SlideShare a Scribd company logo

Cloud Native Bern 05.2023 — Zero Trust Visibility

Raphaël PINSON
Raphaël PINSON

As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies. In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace. By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.

Technology
1 of 40
Download to read offline
Zero Trust Networking in Kubernetes Using Cilium, Hubble & Grafana Raphaël Pinson | @raphink | @raphink@mastodon.social Solutions Architect, Isovalent
Key Questions when Enterprises Adopting Network Policy ● Where to start? ● How to troubleshoot Network Policies? ● How to stay up-to-date with Network Policies while applications evolve? ● How to prevent application teams from simple allowing everything? ● How can security teams prove that default deny policies are enforced? ● How can security teams be alerted on denied connections?
There is no “Easy Road” for Adopting Network Policy ● Default Deny ○ Each service-to-service communication explicitly allowed ○ But high chance of misconfiguration ⇒ application unavailability and high adoption friction ● Better Approach: Focus on Risk Reduction ○ Define metrics for Risk Exposure ○ Focus on the most security sensitive namespaces first ○ Leverage network observability to identify which network policy patterns easily reduce risk with minimal friction.
Who am I Raphaël Pinson Solutions Architect @ Isovalent CNCF Ambassador
⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
Tutorials Getting started guides and examples. cilium.io networkpolicy.io What this talk is NOT about: Network Policy 101 Tools Learn how to create Network Policies for Kubernetes editor.cilium.io Labs isovalent.com/labs This session IS about strategies to overcome the operational & organizational challenges of adopting Network Policy in complex an enterprise environments.
⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
● Open Source Projects ● Company behind Cilium ● Provides Cilium Enterprise
Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel”
Run eBPF programs on events Attachment points ● Kernel functions (kprobes) ● Userspace functions (uprobe) ● System calls ● Tracepoints ● Sockets (data level) ● Network devices (packet level) ● Network device (DMA level) [XDP] ● ...
What is Cilium? At the foundation of Cilium is the new Linux kernel technology eBPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic within Linux itself. Besides providing traditional network level security, the flexibility of BPF enables security on API and process level to secure communication within a container or pod. Read More ● Networking & Load-Balancing ○ CNI, Kubernetes Services, Multi-cluster, VM Gateway ● Network Security ○ Network Policy, Identity-based, Encryption ● Observability ○ Metrics, Flow Visibility, Service Dependency
- Networking - Security - Observability - Service Mesh & Ingress -based: Foundation Created by Technology
⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
Application Teams & Multi-tenancy ● A Kubernetes cluster is often used by multiple teams, each managing one or more services. ● Each team has one or more namespaces to run their applications. ● Applying network policy at namespace level is a common first step in enabling multi-tenancy. Note: Not always 1-to-1 team-to-namespace. Team may be a namespace-label, or pod label within a larger namespace, but same concept applies.
Key Types of Kubernetes Network Risk Exposure
Risk Reduction Example - Wide blast radius
Risk Reduction Example - Limited blast radius
Measuring Risk: Prioritization Concrete Measurements to guide prioritization ● # of services reachable via Cluster Ingress with no matching traffic. ● # of services reachable from other namespaces with no matching traffic. ● # of services with access to External Networks or Internet with no matching connections.
The Cost of “Overfitting” ● Strong network observability tools enables you to translate each observed flow into a rule. ● However, simplified approaches to translating traffic flow to rule tend to be cumbersome and brittle. ● Why?: ○ IPs for services outside the cluster can change or are opaque. ○ App dependencies or shared services: kube-dns, external logging, vaults servers are required by all apps. Creating pair-wise rules leads to friction and bloat. ○ Communication within a single app/team. Complex and frequent change. Leads to increased number of rules which change frequently.
Best Practices - DNS Rules DNS-aware Cilium Network Policies for External Services which IPs frequently change.
Initial “Coarse-Grained” Per-Namespace Strategy Pattern to avoid “overfitting” 1. Allow all ingress/egress communication within a namespace 2. Use Hubble Observability data to identify and permit: a. Which (service + port) within the namespace are “public services”: ■ Allow from cluster-only. ■ Allow from “world” (type LB/NP) or ingress namespace. b. Egress Access to: ■ Other services in the cluster (optional, limit ports). ■ Other services in the external private network (optional, limit ports). ■ Other services on the Internet (optional, limit ports). 3. Coarse-grained nature of policies ⇒ policies need only change rarely
Key Pattern: Baseline vs. Per-Namespace Policies ● Default deny ingress/egress. ● Allow all ingress/egress within namespace. ● Egress to “public services” ○ cluster-wide shared services (e.g. kube-dns, prometheus). ○ external shared CIDR/DNS (logging, monitoring, vault, etc.) ● Often implemented by CiliumClusterWideNetworkPolicies Global Baseline Policies ● Per-service ingress (limited by port): ○ Exposed within cluster via ClusterIP service. ○ Exposed externally via ingress or Load-Balancer/NodePort. ● Namespace-specific egress: ○ No access. ○ Egress to specific CIDR/DNS + port ○ Unrestricted access on specific ports (fallback). Per-Namespace Policies
Example Baseline + Coarse-grained Per Namespace Policies
Transitioning from “Coarse” to “Fine-Grained” Policies ● Prioritize namespaces based on: ○ Most security-sensitive applications ○ Measurement of exposure vs. used connectivity ● Transition for egress outside the cluster: ○ Access to all private network -> Access to specific FQDNs or smaller CIDRs (with port) ○ Access to Internet -> Access to specific FQDNs or small CIDRs (with port) ● Transitions within the cluster: ○ Shift rules that allow all to/from cluster to allowing to/from specific namespaces or services.
Example Baseline + Fine-grained Per Namespace Policies
⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
Hubble Overview
Cilium + Hubble ❤ Grafana
Using Hubble Observability Data to Build Policies
Hubble Network Policy Editor
Cilium Policy Verdicts in Grafana
Using Hubble Observability Data for Security Compliance
Observability-Driven Zero Trust Approach Day 1: ● identify commonly shared services to include in baseline policy. ● identify “low-hanging fruit” namespaces easily locked down at ingress/egress (no per-namespace exceptions required). ● identify the set of “exceptions” required for a given per-namespace policy Day 2: ● Flow data can be sourced from dev/staging clusters as well as production to identify the network policy changes required to ship a new app version. ● Historical flow data can be analyzed to predict impact of new more stringent baseline or per-namespace policies. ● Historical flow data combined with enforced policies can be used to detect overly broad rules. For example, “egress allow 0.0.0.0/0 port 443” when a rule to a few specific DNS names would suffice.
eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @raphink@mastodon.social
Practical Labs … to become a Cilium & eBPF Jedi 🌐 isovalent.com/labs Get badges 🏅 @raphink | @raphink@mastodon.social
Zero Trust Visibility Using Cilium, Hubble & Grafana for namespace security 🌐 https://isogo.to/zero-trust-lab @raphink | @raphink@mastodon.social
Workshops @raphink | @raphink@mastodon.social Zurich — 1st June Basel — 7th June Geneva — 14th September 🌐 isovalent.com/workshop-tour
Thank you!

Recommended

Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionEric Gustafson
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Edureka!
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
Cloud Native: what is it? Why?
Cloud Native: what is it? Why?Cloud Native: what is it? Why?
Cloud Native: what is it? Why?Juan Pablo Genovese
 
Cloud Native In-Depth
Cloud Native In-DepthCloud Native In-Depth
Cloud Native In-DepthSiva Rama Krishna Chunduru
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on KubernetesOpsta
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes BasicsEueung Mulyana
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
 

Recommended

Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionEric Gustafson
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Edureka!
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
Cloud Native: what is it? Why?
Cloud Native: what is it? Why?Cloud Native: what is it? Why?
Cloud Native: what is it? Why?Juan Pablo Genovese
 
Cloud Native In-Depth
Cloud Native In-DepthCloud Native In-Depth
Cloud Native In-DepthSiva Rama Krishna Chunduru
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on KubernetesOpsta
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes BasicsEueung Mulyana
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftDevOps.com
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overviewGabriel Carro
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes waysparkfabrik
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCDOmar Fathy
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxTurja Narayan Chaudhuri
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsWeaveworks
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service MeshAll Things Open
 
Why to Cloud Native
Why to Cloud NativeWhy to Cloud Native
Why to Cloud NativeKarthik Gaekwad
 
Meetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsMeetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsVietnam Open Infrastructure User Group
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Weaveworks
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOpsNicola Baldi
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSEnd-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSBhuvaneswari Subramani
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsOpsta
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideBytemark
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with KubernetesEastBanc Tachnologies
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Animesh Singh
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
Explore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFExplore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFRaphaël PINSON
 

More Related Content

What's hot

Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftDevOps.com
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overviewGabriel Carro
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes waysparkfabrik
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCDOmar Fathy
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxTurja Narayan Chaudhuri
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsWeaveworks
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service MeshAll Things Open
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Weaveworks
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOpsNicola Baldi
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSEnd-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSBhuvaneswari Subramani
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsOpsta
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideBytemark
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Animesh Singh
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 

What's hot (20)

Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCD
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service Mesh
 
Why to Cloud Native
Why to Cloud NativeWhy to Cloud Native
Why to Cloud Native
 
Meetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsMeetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOps
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOps
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
 
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSEnd-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOps
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory Guide
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
 
Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!Microservices, Kubernetes and Istio - A Great Fit!
Microservices, Kubernetes and Istio - A Great Fit!
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 

Similar to Cloud Native Bern 05.2023 — Zero Trust Visibility

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
Explore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFExplore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFRaphaël PINSON
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
 
Neutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsNeutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsDaniel Krook
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesPLUMgrid
 
Security and Transport Performance in 5G
Security and Transport Performance in 5GSecurity and Transport Performance in 5G
Security and Transport Performance in 5GDirk Kutscher
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...Amazon Web Services
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016ICT PRISTINE
 
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentA Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentAlgoSec
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingDebra Jennings
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingZivaro Inc
 
Delivering Network Innovation with SDN - Tom Nadeau
Delivering Network Innovation with SDN - Tom Nadeau Delivering Network Innovation with SDN - Tom Nadeau
Delivering Network Innovation with SDN - Tom Nadeau scoopnewsgroup
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterICT PRISTINE
 
PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...
PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...
PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...APNIC
 
Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!QAware GmbH
 
WWTC Office Layout Diagram.htmlBackground Information for Wo.docx
WWTC Office Layout Diagram.htmlBackground Information for Wo.docxWWTC Office Layout Diagram.htmlBackground Information for Wo.docx
WWTC Office Layout Diagram.htmlBackground Information for Wo.docxericbrooks84875
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingStorage Switzerland
 
Openstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsSanjeev Rampal
 
M1-C17-Armando una red.pptx
M1-C17-Armando una red.pptxM1-C17-Armando una red.pptx
M1-C17-Armando una red.pptxAngel Garcia
 

Similar to Cloud Native Bern 05.2023 — Zero Trust Visibility (20)

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
 
Explore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFExplore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPF
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
 
Neutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsNeutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and Chains
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use Cases
 
Security and Transport Performance in 5G
Security and Transport Performance in 5GSecurity and Transport Performance in 5G
Security and Transport Performance in 5G
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
 
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentA Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined Networking
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined Networking
 
Delivering Network Innovation with SDN - Tom Nadeau
Delivering Network Innovation with SDN - Tom Nadeau Delivering Network Innovation with SDN - Tom Nadeau
Delivering Network Innovation with SDN - Tom Nadeau
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peter
 
PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...
PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...
PhNOG Regional Conference 2018: Strengthening Internet infrastructure in the ...
 
Rina advantages for large scale decentralized applications
Rina advantages for large scale decentralized applicationsRina advantages for large scale decentralized applications
Rina advantages for large scale decentralized applications
 
Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!
 
WWTC Office Layout Diagram.htmlBackground Information for Wo.docx
WWTC Office Layout Diagram.htmlBackground Information for Wo.docxWWTC Office Layout Diagram.htmlBackground Information for Wo.docx
WWTC Office Layout Diagram.htmlBackground Information for Wo.docx
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open Networking
 
Openstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMs
 
M1-C17-Armando una red.pptx
M1-C17-Armando una red.pptxM1-C17-Armando una red.pptx
M1-C17-Armando una red.pptx
 

More from Raphaël PINSON

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Raphaël PINSON
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfRaphaël PINSON
 
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...Raphaël PINSON
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRaphaël PINSON
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersCfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersRaphaël PINSON
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdfRaphaël PINSON
 
The Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological DebtThe Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological DebtRaphaël PINSON
 
YAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigmYAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigmRaphaël PINSON
 
Container Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuildsContainer Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuildsRaphaël PINSON
 
K9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In StyleK9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In StyleRaphaël PINSON
 
Bivac - Container Volumes Backup
Bivac - Container Volumes BackupBivac - Container Volumes Backup
Bivac - Container Volumes BackupRaphaël PINSON
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates RenewalRaphaël PINSON
 
Running the Puppet Stack in Containers
Running the Puppet Stack in ContainersRunning the Puppet Stack in Containers
Running the Puppet Stack in ContainersRaphaël PINSON
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates RenewalRaphaël PINSON
 
Narcissus — mapping configs in Go
Narcissus — mapping configs in GoNarcissus — mapping configs in Go
Narcissus — mapping configs in GoRaphaël PINSON
 
FTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigmFTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigmRaphaël PINSON
 

More from Raphaël PINSON (20)

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
 
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamique
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersCfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF Superpowers
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPF
 
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
 
SKS in git ops mode
SKS in git ops modeSKS in git ops mode
SKS in git ops mode
 
The Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological DebtThe Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological Debt
 
Devops stack
Devops stackDevops stack
Devops stack
 
YAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigmYAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigm
 
Container Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuildsContainer Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuilds
 
K9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In StyleK9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In Style
 
Argocd up and running
Argocd up and runningArgocd up and running
Argocd up and running
 
Bivac - Container Volumes Backup
Bivac - Container Volumes BackupBivac - Container Volumes Backup
Bivac - Container Volumes Backup
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates Renewal
 
Running the Puppet Stack in Containers
Running the Puppet Stack in ContainersRunning the Puppet Stack in Containers
Running the Puppet Stack in Containers
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates Renewal
 
Narcissus — mapping configs in Go
Narcissus — mapping configs in GoNarcissus — mapping configs in Go
Narcissus — mapping configs in Go
 
FTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigmFTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigm
 

Recently uploaded

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Cloud Native Bern 05.2023 — Zero Trust Visibility

  • 1. Zero Trust Networking in Kubernetes Using Cilium, Hubble & Grafana Raphaël Pinson | @raphink | @raphink@mastodon.social Solutions Architect, Isovalent
  • 2. Key Questions when Enterprises Adopting Network Policy ● Where to start? ● How to troubleshoot Network Policies? ● How to stay up-to-date with Network Policies while applications evolve? ● How to prevent application teams from simple allowing everything? ● How can security teams prove that default deny policies are enforced? ● How can security teams be alerted on denied connections?
  • 3. There is no “Easy Road” for Adopting Network Policy ● Default Deny ○ Each service-to-service communication explicitly allowed ○ But high chance of misconfiguration ⇒ application unavailability and high adoption friction ● Better Approach: Focus on Risk Reduction ○ Define metrics for Risk Exposure ○ Focus on the most security sensitive namespaces first ○ Leverage network observability to identify which network policy patterns easily reduce risk with minimal friction.
  • 4. Who am I Raphaël Pinson Solutions Architect @ Isovalent CNCF Ambassador
  • 5. ⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
  • 6. Tutorials Getting started guides and examples. cilium.io networkpolicy.io What this talk is NOT about: Network Policy 101 Tools Learn how to create Network Policies for Kubernetes editor.cilium.io Labs isovalent.com/labs This session IS about strategies to overcome the operational & organizational challenges of adopting Network Policy in complex an enterprise environments.
  • 7. ⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
  • 8. ● Open Source Projects ● Company behind Cilium ● Provides Cilium Enterprise
  • 9.
  • 10. Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel”
  • 11. Run eBPF programs on events Attachment points ● Kernel functions (kprobes) ● Userspace functions (uprobe) ● System calls ● Tracepoints ● Sockets (data level) ● Network devices (packet level) ● Network device (DMA level) [XDP] ● ...
  • 12. What is Cilium? At the foundation of Cilium is the new Linux kernel technology eBPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic within Linux itself. Besides providing traditional network level security, the flexibility of BPF enables security on API and process level to secure communication within a container or pod. Read More ● Networking & Load-Balancing ○ CNI, Kubernetes Services, Multi-cluster, VM Gateway ● Network Security ○ Network Policy, Identity-based, Encryption ● Observability ○ Metrics, Flow Visibility, Service Dependency
  • 13.
  • 14. - Networking - Security - Observability - Service Mesh & Ingress -based: Foundation Created by Technology
  • 15. ⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
  • 16. Application Teams & Multi-tenancy ● A Kubernetes cluster is often used by multiple teams, each managing one or more services. ● Each team has one or more namespaces to run their applications. ● Applying network policy at namespace level is a common first step in enabling multi-tenancy. Note: Not always 1-to-1 team-to-namespace. Team may be a namespace-label, or pod label within a larger namespace, but same concept applies.
  • 17. Key Types of Kubernetes Network Risk Exposure
  • 18. Risk Reduction Example - Wide blast radius
  • 19. Risk Reduction Example - Limited blast radius
  • 20. Measuring Risk: Prioritization Concrete Measurements to guide prioritization ● # of services reachable via Cluster Ingress with no matching traffic. ● # of services reachable from other namespaces with no matching traffic. ● # of services with access to External Networks or Internet with no matching connections.
  • 21. The Cost of “Overfitting” ● Strong network observability tools enables you to translate each observed flow into a rule. ● However, simplified approaches to translating traffic flow to rule tend to be cumbersome and brittle. ● Why?: ○ IPs for services outside the cluster can change or are opaque. ○ App dependencies or shared services: kube-dns, external logging, vaults servers are required by all apps. Creating pair-wise rules leads to friction and bloat. ○ Communication within a single app/team. Complex and frequent change. Leads to increased number of rules which change frequently.
  • 22. Best Practices - DNS Rules DNS-aware Cilium Network Policies for External Services which IPs frequently change.
  • 23. Initial “Coarse-Grained” Per-Namespace Strategy Pattern to avoid “overfitting” 1. Allow all ingress/egress communication within a namespace 2. Use Hubble Observability data to identify and permit: a. Which (service + port) within the namespace are “public services”: ■ Allow from cluster-only. ■ Allow from “world” (type LB/NP) or ingress namespace. b. Egress Access to: ■ Other services in the cluster (optional, limit ports). ■ Other services in the external private network (optional, limit ports). ■ Other services on the Internet (optional, limit ports). 3. Coarse-grained nature of policies ⇒ policies need only change rarely
  • 24. Key Pattern: Baseline vs. Per-Namespace Policies ● Default deny ingress/egress. ● Allow all ingress/egress within namespace. ● Egress to “public services” ○ cluster-wide shared services (e.g. kube-dns, prometheus). ○ external shared CIDR/DNS (logging, monitoring, vault, etc.) ● Often implemented by CiliumClusterWideNetworkPolicies Global Baseline Policies ● Per-service ingress (limited by port): ○ Exposed within cluster via ClusterIP service. ○ Exposed externally via ingress or Load-Balancer/NodePort. ● Namespace-specific egress: ○ No access. ○ Egress to specific CIDR/DNS + port ○ Unrestricted access on specific ports (fallback). Per-Namespace Policies
  • 25. Example Baseline + Coarse-grained Per Namespace Policies
  • 26. Transitioning from “Coarse” to “Fine-Grained” Policies ● Prioritize namespaces based on: ○ Most security-sensitive applications ○ Measurement of exposure vs. used connectivity ● Transition for egress outside the cluster: ○ Access to all private network -> Access to specific FQDNs or smaller CIDRs (with port) ○ Access to Internet -> Access to specific FQDNs or small CIDRs (with port) ● Transitions within the cluster: ○ Shift rules that allow all to/from cluster to allowing to/from specific namespaces or services.
  • 27. Example Baseline + Fine-grained Per Namespace Policies
  • 28. ⬢ Cilium & eBPF ⬢ Network Policies Strategies ⬢ Network Policies Observability Zero Trust Networking Using Cilium, Hubble & Grafana
  • 30. Cilium + Hubble ❤ Grafana
  • 31. Using Hubble Observability Data to Build Policies
  • 34. Using Hubble Observability Data for Security Compliance
  • 35. Observability-Driven Zero Trust Approach Day 1: ● identify commonly shared services to include in baseline policy. ● identify “low-hanging fruit” namespaces easily locked down at ingress/egress (no per-namespace exceptions required). ● identify the set of “exceptions” required for a given per-namespace policy Day 2: ● Flow data can be sourced from dev/staging clusters as well as production to identify the network policy changes required to ship a new app version. ● Historical flow data can be analyzed to predict impact of new more stringent baseline or per-namespace policies. ● Historical flow data combined with enforced policies can be used to detect overly broad rules. For example, “egress allow 0.0.0.0/0 port 443” when a rule to a few specific DNS names would suffice.
  • 36. eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @raphink@mastodon.social
  • 37. Practical Labs … to become a Cilium & eBPF Jedi 🌐 isovalent.com/labs Get badges 🏅 @raphink | @raphink@mastodon.social
  • 38. Zero Trust Visibility Using Cilium, Hubble & Grafana for namespace security 🌐 https://isogo.to/zero-trust-lab @raphink | @raphink@mastodon.social
  • 39. Workshops @raphink | @raphink@mastodon.social Zurich — 1st June Basel — 7th June Geneva — 14th September 🌐 isovalent.com/workshop-tour