BPF (Berkeley Packet Filter) is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security and tracing. At the same time, the rise of container-based orchestration platforms such as Kubernetes is creating demand for routing, load-balancing & security infrastructure that is highly scalable, application-aware, and resilient.
This talk introduces the open source project Cilium - a modern networking and security platform for microservices. Cilium is built on top of BPF and provides Linux native networking and security services with application protocol awareness. Cilium works hand in hand with application proxies such as Envoy and the services management orchestration layer Istio to provide infrastructure services in a transparent manner and with minimal overhead. This talk will discuss the challenges of exposing services via APIs and the solution that Cilium provides to enforce least privilege security.
5. Network Security
has barely evolved
$ iptables -A INPUT -p tcp
-s 15.15.15.3 --dport 80
-m conntrack --ctstate NEW
-j ACCEPT
The world still runs on iptables
matching IPs and ports:
8. Gordon wants to build a service
to tweet out all job offerings.
We’re Hiring!
Tweet
Service
9. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/{id}
Jobs API
Service
Tweet
Service
The Jobs API service has all the
data Gordon needs.
10. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
GET /jobs/{id}
Jobs API
Service
Tweet
Service
Gordon uses the GET /jobs/ API call
11. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
GET /jobs/{id}
TLS Jobs API
Service
Tweet
Service
Developer etiquette.
Super simple stuff.
Gordon uses mutual TLS Auth
Good thinking Gordon
12. L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
The security team has L3/L4 network security
in place for all services
GET /jobs/{id}
Jobs API
Service
Tweet
Service
TLS
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT
13. Gordon could
POST /jobs or GET /applicants
(mistakenly or haphazardly).
POTUS job available!
Tweet
Service
14. Jobs API
Service
L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
exposed
exposed
exposed
GET /jobs/331
Large parts of the API are still
exposed unnecessarily
Tweet
Service
GET /jobs/{id}
TLS
iptables -s 10.1.1.1
-p tcp --dport 80
-j ACCEPT
16. GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
Back to the drawing board…
GET /jobs/{id}
TLS Jobs API
Service
Tweet
Service
17. L3/L4
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
API
GET /jobs/331
Least privilege security for microservices
GET /jobs/{id}
FROM “TurtleTweets”
ALLOW “GET /jobs/”
TLS Jobs API
Service
Tweet
Service