<!-- .slide: data-background="images/chuttersnap-fN603qcEA7g-unsplash.jpg" class="vertical-center" style="padding: 1em 1em 1em 1em; color: white; background: rgba(0, 0, 0, 0.5); width: 90%; margin: auto;" --> # Kubernetes Security<br/>Network Policies *Nicholas Dille, Haufe Group* <i class="fa-brands fa-docker" style="width: 1.5em; text-align: center;"></i> Docker Captain <i class="fa-brands fa-windows" style="width: 1.5em; text-align: center;"></i> Microsoft MVP <i class="fa-brands fa-twitter" style="width: 1.5em; text-align: center;"></i> [@nicholasdille](https://twitter.com/nicholasdille) <i class="fa-brands fa-mastodon" style="width: 1.5em; text-align: center;"></i> [@nicholasdille@freiburg.social](https://freiburg.social/@nicholasdille)

## Agenda Part 1: Platform-as-a-Service (2023-04-26) <!-- .element: style="color: grey;" --> Part 2: Network Policies (2023-05-03) - <span class="fa-li"><i class="fa-duotone fa-network-wired"></i></span> Networking / DNS - <span class="fa-li"><i class="fa-duotone fa-shield-check"></i></span> Controlling network connections - <span class="fa-li"><i class="fa-duotone fa-monitor-waveform"></i></span> Auditing network conections - <span class="fa-li"><i class="fa-duotone fa-chart-network"></i></span> Visualizing network conections <!-- .element: class="fa-ul" --> Part 3: Policies (2023-05-10) <!-- .element: style="color: grey;" --> Part 4: Supply Chain Security (2023-05-17) <!-- .element: style="color: grey;" --> ### Hourly breaks <i class="fa fa-mug-hot"></i>

## Why Network Policies Kubernetes does not control inter-pod communication <i class="fa-duotone fa-shield-check fa-8x"></i> <!-- .element: style="float: right;" --> ### Use cases for a cluster firewall Reduce attack surface Isolate team resources Understand communication Prevent apps from calling home

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-chart-network"></i> Kubernetes Networking

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-person-military-pointing"></i> DNS in Kubernetes

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-shield-check"></i> Network Policy

<!-- .slide: class="center" -->  <!-- .element: style="width: 25%" -->

## Summary - <span class="fa-li"><i class="fa-duotone fa-layer-group"></i></span> Kubernetes uses overlay networking (most of the time) - <span class="fa-li"><i class="fa-duotone fa-puzzle-piece-simple"></i></span> Choosing a CNI plugin is hard - <span class="fa-li"><i class="fa-duotone fa-monitor-waveform"></i></span> No audit to understand network traffic - <span class="fa-li"><i class="fa-duotone fa-shield-check"></i></span> Network policies allow traffic explicitly - <span class="fa-li"><i class="fa-duotone fa-person-carry-box"></i></span> Resource `NetworkPolicy` is portable - <span class="fa-li"><img src="images/cilium.svg" style="height: 1em; width: 1em; object-fit: cover; object-position: left top;" /></span> Cilium provides valuable features - <span class="fa-li"><i class="fa-duotone fa-rocket"></i></span> eBPF enables fast, low-overhead CNI plugin - <span class="fa-li"><i class="fa-duotone fa-chart-network"></i></span> Cross-node flow visualization with Hubble - <span class="fa-li"><i class="fa-duotone fa-magnifying-glass"></i></span> Integrated observability <!-- .element: class="fa-ul" style="line-height: 1.5em;" --> Cilium Performance Benchmark [](https://docs.cilium.io/en/stable/operations/performance/benchmark/)

## More topics Bandwidth management [](https://docs.cilium.io/en/stable/network/kubernetes/bandwidth-manager/) Tuning: eBPF-based host routing [](https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing)