a user, a role, and glued these together, and now you can use this name or service account for your workloads.
How we can see it, there is a... the blog, so basically I go through the steps that you need to...
I go through all the steps that you need to pass in order to get this infrastructure in place. You will have a security thing, a security team, which has access to write or modify all your Kubernetes and Calico policies, and you would have three teams that can interact only within their own namespaces.
So with this setup, you can actually have separation of power, and each team can start writing their own network policies depending on their application or the workloads that they are developing or operating or maintaining, and you would be the one that sets the actual theme of the cluster, like what are the things that are permitted or not.
So if somebody goes off and tries to, I don't know, create a workload that talks more than it's supposed to, your overall cluster roles would deny it anyway. All the commands and everything are in there, but again I'm getting ahead of myself. So let's come back to our own journey.
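Editor's added example of the RBAC objects the session walks through; these are not the session's own manifests. The first part follows the transcript: a ClusterRole for /metrics plus endpoints, services and pods, a ServiceAccount, and a ClusterRoleBinding named calico-prometheus-user. The second part is the separation the session then sketches: a cluster-wide role for a security team that owns every Kubernetes and Calico policy object, and a namespaced Role for one workload team that can only write policy inside its own namespace. The monitoring namespace, the team namespace and the group names are assumptions. One tightening over the spoken version: endpoints, services and pods live in the core API group, so the rule names that group ("") instead of every group.

```yaml
# Added example. Assumed names: namespace monitoring, service account prometheus,
# team namespace team-a, groups security-team and team-a-devs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-prometheus-user
rules:
  # Read-only target discovery, limited to the three resources Prometheus needs.
  - apiGroups: [""]
    resources: ["endpoints", "services", "pods"]
    verbs: ["get", "list", "watch"]
  # /metrics is not a resource; it is a non-resource URL served by the API server.
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-prometheus-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-prometheus-user
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: monitoring
---
# Security team: cluster-wide authority over policy objects and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: policy-admin
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["*"]
  # Calico resources are served through the Calico API server (projectcalico.org group).
  - apiGroups: ["projectcalico.org"]
    resources: ["networkpolicies", "globalnetworkpolicies", "networksets", "globalnetworksets"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: policy-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: policy-admin
subjects:
  - kind: Group
    name: security-team
    apiGroup: rbac.authorization.k8s.io
---
# One workload team: a Role, not a ClusterRole, so the grant cannot leave team-a.
# GlobalNetworkPolicy is cluster-scoped and therefore cannot be granted by any Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-policy-editor
  namespace: team-a
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["projectcalico.org"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-policy-editor
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: team-policy-editor
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
```

Verify the boundary rather than trusting the YAML: `kubectl auth can-i create networkpolicies.projectcalico.org -n team-a --as=someone --as-group=team-a-devs` should answer yes, the same command with `-n team-b` should answer no, and `kubectl auth can-i create globalnetworkpolicies.projectcalico.org --as=someone --as-group=team-a-devs` must answer no, since that is the object the security team uses to set the cluster-wide rules a team cannot override.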
And this part, which is policy design, is going to take a lot of time, I'm assuming. Now, what is, how can I describe policy design? All right, so policy design: whenever you are using Kubernetes, there are multiple resources inside your cluster and outside your cluster. Now you need to figure out what resource needs to talk to what other resources, and you need to basically tune your policies in order to only permit the things that need to be permitted and deny everything else.
So this is the path to zero trust. Just to clarify, writing the perfect policies will not be achieving zero trust; zero trust has multiple steps. For instance, you need, I don't know, two-factor authentication, I don't know, biometric authentication, all sorts of things that can secure your environment. However, this would be one of the steps in order to achieve zero trust. Now, sorry. All right, so where was I? Policy, now.
When you are trying to write policies with any CNI, you would have, I'm assuming, multiple options. One of the options is Kubernetes network policies. Now, Kubernetes network policies are a great tool to secure stuff, but they have some limitations, and in order to figure out Kubernetes...
Let's say we want to do something that is not possible with Kubernetes network policies. Well, a plug-in CNI like Calico would allow you to write more complicated policies.
With any... this can actually be conveyed to Kubernetes by the header of your manifest that you are trying to execute. For instance, a Kubernetes policy uses the networking.k8s.io/v1 API version, and the kind is NetworkPolicy.
Calico offers a NetworkPolicy resource and a GlobalNetworkPolicy resource. The NetworkPolicy resource works in namespaces, and a GlobalNetworkPolicy works for your cluster as a whole. Now the network policy that Calico offers has better utilities that allow you to pinpoint what traffic needs to be either permitted or blocked.
Now each policy that you write will have a rule or multiple rules. These rules will affect either your ingress traffic, which is incoming, or outgoing, which is egress. So when I talk about incoming and outgoing, it depends on your perspective.
For instance, if you're working with a workload, then your ingress and egress are with respect to the perspective of that workload. If you're talking about the host, then your ingress and egress are with the perspective of that host. Now, we'll get into that in a minute, but this is basically what you need to...
Now, when you're using Calico policies, one of the things that is an addition, which is not present, which is not possible with Kubernetes policies, is the order number. Now the order number is a way for you to tell your policy engine, Calico,...
...what policy needs to be looked at with what priority. For instance, if you want to deny everything, you can create a policy with the order of 10; then all other policies that happen after it would no longer work, because you have a specific match and everything would be denied anyway.
Since my environment is a test environment, I'm gonna, first of all, create a fail-safe. Now my fail-safe would be a GlobalNetworkPolicy that would, sorry, affect the whole cluster. Not explicitly; I'm creating a final allow-everything, and I want it to be at the bottom of my policy evaluation, and I need it to allow everything.
Now the next step would be securing my namespaced resources. Again, when you're thinking about a cluster, there are resources that are namespaced. These are your workloads...
...and endpoints, services: these are in namespaces. Even if you create a workload without a namespace, it would go to the default namespace. So in order to do that, all I need to do is to create a GlobalNetworkPolicy that uses namespaceSelector. Calico...
This is a Calico attribute which says everything that has a name should be included, so every traffic flow that happens inside the cluster, if it is coming from a namespace, then I want to do something to it. Now, if you remember, I talked about the rules. Now, what are my rules? I've got two sorts of rules for this policy: one is for the incoming, the other one is for the outgoing. Now...
I have, I've got, like, workloads that need to communicate with the DNS server or some other sort of services to just, you know, run. So here for my egress I'm actually adding a rule, you know, and I'm saying, you know what, I want to deny all the egress traffic; however, make an exception. Now, explicitly allow everything that is happening on the UDP protocol on port 53 and is going to k8s-app kube...
So inside my cluster, if a pod wants to talk to the CoreDNS pods, which are in charge of DNS, allow them, as you can see there.
No X on this flow, so it could be namespace A, namespace B, it could be on another node. We don't care, as long as it's happening and it's going to the DNS pods, allow them. So how did I do it? I did it with this explicit allow. Now, every other thing that is going to happen in a namespace, or for a namespaced resource, deny it. So what does that mean?
If my pod wants to talk to another pod in a namespace, deny it. As you can see, there is only one permit here. If my pod wants to talk to the internet, deny it. If the internet is trying to get to my pod, deny it. So with one policy we basically secured almost everything. Now, why did I say almost everything?
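Editor's added example, not the session's files: the two GlobalNetworkPolicies described above written out, with Calico order numbers so the namespaced lockdown is evaluated before the fail-safe. One addition beyond the transcript: Calico polices both ends of a flow, and the CoreDNS pods are themselves namespaced, so the egress exception towards them only works if they also get a matching ingress exception; that rule is included and marked. Order values are assumptions; the kube-dns label and the kube-system namespace are the usual CoreDNS defaults.

```yaml
# Added example. Lower order is evaluated first; the first matching Allow/Deny rule decides.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaced-lockdown
spec:
  order: 100
  # Every endpoint that belongs to a namespace, i.e. pods. Host endpoints carry no
  # namespace label and are therefore not selected by this policy.
  namespaceSelector: has(projectcalico.org/name)
  types:
    - Ingress
    - Egress
  ingress:
    # Added beyond the transcript: the DNS exception must exist at the receiving end too.
    - action: Allow
      protocol: UDP
      source:
        namespaceSelector: has(projectcalico.org/name)
      destination:
        selector: k8s-app == "kube-dns"
        ports: [53]
    - action: Deny
  egress:
    # The one exception the session makes: UDP/53 to the cluster DNS pods, on any node.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    - action: Deny
---
# Test-environment fail-safe: sits at the bottom of evaluation and allows everything
# that no earlier policy decided.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: failsafe-allow-all
spec:
  order: 10000
  selector: all()
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
  egress:
    - action: Allow
```

The explicit Deny at the end of each rule list is what makes the lockdown work: Calico only drops traffic when a rule says so or when every applicable policy has been evaluated without a match, so without those Deny rules a pod's traffic would fall through the lockdown and be allowed by the fail-safe. Test both outcomes from a scratch pod, for example `kubectl run -it --rm probe --image=busybox -- nslookup kubernetes.default` should resolve while a `wget` to another pod's IP should time out. Expect collateral damage from a policy this broad: control-plane pods in kube-system and the Calico API server pods are namespaced too, and each of them needs its own lower-order exception, which is exactly what the session goes on to write for the Calico API server.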
The host processes. If I come to one of the nodes and do a ps, so everything that is running here is, sorry, most of the things that are running here are not seen as namespaced. These are...
These are processes that are running on the host. Everything that you create in your Kubernetes cluster and add a hostNetwork tag to it, that will be something that would run on the host, so...
For instance, port 6444: this is kube-apiserver, if I'm correct. Port 9099, I'm assuming this is some sort of metric for Calico, but we'll get to that in a minute. But again, all these things are on my local host, not inside my cluster, and these are using ports, and these are talking to other stuff either inside my cluster or somebody outside my cluster, and I have no clue how to secure...
...at the moment, with the namespace policy. So now what I need to do is figure out a way to add these resources to my namespaces, or find a glue for addressing these.
So for this part, you need to turn on host endpoint policies. Host endpoint policies are a way to glue your policies to non-namespaced resources. All right, so let's get started. I'm gonna write another policy. Now in this one I'm gonna tweak some of the stuff. So again, this is a GlobalNetworkPolicy; apparently I want it to affect everything in my cluster, so all the nodes, but the selector this time is kubernetes.io/os. Now this might be familiar to you. Where have you seen it?
It took some tries, but I found it, so I'm saying to my policy engine, Calico: if you see traffic and it has this label on, doesn't matter what the second part is, I'm just interested in the first part, that is traffic that I want to do something to. Now, what I want to do is I want to specifically allow both incoming and outgoing for that traffic to my localhost IP addresses. What are localhost IP addresses?
...by the k3s server, which is my Kubernetes distro binary. Now...
A localhost socket is created for a Calico node. Now you might be asking... Policy, now the policy, so with...
Now, we only used GlobalNetworkPolicies, which is the whole cluster. Now, from time to time you need to be more specific, and for a policy what is actually important is for you to be as specific as you can be. Now here I'm creating a NetworkPolicy, which is a namespaced one; I want it to affect the Calico API server. If you remember, I'm sure that the DevOps engineers in the stream wrote it down, this is the gateway for everything.
Now, how can I do that? Well, similar to the GlobalNetworkPolicy, I write a selector, which is: in all these traffic flows, if the destination is this resource, which we examined, this is my node, a node with a label that has kubernetes.io/os...
...and if the port is 6443. So this is for the Calico API server to talk to my Kubernetes API server. Now there is a secret sauce that you need to add for these particular policies, which go from a namespaced resource to a non-namespaced resource, and that is namespaceSelector: global().
This basically tells the policy engine that you need to figure out a way for these two things from different worlds to talk to each other; I don't care how you do it, just do it. And with that, we're gonna come back to the...
Here is the visual representation of the policy. So inside a cluster, my nodes have a namespace, calico-system. So if a pod that has this label in the calico-system namespace tries to send out, we're talking with the perspective of that pod, so egress, tries to send out a packet or a stream or a flow to kube-apiserver on port 6443.
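Editor's added example (not the session's files) for the host-endpoint part above: turning on auto-created HostEndpoints so node traffic can be policed at all, the node-level GlobalNetworkPolicy selected with has(kubernetes.io/os), and the namespaced NetworkPolicy that lets the Calico API server pods reach kube-apiserver on 6443 through namespaceSelector: global(). The order numbers and the calico-apiserver pod label are assumptions; the namespace the API server pods run in differs between Calico versions, so put the NetworkPolicy wherever `kubectl get pods -A -l k8s-app=calico-apiserver` reports them (the session's diagram shows calico-system).

```yaml
# Added example. Assumptions: order values, pod label k8s-app=calico-apiserver,
# API server pods in calico-system.
apiVersion: projectcalico.org/v3
kind: KubeControllersConfiguration
metadata:
  name: default
spec:
  controllers:
    node:
      hostEndpoint:
        # One HostEndpoint per node, covering all of its interfaces. It inherits the
        # node's labels, which is why node labels like kubernetes.io/os work as selectors.
        autoCreate: Enabled
---
# Node (host) perspective: allow the loopback traffic the session points at on each node.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: node-localhost
spec:
  order: 50
  # Every node carries kubernetes.io/os; only the key is tested, the value is ignored.
  selector: has(kubernetes.io/os)
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      source:
        nets:
          - 127.0.0.0/8
  egress:
    - action: Allow
      destination:
        nets:
          - 127.0.0.0/8
---
# Namespaced policy whose destination is a non-namespaced resource (the nodes' HostEndpoints).
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: calico-apiserver-to-kube-apiserver
  namespace: calico-system
spec:
  order: 20                                  # lower than a namespaced lockdown, so it wins
  selector: k8s-app == "calico-apiserver"    # assumed pod label
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        # global() is the bridge: without it a selector in a NetworkPolicy only
        # matches endpoints in the policy's own namespace.
        namespaceSelector: global()
        selector: has(kubernetes.io/os)
        ports:
          - 6443
```

Before switching on host endpoints, know the safety net: Felix keeps its failsafe ports open regardless of policy (by default the inbound list includes TCP 22, 179, 2379, 2380, 5473 and 6443), so a mistaken host policy does not lock you out of SSH or the API server, but everything outside that list on a node is subject to whatever the host policies decide. Confirm the endpoints actually exist with `calicoctl get hostendpoints` before writing policy that relies on the node labels, and use the flow logs the session moves on to next to find the host-to-pod flows (kube-apiserver calling the Calico API server, kubelet probes) that still need their own exceptions.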
For the last session, and this session, after I'm done I'm going to add a recap with all the commands and stuff and explanations that I gave, and hopefully for the next session we will get back to...