►
From YouTube: Kubernetes cluster security and network observability
Description
In this session, we will review the steps required to secure a Kubernetes cluster and establish network observability.
Topics that will be covered in this session:
* Understand Kubernetes Cluster Architecture
* Namespace isolation
* Role Based Access Control
* Policy design
* Networking flow logs
* Calico, fluent-bit integration
Previous sessions can be found
https://www.youtube.com/@ProjectCalico/streams
https://github.com/frozenprocess/calico_live
Like to learn more about Kubernetes?
https://github.com/frozenprocess/Tigera-Presentations
Hands-on Kubernetes workshops
https://www.tigera.io/tutorials/
#kubernetes #cncf #k8s #policy
B
A
A
D
C
B
C
A
B
B
B
A
A
B
B
Here,
no
so
now
I
should
be
able
to
yep
connect
to
my
cluster.
All
right,
we
talked
about
this.
Our
cluster
is
not
ready.
Well,
the
problem
is
that
we
don't
have
a
cni
if
you
want
to
know
how
I
Know
It.
Please
watch
the
previous
session,
which
we
talk
about
this
in
details,
and
there
is
also
a
workshop
that
you
can
complete
in
order
to
figure
out.
B
A
B
B
B
Public
Image
repositories
from
the
internet.
Now,
how
do
I
know
that?
Well
the
installation
manifest
for
Tiger
operator.
If
you
look
at
it
a
little
bit
closely,
you
can
see
the
image
repository
is
Qui.
Now,
since
we
are
going
to
secure
this
cluster,
it
would
be
way
better
to
host
everything
on
our
own
private
repository.
So
let
me
just
quickly
spin
up
another
VM,
and
that
would
play
the
role
of
repository
for
us.
D
B
A
B
A
B
B
Oh
I
need
to
add
the
images.
Sorry
push
the
images
to
repository,
which
is
going
to
be
with
which
is
going
to
be
with
my
local
docker
now
in
order
to
push
them.
I
would
also
need
to
make
some
modifications
to
my
local
Docker.
You
would
have
to
do
the
same
if
you
are
using
a
private
certificate
for
your
Docker
for
your
private
repository
as
you
can
see,
Docker
tried
to
push,
but
due
to
its
configuration,
it
wasn't
able
to
do
this
now.
The
fix
is.
B
C
B
B
This
is
the
component
architecture
now
in
here
these
are
the
whoa,
so
these
are
the
different
components
that
are
in
play
when
you
install
Calico
and
depending
on
which
feature
did
you
turn
on
these
would
be
running
in
your
cluster,
for
instance,
if
you're
using
bgp,
then
bird
would
talk
to
either
other
Road,
routers
or
other
notes.
It
depends
on
your
configuration,
but
anyway,
these
are
all
the
things
that
you
would
need
in
order
to
figure
out
what.
B
A
B
B
B
Instead,
taifa
would
talk
to
the
API
server
and
all
calico
nodes
would
securely
talk
to
typha
in
order
to
get
their
own.
The
information
required
next
one
is
Cube
controllers.
Well,
Cube
controllers
is
a
Prometheus
sort
of
information
export
that
gives
the
gives
you
information
about
the
stuff
that
are
running
inside
Calico,
for
instance,
how
many
pods
are
running
or
what
is
like
how?
What
is
the
number
of
policies
that
are
in
effect
in
your
cluster?
A
B
A
C
E
A
B
D
D
A
B
B
The
other
one
is
no
driver
register,
which
would
be
everything
that
we
would
need
in
order
to
communicate
with
the
node
CSI.
Is
the
file
system
driver
in
order
to
offer
a
way
to
interact
with
the
file
system?
If
you
remember
from
the
previous
session,
Calico
would
call
on
CSI
and
not
the
crime
scene
investigator,
but
the
file
system,
and
it
would
communicate
with
your
underlying
file
system.
B
B
B
B
A
B
B
E
B
D
B
B
Create
your
name
a
space:
that's
all
it
is
now
when
I
talk,
name
and
space
isolation,
it
is
not
on
a
networking
level,
it
is
on
an
application
sort
of
layer,
so
your
applications
will
be
confined
to
this
name
space.
If
you
add
them,
if
you
add
the
name,
space
in
your
workload
manifests
now
in
terms
of
our
back.
B
Our
back
is
the
way
that
kubernetes
is
the
default
way
that
most
kubernetes
clusters
try
to
permit
or
deny
or
or
see
how
permissions
are
done
and
try
to
apply
them
to
your
res
to
your
cluster
resources.
So,
for
instance,
if
I
one
two
deploy
a
monitoring
solution,
I
would
create
a
cluster
role,
which
would
be
a
row
that
would
affect
my
cluster
as
a
whole.
So
I
don't
need
to
go
to
each
note
in
order
to
create
a
permission.
B
D
B
Accept
access
and
how
you
want
to
access
them.
For
instance,
here
my
cluster
role
wants
to
access
all
the
API
groups,
but
the
only
thing
that
it
needs
to
communicate
with
is
slash
metrics,
which
is
the
default
way
for
applications
that
are
using
Prometheus
to
export
their
information.
Now,
because
API
groups
of,
like
all
sorts,
is
a
little
bit
loose,
we
tie
this
cluster
roll
to
certain
resources,
so
all
API
groups,
however
only
endpoints
services
and
pause
now
next
stop
would
be
creating
service
accounts.
B
E
B
A
E
B
Right
so
the
cluster
roll
binding
is
telling
kubernetes
for
the
cluster
role
that
we
created,
which
was
Calico
Prometheus
user
stuff
that
can
use.
It
are
service
accounts
with
this
name,
and
in
this
name
space
after
you
create
this.
You
actually
interacted
with
your
back.
You
created
a
user
row
and
glued
these
together,
and
now
you
can
use
this
name
or
service
account
for
your
workloads.
A
B
I
go
through
all
the
steps
and
then
you
need
to
pass
in
order
to
get
this
infrastructure
in
place.
You
will
have
a
security
thing,
a
security
team
which
has
access
to
right
or
modify
all
your
kubernetes,
kubernetes
and
Calico
policies,
and
you
would
have
three
three
themes
that
can
interact
only
within
their
own
namespaces.
B
So
what
this
setup?
You
can
actually
have
separation
of
power,
and
each
team
can
start
writing
their
own
network
policies
depending
on
their
application
or
workloads
that
they
are
developing
or
operating
or
maintaining,
and
you
would
be
the
one
that
sets
the
actual
theme
of
the
cluster
like
what
are
the
things
that
are
permitted
or
not.
B
A
B
And
this
part,
which
is
policy
design,
is
going
to
take
a
lot
of
time
I'm
assuming
now.
What
is?
How
can
I
describe
positive
design
all
right,
so
policy
design
whenever
you
are
using
kubernetes?
There
are
multiple
resources
inside
your
cluster
and
outside
your
cluster.
Now
you
need
to
figure
out
what
needs
to
what
resource
needs
to
talk
to
what
resource,
what
other
resources
and
you
need
to
basically
tune
your
policies
in
order
to
only
permit
the
things
that
needs
to
be
permitted
and
deny
everything
else.
B
So
this
is
path
to
zero
trust.
Just
clarify
writing
the
perfect
policies
will
not
be
achieving
zero
trusts
or
a
trust
has
multiple
steps.
For
instance,
you
need
to
I,
don't
know
two-factor,
authentication,
I,
don't
know
biometric
authentication,
all
sorts
of
things
that
can
secure
your
environment.
However,
this
would
be
one
of
the
steps
in
order
to
achieve
zero
trust.
Now
sorry,
foreign.
B
B
B
E
B
Calico
offers
a
network
policy
resource
and
a
Global
Network
policy
resource
the
network
policy,
resource
Works
in
name
spaces
and
a
Global
Network
policy
works
for
your
cluster
as
a
whole.
Now
the
network
policy
that
Calico
offers
has
better
utilities
that
allows
you
to
pinpoint
what
traffic
needs
to
be
either
permitted
or
blocked.
B
B
For
instance,
if
you're
working
with
a
workload,
then
your
Ingress
and
egress
are
respective.
With
the
perspective
of
that
workload,
if
you're
talking
about
the
host,
then
your
Ingress
and
egress
are,
with
the
perspective
of
that
host,
now
we'll
get
into
that
in
a
minute.
But
this
is
basically
what
you
need
to.
E
B
E
B
Since
my
environment
is
a
test
environment,
I'm
gonna,
first
of
all
create
a
Fail-Safe.
Now
my
fail
Seth,
my
failsafe
would
be
Global
Network
policy
that
would
sorry
to
affect
the
whole
cluster,
not
explicitly
I'm.
Creating
a
final
allow.
Everything
and
I
wanted
to
be
at
the
bottom
of
my
policy
evaluation
and
I
needed
to
allow
everything.
B
B
B
This
is
a
Calico
attribute
which
is
set,
which
says
everything
that
has
a
name
should
be
included,
so
every
traffic
flow
that
happens
inside
the
cluster.
If
it
is
coming
from
an
amospace,
then
I
want
to
do
something
to
it.
Now,
if
you
remember,
I
talked
about
the
rules
Now.
What
are
my
rules?
I've
got
two
sort
of
rules
for
this
policy.
One
is
for
the
incoming
the
other
one
is
for
the
outgoing
now.
B
A
B
B
B
A
B
B
E
D
B
No
X
on
this
flow,
so
it
could
be
namespace.
A
name
is
just
B.
It
could
be
on
another
node.
We
don't
care
as
long
as
it
as
it's
happening,
and
it's
going
to
the
DNS
Parts
a
lot
of
them.
So
how
did
I
do
it
I?
Did
it
with
this
explicit
ola
now,
every
other
thing
that
that
is
going
to
happen
in
a
name
space
of
or
for
a
name
is
based
resource
deny
it.
So
what
that
means?
B
If
my
pod
wants
to
talk
to
another
pod
on
a
name,
space
deny
it
as
you
can
see,
there
is
only
one
permit
here.
If
my
pod
wants
to
talk
to
internet
deny
it
if
the
internet
is
trying
to
get
to
my
pod
deny
it
so
what
one
policy
be
basically
secured,
almost
everything
now,
why
did
I
say
almost
everything?
B
B
B
B
For
instance,
Port
6444:
this
is
Cube
API
server
if
I'm
correct,
Port,
1999,
90,
99
I'm,
assuming
this
is
some
sort
of
metric
for
Calico,
but
we'll
get
to
that
in
a
minute.
But
again,
all
these
things
are
on
my
Local
Host,
not
inside
my
cluster,
and
these
are
using
ports,
and
these
are
talking
to
other
stuff
either
inside
my
cluster
or
somebody
outside
my
cluster
and
I
have
no
clue
how
to
secure.
D
B
So
for
this
part,
you
need
to
turn
on
host
endpoint
policies.
Host
endpoint
policies
are
a
way
to
glue
your
policies
to
non-name-based
resources.
All
right.
So,
let's
get
started.
I'm
gonna
write
another
policy
now
in
this
one,
I'm
gonna
tweak
some
of
the
stuff.
So
again,
this
is
a
Global
Network
policy.
Apparently
I
wanted
to
affect
everything
in
my
cluster,
so
all
the
nodes,
but
the
selector
this
time
is
kubernetes
io-os.
Now
this
might
be
familiar
to
you.
Where
have
you
seen
it?
E
B
If
you
see
a
traffic
and
it
is
it,
has
this
label
on
doesn't
matter
what
is
the
second
part
I'm
just
interested
in
the
first
part,
that
is
a
traffic
that
I
want
to
do
something
to
it
now.
What
I
want
to
do
is
I
want
to
specifically
allow
both
incoming
and
outgoing
for
that
traffic
to
my
local
host
IP
addresses
what
are
localhost
IP
addresses.
B
E
C
A
A
A
B
E
B
B
Now
we
only
used
Global
Network
policies,
which
is
the
whole
cluster
now
from
time
to
time,
you
need
to
be
more
specific
and
for
a
policy,
what
is
actually
important
is
to
for
you
to
be
as
specific
as
you
can
be
now
here:
I'm,
creating
a
network
policy
which
is
a
namespaced
one,
I
want
it
to
affect
Calico
API
server,
if
you
remember
I'm
sure
that
devops
engineers
in
the
Stream
wrote
it
down.
This
is
the
Gateway
for
everything.
B
B
B
B
Here
is
the
visual
representation
of
the
policy,
so
inside
a
cluster,
my
notes
have
a
name
is
Place
Calico
system.
So
if
a
pod
that
has
this
label
in
Calico
system
name
is
Pace
tries
to
send
out
we're
talking
with
the
perspective
of
that
part,
so
igorous
tries
to
send
out
a
packet
or
a
stream
or
a
flow
to
Coop
API
server
on
Port
6443.