SlideShare ist ein Scribd-Unternehmen logo

Kubernetes Security with Calico and Open Policy Agent

CloudOps2005
CloudOps2005

Ray Kao and Kevin Harris from Microsoft presenting ‘Kubernetes Security with Calico and Open Policy Agent’ at the spring 2019 Kubernetes and Cloud Native meetup in Toronto.

Technologie
1 von 23
Downloaden Sie, um offline zu lesen
Network policy • All Pods are non-isolated by default • Flat network. All pods can talk to other pods • Accept traffic from anyone • Multi stage/zone project this could expose security risks • 3 tier webapp. • Front end could technically talk directly to DB tier
Azure Kubernetes Network Policies • Provides micro-segmentation for containers – like NSGs for VMs • Label-based selection of Pods • Policy resource yaml file specifies Ingress and Egress policies • Policies defined for a label • Works in conjunction with Azure CNI • Supports Linux hosts • Supported in aks-engine • Set networkPolicy setting to azure in cluster definition file • Supported on AKS in Preview Azure Policy Manager Azure Policy Manager
Network policy • Pod Selector • PolicyTypes • Ingress, egress Ingress • namespaceSelector • podSelector • ipBlock apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 172.17.0.0/16 except: - 172.17.1.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 5978
Network policy • Recommend to create default policies that apply to all pods • Default deny all ingress traffic • Default deny all egress traffic. • Allow Specific Traffic (Ingress & Egress)
Calico Global Network Policy apiVersion: projectcalico.org/v3 kind: GlobalNetworkPolicy metadata: name: allow-tcp-6379 spec: selector: role == 'database' types: - Ingress - Egress ingress: - action: Allow protocol: TCP source: selector: role == 'frontend' destination: ports: - 6379 egress: - action: Allow
Calico Global Network Set apiVersion: projectcalico.org/v3 kind: GlobalNetworkSet metadata: name: a-name-for-the-set labels: role: external-database spec: nets: - 198.51.100.0/28 - 203.0.113.0/24
<- Single Rule where two conditions must be met <- two conditions either/or must be met
When to use Azure NSG vs. Kubernetes Network policy • Azure Network Security Groups • Use it to filter North-South traffic, that is, traffic entering and leaving your cluster subnet • Kubernetes Network Policies • Use it to filter East-West traffic, that is, traffic between pods in your cluster
Network Policy Demo • Fruit Categorization App • Web Frontend • ML Backend for image recognition • Signal R as a managed websocket service between FE/BE • Default allow • Create a policy (deny all by default) • Open a policy to communicate between FE/BE services
Open Policy Agent
Dynamic Admission Control • Validating Webhook o Allows you to intercept and validate requests o Can be run in parallel, as they don’t mutate objects o Example use case: restricting resource creation • Mutating Webhook o Executes the mutation by sending requests to webhook server o Matching webhooks are called in serial o Example use case: injecting side cars o Policy Enforcement o Admission Control is policy based on Kubernetes objects. o Network Policy and PodSecurity Policy focus on data plane policy o RBAC is policy enforced on the user
That’s awesome! But…
Sample Admission Webhook
Open Policy Agent Image: openpolicyagent.org • CNCF Hosted Sandbox Project • General purpose policy engine • Can be used across the stack • Declarative policy language (Rego)
Service refers to: • Kubernetes API • Custom API • SSH Daemon • Terraform • Authorization APi Output can be any JSON value: ”true ”request annotated” “ “annotations": { costCenter: 8000 } Input can be any JSON value: "kind": "Service", "metadata": { "annotations": { department: dev } Service OPA Policy (Rego) Data (JSON) Request Enforcement Policy Query Policy Decision Diagram rewritten from: www.openpolicyagent.org
Example Rego Policy • Rego is a policy language and not a programing language, so don’t think about sockets, methods, binary trees, etc. • Think about two things: Logic and Data • Rego logic is all queries. A query finds values for variables that make boolean conditions true. • You write logic to search and combine JSON/YAML data from different sources. deny[{ "id": "conditional-annotation", "resource": {"kind": kind, "namespace": namespace, "name": name}, "resolution": {"patches": p, "message" : "conditional annotation"}, }] { matches[[kind, namespace, name, matched_object]] matched_object.metadata.annotations[”Mr-T"] p = [{"op": "add", "path": "/metadata/annotations/cost-center", "value": ”A-Team"}] }
Who manages all this policy? Ice Kube Acid Burn The Governor Platform Operator Developer OPA Policy Creates And Maintains Deploys Apps Audits Platform
Kubernetes Policy Controller • Kubernetes Policy Controller • Moving to OPA org, as a standard Kubernetes Policy Controller • Authorization module makes it possible to implement a blacklist in front of RBAC • Provides auditing features • Deployment consist of three containers: OPA, kube-mgmt., and Controller • Examples: • Whitelist / blacklist registries. • Not allow conflicting hosts for ingresses. • Label objects based on a user from a department. • Block kubectl exec <pod>
The Good, The Bad, and Gotchas • Good • OPA approach allows you to decouple policy from your applications • General purpose, so can be used outside of Kubernetes context. • Bad • There can be a learning curve to Rego. • Can cause latency, but’s negligible for most apps. (more of a consideration) • Gotchas • Mutating objects need to be handled with care. They can cause unexpected behavior to what the end-user expects.
Takeaways • Focus on security is a must in any Kubernetes deployment. • Help educate Security Teams on how to extend Kubernetes to integrate custom policies. • Treat the Kubernetes cluster as immutable, just like you do with applications. • Multiple ways to accomplish policy • Build all your own logic and utilize dynamic admission control • Utilize Open Policy Agent to simplify deployment and logic for rule sets.
Example Policies • https://github.com/open-policy-agent/contrib

Empfohlen

Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
Cloud Monitoring with Prometheus
Cloud Monitoring with PrometheusCloud Monitoring with Prometheus
Cloud Monitoring with Prometheus
QAware GmbH
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
VMware Tanzu
 
Kubecon 2023 EU - KServe - The State and Future of Cloud-Native Model Serving
Kubecon 2023 EU - KServe - The State and Future of Cloud-Native Model ServingKubecon 2023 EU - KServe - The State and Future of Cloud-Native Model Serving
Kubecon 2023 EU - KServe - The State and Future of Cloud-Native Model Serving
Theofilos Papapanagiotou
 
Opentracing jaeger
Opentracing jaegerOpentracing jaeger
Opentracing jaeger
Oracle Korea
 
Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...
Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...
Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...
HostedbyConfluent
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
Torin Sandall
 
Apache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel QuarkusApache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel Quarkus
Claus Ibsen
 

Empfohlen

Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
Cloud Monitoring with Prometheus
Cloud Monitoring with PrometheusCloud Monitoring with Prometheus
Cloud Monitoring with Prometheus
QAware GmbH
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
VMware Tanzu
 
Kubecon 2023 EU - KServe - The State and Future of Cloud-Native Model Serving
Kubecon 2023 EU - KServe - The State and Future of Cloud-Native Model ServingKubecon 2023 EU - KServe - The State and Future of Cloud-Native Model Serving
Kubecon 2023 EU - KServe - The State and Future of Cloud-Native Model Serving
Theofilos Papapanagiotou
 
Opentracing jaeger
Opentracing jaegerOpentracing jaeger
Opentracing jaeger
Oracle Korea
 
Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...
Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...
Apicurio Registry: Event-driven APIs & Schema governance for Apache Kafka | F...
HostedbyConfluent
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
Torin Sandall
 
Apache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel QuarkusApache Camel v3, Camel K and Camel Quarkus
Apache Camel v3, Camel K and Camel Quarkus
Claus Ibsen
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
Torin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd productsDesigning a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd products
Julian Mazzitelli
 
MySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & GrafanaMySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & Grafana
YoungHeon (Roy) Kim
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
Arvind Kumar G.S
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
Juraj Hantak
 
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Kai Wähner
 
Policy as Code: IT Governance With HashiCorp Sentinel
Policy as Code: IT Governance With HashiCorp SentinelPolicy as Code: IT Governance With HashiCorp Sentinel
Policy as Code: IT Governance With HashiCorp Sentinel
Mitchell Pronschinske
 
Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana
Dhrubaji Mandal ♛
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
Open Source Consulting
 
Karpenter
KarpenterKarpenter
Karpenter
Knoldus Inc.
 
Helm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesHelm - Application deployment management for Kubernetes
Helm - Application deployment management for Kubernetes
Alexei Ledenev
 
End to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
End to end Machine Learning using Kubeflow - Build, Train, Deploy and ManageEnd to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
End to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
Animesh Singh
 
Efficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterEfficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using Karpenter
Marko Bevc
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!
SebastienSEYMARC
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
Kasper Nissen
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes Workloads
Jim Bugwadia
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
Faculty of Technical Sciences, University of Novi Sad
 

Weitere ähnliche Inhalte

Was ist angesagt?

Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Kai Wähner
 
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
Open Source Consulting
 
End to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
End to end Machine Learning using Kubeflow - Build, Train, Deploy and ManageEnd to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
End to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
Animesh Singh
 
Efficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterEfficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using Karpenter
Marko Bevc
 

Was ist angesagt? (20)

OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd productsDesigning a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd products
 
MySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & GrafanaMySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & Grafana
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
 
Policy as Code: IT Governance With HashiCorp Sentinel
Policy as Code: IT Governance With HashiCorp SentinelPolicy as Code: IT Governance With HashiCorp Sentinel
Policy as Code: IT Governance With HashiCorp Sentinel
 
Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
 
Karpenter
KarpenterKarpenter
Karpenter
 
Helm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesHelm - Application deployment management for Kubernetes
Helm - Application deployment management for Kubernetes
 
End to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
End to end Machine Learning using Kubeflow - Build, Train, Deploy and ManageEnd to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
End to end Machine Learning using Kubeflow - Build, Train, Deploy and Manage
 
Efficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterEfficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using Karpenter
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
 

Ähnlich wie Kubernetes Security with Calico and Open Policy Agent

Continuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerContinuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and Docker
Amazon Web Services
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
Jose Manuel Ortega Candel
 
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdfImplementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
ssuserf4844f
 
Centralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container OperationsCentralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container Operations
Kublr
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
QAware GmbH
 

Ähnlich wie Kubernetes Security with Calico and Open Policy Agent (20)

Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes Workloads
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
 
Secure your K8s cluster from multi-layers
Secure your K8s cluster from multi-layersSecure your K8s cluster from multi-layers
Secure your K8s cluster from multi-layers
 
Kubernetes Internals
Kubernetes InternalsKubernetes Internals
Kubernetes Internals
 
Continuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerContinuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and Docker
 
Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014 Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014
 
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueCloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
 
Head in the clouds
Head in the cloudsHead in the clouds
Head in the clouds
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017
 
Kubernetes basics and hands on exercise
Kubernetes basics and hands on exerciseKubernetes basics and hands on exercise
Kubernetes basics and hands on exercise
 
2016 07 - CloudBridge Python library (XSEDE16)
2016 07 - CloudBridge Python library (XSEDE16)2016 07 - CloudBridge Python library (XSEDE16)
2016 07 - CloudBridge Python library (XSEDE16)
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
 
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdfImplementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
 
Centralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container OperationsCentralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container Operations
 
Anthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsAnthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applications
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
 
Microservices, Continuous Delivery, and Elasticsearch at Capital One
Microservices, Continuous Delivery, and Elasticsearch at Capital OneMicroservices, Continuous Delivery, and Elasticsearch at Capital One
Microservices, Continuous Delivery, and Elasticsearch at Capital One
 

Mehr von CloudOps2005

Mehr von CloudOps2005 (20)

Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
 
Human No, Machine Yes: Welcome to the CDF with Incremental Confidence
Human No, Machine Yes: Welcome to the CDF with Incremental ConfidenceHuman No, Machine Yes: Welcome to the CDF with Incremental Confidence
Human No, Machine Yes: Welcome to the CDF with Incremental Confidence
 
The Salmon Algorithm Spawning with Kubernetes
The Salmon Algorithm Spawning with KubernetesThe Salmon Algorithm Spawning with Kubernetes
The Salmon Algorithm Spawning with Kubernetes
 
Own your Destiny in the Cloud - Ian Rae - Cloud Native Day Montreal 2019
Own your Destiny in the Cloud - Ian Rae - Cloud Native Day Montreal 2019Own your Destiny in the Cloud - Ian Rae - Cloud Native Day Montreal 2019
Own your Destiny in the Cloud - Ian Rae - Cloud Native Day Montreal 2019
 
Plateformes et infrastructure infonuagique natif de ville de Montréall
Plateformes et infrastructure infonuagique natif de ville de MontréallPlateformes et infrastructure infonuagique natif de ville de Montréall
Plateformes et infrastructure infonuagique natif de ville de Montréall
 
Using Rook to Manage Kubernetes Storage with Ceph
Using Rook to Manage Kubernetes Storage with CephUsing Rook to Manage Kubernetes Storage with Ceph
Using Rook to Manage Kubernetes Storage with Ceph
 
Kafka on Kubernetes
Kafka on KubernetesKafka on Kubernetes
Kafka on Kubernetes
 
Kubernetes: Crossing the Chasm
Kubernetes: Crossing the ChasmKubernetes: Crossing the Chasm
Kubernetes: Crossing the Chasm
 
Distributed Logging with Kubernetes
Distributed Logging with KubernetesDistributed Logging with Kubernetes
Distributed Logging with Kubernetes
 
Advanced Deployment Strategies with Kubernetes and Istio
Advanced Deployment Strategies with Kubernetes and IstioAdvanced Deployment Strategies with Kubernetes and Istio
Advanced Deployment Strategies with Kubernetes and Istio
 
GitOps with ArgoCD
GitOps with ArgoCDGitOps with ArgoCD
GitOps with ArgoCD
 
Kubernetes Services are sooo Yesterday!
Kubernetes Services are sooo Yesterday!Kubernetes Services are sooo Yesterday!
Kubernetes Services are sooo Yesterday!
 
Amazon EKS: the good, the bad, and the ugly
Amazon EKS: the good, the bad, and the uglyAmazon EKS: the good, the bad, and the ugly
Amazon EKS: the good, the bad, and the ugly
 
Kubernetes, Terraform, Vault, and Consul
Kubernetes, Terraform, Vault, and ConsulKubernetes, Terraform, Vault, and Consul
Kubernetes, Terraform, Vault, and Consul
 
SIG Multicluster and the Path to Federation
SIG Multicluster and the Path to FederationSIG Multicluster and the Path to Federation
SIG Multicluster and the Path to Federation
 
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
To Russia with Love: Deploying Kubernetes in Exotic Locations On PremTo Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
 
Operator SDK for K8s using Go
Operator SDK for K8s using GoOperator SDK for K8s using Go
Operator SDK for K8s using Go
 
How to Handle your Kubernetes Upgrades
How to Handle your Kubernetes UpgradesHow to Handle your Kubernetes Upgrades
How to Handle your Kubernetes Upgrades
 
Kubernetes and Cloud Native Meetup - March, 2019
Kubernetes and Cloud Native Meetup - March, 2019Kubernetes and Cloud Native Meetup - March, 2019
Kubernetes and Cloud Native Meetup - March, 2019
 
Prometheus and Thanos
Prometheus and ThanosPrometheus and Thanos
Prometheus and Thanos
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Kubernetes Security with Calico and Open Policy Agent

  • 1.
  • 2. Network policy • All Pods are non-isolated by default • Flat network. All pods can talk to other pods • Accept traffic from anyone • Multi stage/zone project this could expose security risks • 3 tier webapp. • Front end could technically talk directly to DB tier
  • 3. Azure Kubernetes Network Policies • Provides micro-segmentation for containers – like NSGs for VMs • Label-based selection of Pods • Policy resource yaml file specifies Ingress and Egress policies • Policies defined for a label • Works in conjunction with Azure CNI • Supports Linux hosts • Supported in aks-engine • Set networkPolicy setting to azure in cluster definition file • Supported on AKS in Preview Azure Policy Manager Azure Policy Manager
  • 4. Network policy • Pod Selector • PolicyTypes • Ingress, egress Ingress • namespaceSelector • podSelector • ipBlock apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 172.17.0.0/16 except: - 172.17.1.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 5978
  • 5. Network policy • Recommend to create default policies that apply to all pods • Default deny all ingress traffic • Default deny all egress traffic. • Allow Specific Traffic (Ingress & Egress)
  • 6. Calico Global Network Policy apiVersion: projectcalico.org/v3 kind: GlobalNetworkPolicy metadata: name: allow-tcp-6379 spec: selector: role == 'database' types: - Ingress - Egress ingress: - action: Allow protocol: TCP source: selector: role == 'frontend' destination: ports: - 6379 egress: - action: Allow
  • 7. Calico Global Network Set apiVersion: projectcalico.org/v3 kind: GlobalNetworkSet metadata: name: a-name-for-the-set labels: role: external-database spec: nets: - 198.51.100.0/28 - 203.0.113.0/24
  • 8. <- Single Rule where two conditions must be met <- two conditions either/or must be met
  • 9. When to use Azure NSG vs. Kubernetes Network policy • Azure Network Security Groups • Use it to filter North-South traffic, that is, traffic entering and leaving your cluster subnet • Kubernetes Network Policies • Use it to filter East-West traffic, that is, traffic between pods in your cluster
  • 10. Network Policy Demo • Fruit Categorization App • Web Frontend • ML Backend for image recognition • Signal R as a managed websocket service between FE/BE • Default allow • Create a policy (deny all by default) • Open a policy to communicate between FE/BE services
  • 12.
  • 13. Dynamic Admission Control • Validating Webhook o Allows you to intercept and validate requests o Can be run in parallel, as they don’t mutate objects o Example use case: restricting resource creation • Mutating Webhook o Executes the mutation by sending requests to webhook server o Matching webhooks are called in serial o Example use case: injecting side cars o Policy Enforcement o Admission Control is policy based on Kubernetes objects. o Network Policy and PodSecurity Policy focus on data plane policy o RBAC is policy enforced on the user
  • 16. Open Policy Agent Image: openpolicyagent.org • CNCF Hosted Sandbox Project • General purpose policy engine • Can be used across the stack • Declarative policy language (Rego)
  • 17. Service refers to: • Kubernetes API • Custom API • SSH Daemon • Terraform • Authorization APi Output can be any JSON value: ”true ”request annotated” “ “annotations": { costCenter: 8000 } Input can be any JSON value: "kind": "Service", "metadata": { "annotations": { department: dev } Service OPA Policy (Rego) Data (JSON) Request Enforcement Policy Query Policy Decision Diagram rewritten from: www.openpolicyagent.org
  • 18. Example Rego Policy • Rego is a policy language and not a programing language, so don’t think about sockets, methods, binary trees, etc. • Think about two things: Logic and Data • Rego logic is all queries. A query finds values for variables that make boolean conditions true. • You write logic to search and combine JSON/YAML data from different sources. deny[{ "id": "conditional-annotation", "resource": {"kind": kind, "namespace": namespace, "name": name}, "resolution": {"patches": p, "message" : "conditional annotation"}, }] { matches[[kind, namespace, name, matched_object]] matched_object.metadata.annotations[”Mr-T"] p = [{"op": "add", "path": "/metadata/annotations/cost-center", "value": ”A-Team"}] }
  • 19. Who manages all this policy? Ice Kube Acid Burn The Governor Platform Operator Developer OPA Policy Creates And Maintains Deploys Apps Audits Platform
  • 20. Kubernetes Policy Controller • Kubernetes Policy Controller • Moving to OPA org, as a standard Kubernetes Policy Controller • Authorization module makes it possible to implement a blacklist in front of RBAC • Provides auditing features • Deployment consist of three containers: OPA, kube-mgmt., and Controller • Examples: • Whitelist / blacklist registries. • Not allow conflicting hosts for ingresses. • Label objects based on a user from a department. • Block kubectl exec <pod>
  • 21. The Good, The Bad, and Gotchas • Good • OPA approach allows you to decouple policy from your applications • General purpose, so can be used outside of Kubernetes context. • Bad • There can be a learning curve to Rego. • Can cause latency, but’s negligible for most apps. (more of a consideration) • Gotchas • Mutating objects need to be handled with care. They can cause unexpected behavior to what the end-user expects.
  • 22. Takeaways • Focus on security is a must in any Kubernetes deployment. • Help educate Security Teams on how to extend Kubernetes to integrate custom policies. • Treat the Kubernetes cluster as immutable, just like you do with applications. • Multiple ways to accomplish policy • Build all your own logic and utilize dynamic admission control • Utilize Open Policy Agent to simplify deployment and logic for rule sets.