kubelet to istio kubernetes network security demystified
play

Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM - PowerPoint PPT Presentation

Jul 07, 2023 •441 likes •1.54k views

Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and @controlplaneio @sublimino Im: - Andy - Dev-like - Sec-ish - Ops-y @sublimino What is Network Security @sublimino Why do we need Network

  1. X.509 Example Decoded Cert Certificate: X509v3 Certificate Policies: Data: Policy: 1.3.6.1.4.1.4146.1.20 Version: 3 (0x2) CPS: https://www.globalsign.com/repository/ Serial Number: Policy: 2.23.140.1.2.2 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6 Signature Algorithm: sha256WithRSAEncryption X509v3 Basic Constraints: Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 CA:FALSE Validity X509v3 CRL Distribution Points: Not Before: Nov 21 08:00:00 2016 GMT Not After : Nov 22 07:59:59 2017 GMT Full Name: Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl CN=*.wikipedia.org Subject Public Key Info: X509v3 Subject Alternative Name: Public Key Algorithm: id-ecPublicKey DNS:*.wikipedia.org, DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, ... Public-Key: (256 bit) X509v3 Extended Key Usage: pub: TLS Web Server Authentication, TLS Web Client Authentication 04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5: X509v3 Subject Key Identifier: af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e: 28:2A:26:2A:57:8B:3B:CE:B4:D6:AB:54:EF:D7:38:21:2C:49:5C:36 ed:b2:ac:2a:1b:4a:ec:80:7b:e7:1a:51:e0:df:f7: X509v3 Authority Key Identifier: c7:4a:20:7b:91:4b:20:07:21:ce:cf:68:65:8c:c6: keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C 9d:3b:ef:d5:c1 ASN1 OID: prime256v1 Signature Algorithm: sha256WithRSAEncryption NIST CURVE: P-256 8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35: X509v3 extensions: ... X509v3 Key Usage: critical Digital Signature, Key Agreement Authority Information Access: CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2 https://tools.ietf.org/html/rfc5280#page-35 @sublimino

  2. Self Signed Certs aka Signing Your Own Homework @sublimino

  3. One-Way (Traditional) TLS Handshake @sublimino

  4. Mutual TLS Handshake (mTLS) @sublimino

  5. Private & Trusted Communications @sublimino

  6. Securing API Server Traffic @sublimino

  7. Don't we trust our networks and firewalls? @sublimino

  8. BeyondCorp @sublimino

  9. Zero Trust Networking @sublimino

  10. Zero Trust API Server? @sublimino

  11. Master etcd (key-value DB, SSOT) Controller Manager Scheduler API Server (REST API) (Controller Loops) (Bind Pod to Node) User Nodes Networking Networking Networking Legend: CNI Kubelet Kubelet Kubelet CRI OCI Container Container Container Protobuf Runtime Runtime Runtime gRPC JSON OS OS OS Node 1 Node 2 Node 3 By Lucas Käldström @sublimino

  12. What could possibly go wrong? @sublimino

  13. Kubernetes Component Intercommunication @sublimino

  14. What could possibly go wrong? @sublimino

  15. Kubernetes Component Intercommunication @sublimino

  16. What could possibly go wrong? @sublimino

  17. Kubernetes Component Intercommunication @sublimino

  18. Continuous (Kubernetes) Security Slides / @sublimino @sublimino

  19. Application Layer @sublimino

  20. Containers and Traditional Network Security? @sublimino

  21. https://medium.com/google-cloud/ understanding-kubernetes-networ king-services-f0cb48e4cc82 @sublimino

  22. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: https://github.com/ahmetb/kube rnetes-network-policy-recipes Kubernetes NetworkPolicy: default deny @sublimino

  23. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: Illegal syntax, but podSelector: represents what it - “*” actually does (effectively a wildcard) https://github.com/ahmetb/kube rnetes-network-policy-recipes Kubernetes NetworkPolicy: default deny @sublimino

  24. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: matchLabels: app: foo policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: https://github.com/ahmetb/kube - namespaceSelector: {} rnetes-network-policy-recipes Kubernetes NetworkPolicy @sublimino

  25. https://github.com/kubernetes/kubernetes/issues/56901 Kubernetes NetworkPolicy - NO DNS NAMES @sublimino

  26. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: ILLEGAL! NOT ALLOWED! dnsName: control-plane.io policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: - namespaceSelector: {} https://github.com/ahmetb/kube rnetes-network-policy-recipes Kubernetes NetworkPolicy - ILLEGAL! @sublimino

  27. netassert - cloud native network testing ● netassert - network security testing for DevSecOps workflows https://github.com/controlplaneio/netassert host: localhost: bitbucket.com: - 22 control-plane.io: github.com: - 22 @sublimino

  28. netassert - cloud native network testing k8s: # used for Kubernetes pods deployment: # only deployments currently supported test-frontend: # pod name, defaults to `default` namespace test-microservice: 80 # `test-microservice` is the DNS name of the target service test-database: -80 # should not be able to access port 80 of `test-database` new-namespace:test-microservice: # `new-namespace` is the namespace name test-database.new-namespace: 80 # longer DNS names can be used for other namespaces test-frontend.default: 80 default:test-database: test-frontend.default.svc.cluster.local: 80 # full DNS names can be used test-microservice.default.svc.cluster.local: -80 control-plane.io: 443 # we can check remote services too https://github.com/controlplaneio/netassert @sublimino

  29. @sublimino

  30. Cloud Native Dynamic Firewalls ● Network Policy recipes - https://github.com/ahmetb/kubernetes-network-policy-recipes ● WeaveNet Network Policy - https://kubernetes.io/docs/tasks/administer-cluster/weave-network-policy/ ● NeuVector Container Firewall - https://neuvector.com/products/ ● Tesla Compromise mitigation - https://www.tigera.io/tesla-compromise-network-policy/ @sublimino

  31. Applications: CNI and Network Policy @sublimino

  32. Applications: CNI and Network Policy @sublimino Choosing a CNI Provider

  33. Bootstrapping identity with SPIFFE @sublimino

  34. Attestation Example: Kubernetes /proc/[pid]/cgroup @sublimino

  35. Workload “You are spiffe://acme.com/fe “Who am I?” And here is your short-lived key to prove it to others.” SPIFFE Workload API @sublimino

  36. SPIFFE ID spiffe://acme.com/billing/payments Trust Domain Workload Identifier @sublimino

  37. SPIFFE Verifiable Identity Document spiffe://acme.com/billing/payments Typically short-lived Today only one form of SVID (X509-SVID). Other document types under consideration (including JWT-SVID) @sublimino

  38. X.509 RFC Format Certificate ::= SEQUENCE { Validity ::= SEQUENCE { tbsCertificate TBSCertificate, notBefore Time, signatureAlgorithm AlgorithmIdentifier, notAfter Time } signatureValue BIT STRING } Time ::= CHOICE { TBSCertificate ::= SEQUENCE { utcTime UTCTime, version [0] EXPLICIT Version DEFAULT v1, generalTime GeneralizedTime } serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, UniqueIdentifier ::= BIT STRING issuer Name, validity Validity, SubjectPublicKeyInfo ::= SEQUENCE { subject Name, algorithm AlgorithmIdentifier, subjectPublicKeyInfo SubjectPublicKeyInfo, subjectPublicKey BIT STRING } issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 Extension ::= SEQUENCE { extensions [3] EXPLICIT Extensions OPTIONAL extnID OBJECT IDENTIFIER, -- If present, version MUST be v3 critical BOOLEAN DEFAULT FALSE, } extnValue OCTET STRING -- contains the DER encoding of an ASN.1 value Version ::= INTEGER { v1(0), v2(1), v3(2) } -- corresponding to the extension type identified -- by extnID CertificateSerialNumber ::= INTEGER } https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md #appendix-a-x509-field-reference @sublimino

  39. Certificate Path Validation Leaf Certificate Intermediate Certificate Certificate Authority @sublimino

  40. SPIFFE Runtime Environment spiffe://acme.com/billing/payments selector : aws:sg:sg-edcd9784 selector : k8s:ns:payments SPIRE Server selector : k8s:sa:pay-svc selector: docker:image-id:442ca9

  41. Simplify deployment of Identity for proxy services Secure Introduction to other services distributed systems mTLS JWTs gRPC Workload Workload API SPIRE Core Workload Attestor Plug-ins Node Attestor Plug-ins Linux OS X Kubernetes Azure HSM providers Platform Mesosphere GCP Join Token Windows YubiKey AWS Kerberos

  42. What SPIFFE is not ● Authorization (however it provides identities upon which authorization schemes can be deployed) ● Transport level security (however SVIDs can be used to facilitate things like TLS or JWT signing)

  43. Using SPIFFE in TLS Certificates @sublimino https://www.slideshare.net/MattBaldwin3/istio-cloud-native-online-series-intro-to-istio-security

  44. Istio and SPIFFE @sublimino https://www.slideshare.net/MattBaldwin3/istio-cloud-native-online-series-intro-to-istio-security

  45. Recap @sublimino

  46. End to End Encryption ● TLS on API Server Components ● SPIFFE to identify application workloads ● Istio CA to issue TLS certificates to application workloads ● Envoy to proxy application’s HTTPS traffic across the Istio service mesh @sublimino

  47. Takeaway: Encrypt Everything Everywhere ● Encrypt @sublimino

  48. Takeaway: Encrypt Everything Everywhere ● Encrypt ● Encrypt Everything @sublimino

Recommend

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes Enthusiast Speaker at Meetups Email: apurvbhandari@gmail.com LinkedIn: https://www.linkedin.com/in/apurvabhandari-linux GitHub:

2.17k views • 28 slides
& the architecture along the way! @mt165 mt165.co.uk The life of a packet through Istio

& the architecture along the way! @mt165 mt165.co.uk The life of a packet through Istio

QCon London March 2019 & the architecture along the way! @mt165 mt165.co.uk The life of a packet through Istio @mt165 Objectives Learn how a packet traverses an Istio/Envoy/Kubernetes system See what control plane calls are made in that

756 views • 51 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org Whats

2.06k views • 52 slides
JUG Bern Real World Kubernetes Agenda - Introduction Agenturclient - Architecture

JUG Bern Real World Kubernetes Agenda - Introduction Agenturclient - Architecture

JUG Bern Real World Kubernetes Agenda - Introduction Agenturclient - Architecture Agenturclient - Kubernetes Deployment - HA-Setup - Demo - Istio Introduction Florian Lscher Software Engineer and Co-Founder Skills CV Solution

1.48k views • 70 slides
JUG Real World Kubernetes Agenda - Introduction Agenturclient - Architecture Agenturclient

JUG Real World Kubernetes Agenda - Introduction Agenturclient - Architecture Agenturclient

JUG Real World Kubernetes Agenda - Introduction Agenturclient - Architecture Agenturclient - Kubernetes Deployment - HA-Setup - Demo - Istio Introduction Florian Lscher Solution Architect and Co-Founder Skills CV Solution

845 views • 70 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham Who knows... Kubernetes Docker Linux iptables Ancient wisdom For survival, your group needs: Leadership

675 views • 21 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP Previous: VMware, Baidu Feature Maintainer of Kubernetes HyperCrew: https://hyper.sh/

609 views • 40 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Solucionando Problemas de Microsservios com Service Mesh: Istio e Envoy Edson Yanaga (@yanaga)

Solucionando Problemas de Microsservios com Service Mesh: Istio e Envoy Edson Yanaga (@yanaga)

Solucionando Problemas de Microsservios com Service Mesh: Istio e Envoy Edson Yanaga (@yanaga) bit.ly/istio-tutorial @yanaga - bit.ly/istio-intro 1 @yanaga Edson Yanaga Raffle Rules @yanaga - Follow: - With a picture of the session -

1.16k views • 84 slides
OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com)

OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com)

OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com) Jaesuk Ahn (jay.ahn@sk.com) Open System Lab Network IT Convergence R&D Center SK Telecom Wil Reichert (wil@solinea.com) Solinea What will

1.26k views • 46 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
HTTPS Demystified! What is that green lock and why is it so important? What is that green lock

HTTPS Demystified! What is that green lock and why is it so important? What is that green lock

HTTPS Demystified! What is that green lock and why is it so important? What is that green lock and why is it important? Security Integrity It protects* the It guarantees* that you information you send are talking to who you across the

430 views • 29 slides
DEEP LEARNING DEMYSTIFIED Will Ramey Director, Developer Programs NVIDIA Corporation

DEEP LEARNING DEMYSTIFIED Will Ramey Director, Developer Programs NVIDIA Corporation

DEEP LEARNING DEMYSTIFIED Will Ramey Director, Developer Programs NVIDIA Corporation DEFINITIONS DEEP LEARNING IS SWEEPING ACROSS INDUSTRIES Internet Services Medicine Media & Entertainment Security & Defense Autonomous Machines

532 views • 24 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source platform designed to automate deploying , scaling , and operating application containers . Kubernetes v1.0 was released in 2015. It utilizes

916 views • 52 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides

More recommend