network policy controller in weave net
play

Network Policy Controller in Weave Net Blocking unwanted network - PowerPoint PPT Presentation

Mar 15, 2024 •455 likes •675 views

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham Who knows... Kubernetes Docker Linux iptables Ancient wisdom For survival, your group needs: Leadership

  1. Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham

  2. Who knows... • Kubernetes • Docker • Linux • iptables

  3. Ancient wisdom For survival, your group needs: ● Leadership ● Hunting skills ● Medical skills ● Someone who knows iptables

  4. What I am going to talk about Weave Network Policy Controller Blocking unwanted network traffic in Kubernetes

  5. Threat Model

  6. Traditional defence

  7. Problem

  8. Solution

  9. Now make it dynamic

  10. Example Presentation Tier Middle Tier Data Tier

  11. Kubernetes NetworkPolicy kind: NetworkPolicy :80 metadata: Presentation Tier name: presentation-policy spec: podSelector: Middle Tier tier: presentation ingress: Data Tier - ports: - protocol: tcp port: 80

  12. Kubernetes NetworkPolicy kind: NetworkPolicy metadata: Presentation Tier name: middle-tier-policy spec: podSelector: Middle Tier tier: middle ingress: Data Tier - from: - podSelector: matchLabels: tier: presentation

  13. So how do we implement this?

  14. Controller Kubernetes Master watch on policies, pods host1 host2 weave-npc weave-npc iptables iptables

  15. Top-level iptables rules FORWARD chain: -o weave -j WEAVE-NPC -o weave -j DROP WEAVE_NPC chain: -m state --state RELATED,ESTABLISHED -j ACCEPT -m state --state NEW -j WEAVE-NPC-DEFAULT -m state --state NEW -j WEAVE-NPC-INGRESS

  16. Overall flow src bridge iptables dst ipset ipset ipset weave-npc

  17. Per-policy iptables rules WEAVE-NPC-DEFAULT chain: -m set --match-set weave-v/q_G.;Q?uK]BuDs2 dst -j ACCEPT -m set --match-set weave-k?Z;25^M}|1s7P3|H dst -j ACCEPT ... WEAVE-NPC-INGRESS chain: -m set --match-set weave-LuMDZrBg:KsT9Xll[ src -m set --match-set weave-hR9K[Olp~d>@1wQu/ dst -j ACCEPT -m set --match-set weave-hR9K[Olp~d>@1wQu/ src -m set --match-set weave-hR9K[Olp~d>@1wQu/ dst -j ACCEPT ...

  18. What could possibly go wrong? Back in the FORWARD chain: -o weave -m state --state NEW -j NFLOG --nflog-group 86 We subscribe to this via ulogd so we can print: TCP connection from 10.32.0.7:56648 to 10.32.0.11:80 blocked by Weave NPC. Also exported as a Prometheus metric

  19. Interested? Try it out! https://weave.works/securing-microservices-kubernetes/ Take a look at the code! https://github.com/weaveworks/weave/ Visualize, manage and monitor containers and services https://cloud.weave.works

  20. Fin

  21. 3-tier Illustration Front end Middle tier Redis Front end Middle tier Redis Presentation Middle tier Redis :80 :6379

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham https://weave.works @weaveworks 1 Bryan Boreham Lead on Weave Net since 2015. Project member of Kubernetes, CNI, Cortex, Scope,

683 views • 36 slides
E ff ortless Eventual Consistency Gossip, CRDTs, and Weave Mesh weave works - Outline Theory

E ff ortless Eventual Consistency Gossip, CRDTs, and Weave Mesh weave works - Outline Theory

E ff ortless Eventual Consistency Gossip, CRDTs, and Weave Mesh weave works - Outline Theory Practice Extension weave works - Outline Theory Gossip CRDT Practice Weave Mesh Weave Net Extension

2.05k views • 185 slides
F inite element modelling of progressive damage in non-crimp 3D orthogonal weave and plain

F inite element modelling of progressive damage in non-crimp 3D orthogonal weave and plain

F inite element modelling of progressive damage in non-crimp 3D orthogonal weave and plain weave E -glass composites Stepan V. LOMOV, Dmitry S. IVANOV, Ignaas VERPOEST Department MTM, Katholieke Universiteit Leuven, Belgium Alexander E.

412 views • 27 slides
good teachers are able to weave a complex web of connections between themselves, their

good teachers are able to weave a complex web of connections between themselves, their

good teachers are able to weave a complex web of connections between themselves, their subjects, and their students, so that students can learn to weave a world for themselvesthe connections made by good teachers are held not in their

726 views • 25 slides
Designing an ultra low-overhead multithreading runtime for Nim Mamy Ratsimbazafy Weave

Designing an ultra low-overhead multithreading runtime for Nim Mamy Ratsimbazafy Weave

Designing an ultra low-overhead multithreading runtime for Nim Mamy Ratsimbazafy Weave mamy@numforge.co https://github.com/mratsim/weave Hello! I am Mamy Ratsimbazafy During the day blockchain/Ethereum 2 developer (in Nim) During the night,

388 views • 37 slides
OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN FRANCISCO Deputy Controller Nonprofit Contracting Forum Wedn dnesda day, Novem ember er 6, 2019, 1:00pm pm 2:30 30pm Koret Aud uditorium um,

1.05k views • 63 slides
OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN FRANCISCO Deputy Controller Nonprofit Contracting Forum Monday, M March 2, 2, 20 2020 20, 1 1pm 2p 2pm Kore ret A Auditori rium, M , Main

1.08k views • 58 slides
The Tangled Web We Weave: The Internet of Saturday, July 27, 2019 Things (IoT) Saturday, July

The Tangled Web We Weave: The Internet of Saturday, July 27, 2019 Things (IoT) Saturday, July

The Tangled Web We Weave: The Internet of Saturday, July 27, 2019 Things (IoT) Saturday, July 27, 2019 The Tangled Web We Weave: The Internet B RE RENT G ATEW OOD , IGP, CRM, MBA J AME AMES A. A. S S HER HERER , E SQ . EWOOD CTO/Technologist

407 views • 13 slides
An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT

An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT

An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT Devices and Services Daisuke Kotani (Kyoto University) IoT Services in Home 2019/1/13 2 l So many use cases are proposed u Energy monitoring and

488 views • 19 slides
Testing web apps with traffic control with Weave Scope Alban Crequy FOSDEM 2017-02-05

Testing web apps with traffic control with Weave Scope Alban Crequy FOSDEM 2017-02-05

Testing web apps with traffic control with Weave Scope Alban Crequy FOSDEM 2017-02-05 alban@kinvolk.io Alban Crequy Contributor to rkt Working on Weave Scope and eBPF In 2014, worked on traffic control for multimedia

221 views • 9 slides
community projects inform enterprise products microsoft <3 open source microsoft is an

community projects inform enterprise products microsoft <3 open source microsoft is an

community projects inform enterprise products microsoft <3 open source microsoft is an enterprise company enterprises want k8s policy first: Azure Policy Controller then: Kubernetes Policy Controller building consensus upstream now:

298 views • 12 slides
let the earth hold us + heal us. If I could mend your heart, I would weave together the edges of

let the earth hold us + heal us. If I could mend your heart, I would weave together the edges of

let the earth hold us + heal us. If I could mend your heart, I would weave together the edges of your threadbare spirit and soothe your pain, your shock and your disbelief. Mary Farr Author + Pediatric Hospital Chaplain a place to rest

653 views • 28 slides
Mindfulness and Taking in the Good: Using Neuroplasticity to Weave Resources Into the Brain and

Mindfulness and Taking in the Good: Using Neuroplasticity to Weave Resources Into the Brain and

Mindfulness and Taking in the Good: Using Neuroplasticity to Weave Resources Into the Brain and the Self Healing and Treating Trauma, Addictions, and Related Disorders December 2, 2011 Rick Hanson, Ph.D. The Wellspring Institute for

1.08k views • 41 slides
TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino

TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino

AutoSec 2019 Dallas, TX, USA TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino Pietro Biondi Ilaria Matteucci 1 Automotive communication domains User to Vehicle Vehicle to Infrastructure

363 views • 12 slides
RGBW Controller Unearthly potential Fibaro RGBW Controller is a one of a kind, advanced wireless

RGBW Controller Unearthly potential Fibaro RGBW Controller is a one of a kind, advanced wireless

Home intelligence RGBW Controller Unearthly potential Fibaro RGBW Controller is a one of a kind, advanced wireless 4-colour LED strip controller. Apart from traditional RGB channels, it also supports the additional white light channel, which

310 views • 26 slides
Information into WEAVE Planning and Assessment Ramapo College Entering Mission/Purpose in

Information into WEAVE Planning and Assessment Ramapo College Entering Mission/Purpose in

How to Enter Information into WEAVE Planning and Assessment Ramapo College Entering Mission/Purpose in WEAVE Each unit will enter its mission statement in the system. Click on Mission/Purpose in the Assessment tab. Enter mission The

458 views • 9 slides
CSC321 Lecture 22: Q-Learning Roger Grosse Roger Grosse CSC321 Lecture 22: Q-Learning 1 / 21

CSC321 Lecture 22: Q-Learning Roger Grosse Roger Grosse CSC321 Lecture 22: Q-Learning 1 / 21

CSC321 Lecture 22: Q-Learning Roger Grosse Roger Grosse CSC321 Lecture 22: Q-Learning 1 / 21 Overview Second of 3 lectures on reinforcement learning Last time: policy gradient (e.g. REINFORCE) Optimize a policy directly, dont represent

482 views • 22 slides
Integrity Policies CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Integrity Policies CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Integrity Policies CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Integrity

509 views • 16 slides
Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree

Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree

Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree Search, Nature 2016] CS 486/686 University of Waterloo Lecture 21: July 12, 2017 Outline AlphaGo Supervised Learning of Policy Networks

540 views • 15 slides
Policy vs. Mechanism Policy Decisions about what should be done. Mechanism

Policy vs. Mechanism Policy Decisions about what should be done. Mechanism

Processes and Threads Marie Roch Tanenbaum 2.1-2.2 Policy vs. Mechanism Policy Decisions about what should be done. Mechanism Algorithms and data structures that implement policy 2 1 Processes Process program in

264 views • 13 slides
Neural Networks and their Application to Go Neural Networks Learning Blackjack Theory Training

Neural Networks and their Application to Go Neural Networks Learning Blackjack Theory Training

Neural Networks and their Application to Go A. Bausch Neural Networks and their Application to Go Neural Networks Learning Blackjack Theory Training neural networks Problems AlphaGo Anne-Marie Bausch The Game of Go Policy Network

280 views • 24 slides
Deep Reinforcement Learning Philipp Koehn 18 April 2019 Philipp Koehn Artificial Intelligence:

Deep Reinforcement Learning Philipp Koehn 18 April 2019 Philipp Koehn Artificial Intelligence:

Deep Reinforcement Learning Philipp Koehn 18 April 2019 Philipp Koehn Artificial Intelligence: Deep Reinforcement Learning 18 April 2019 Reinforcement Learning 1 Sequence of actions moves in chess driving controls in car

859 views • 63 slides
How to address Polo? Grammatically correct Prof. Chau Dr. Chau Grammatically incorrect, but

How to address Polo? Grammatically correct Prof. Chau Dr. Chau Grammatically incorrect, but

http://poloclub.gatech.edu/cse6242 CSE6242 / CX4242: Data & Visual Analytics Duen Horng (Polo) Chau Assistant Professor Associate Director, MS Analytics Georgia Tech Google Polo Chau (only one in the world) How to

913 views • 74 slides
August 5, 2014 1 DISCLAIMER This presentation includes time sensitive information that may be

August 5, 2014 1 DISCLAIMER This presentation includes time sensitive information that may be

August 5, 2014 1 DISCLAIMER This presentation includes time sensitive information that may be accurate only as of todays date, August 5, 2014. Estimates of future net income per share, funds from operations per share, adjusted funds from

699 views • 49 slides

More recommend