
Kubelet to Istio: Kubernetes Network Security Demystified (FOSDEM SPEED RUN)

@sublimino and @controlplaneio

I'm:
- Andy
- Dev-like
- Sec-ish
- Ops-y

What is Network Security?

Why do we need Network


  1. X.509 Example Decoded Cert

     Certificate:
         Data:
             Version: 3 (0x2)
             Serial Number:
                 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
             Validity
                 Not Before: Nov 21 08:00:00 2016 GMT
                 Not After : Nov 22 07:59:59 2017 GMT
             Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org
             Subject Public Key Info:
                 Public Key Algorithm: id-ecPublicKey
                     Public-Key: (256 bit)
                     pub:
                         04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:
                         af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:
                         ed:b2:ac:2a:1b:4a:ec:80:7b:e7:1a:51:e0:df:f7:
                         c7:4a:20:7b:91:4b:20:07:21:ce:cf:68:65:8c:c6:
                         9d:3b:ef:d5:c1
                     ASN1 OID: prime256v1
                     NIST CURVE: P-256
             X509v3 extensions:
                 X509v3 Key Usage: critical
                     Digital Signature, Key Agreement
                 Authority Information Access:
                     CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
                     OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2
                 X509v3 Certificate Policies:
                     Policy: 1.3.6.1.4.1.4146.1.20
                       CPS: https://www.globalsign.com/repository/
                     Policy: 2.23.140.1.2.2
                 X509v3 Basic Constraints:
                     CA:FALSE
                 X509v3 CRL Distribution Points:
                     Full Name:
                       URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl
                 X509v3 Subject Alternative Name:
                     DNS:*.wikipedia.org, DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, ...
                 X509v3 Extended Key Usage:
                     TLS Web Server Authentication, TLS Web Client Authentication
                 X509v3 Subject Key Identifier:
                     28:2A:26:2A:57:8B:3B:CE:B4:D6:AB:54:EF:D7:38:21:2C:49:5C:36
                 X509v3 Authority Key Identifier:
                     keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C
         Signature Algorithm: sha256WithRSAEncryption
              8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35:
              ...

     https://tools.ietf.org/html/rfc5280#page-35

  2. Self Signed Certs aka Signing Your Own Homework

  3. One-Way (Traditional) TLS Handshake

  4. Mutual TLS Handshake (mTLS)

  5. Private & Trusted Communications

  6. Securing API Server Traffic

  7. Don't we trust our networks and firewalls?

  8. BeyondCorp

  9. Zero Trust Networking

  10. Zero Trust API Server?

  11. Kubernetes architecture diagram (by Lucas Käldström)
      Master: etcd (key-value DB, SSOT); API Server (REST API); Controller Manager (controller loops); Scheduler (binds Pod to Node); User talks to the API Server.
      Nodes 1, 2, 3: Networking (CNI), Kubelet, Container Runtime (CRI, OCI), OS.
      Legend: Protobuf, gRPC, JSON.

  12. What could possibly go wrong?

  13. Kubernetes Component Intercommunication

  14. What could possibly go wrong?

  15. Kubernetes Component Intercommunication

  16. What could possibly go wrong?

  17. Kubernetes Component Intercommunication

  18. Continuous (Kubernetes) Security Slides / @sublimino

  19. Application Layer

  20. Containers and Traditional Network Security?

  21. https://medium.com/google-cloud/understanding-kubernetes-networking-services-f0cb48e4cc82

  22. Kubernetes NetworkPolicy: default deny

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: default-deny
      spec:
        podSelector: {}

      https://github.com/ahmetb/kubernetes-network-policy-recipes

  23. Kubernetes NetworkPolicy: default deny

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: default-deny
      spec:
        podSelector:   # illegal syntax, but represents what it actually does (effectively a wildcard)
          - "*"

      https://github.com/ahmetb/kubernetes-network-policy-recipes

  24. Kubernetes NetworkPolicy

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: foo-deny-external-egress
      spec:
        podSelector:
          matchLabels:
            app: foo
        policyTypes:
        - Egress
        egress:
        - ports:
          - port: 53
            protocol: UDP
          - port: 53
            protocol: TCP
        - to:
          - namespaceSelector: {}

      https://github.com/ahmetb/kubernetes-network-policy-recipes

  25. Kubernetes NetworkPolicy - NO DNS NAMES
      https://github.com/kubernetes/kubernetes/issues/56901

  26. Kubernetes NetworkPolicy - ILLEGAL!

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: foo-deny-external-egress
      spec:
        podSelector:
          dnsName: control-plane.io   # ILLEGAL! NOT ALLOWED!
        policyTypes:
        - Egress
        egress:
        - ports:
          - port: 53
            protocol: UDP
          - port: 53
            protocol: TCP
        - to:
          - namespaceSelector: {}

      https://github.com/ahmetb/kubernetes-network-policy-recipes
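An added example, not from the talk or the recipes repo: the default-deny and foo-deny-external-egress policies above as Python dicts, with small functions reproducing the semantics the slides rely on (an empty podSelector selects every pod, policyTypes defaults, egress rules are additive). Destinations are simplified to "an in-cluster pod" versus "external", which is the distinction namespaceSelector: {} makes; that simplification is this example's own assumption.

```python
# Added example, not from the talk: evaluate the slides' two NetworkPolicies
# (embedded as constructed dicts) against a pod's labels and an egress flow.
DEFAULT_DENY = {"metadata": {"name": "default-deny"},
                "spec": {"podSelector": {}}}  # {} selects every pod in the namespace
FOO_DENY_EXTERNAL_EGRESS = {
    "metadata": {"name": "foo-deny-external-egress"},
    "spec": {"podSelector": {"matchLabels": {"app": "foo"}},
             "policyTypes": ["Egress"],
             "egress": [{"ports": [{"port": 53, "protocol": "UDP"},
                                   {"port": 53, "protocol": "TCP"}]},
                        {"to": [{"namespaceSelector": {}}]}]}}  # any pod, any namespace
POLICIES = [DEFAULT_DENY, FOO_DENY_EXTERNAL_EGRESS]

def selects(selector, labels):
    """Empty selector matches every pod; else all matchLabels pairs must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def isolation(policies, labels):
    """Per direction, the names of the policies isolating a pod with these labels."""
    out = {"Ingress": [], "Egress": []}
    for pol in policies:
        if selects(pol["spec"]["podSelector"], labels):
            for direction in policy_types(pol["spec"]):
                out[direction].append(pol["metadata"]["name"])
    return out

def egress_allowed(policies, labels, port, protocol, to_cluster_pod):
    """Additive: allowed if any selecting Egress policy has a rule whose ports (absent = any)
    and to (absent = any destination; namespaceSelector {} = any in-cluster pod) both match.
    A pod no Egress policy selects is not isolated, so everything is allowed."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if not selects(spec["podSelector"], labels) or "Egress" not in policy_types(spec):
            continue
        isolated = True
        for rule in spec.get("egress", []):
            ports_ok = "ports" not in rule or any(
                p["port"] == port and p.get("protocol", "TCP") == protocol for p in rule["ports"])
            if ports_ok and ("to" not in rule or to_cluster_pod):
                return True
    return not isolated
```

Running it shows why slide 24 needs the port-53 rule: with default-deny alone a pod labelled app=foo keeps full egress, and once foo-deny-external-egress selects it only DNS leaves the cluster.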

  27. netassert - cloud native network testing
      ● netassert - network security testing for DevSecOps workflows
        https://github.com/controlplaneio/netassert

      host:
        localhost:
          bitbucket.com:
            - 22
          control-plane.io:
          github.com:
            - 22

  28. netassert - cloud native network testing

      k8s: # used for Kubernetes pods
        deployment: # only deployments currently supported
          test-frontend: # pod name, defaults to `default` namespace
            test-microservice: 80 # `test-microservice` is the DNS name of the target service
            test-database: -80 # should not be able to access port 80 of `test-database`
          new-namespace:test-microservice: # `new-namespace` is the namespace name
            test-database.new-namespace: 80 # longer DNS names can be used for other namespaces
            test-frontend.default: 80
          default:test-database:
            test-frontend.default.svc.cluster.local: 80 # full DNS names can be used
            test-microservice.default.svc.cluster.local: -80
            control-plane.io: 443 # we can check remote services too

      https://github.com/controlplaneio/netassert


  30. Cloud Native Dynamic Firewalls
      ● Network Policy recipes - https://github.com/ahmetb/kubernetes-network-policy-recipes
      ● WeaveNet Network Policy - https://kubernetes.io/docs/tasks/administer-cluster/weave-network-policy/
      ● NeuVector Container Firewall - https://neuvector.com/products/
      ● Tesla Compromise mitigation - https://www.tigera.io/tesla-compromise-network-policy/

  31. Applications: CNI and Network Policy

  32. Applications: CNI and Network Policy - Choosing a CNI Provider

  33. Bootstrapping identity with SPIFFE

  34. Attestation Example: Kubernetes /proc/[pid]/cgroup

  35. SPIFFE Workload API
      Workload: "Who am I?"
      SPIFFE Workload API: "You are spiffe://acme.com/fe. And here is your short-lived key to prove it to others."

  36. SPIFFE ID: spiffe://acme.com/billing/payments
      Trust Domain: acme.com
      Workload Identifier: /billing/payments

  37. SPIFFE Verifiable Identity Document (SVID) for spiffe://acme.com/billing/payments
      ● Typically short-lived
      ● Today only one form of SVID (X509-SVID). Other document types under consideration (including JWT-SVID)

  38. X.509 RFC Format

      Certificate ::= SEQUENCE {
          tbsCertificate       TBSCertificate,
          signatureAlgorithm   AlgorithmIdentifier,
          signatureValue       BIT STRING }

      TBSCertificate ::= SEQUENCE {
          version         [0]  EXPLICIT Version DEFAULT v1,
          serialNumber         CertificateSerialNumber,
          signature            AlgorithmIdentifier,
          issuer               Name,
          validity             Validity,
          subject              Name,
          subjectPublicKeyInfo SubjectPublicKeyInfo,
          issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                               -- If present, version MUST be v2 or v3
          subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                               -- If present, version MUST be v2 or v3
          extensions      [3]  EXPLICIT Extensions OPTIONAL
                               -- If present, version MUST be v3
          }

      Version ::= INTEGER { v1(0), v2(1), v3(2) }

      CertificateSerialNumber ::= INTEGER

      Validity ::= SEQUENCE {
          notBefore      Time,
          notAfter       Time }

      Time ::= CHOICE {
          utcTime        UTCTime,
          generalTime    GeneralizedTime }

      UniqueIdentifier ::= BIT STRING

      SubjectPublicKeyInfo ::= SEQUENCE {
          algorithm            AlgorithmIdentifier,
          subjectPublicKey     BIT STRING }

      Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

      Extension ::= SEQUENCE {
          extnID      OBJECT IDENTIFIER,
          critical    BOOLEAN DEFAULT FALSE,
          extnValue   OCTET STRING
                      -- contains the DER encoding of an ASN.1 value
                      -- corresponding to the extension type identified
                      -- by extnID
          }

      https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#appendix-a-x509-field-reference

  39. Certificate Path Validation: Leaf Certificate -> Intermediate Certificate -> Certificate Authority

  40. SPIFFE Runtime Environment
      SPIRE Server registration for spiffe://acme.com/billing/payments:
      selector: aws:sg:sg-edcd9784
      selector: k8s:ns:payments
      selector: k8s:sa:pay-svc
      selector: docker:image-id:442ca9
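An added example, not SPIRE's own code, tying slides 34 and 40 together: a workload is attested from its /proc/[pid]/cgroup entry, the result becomes k8s:* and docker:* selectors, and a SPIFFE ID is issued only for registration entries whose selectors are all present. The cgroup line, the pod record the attestor would otherwise fetch from the kubelet, and the registration entries are constructed for this example; the kubepods cgroup v1 path layout and the subset-match rule are what SPIRE's attestors and server use.

```python
import re
from urllib.parse import urlsplit

# Added example, not SPIRE's code: attestation from /proc/[pid]/cgroup, then selector
# matching against registration entries; cgroup line, pod record and entries are constructed.
SAMPLE_CGROUP = ("11:memory:/kubepods/burstable/pod2c48913c-b29f-11e7-9350-020968147796/"
                 "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961\n")
# cgroup v1 layout written by kubelet: /kubepods/<qos class>/pod<pod UID>/<container ID>
CGROUP_RE = re.compile(r"/kubepods/(?:[^/]+/)?pod(?P<pod_uid>[0-9a-f-]{36})/(?P<cid>[0-9a-f]{64})")
# Stand-in for what the attestor would fetch from the kubelet about that pod UID.
PODS_BY_UID = {"2c48913c-b29f-11e7-9350-020968147796":
               {"ns": "payments", "sa": "pay-svc", "image-id": "442ca9"}}

def attest_workload(cgroup_text):
    """Map a caller's cgroup file to k8s:*/docker:* selectors; None if not a kubelet pod."""
    for line in cgroup_text.splitlines():
        m = CGROUP_RE.search(line)
        if m and m.group("pod_uid") in PODS_BY_UID:
            pod = PODS_BY_UID[m.group("pod_uid")]
            return {"k8s:ns:" + pod["ns"], "k8s:sa:" + pod["sa"],
                    "docker:image-id:" + pod["image-id"]}
    return None

# Registration entries: an entry matches only when ALL of its selectors were attested.
ENTRIES = [
    ("spiffe://acme.com/billing/payments",
     {"k8s:ns:payments", "k8s:sa:pay-svc", "docker:image-id:442ca9"}),
    ("spiffe://acme.com/billing/any", {"k8s:ns:payments"}),
    ("spiffe://acme.com/fe", {"k8s:ns:frontend", "k8s:sa:fe-svc"}),
]

def matching_ids(attested, entries=ENTRIES):
    """SPIFFE IDs whose entry selectors are a subset of the attested selectors."""
    if not attested:
        return []
    return sorted(sid for sid, sels in entries if sels <= attested)

def split_spiffe_id(spiffe_id):
    """'spiffe://acme.com/billing/payments' -> ('acme.com', '/billing/payments')."""
    u = urlsplit(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc or u.username or u.query or u.fragment:
        raise ValueError("not a valid SPIFFE ID: " + spiffe_id)
    return u.netloc, u.path
```

Note that the broad entry (namespace only) also matches the payments pod: the more selectors an entry carries, the narrower the set of workloads that can obtain that identity.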

  41. SPIRE architecture diagram
      Goals: simplify deployment of identity for proxy services; secure introduction to other services; distributed systems (mTLS, JWTs, gRPC).
      Flow: Workload -> Workload API -> SPIRE Core, backed by Workload Attestor plug-ins and Node Attestor plug-ins.
      Platforms shown: Linux, OS X, Windows, Kubernetes, Mesosphere, Azure, GCP, AWS, HSM providers, YubiKey, Join Token, Kerberos.

  42. What SPIFFE is not
      ● Authorization (however it provides identities upon which authorization schemes can be deployed)
      ● Transport level security (however SVIDs can be used to facilitate things like TLS or JWT signing)

  43. Using SPIFFE in TLS Certificates
      https://www.slideshare.net/MattBaldwin3/istio-cloud-native-online-series-intro-to-istio-security

  44. Istio and SPIFFE
      https://www.slideshare.net/MattBaldwin3/istio-cloud-native-online-series-intro-to-istio-security

  45. Recap

  46. End to End Encryption
      ● TLS on API Server Components
      ● SPIFFE to identify application workloads
      ● Istio CA to issue TLS certificates to application workloads
      ● Envoy to proxy application's HTTPS traffic across the Istio service mesh

  47. Takeaway: Encrypt Everything Everywhere
      ● Encrypt

  48. Takeaway: Encrypt Everything Everywhere
      ● Encrypt
      ● Encrypt Everything
