network policy controller in weave net
play

Network Policy Controller in Weave Net Blocking unwanted network - PowerPoint PPT Presentation

Mar 15, 2024 •455 likes •675 views

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham Who knows... Kubernetes Docker Linux iptables Ancient wisdom For survival, your group needs: Leadership

  1. Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham

  2. Who knows... • Kubernetes • Docker • Linux • iptables

  3. Ancient wisdom For survival, your group needs: ● Leadership ● Hunting skills ● Medical skills ● Someone who knows iptables

  4. What I am going to talk about Weave Network Policy Controller Blocking unwanted network traffic in Kubernetes

  5. Threat Model

  6. Traditional defence

  7. Problem

  8. Solution

  9. Now make it dynamic

  10. Example Presentation Tier Middle Tier Data Tier

  11. Kubernetes NetworkPolicy kind: NetworkPolicy :80 metadata: Presentation Tier name: presentation-policy spec: podSelector: Middle Tier tier: presentation ingress: Data Tier - ports: - protocol: tcp port: 80

  12. Kubernetes NetworkPolicy kind: NetworkPolicy metadata: Presentation Tier name: middle-tier-policy spec: podSelector: Middle Tier tier: middle ingress: Data Tier - from: - podSelector: matchLabels: tier: presentation

  13. So how do we implement this?

  14. Controller Kubernetes Master watch on policies, pods host1 host2 weave-npc weave-npc iptables iptables

  15. Top-level iptables rules FORWARD chain: -o weave -j WEAVE-NPC -o weave -j DROP WEAVE_NPC chain: -m state --state RELATED,ESTABLISHED -j ACCEPT -m state --state NEW -j WEAVE-NPC-DEFAULT -m state --state NEW -j WEAVE-NPC-INGRESS

  16. Overall flow src bridge iptables dst ipset ipset ipset weave-npc

  17. Per-policy iptables rules WEAVE-NPC-DEFAULT chain: -m set --match-set weave-v/q_G.;Q?uK]BuDs2 dst -j ACCEPT -m set --match-set weave-k?Z;25^M}|1s7P3|H dst -j ACCEPT ... WEAVE-NPC-INGRESS chain: -m set --match-set weave-LuMDZrBg:KsT9Xll[ src -m set --match-set weave-hR9K[Olp~d>@1wQu/ dst -j ACCEPT -m set --match-set weave-hR9K[Olp~d>@1wQu/ src -m set --match-set weave-hR9K[Olp~d>@1wQu/ dst -j ACCEPT ...

  18. What could possibly go wrong? Back in the FORWARD chain: -o weave -m state --state NEW -j NFLOG --nflog-group 86 We subscribe to this via ulogd so we can print: TCP connection from 10.32.0.7:56648 to 10.32.0.11:80 blocked by Weave NPC. Also exported as a Prometheus metric

  19. Interested? Try it out! https://weave.works/securing-microservices-kubernetes/ Take a look at the code! https://github.com/weaveworks/weave/ Visualize, manage and monitor containers and services https://cloud.weave.works

  20. Fin

  21. 3-tier Illustration Front end Middle tier Redis Front end Middle tier Redis Presentation Middle tier Redis :80 :6379

Recommend

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham https://weave.works @weaveworks 1 Bryan Boreham Lead on Weave Net since 2015. Project member of Kubernetes, CNI, Cortex, Scope,

683 views • 36 slides
E ff ortless Eventual Consistency Gossip, CRDTs, and Weave Mesh weave works - Outline Theory

E ff ortless Eventual Consistency Gossip, CRDTs, and Weave Mesh weave works - Outline Theory

E ff ortless Eventual Consistency Gossip, CRDTs, and Weave Mesh weave works - Outline Theory Practice Extension weave works - Outline Theory Gossip CRDT Practice Weave Mesh Weave Net Extension

2.05k views • 185 slides
F inite element modelling of progressive damage in non-crimp 3D orthogonal weave and plain

F inite element modelling of progressive damage in non-crimp 3D orthogonal weave and plain

F inite element modelling of progressive damage in non-crimp 3D orthogonal weave and plain weave E -glass composites Stepan V. LOMOV, Dmitry S. IVANOV, Ignaas VERPOEST Department MTM, Katholieke Universiteit Leuven, Belgium Alexander E.

412 views • 27 slides
good teachers are able to weave a complex web of connections between themselves, their

good teachers are able to weave a complex web of connections between themselves, their

good teachers are able to weave a complex web of connections between themselves, their subjects, and their students, so that students can learn to weave a world for themselvesthe connections made by good teachers are held not in their

726 views • 25 slides
Designing an ultra low-overhead multithreading runtime for Nim Mamy Ratsimbazafy Weave

Designing an ultra low-overhead multithreading runtime for Nim Mamy Ratsimbazafy Weave

Designing an ultra low-overhead multithreading runtime for Nim Mamy Ratsimbazafy Weave mamy@numforge.co https://github.com/mratsim/weave Hello! I am Mamy Ratsimbazafy During the day blockchain/Ethereum 2 developer (in Nim) During the night,

388 views • 37 slides
OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN FRANCISCO Deputy Controller Nonprofit Contracting Forum Wedn dnesda day, Novem ember er 6, 2019, 1:00pm pm 2:30 30pm Koret Aud uditorium um,

1.05k views • 63 slides
OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN

OFFICE OF THE CONTROLLER Ben Rosenfield Controller Todd Rydstrom CITY AND COUNTY OF SAN FRANCISCO Deputy Controller Nonprofit Contracting Forum Monday, M March 2, 2, 20 2020 20, 1 1pm 2p 2pm Kore ret A Auditori rium, M , Main

1.08k views • 58 slides
The Tangled Web We Weave: The Internet of Saturday, July 27, 2019 Things (IoT) Saturday, July

The Tangled Web We Weave: The Internet of Saturday, July 27, 2019 Things (IoT) Saturday, July

The Tangled Web We Weave: The Internet of Saturday, July 27, 2019 Things (IoT) Saturday, July 27, 2019 The Tangled Web We Weave: The Internet B RE RENT G ATEW OOD , IGP, CRM, MBA J AME AMES A. A. S S HER HERER , E SQ . EWOOD CTO/Technologist

407 views • 13 slides
An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT

An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT

An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT Devices and Services Daisuke Kotani (Kyoto University) IoT Services in Home 2019/1/13 2 l So many use cases are proposed u Energy monitoring and

488 views • 19 slides
Testing web apps with traffic control with Weave Scope Alban Crequy FOSDEM 2017-02-05

Testing web apps with traffic control with Weave Scope Alban Crequy FOSDEM 2017-02-05

Testing web apps with traffic control with Weave Scope Alban Crequy FOSDEM 2017-02-05 alban@kinvolk.io Alban Crequy Contributor to rkt Working on Weave Scope and eBPF In 2014, worked on traffic control for multimedia

221 views • 9 slides
community projects inform enterprise products microsoft <3 open source microsoft is an

community projects inform enterprise products microsoft <3 open source microsoft is an

community projects inform enterprise products microsoft <3 open source microsoft is an enterprise company enterprises want k8s policy first: Azure Policy Controller then: Kubernetes Policy Controller building consensus upstream now:

298 views • 12 slides
let the earth hold us + heal us. If I could mend your heart, I would weave together the edges of

let the earth hold us + heal us. If I could mend your heart, I would weave together the edges of

let the earth hold us + heal us. If I could mend your heart, I would weave together the edges of your threadbare spirit and soothe your pain, your shock and your disbelief. Mary Farr Author + Pediatric Hospital Chaplain a place to rest

653 views • 28 slides
Mindfulness and Taking in the Good: Using Neuroplasticity to Weave Resources Into the Brain and

Mindfulness and Taking in the Good: Using Neuroplasticity to Weave Resources Into the Brain and

Mindfulness and Taking in the Good: Using Neuroplasticity to Weave Resources Into the Brain and the Self Healing and Treating Trauma, Addictions, and Related Disorders December 2, 2011 Rick Hanson, Ph.D. The Wellspring Institute for

1.08k views • 41 slides
TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino

TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino

AutoSec 2019 Dallas, TX, USA TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino Pietro Biondi Ilaria Matteucci 1 Automotive communication domains User to Vehicle Vehicle to Infrastructure

363 views • 12 slides
RGBW Controller Unearthly potential Fibaro RGBW Controller is a one of a kind, advanced wireless

RGBW Controller Unearthly potential Fibaro RGBW Controller is a one of a kind, advanced wireless

Home intelligence RGBW Controller Unearthly potential Fibaro RGBW Controller is a one of a kind, advanced wireless 4-colour LED strip controller. Apart from traditional RGB channels, it also supports the additional white light channel, which

310 views • 26 slides
Information into WEAVE Planning and Assessment Ramapo College Entering Mission/Purpose in

Information into WEAVE Planning and Assessment Ramapo College Entering Mission/Purpose in

How to Enter Information into WEAVE Planning and Assessment Ramapo College Entering Mission/Purpose in WEAVE Each unit will enter its mission statement in the system. Click on Mission/Purpose in the Assessment tab. Enter mission The

458 views • 9 slides
The Controller Area Network (CAN) Interface Corrado Santoro ARSLAB - Autonomous and Robotic

The Controller Area Network (CAN) Interface Corrado Santoro ARSLAB - Autonomous and Robotic

The Controller Area Network (CAN) Interface Corrado Santoro ARSLAB - Autonomous and Robotic Systems Laboratory Dipartimento di Matematica e Informatica - Universit` a di Catania, Italy santoro@dmi.unict.it L.S.M. 1 Course Corrado Santoro The

586 views • 13 slides
Networked Control Systems Joo Hespanha Networked Control Systems controller sensor actuator

Networked Control Systems Joo Hespanha Networked Control Systems controller sensor actuator

Research Supported by NSF & ARO Networked Control Systems Joo Hespanha Networked Control Systems controller sensor actuator sensor controller Network (wireline/wireless) actuator sensor controller sensor Application Areas

857 views • 73 slides
CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik Pete , Systems Engineer 28 th March, 2018 Car Hacking Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the

371 views • 35 slides
Big Picture Interrupts Processor Cache IC220 Set #18: Storage and I/O Memory- I/O bus Main

Big Picture Interrupts Processor Cache IC220 Set #18: Storage and I/O Memory- I/O bus Main

Big Picture Interrupts Processor Cache IC220 Set #18: Storage and I/O Memory- I/O bus Main I/O I/O I/O memory controller controller controller Network Graphics Disk Disk output 1 2 I/O Outline Important but neglected A.

455 views • 4 slides
Big Picture Interrupts Processor IC220 Set #11: Cache Storage and I/O Memory- I/O bus Main

Big Picture Interrupts Processor IC220 Set #11: Cache Storage and I/O Memory- I/O bus Main

Big Picture Interrupts Processor IC220 Set #11: Cache Storage and I/O Memory- I/O bus Main I/O I/O I/O memory controller controller controller Network Graphics Disk Disk output 1 2 I/O Outline Important but neglected A.

560 views • 6 slides
agenda 1. what we heard 2. universal design elements 3. design option A - Weave 4. design

agenda 1. what we heard 2. universal design elements 3. design option A - Weave 4. design

agenda 1. what we heard 2. universal design elements 3. design option A - Weave 4. design option B - Flow 5. priorities and goals Maple Jefferson Stakeholder Meeting #3 4.3.2018 Experience Philadelphia Chicago Sydney San Antonio

953 views • 39 slides
Controller Area Network (CAN) Schedulability Analysis with FIFO queues Robert Davis 1 , Steffen

Controller Area Network (CAN) Schedulability Analysis with FIFO queues Robert Davis 1 , Steffen

Controller Area Network (CAN) Schedulability Analysis with FIFO queues Robert Davis 1 , Steffen Kollmann 2 , Victor Pollex 2 , Frank Slomka 2 1 Real-Time Systems Research Group, University of York 2 Institute of Embedded Systems / Real-Time

483 views • 31 slides
Building a Sensor Network Controller Michael Pigg Chariot Solutions November 5, 2010 This work

Building a Sensor Network Controller Michael Pigg Chariot Solutions November 5, 2010 This work

Building a Sensor Network Controller Michael Pigg Chariot Solutions November 5, 2010 This work is licensed under the Creative Commons Attribution- Noncommercial-Share Alike 3.0 United States License. Friday, November 5, 2010 1 Chariot

1.12k views • 76 slides

More recommend