►
From YouTube: StackRox Office Hours (E3): Kubernetes Network Policies
Description
An important step in securing Kubernetes is reducing the attack surface by enabling network policies. But it's easy to make mistakes in building those YAML files.
Join our Office Hours to get your K8s networking questions answered. We'll start with some simple practical steps to secure your Kubernetes first, and then take your live questions. Ask our subject matter experts about:
- Applying policies to isolate pods
- Best practices on ingress and egress policies
A
A
A
A
Good
morning,
good
afternoon,
good
evening
welcome
to
another
episode
of
the
stackrock's
office
hours.
This
is
episode
three
and
I'm
here
with
amanda
dewaktar
to
talk
about
kubernetes
network
policies,
I'm
chris
short,
your
host
with
the
most
here
on
red
hat,
live
streaming.
Mandar
introduce
yourself
to
the
audience.
It's
your
first
time
on
the
channel,
so
you
know
feel
free
divulge.
B
B
I
joined
red
hat
via
the
acquisition
of
stack
rocks
and
I've
been
with
stackrocks
for
just
over
two
years
and
contributing
to
almost
all
the
components
of
stack
rocks,
network
segmentation
policy
management,
risk,
computation
and
outside
my
work.
I
enjoy
being
active
trail
running
cycling,
kayaking.
So
if
you're
in
the
bay
area-
and
you
know
want
to
join
with
me,
hit
me
up.
A
Nice
things
I
used
to
be
able
to
do
so:
kubernetes
network
policies
there's
a
lot
to
them
right,
but
you're
gonna
break
it
down
for
us.
So
how
do
you
wanna
do
this.
B
Cool,
so
what
I'm
gonna
do
is
share
my
screen
and
kind
of
walk
through
a
a
short
and
sweet
demo,
not
too
complex.
Basically,
it
will
take
us
through
how
to
write
network
policies
and
what
are
some
things
to
look
for
when
you're,
writing
and
enforcing
network
policies
all
right.
So,
first
of
all
what
what
are
these
you
know,
what
is
a
kubernetes
network
policy
right?
So,
in
the
simplistic
terms,
it's
basically
a
means
of
controlling
inbound
and
outbound
traffic.
B
You
know
from
the
parts
perspective
right
to
other
pods
or
to
the
internet
right,
and
this
is
achieved
via
something
called
as
labels
and
selectors
and
widely
used
by
various
kubernetes
resources
right,
such
as
services
as
well
so
kubernetes
network
policies
and
humanities
like
fogs,
are
very
like
they're,
like
the
the
network.
B
Policies
are
like
the
guiding
angels
wherever
whatever
is
the
label,
you
know
the
network
and
if
the
network
policy
kind
of
sees
it
satisfying
it,
it
will
just
you
know,
stick
to
it,
so
that
is
one
very
crucial
piece
that
is
also
important
in
you
know
identifying.
How
are
you
going
to
segment
the
applications
right?
So
what
I'll
do
now
is
basically
jump
into
you
know
demo.
So
basically,
let's
create
a
namespace,
so
that
I
can
you
know,
show
whatever
I
yeah
yeah.
B
So
by
default,
no
network
policies
are,
you
know,
enforced
right
I
mean
there
are
some
cni
plug-ins
are
managed,
kubernetes
services
which,
like
deploy
or
claim
to
deploy,
you
know
default
network
policies,
but
those
are
essentially
allowing
all
the
inbound
and
outbound
traffic
right.
So
basically
it's
doing
it,
it's
not
enforcing
or
it's
not.
You
know
limiting
any
traffic
right.
B
So
it's
as
as
it's
its
behavior
is,
as
there
is
no
network
policy
right
and
kubernetes
network
policies
being
name-spaced
has
actually
a
huge
advantage,
although
there
are
like
some
limitations,
but
it
also
has
a
huge
advantage
when
we
are
thinking
like
kubernetes
has
been
a
game
changer
in
like
how
we
like
deploy
and
maintain
applications
right
or
even
to
a
certain
extent
how
we
write
applications
right.
Everything
is
very
application,
centric
right
and
the
basic
principle
being.
B
You
know
you
know
the
applications
of
the
parts
like
serve
the
purpose
and
you
know
disappear
right
and
with
this
namespace
kind
of
environment
you
know
multiple
teams,
you
know
you
know.
Having
these,
you
know
different
name
space
working
in
their
own
name,
spaces
kind
of
allows.
You
kind
of
provides
this
natural
way
of
segmentation,
and
that
is
something
you
know.
One
needs
to
keep
in
mind
when
writing
kubernetes
network
policies
and
how
you
can
take
advantage
of
network
policies
being
name-spaced
right.
B
We
will
talk
about
some
limitations
and
how
we
can
you
know
overcome
them
later
in
the
during
the
demo,
but
you
know
for
now:
let's
get
started
with
that.
So
what
I'm
gonna
do
is
I'm
gonna
create
a
very
you
know,
simple.
B
You
know,
environment
in
a
mocking,
there's
like
a
database,
there's
a
middle
layer
or
the
service
layer,
and
there
is
the
front
end.
You
know
the
typical
okay.
B
B
All
right
so
le
so
we
have
our
db,
I
mean
it's
essentially
an
nginx
and
app.
You
know
which
for
demo
purposes,
I
I'm
I'm,
you
know
treating
it
as
a
db.
Then.
A
B
Which
is
basically
serving
okay,
so
the
issue
was,
we
did
not
create
it
in
the
namespace.
A
B
Yes,
the
first
rule
right
all
right.
So,
let's.
B
All
right,
so,
let's
create
the
service
called
catalog,
which
is
basically
you
know,
acting
something
like
you
know,
providing
a
catalog
of
products,
and
so
what
we
have
is
now
we
have
two
parts.
You
know
one
is
behaving
as
a
database
right.
It's
an
engineering,
fine
and
one
is
behaving
as
catalog
right
so
right
now
there
is
no
network
policy
enforced
in
this
particular
namespace
right.
So
if
I
go
into.
B
A
B
Out
to
the
internet-
and
you
know
I
should
be
able
to
reach
out
to
the
other.
You
know
pods.
However,
right
now
I've
not
exposed
any
other
pod.
You
know
as
service
like
so
what
I'll
do
is.
I
will
expose
db
on
port
80.
Okay
and
of
course
we
are
up
oops
there.
B
B
Into
catalog
and
try
to
get
db,
I
should
be
able
to
reach
to
it.
Okay,
so
basically
this
what
it's
demonstrating
is,
I
deployed
my
applications
right
without
enforcing
kubernetes
network
policies
right
and
it's
not
controlling
any
traffic.
It's
open
to
the
entire
internet,
and
you
know
communicating
open
to
you,
know
any
kind
of
intrusion,
and
you
know
I
think,
unwanted
things
right.
B
So
there
are
two
approaches
to
this:
when
you're
writing
kubernetes
policies
right,
you
can
start
off
by
having
a
deny
all
policy
in
place
which,
which
means
basically
deny
all
the
inbound
and
outbound
traffic
right
when
you're
deploying
a
new
application,
let's
say
in
a
test
environment,
you
know
like
it's
not
going
to
be
used
immediately
right
and
what
you
want
to
understand
is
okay.
You
want
to
see
how
your
application
is.
You
know
kind
of
reacting
to
that,
deny
all
policy
right.
How
is
it
failing?
B
A
B
Whether
if
you're
just
failing,
if
you
know
silent
logging
or
whether
it's
crashing
and
things
like
that
right,
but
the
other
side
of
the
coin
is
writing.
Kubernetes
network
policies
can
be
a
daunting
task
and
I
agree
to
it.
You
know
many
a
times
you
know
developers,
you
know
kind
of
shared
the
responsibility
to
the
administrators,
and
you
know
there
is.
There
could
be
a
possibility
that
there's
no
proper
check
between
you
know
how
the
applications
are
moving
forward.
You
know.
B
The
other,
the
other
approach
is,
like
you
know,
put
it
in
a
test
bed.
You
know
with
allow
all
and
observe
how
the
application
is
behaving.
You
know,
for
let's
say
an
up
a
window.
You
know
where
all
the
application
is
trying
to
reach.
So
this
is
going
to
be
your
baseline
right
and
identify
if
that
baseline
is
even
something
that
you
anticipated
or
even
something
that
you
expected
yeah.
B
B
Exactly
and
then
kind
of
reverse
engineer:
you
know
kind
of
scope
it
down
by
putting
in
place.
You
know
some
network
policies,
you
know
and
things
like
that.
So,
for
example,
what
I'm
gonna
do
now
is.
I
have
okay.
Let
me
first
show
I
have
a
deny
all
policy
here:
okay,.
B
Pretty
simple:
it's
selecting
all
the
pods
in
the
namespace
demo
and
not
allowing
any
traffic
right.
So
another
thing
another
point
I
should
be
touching
on
is
network
policies
are
basically
like
based
on
the
rules
of
allow
list.
You
know
what
must
be
allowed
right.
You
cannot
have
rules
such
as
you
know,
block
these,
can
block
only
xyz
connections
and
allow
everything
else.
You
need
to
be
explicit
on
what
you
are
going
to
allow
what
you
want
to
be
a
lot
right.
B
So
since
there
are
no,
the
rules
here
essentially
is
telling,
like
you
know,
a
lot
of
you
know
like
we
don't
have
any
rules,
so
you
know
kind
of
block
everything.
So
what
I'm
going
to
do
is
take
that
policy
and
reply.
B
Yes,
I'm
going
to
lose
my
I'm
yeah,
I'm
going
gonna
lose
my
trp,
my
customer
base
when
they're
trying
to
shop
from
my
wonderful
catalog.
B
B
And
it
should
feel
all
right
cool
so
right
now
we
have
like
a
completely
isolated
name
space,
anything
any
new
deployment
or
any
existing
deployment
or
pod
in
this
name.
Space
cannot
have
an
inbound
or
an
outbound
connection
to
anything
else
right.
So
this
is
like
you
know,
in
ideal
world.
You
know
you
would
start
here.
You
know,
you
know
how
your
application
is
supposed
to
behave.
So
you
start
from
the
most
restrictive
network
policy
and
then
kind
of
move
outwards
right.
B
So,
as
I
already
okay
so
exposed
the
db
service,
you
know-
and
I
want
my
you
know-
catalog
to
basically
query
the
db
and
you
know
like
get
some
records
out
of
it.
So
basically,
what
now
I
need
to
do
is
allow
ingress
on
db,
like
you
know,
from
catalog
right
right,
so
that
I
can
explicitly.
A
B
Those
two
exactly
exactly
so
that
I
can
fulfill
those
queries.
You
know.
So,
let's
try
to
do
that.
I
have
pre-built
this
yaml
file.
Writing
yamls
are
kind
of
sensitive.
I
can
understand
a
pain
you
know
like
even
an
indentation
could
make
a
huge
difference.
Don't
try.
B
B
What
this
policy
is
informing
right,
so
it's
it's
and
it
will
be
enforced
in
the
namespace
demo
and
on
the
pods
which
have
label
app
is
equals
to
them
db
right
and
it's
a
ingress
policy
right
telling
that
okay,
I
love
all
the
ingress
from
the
pods
which
are
labeled
app
is
equals
to
catalog,
and
this
is
the
scenario
we
want
to
support
right
now
right,
so
let's
just
go
ahead
and
apply
that
policy
all
right.
B
B
All
right,
so,
as
you
can
see,
there
are
like
two
network
policies.
Right
one
is
denying
all
the
traffic
one
is
allowing
a
you
know:
traffic
to
the
pod
db
right.
So
one
would
question
like
you
know
how
you
know
what
what
is
an
effective
network
policy
like
what
should
happen
when
I
have
multiple
network
policies
right.
B
So
one
thing
is
out
of
question
like
I
created
both
these
policies.
Scope
to
this
name
says
for
this
namespace
demo
right
so
the
namespace
policies,
the
effective
namespace
policy,
is
basically
the
disjunction
of
all
the
rules.
So
basically,
if
I
have
a
policy
saying,
okay,
don't
allow
like
do
not
allow
any
traffic
ingress
traffic
and
I
have-
and
if
I
have
another
policy
saying:
okay,
allow
ingress
traffic.
So
it's
like
a
true
and
a
false
right.
B
A
disjunction,
you're
gonna,
what's
gonna
happen
is
the
effective
network
policy
is
going
to
allow
ingress.
You
know
for
that
particular
form.
So
that's
how
network
policies
work
and
how
it
plays.
How
is
it
how
it
is
important
is
like
one
needs
to
pay
attention
on
how
you're
right
writing
network
policies
like
keep
it
simple.
You
know
don't
write
a
network
policy
which
is
trying
to
address
everything.
You
know
like
having
100
lines
of
rule
100
rules
in
it,
don't
make
it
too
complex,
because.
B
Network
policies,
being
you
know,
kind
of
a
challenge
in
the
first
place.
If
something
breaks
it's
gonna,
be
you
know
difficult
to
identify.
You
know
how
it's
you
know.
What
rule
you
know
what's
rule
is
breaking
you
know
things
like
that,
so
have
network
policies
scoped
to
the
functionality
like
what
did
it,
what
you
know
what's
it's
supposed
to
do
you
know
if
it
is
supposed
to
work
on
a
pod
like,
let's
say
in
in
this
case
a
db
pod.
You
know
scope
it
down
to
that
deployment.
B
A
B
B
B
Get
to
it,
okay,
so
I
have
an
inverse
policy
on
db,
but
somehow
I'm
not
able
to
reach
it
via.
You
know,
catalog,
you
know
from
catalog
and
the
answer
is
you
have
a
umbrella
network
policy
blocking
connection
for
all
the
other?
You
know
pods,
you
know
so
now.
What
I
have
to
do
is,
I
have
to
explicitly
add
a
network
policy
to
allow
egress
from
catalog
right
so
that
so
when
you're
writing
network
policies,
it's
it's
almost
like
you.
You
define
the
behavior
on
both
the
ends.
You
you
right.
B
You
have
an
ingress
policy
on
once
on
on
a
pod,
you
kind
of
have
to
have,
like
a
you,
know,
a
egress
policy,
a
complimentary
egress
policy
on
the
other
end
with
you
know,
which,
which
you
want
to
communicate
with
us.
So.
B
A
B
Exactly
and
the
reason
why
is
I
started
off
with
the
more
you
know,
most
restrictive
policy
right?
If
I
remove
that
restriction
right,
then
I
all
I
can
reach
to
db
from
catalog
and
you
can.
We
can
walk
through
that
as
well
right,
but
since
I'm,
starting
with
the
most
restrictive
policy
and
I'm
you
know
opening
one
door
at
a
time,
I
know
what
I'm
doing.
I
know
what
I'm
opening
up
right.
B
You
know
through
these
explicit
rules
in
the
network
policies
right,
so
I
have
this
network
policy
for
catalog.
Again,
it's
saying
you
know
allow
all
the
you
know.
I
love
the
egress
from
catalog
to
the
pods.
Having
a
label
app
is
equals
to
db.
B
Writing
ingress
policies
has
been
like
is
traditionally
kind
of
straightforward,
but
when
it
comes
to
egress
policies,
it
becomes
slightly
challenging
because,
for
one
reason
being
you
may
not
like
one
may
not
know
how
the
application
is
exactly
behaving
like
what
does
it
take
for
the
application
to
work
properly?
Where
does
it
need
to
reach
out?
Does
it
need
to
reach
out
to
you
know
gke
bucket
to
get
some?
You
know
data
for
at
start-up
time,
but
the
most
primary
thing
is
most
likely
it
will.
B
You
know
it
has
to
reach.
It
has
to
be
able
to
reach
to
a
dns
server
right
to
be
able
to
resolve.
You
know
what
you
know:
the
pods
and
external
endpoints
as
well.
So
if
I
correct
right
so,
if
I
do
not
have
this
rule
right,
basically,
if
I
try
to
reach
the
pod,
you
know
using
like
the
the
name
right.
B
It's
gonna
fail
right
because
I
cannot
reach
to
the
dns
and
that's
the
most
important
note
to
make
right
when
you're
writing
an
egress
policy
make
sure
you
can
reach
to
the
dns
server
right,
whether
it
be
cube,
dns
or
other
dns
servers
that
you're
used
make
sure
you're
not
blocking
that
right.
Now
there
are
caveats
of
this
rule.
Basically,
it's
allowing
you
know
traffic
to
all
the
parts
on
453.
B
You
know
by
labeling
the
cube
system
name
space
and
you
know,
like
kind
of
making
the
rule
translating
the
rule
to
you
know
only
reach
out
to
cube
dns
and
you
know,
keep
system
name
space,
but
for
now
I'll
just
leave
it
as
is
and
move
ahead
all
right.
B
B
Yes,
so
we
could
reach
out
to
the
db
pod
right
and
we
could
reach
out
to
the
db
pod,
not
using
the
ip
address,
because
we
have
not
blocked
the
path
to
the
dns
right.
So
this
is
you
know.
This
is
like
a
very
simple
kind
of
demo.
I
had.
I
have
like
couple
of
more
network
policies
here.
I
would
specifically
like
to
you
know,
like
maybe
show
another
one
right.
So,
as
I
said
you
know,
yaml
can
be
confusing.
This
is
another
form
of.
B
Yes
right
so
so
it's
I
came
across
like
a
very
there's,
a
very
good
meme
out
there,
which
says,
like
oh
there's,
like
a
kubernetes
which,
like
a
cat,
is
wearing
cube
right,
yeah
and
it
says,
like
oh,
you
said
like
just
yaml-
would
be
sufficient
right,
but
it's
not
the.
A
B
So
both
are
essentially
denying
you
know
the
traffic
both
ways
on
all
the
parts
in
this
namespace
demo
right,
but
you
know
like
there
are
different
ways
how
it
it
it
is
written.
So
you
know
knowing
like
testing
out
the
network
policies
is
always
you
know
critical.
B
What
you're
writing
you
know
the
yamas?
It's
it's
very
important.
Like
you
test
out,
you
know
how
the
the
yaml
that
you
have
written
you
know
ends
up
being
right.
So
yeah
I
mean
this
was
the
short
and
sweet
demo.
I
had
yeah
and
let's
I
mean
this
is
an
office
hour.
I
believe
yeah.
A
Yeah,
if
you
have
questions,
feel
free
to
ask
them
so
amanda.
In
your
example,
the
you
open
port
53,
but
I
feel
like
there's
a
better
way
to
do
that.
Right,
like
I,
would
just
open
up
port
53
to
cube
dns
cube
system
to
the
you
know,
api
on
port,
80
or
443.
Depending
upon
the
situation,
I
mean.
How
else
can
you
like
make
that
rule
better,
tighter
kind
of
thing.
B
B
First
of
all,
you
need
to
make
sure
that
you
know
if
you
want
to
scope
it
to
something
make
sure
that
that
particular
pod
has
appropriate
labels
right
generally
users,
you
know,
create
namespaces
and
you
know:
do
not
label
them
people,
folks,
like
label
pods,
you
know
deployments
and
other
things
because
most
likely
they'll
expose
it
through
human
services
like
load,
balancer
and
things
like
that,
but
namespaces
right.
So
then
you
also
got
to
like
label
the
namespace
right.
So
let's,
let's
actually
try
to
do
that.
B
Let's
see
if
I
can
actually
do
that
without
okay,
so
we
have
cube
system
okay,
so
I'm
going
to
list
p
parts
in
the
cube
system
right.
So
we
have
the
cube
system
sting
right
there.
Let's
describe
cube
system.
B
And
see
if
it
got
anything
nope,
so
we
have
this
label
namespace
metadata,
styrofox,
io,
cube
system,
so
I
have
stack,
rocks
the
advanced
cluster
security
instance
running
in
this
particular
kubernetes
cluster,
which
applied
the
label.
You
know
we
do
that,
but
otherwise
you
wouldn't
see
this
label.
So
let's
pick
that
label
and
kind
of
work.
Our
way
how
we
can
scope
down
the
dns
rule
right
all
right.
So
what
I
want
to
tell
it
is
namespace.
B
Okay,
so
scope
it
down
right.
So
I
want
to
scope
it
down,
match
the
label.
B
Blah
blah
blah
right
name
space
is
equals
to
so
answer
right.
So
now
what
so?
Now
we
have
scope
it
down
slightly
right.
So
what
it's
telling
what
this
network
policy
is
informing
is
allow
egress
traffic
to
put
53
for
all
the
pods
to
all
the
parts
in
namespace.
You
know
having
carrying
this
label
right
all
right,
so
it's
still
like
okay.
You
know
you
can
still
reach
out
to
all
the
parts
in
your
dns
namespace
right,
so
we
might
need
to
scope
it
down
further
right.
B
So
let's
say:
let's
describe
you
know
what
cube
dns
looks
like.
B
So
there's
a
label
here
which
we
can
likely
use.
You
know
its
app
is
equals
cube
dns.
Now
I
want
to
also
talk
about.
You
know
labeling.
You
know
what
what
what
are
some
basic.
B
Rules
or
tips
that
one
should
you
know
be
aware
of
when
you
want
to
segment
the
network
policies
or
basically
your
applications,
all
right,
so
I'm
going
to
cut
it
again
just
to
so
that
we
have
it
on
the
screen
all
right.
So
what
we
have
now
is
we
have
a
network
policy.
You
know,
scoped
down
to
parts.
B
Having
cube
the
kids
app
is
equal
to
cube
dns
label
on
sorry
in
namespace
having
that
particular
you
know
label
right,
but
the
caveat
to
this
is:
although
I've
scoped
down
my
network
policy-
and
if
someone
is
going
to
you
know,
add
a
pod
with
the
exact
same
label,
it's
going
to
start
allowing
egress
traffic
to
that
label
as
well
right
that
part
as
well
right.
B
So
there
are
two
parts
to
this
right:
writing,
network
policies,
enforcing
network
policies
and
how
you
write
those
network
policies,
but
the
other
part
is
enforcing
who
can
write
a
network
policies
and
who
can
label
resources
in
your
environment
right.
Otherwise,
you
know
anyone
having
you
know
those
permissions
to
introduce
new
network
policies
or
introduce
new
or
update
the
pods
with
new
labels
can
basically
go
around
the
wall
that
you're
trying
to
create
right,
and
there
are
a
couple
of
ways
to
kind
of
achieve
that
enforcement.
B
You
can
have
an
admission
controller
in
place
that
kind
of
restricts.
You
know,
creation
of
so
you
know
like
updation
of
those
resources
or
like
creation
of
network
policies,
like
you
know,
or
you
can
also
use
like
kubernetes,
our
back
rules
to
basically
kind
of
scope
down.
B
You
know
who
can
do
what
right
like
remember
the
principle
of
least
privilege
the
the
way
you're
going
to
achieve
security
is
by
adhering
to
that
principle
right,
for
example,
if
I
had
these
network
policies
in
place
right
and
then,
if
I
let
me
just
show,
I
love
all.
If
I
go
ahead,
if
someone
is
able
to
apply
this
policy,
all
my
effort
is
waste.
A
B
Right
because
it's
going
to
allow
all
inbound
and
outbound
traffic,
you
know
to
this
particular
namespace
right,
so
so
so
they're
like
you
know,
so
that
that's
another
important
thing
you
know
how
you
are
going
to
complement
the
network.
Security
through
network
policies
is
kind
of
having
some
kind
of
enforcement
and
adhering
to
the
principle
of
release.
B
You
know
privileges.
You
know
so
that
people
cannot
go
around
that
wall
you're
trying
to
create.
A
B
There
unfortunately,
no
yeah
there,
no
it's
because
network
policies
are
something
you
know,
application
of
it
like
they're
meant
to
be
application.
Hours
they're
meant
to
be
focused
on.
You
know,
application
right
what
works
in
one
environment?
Well,
let's
say
you
have
cassandra
and
things
like
that,
and
you
know
like
you.
What
works
for
that
particular
environment
will
not
work
for
other
environment,
but
there
are
these.
You
know
basic
there.
Are
these
basic
points
right?
What
to
look
at
right?
B
Let
me,
actually,
you
know,
go
to
that
right,
like
this
slide.
Okay,
now
this
is
not
an
exhaustive
list.
I've
just
tried
my
best
to
in
a
list
couple
of
things
which
I
feel
are
important
to
look
at
when
you're
writing
network
policies
right.
B
So,
first
of
all,
you
don't
want
to
block
reaching
out
to,
like
you
know,
kubernetes
api
server
right
dns,
like
the
dns
servers.
You
know
that
your
application
is
going
to
depend
on
the
you
know
the
ports
that
you
want
open
so
that,
if
it
is
serving
serving,
you
know
like
workloads
on
the
internet.
You
know
you
want
to
keep
them
open
right.
If
you
have
like
exposed
behind
a
load
balancer,
maybe
you
want
you
know
like
most
likely.
B
You
will
want
to
have
these
health
and
health
check
endpoints
open
so
that
you
can
know
you
know
whether
your
services,
you
know
your
apps,
are
healthy
things
like
that.
B
So
they're,
like
some,
you
know
basic
the
basic
things
that
when
one
can
start
at
and
like
work
their
way
towards
it
and
like
again
reiterating
you
know
like
one
can
deploy
the
application
in
in
a
test
page
like
observe
how
it's
behaving
you
know
for
a
certain
time
window
and
identify
you
know
how
you
know
whether
it's
meeting
the
expectation
right
and
kind
of
reversing
like
start
your
way,
you
know
backwards,
like
start
scoping
it
down.
B
So
definitely
I
mean
testing
network
policies
is
a
crucial
thing.
You
do
not
want
to
break
applications
in
production,
yeah.
B
But
I
also
want
to
you
know,
highlight
one
thing
here:
like
network
policies,
you
know
like
the
declarative
nature
of
kubernetes
and
how
you
write
applications
or
how
you
kind
of
deal
with
the
resources
in
kubernetes.
I
think
it's
in
a
way
kind
of
pushing
developers
to
you
know
kind
of
start,
moving
the
security
from
administrator
to
the
application
development
like
basically
those
who
are
you
know,
like
developing
application,
know
the
architecture
of
that
application
and
how
that
app
is
supposed
to
behave.
B
You
know
the
best
right,
so
you
know
it
basically
shifts
enforcing
security.
You
know
in
the
early
phases
of
applications
life
cycle
right.
You
know
it
very
well
start
in
you
know
during
the
development
of
the
application
as
well
right.
So
that's
I
see
it
as
an
advantage.
I
see
kubernetes
network
policies
and
the
nature
of
it
being
the
declarative
nature
of
it
being
an
advantage.
B
You
know
to
you
know,
allow
anyone
like
to
enable
the
developers
to
kind
of
you
know
take
that
responsibility,
shoulder
that
responsibility
to
enforce
security
early
on.
B
A
A
Yeah
so
routes
and
cooper
and
openshift
land
are
like
ingresses
and
kubernetes
land.
They
actually
predate
ingress.
So
this
is
something
that
red
hat
had
to
create
to.
A
Need
when
openshift
was
launched
so
route,
specific
security,
annotations
and
things
like
that
are
all
documented
on
this
page
I
feel
like
and
locking
things
down.
There
is
as
easy
with
a
admission
policy,
so
making
sure
that
you
know
the
the
ingress
is
good
to
go.
It's
not.
B
A
B
Yeah
yeah
there
are,
like
you
know,
like
not.
Everything
is
green
with
a
network
policies
like
there
are
some
pain
points
right,
like
network
policies
are
name
space,
name,
space,
scope,
right,
scalability
right
is
one
of
the
challenge
right
you,
for
example,
you
know
the
standard
dns
like
allow
egress
traffic
to
dns.
If
something
probably
would
be
natural
to
throughout
the
organization
right
and
teams
deploying
their
applications
in
different
name
spaces,
you
know,
might
most
likely
you
know
want
to
have
that
template
right.
B
So
there
are,
you
know
like
each.
There
are
these
cni
plugins
and
different
managed.
Kubernetes
services.
Have
you
know
different
choice
of
cna
plugins,
but
these
cni's
cni
plugins
have
something
called
as
like
global
network
policies
or
like
cluster
level,
network
policy
and
hdmi
plugin
uses
different
terminology.
You
know
that
kind
of
addresses
the
concern
of
scalability
right.
B
Let's
say
if
someone
wants
a
workflow
such
as
you
know,
when
any
application
that
is
deployed
must
you
know
have,
must
allow
egress
to
you
know
the
dns
servers
of
that
organization.
Things
like
that
right,
so
these
cni
plug-ins
kind
of
enable
it
and
the
kubernetes
network
policies
work
in
work.
Handy-Down
with,
like
this
network,
cni
plug-in
the
cns
specific
network
policies
right.
So
it's
it's
a
it's
a
complimentary,
you
know
feature
and
most
cni
plugins.
B
You
know
like
have
you
know
things
like
visibility
as
well?
Right,
like
you,
have
deployed
a
network
policy.
What
next?
Should
you
sit
back
right?
That's
that's
some!
That's
something
always
get
asked
right
like
how
do
you?
How
do
I,
you
know,
kind
of
observe
the
environment
and
how
do
I
kind
of
adapt?
And
how
do
I
update
my
network
policies,
for
example,
like
celium,
has
a
very
awesome.
B
You
know
like
network
observability,
I'm
not
sure
whether
it's
like
a
paid
thing
or
not,
but
they
have
like
some
logs
network
policy
logs,
which
basically
have
like
custom
metadata
telling
okay,
which
network
policy
allowed
or
denied
a
connection
from
what
part
to
what
part
you
know
things
like
that.
I
believe
you
know
it
it's
because
you
know,
there's
ebpf
and
ebpf
has
been
like
you'll
see
it
being
used
in
more
and
more
places,
because
you
know
it
the
enriched
data
that
you
can
get
using.
B
That
has
been
advantageous.
I
think
gke
data
data
plane
v2,
has
that
feature
as
well.
Celium
has
calico
also
introduced
that
so
kubernetes
network
policies
limit
their
limitations.
You
know,
look
at
you
know:
cni
plug-ins,
their
network
policies.
You
know
to
kind
of
reduce
the
repetitive
work
of
let's
say
a
cicd
pipeline.
You
know
things
like
that
and
observe
observability
right.
So
that's
another
important
aspect
to
that.
A
Very
good
point:
I
just
linked
and
chat
folks
to
the
last
episode
where
we
talked
about
evpf
and
implementing
security
and
monitoring
on
kubernetes
with
it
so
feel
free
to
check
that
out
at
your
leisure.
You
can
always
find
us
at
our
webpage,
which
is
such
a
simple
link
here.
A
Live
streaming
type
today,
great,
so
yeah,
no
other
questions
from
the
audience.
I
I
feel
like
naveen.
If
I
haven't
answered
your
question,
please
let
me
know
and
I'll
ask
mandar,
but
he
was
asking
you
know:
how
do
I
get
things
out
of
the
cluster
basically
or
have
access
to
things
if
a
connectivity.
B
A
Occurred
like
so
between,
I
guess.
I
think
he
I'm
thinking
he
means
between
nodes,
but.
B
Let
me
think
of
like.
Let
me
put
out
some
couple
of
points,
so
is:
can
you
access
the
you
know
the
audit
logs,
the
you
know,
the
community?
The
api
server
maintains
a
log
of
all
the
you
know,
requests
that
are
coming
to
it
right
I
mean
essentially
when
you,
when
I'm
running
a
cube
cattle,
you
know
create
namespace
or
git
bar.
B
It's
essentially,
you
know
a
rest
call
to
the
api
server
right
and
everything
gets
logged
in
there
managed
kubernetes
services
most
if
I'm
not
wrong.
Most
like
most
likely
have
the
feature
the
logging
feature
turned
on
by
default.
So
that's
like
one
good
starting
point
and
network
policies
are
not
going
to
deny
or
not
going
to
block.
B
You
know
any
communication
between
the
pods
and
the
node
that
the
part
is
residing
on
right.
So
if
you
can
get
on
to
the
node,
you
know
you
can,
you
know,
run
queue
petal
and
if
you're
having
admin
privileges,
you
can
keep
cuddle
and
kind
of
diagnose,
get
the
application
logs
and
things
like
that.
A
So
I've
got
a
question
in
here:
does
stack,
rocks
or
now
advanced
cluster
security
help
automate
the
management
of
these
network
policies
rather
than
having
to
manually,
create
them.
B
Let
me
know
if
you
can
see
the
advanced
cluster
security,
okay
cool,
so
one
of
the
most
you
know
talked
about
a
feature
of
stack
rocks.
Is
a
network
observability
network
segmentation
right,
as
you
can
see
here,
I'm
not
sure
if
you
can
see
where
I'm
hovering,
but
basically
top
left.
There
are
like
three
kinds
of
views
active
allowed
and
all
right,
so
the
active
view
is
basically
showing
all
the
connections
that
are
active
right
now.
B
You
know,
so
that's
like
a
good
way
of
you
know
of
observing,
like
you
know
how
my
applications
are
connecting.
Let's
say
this
is
a
test.
Basically,
I'm
testing
out.
You
know
how
my
application
is
communicating.
You
know
this
is
the
view
we
provide
details
about.
You
know
what
port
and
whether
it's
an
egress
connection,
the
protocol
and
things
like
that.
We
also
added
support
for
a
kind
of
scoping
or
making
it
explicit
to
which
ciders
your
application
is
trying
to
reach
out
to
you
know
outside
your
cluster.
B
So
this
is
about
active
connections.
So,
coming
back
to
that
question
right
so
a
loud
view.
Kind
of
provides
that
the
space
of
how
your
applications
or
what
all
kind
of
connections
your
application
can
have
right.
As
you
can
see
like
you
know,
there
are
different.
Let
me
zoom
in
so
these
boxes
or
the
squares
are
name
spaces
and
these
you
know
filled
circles
or
dots
are
your
cards
and
deployments,
and
each
of
them
is
having
like
a
different
legend
right
right.
B
So,
basically,
as
you
can
see,
if
I
hover
over
db,
if,
if,
if
we
go
back
like,
I
had
a
inverse
policy
in
place
for
db
it,
and
it
would
only
allow
connections
from
catalog-
and
you
can
see
right-
it
cannot
reach
out
to
the
external
world.
You
cannot
see
that
arrow
right.
So
same
thing
like
you
know,
like
you
know,
other
part,
I
think
this
when
this
was
the
one
which
I
created
now
you
can
go
to
network
policy
simulator.
B
Okay,
so
we
have
this
demo
cluster
and
the
associated
namespaces.
What
you
can
you'll
see
multiple
options
here
and
what
you
can
do
with
these
is
first
view:
what
are
the
active
yamls
right?
So
these
are
the
policies
that
I
applied
to
the
namespace
demo
right.
So
I
can
see
what
are
my
you
know:
network
policies
in
this
particular
name
space.
B
I
can
edit
those
network
policies
and
upload
them
here
and
see
how
it
is
you
know
taking
effect,
you
know
how
it's
changing
right,
so
there
are
ways
to
basically
like
upload
a
network
policy
right.
Okay,
let
me
see
if
I
can
navigate
to
the
folder.
I
believe.
A
A
B
So
this
is
another
way
to
you
know,
make
sure
like
how
your
network
policy
is
behaving
and
whether
it's
you
know
kind
of
meeting
the
expectation
without
breaking
the
application
right
and
then
you
can.
You
know,
like
tweak
the
network
policy.
If
it
is
not,
you
know,
meeting
the
expectation
scope
it
down,
scoop
it
up
and
then
see
it,
and
then
you
can
also
apply
it
right
like.
B
If
I
apply
this,
it's
going
to
start
allowing
connections
to
you
know
it's
basically
going
to
allow
all
the
ingress
and
egress
so
stack
rocks
pro
is
a
very
good
tooling
around.
You
know
alleviating
those
pains
of
writing
network
policies.
You
can
also
generate
network
policies.
Let's
say
you
did
not
have
any
network
policy
or
you
had
some
network
policies
in
place.
B
You
can
select
a
time
window
like
let's
say
I
want
to
generate
a
network
policy
based
on
the
connections
made
to
the
app
in
past
hour
right,
so
I
go
to
network
policy.
Simulator
click
generate
and
simulate
network
policies.
It
says
you
know,
no
network
policies
are
needed
to
be
created
or
related,
because
literally
I
have
enough
allow
all
of.
B
So
this
is
a
very
good.
You
know,
tooling,
from
stack
rocks
to
kind
of
you
know,
play
with
network
policies,
be
you
know
and
build
network
policies.
Yeah.
A
B
B
And
stackrocks
I
mean,
has
a
couple
of
more
things
like
network
baseline,
so
I
mean
this
demo
has
not
been
running
for
a
very
long
time.
I
just
spun
it
up
right
before
this
meet.
So
basically
something
like
we
have
an
observability
window
during
which
we
observe
the
connections
to
an
app
and
kind
of
lock
it
down
and
any
new
connections
you
know
or
any
connections
deviating
from
that
baseline
are
highlighted
as
anomalous
connections.
To
basically
asking
you
hey
is
this
something
you
anticipated?
B
If
you
anticipated
it?
Okay,
you
can
mark
it
as
a
baseline.
You
can
move
it
to
the
baseline.
If
not,
then
probably
you
will
need
to
update
your
network
policy,
because
you
know
someone
is
trying
to
reach
to
your
app
right
yeah.
So
that's
you
know
another
cool,
tooling,
from
stack
rocks.
You
know
to
observe
beyond
the
period
beyond
the
period
of
like
you
know,
you
have
applied
the
network
policies,
but
what
next
right.
A
B
B
So
we
do
not
analyze
packets,
so
we
observe
connections.
You
know
we
observe
the
connection
information.
Basically
the
end
point
you
know,
like
the
end
point
information
the
protocol
and
things
like
that.
We
do
not
perform
analysis
on
packets.
Like
you
know,
if
you
have
like,
I
know
there
are
some.
You
know
there
are
like
these
firewalls
you,
which
perform
packet,
analysis
and
kind
of
block
or
allow
connections
based
on
that.
It's
not
that
granular.
B
But
what
we
want
to
make
sure
is,
you
can
see
the
connections
coming
from
an
endpoint
and
make
a
decision
whether
that
endpoint
can
be
trusted,
allow
it
or
don't
allow
it
right
and
once
you
have
that
rule
for
that
connection
and
since
network
policies
are
basically
like
sitting
at
the
edge
of
the
application
like
the
guarding
angel
right,
even
if
someone
kind
of
breaks
into
you
know
an
app,
you
know
a
pod,
it
makes
it
difficult
for
to
move
laterally.
B
You
know
kind
of
go
to
the
other
apps
and
you
know
kind
of.
A
That
blast
radius
gets
a
lot
smaller,
though
exactly
tighter
those
policies
are
yeah.
Exactly
like
allowing
you
know,
some
people
do
have
or
intermix
right.
You
know
dev
and
stage
and
prod
across
the
fleet
of
clusters.
Not
that
right,
you
know,
there's
anything
wrong
with
that,
but
usually
prefer
prod
on
its
own
cluster.
So
you
wouldn't
want
your
dev
stuff.
Talking
to
your.
You
know,
prod
stuff
or
even
your
stage
stuff
potentially
right
like
or
there
would
only
be
one
kind
of
lateral
movement
of
package.
B
A
Into
the
various
environments,
so
yeah
there's
a
lot
of
power
and
a
lot
of
potential
here,
and
I
think
I
believe.
B
I
believe
that
has
been
the
underlying
principle
with
you
know
things
kubernetes
right.
It
has
made
it
more
explicit.
You
know
why
namespaces,
why
application
focus?
You
know
why
things
need
to
be.
You
know
focused
around
applications,
it's
because
it
should
be
in
that
way
right.
Your
application
is
driving.
You
know
like
should
be
driving.
You
know
the
decisions
on.
You
know
like
how
what's
the
environment
you
should
be
talking
to,
and
things
like
that.
A
And
and
that's
how
it
should
be
right,
like
we
shouldn't
be
saying,
you
know:
hey
developer,
what
vm
size
do
you
need,
and
that
be
the
extent
of
the
knowledge
that
we
have
of
that
system.
You
know
other
than
patches
that
are
applied
to
it
or
whatever,
like
we
should
understand
the
traffic
coming
in
and
out
of
it
we
should
understand.
You
know
syscalls,
to
an
extent
of
what's
you
know
being
called
and
if
that's
you
know.
B
A
For
that
application
so
doing
the
profiling
is
a
really
good
feature
right,
so
you
can
actually
sit
there
and
say:
hey
developer.
Can
you
know
if
you're
not
the
developer,
looking
at
it
at
the
time,
you
could
go
back
and
say:
hey
team.
Is
this
expected
like
right?
This
kind
of
looks
weird
to
me:
is
that
legit
or
not,
because
you
never
know
right
like.
A
B
Yeah,
I
would
like
to
you
know,
make
some
like
special
mentions
of
the
a
couple
of
things
there
are
like
a
couple
of
blogs
written
by
my
colleagues.
They've
also
been
submitted
to
cncf
around.
You
know
what
are
the
best
practices
for
in
writing,
ingress
and
egress
network
policies-
and
you
know
this
github
resource-
is
something
that
I
you
know
love
this
person
is,
I
guess,
network
policy
enthusiast
and
he
has
put
out
a
bunch
of
samples
recipes.
B
You
know
like
of
network
policies
and
how
they
behave.
It's.
I
would
recommend
everyone
to
like
check
it
out
and
it's
good
in
you
know
kind
of
understanding.
You
know
and
learning
for,
and
I
mean
I
put
out
some
resources
here,
but
definitely
this
is
not
an
exhaustive
list
and
I
do
not
want
to
stand
behind
any
man
particularly
managed
kubernetes
service
or
a
cni
plug-in,
but
you
know
like
these
are
some
most
commonly
used.
Cni
plug-ins
and
you
know
managed
services,
so
you
know
good
starting
point.
B
If
someone
wants
to
look
at,
you
know
the
cni
interface
and
things
like
that,
you
can
go
to
their
github.
I've
also
put
links
to
network
policy
logging.
That
is
something
new
addressing
the
question
like
how
should
I
detect
intrusion?
How
should
I
adapt
my
network
policies.
A
A
B
Last
but
not
least,
you
definitely
we
look
forward
to
you
know
contributors
to
the
stack
rocks
community.
You
can
go
to
snackrocks.io
reach
out
to
us
write
blogs.
You
know
like
if
you
have
any
cool
ideas
on
talks.
Things
like
that
and
if
someone
is
interested
in
looking
at
red
hat,
advanced
cluster
security
product,
you
can
go
to
this
link
and
request
a
demo.
B
A
B
If
you
love
kubernetes
and
if
you
want
to
work
in
you
know,
security
space
definitely
go
to
this
link
put
in
the
keywords:
advanced
cluster
security,
and
you
will
see
a
list
of
openings.
B
Our
team
is
looking
to
hire
good
engineers,
so
either
you
can
go
there
or
again.
You
can
reach
me
out,
like
linkedin
or
any
other
means
and
I'll
make
sure
it's
conveyed
to
appropriate
people
in
the
organization.
B
A
Awesome
demo
great
work
and
we'll
see
you
and
well
we'll
see
y'all
on
a
next
month.
I
think
this
is
monthly
show
last
I
checked.
I
forget
yes,
yes,
so
many
shows
so
yeah
folks.
If
I
don't
see
you
between
now
and
next
time,
stay
safe
out
there
and
mandar.
Thank
you
again
for
coming
on
really
appreciate
it.
My.