CNI or Service Mesh? Comparing Security Policies Across Providers
Christine Kim - Google (xtineskim)
Rob Salmond - SuperOrbital (mastodon.social/rsalmond)

What we'll cover:
- What's a CNI?
- What's a Service Mesh?
- The What and How of Policy Enforcement
- Security Gotchas
- Mitigation and How the Field is Evolving
- What You Can Do

Top Ten CNCF Projects by: commits, contributors, comments, issues (four charts; the project rankings themselves did not survive extraction).

Pod networking model: "pods can communicate with all other pods on any other node without NAT"
https://kubernetes.io/docs/concepts/services-networking/
(Diagram: Pod <-> Pod over the data plane.)
What is CNI? Container Network Interface
"A way to ask for changes to be made to a container's network config."

What kind of changes?
(Diagram: Pod, kernel, network, CNI. The CNI is a control-plane component; it changes the pod's kernel network configuration, and the pod's traffic then flows over the data plane.)

"CNI" vs "CNI Plugin"
What is a CNI plugin? "A thing that can make container networking changes." A plugin implements the CNI interface.

Plugin examples (diagrams; the link on each slide did not survive extraction):
- bridge plugin: Pod veth0 -> br0 -> eth0 on the node.
- Calico plugin: Pod, kernel, iptables ("shall not pass!"), network.
- Weave plugin: Pod, kernel, Open vSwitch, iptables, network.
- Cilium plugin: Pod, kernel, eBPF, network.

Most of the popular CNI plugins:
- Configure pod-to-pod networking
- Support NetworkPolicy enforcement
- Cloud native software defined network

What is a Service Mesh? (build-up slides)
The most popular meshes offer: Observability, Identity, Encryption, Access Control, Load Balancing.
(Diagram: Pod, kernel, network, sidecar. The service mesh control plane configures the sidecar; iptables rules in the pod's kernel redirect the pod's data-plane traffic through the sidecar.)

No interfaces? Service mesh with bridge plugin: Pod veth0 -> br0 -> eth0, plus the sidecar and its iptables redirection.
CNI + service mesh: the mesh's iptables rules in the pod sit alongside the CNI's datapath (iptables or eBPF) in the node kernel.

WIZARD FIGHT!

CNI - what shall not pass? What is enforceable?
$ kubectl explain networkpolicy.spec
Allows you to apply policy on traffic which:
- is going to any* IP or CIDR
- is going to pods that match some label selector
- is going to specific port(s)
- is going to specific namespace(s)
Allows you to conditionally block/permit traffic based on:
- source IP or CIDR
- source pods that match some label selector
- source namespace
* except loopback or host traffic

CNI - how is it enforced?
(Diagram: Pod, kernel, network; namespace: frontend, namespace: api.)
CNI - how is it enforced?
$ dear CNI: pods in frontend -> pods in api = OK!
The CNI resolves the selectors to pod IPs:
10.2.2.4 frontend
10.2.4.12 frontend
10.2.4.9 api
and installs the allow rule in the node kernel (iptables/eBPF) in terms of those addresses.

It's time for a contrived scenario!
CNI - contrived scenario
Policy: pods in frontend -> pods in api = OK!
A hacked pod appears (diagram: Pod, kernel, iptables, network). Cached mapping: 10.2.2.4 frontend, 10.2.4.12 frontend, 10.2.4.9 api; the hacked pod holds 10.2.2.8. Other pods on the node hold 10.2.2.3, 10.2.2.5, 10.2.2.6, 10.2.2.7, 10.2.2.8.
Pods churn and addresses are reused: on the following slides the cached table reads 10.2.2.8 frontend, 10.2.4.12 frontend, 10.2.4.9 api while the pods holding 10.2.2.8 and 10.2.2.4 have swapped. The IP-to-identity cache the datapath enforces on no longer matches the pods that actually hold those addresses, so the frontend -> api rule matches a pod it was never meant for.
https://www.solo.io/blog/could-network-cache-based-identity-be-mistaken/
MITIGATION TBD

Svc Mesh - what is enforceable?
$ kubectl explain $SERVICE_MESH_AUTH_POLICY
Allows you to apply policy on traffic which:
- is going anywhere*
- is going to a specific K8s Service
- is going to specific port(s)
Allows you to conditionally block/permit requests based on:
- source IP address or CIDR
- source kubernetes namespace
- source kubernetes service account
Allows you to conditionally block/permit requests based on HTTP properties:
- specific Host/Authority
- specific HTTP method
- specific URI (or prefix)
- specific header is present or set to a specific value
- JWT claims (Istio only)
* including loopback or host traffic

Svc Mesh - how is it enforced?
(Diagram: Pod, kernel, sidecar, iptables, network; namespaces frontend and api.)
$ dear Service Mesh: pods in frontend -> pods in api = OK!
The sidecars speak mTLS to each other (the "mTLS stick"). The client sidecar presents a certificate:
-----BEGIN CERTIFICATE-----
Namespace: frontend
Service Account: frontend
-----END CERTIFICATE-----
Step 1: the control plane pushes the policy to the sidecars. Step 2: the destination sidecar reads the client's identity from the presented certificate and applies the policy to it.

Client Cert - how is it secured?
mTLS: both sides authenticate with certificates, and the identity the policy is evaluated against is the namespace and service account in the client certificate, not the source IP.

Client Cert - how is it issued?
(Diagram: Pod, kernel, sidecar, iptables, network; data and control planes.) The sidecar reads the pod's service account token from /var/run/secrets. The token's claims identify the workload (kubernetes.io: namespace: frontend, serviceaccount: frontend), and the mesh control plane issues the certificate carrying Namespace: frontend, Service Account: frontend.

It's time for another contrived scenario!
Svc Mesh - contrived scenario
Policy: pods in frontend -> pods in api = OK!
The hacked pod is a compromised frontend pod (diagram: Pod, kernel, sidecar, iptables, "hacked"). Its sidecar still holds the certificate issued from the token at /var/run/secrets, and anything running in that pod with access to that path (file:/var/run/secrets on the slide) carries the same identity. To the mesh the pod is still "frontend", so frontend -> api is still OK.

Mitigations
#1. Right wizard tool, right job.
The slides show the same intent given to both layers: "dear CNI: pods in frontend -> pods in api = OK!" enforced in the kernel on IPs, and "dear Service Mesh: pods in frontend -> pods in api = OK!" enforced in the sidecar on certificate identity. The IP table from the CNI scenario (10.2.2.8, 10.2.2.4) is shown again next to the mesh enforcement: the two mechanisms fail in different ways, so run the one that fits each job.
#2. Evolution. The landscape is changing.
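The two contrived scenarios and mitigation #1, as an added example (this is not code from the talk, nor from any CNI or mesh project). It also serves the "CNI - what is enforceable?" slide by making explicit that a NetworkPolicy is ultimately decided on cached IP addresses. A toy CNI-style engine resolves the frontend -> api policy to an IP-to-namespace map that only changes on resync, and a toy mesh engine reads the client identity from a certificate issued from the pod's service account token. The pod IPs, namespaces and the policy intent come from the slides; the "sandbox" namespace of the hacked pod, the SPIFFE-style identity format, the token layout and every class and function name are assumptions made for this example.

```python
"""Added example (not code from the talk or any CNI/mesh project): a toy
model of IP-cache-based identity versus certificate-carried identity.
Pod IPs, namespaces and the frontend -> api policy are from the slides;
the 'sandbox' namespace, the spiffe-style ID format, the token layout and
all names below are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    service_account: str
    ip: str


@dataclass
class CniPolicyEngine:
    """L3/L4 enforcement: selectors are resolved to an IP -> namespace map
    that the datapath caches and only refreshes on sync()."""
    ip_to_ns: dict = field(default_factory=dict)
    allow: dict = field(default_factory=dict)  # dst ns -> allowed src namespaces

    def sync(self, pods):
        """Control-plane resync of the cached IP map."""
        self.ip_to_ns = {p.ip: p.namespace for p in pods}

    def allow_ingress(self, dst_ns, src_ns):
        self.allow.setdefault(dst_ns, set()).add(src_ns)

    def permits(self, src_ip, dst_ip):
        """The datapath only ever sees addresses: identity is the cache's word."""
        src_ns = self.ip_to_ns.get(src_ip)
        dst_ns = self.ip_to_ns.get(dst_ip)
        return src_ns is not None and src_ns in self.allow.get(dst_ns, set())


def issue_cert(token):
    """Mesh control plane: turn the claims of the pod's projected service
    account token (what the sidecar reads under /var/run/secrets) into the
    identity string carried in the client certificate."""
    k8s = token["kubernetes.io"]
    return f"spiffe://cluster.local/ns/{k8s['namespace']}/sa/{k8s['serviceaccount']}"


class MeshPolicyEngine:
    """Enforcement at the destination sidecar: the peer identity is read
    from the presented certificate, never from the source IP."""

    def __init__(self):
        self.allow = {}  # dst ns -> allowed client namespaces

    def allow_from_namespace(self, dst_ns, src_ns):
        self.allow.setdefault(dst_ns, set()).add(src_ns)

    def permits(self, client_cert_id, dst_pod):
        client_ns = client_cert_id.split("/ns/")[1].split("/")[0]
        return client_ns in self.allow.get(dst_pod.namespace, set())


def token_for(pod):
    """Constructed stand-in for the token a pod finds under /var/run/secrets."""
    return {"kubernetes.io": {"namespace": pod.namespace,
                              "serviceaccount": pod.service_account}}


def run_scenarios():
    frontend = Pod("frontend-1", "frontend", "frontend", "10.2.2.4")
    frontend2 = Pod("frontend-2", "frontend", "frontend", "10.2.4.12")
    api = Pod("api-1", "api", "api", "10.2.4.9")
    hacked = Pod("hacked", "sandbox", "default", "10.2.2.8")  # namespace assumed

    cni = CniPolicyEngine()
    cni.sync([frontend, frontend2, api, hacked])
    cni.allow_ingress("api", "frontend")          # dear CNI: frontend -> api OK
    mesh = MeshPolicyEngine()
    mesh.allow_from_namespace("api", "frontend")  # dear Service Mesh: same intent

    results = {}
    results["cni_frontend"] = cni.permits(frontend.ip, api.ip)  # True
    results["cni_hacked"] = cni.permits(hacked.ip, api.ip)      # False

    # Scenario 1 (CNI): frontend-1 is deleted and its address 10.2.2.4 is
    # handed to a restarted 'hacked' pod before the datapath cache resyncs.
    hacked_reused = Pod("hacked", "sandbox", "default", "10.2.2.4")
    results["cni_stale"] = cni.permits(hacked_reused.ip, api.ip)  # True: stale map
    results["mesh_stale"] = mesh.permits(issue_cert(token_for(hacked_reused)), api)  # False
    results["layered_stale"] = results["cni_stale"] and results["mesh_stale"]  # False
    cni.sync([frontend2, api, hacked_reused])
    results["cni_resynced"] = cni.permits(hacked_reused.ip, api.ip)  # False once synced

    # Scenario 2 (mesh): code inside the compromised frontend pod reads the
    # same /var/run/secrets token, so the mesh sees the legitimate identity.
    results["mesh_compromised_frontend"] = mesh.permits(issue_cert(token_for(frontend)), api)  # True
    return results


if __name__ == "__main__":
    for check, verdict in run_scenarios().items():
        print(f"{check:26s} {'ALLOW' if verdict else 'DENY'}")
```

Running it prints one verdict per check. In scenario 1 the CNI allows the connection from the stale 10.2.2.4 entry while the mesh denies it, because the mesh keys on the certificate rather than the address; requiring both layers to agree (`layered_stale`) closes that gap, which is mitigation #1. In scenario 2 both layers allow, since the compromised pod really does hold the frontend identity; narrowing what a legitimate identity may do is what the mesh-only enforceables on the slides (Host, method, URI, headers, JWT claims) are for, and no IP rule can express it.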
The landscape is changing: Istio is adding Ambient mode; Cilium has a Service Mesh.

Istio Ambient Mesh
- L4 Secure Overlay: ztunnel gives mTLS and service-to-service authz policies. (Diagram: source pod, kernel, network, destination pod; the sidecar is replaced by a per-node ztunnel, iptables redirects into it, and istiod is the control plane.)
- L7 Processing Layer: the Waypoint Proxy gives rich authz policies. (Diagram: source pod -> ztunnel -> Waypoint Proxy -> ztunnel -> destination pod.)
References on these slides: https://merbridge.io/, bit.ly/3l00k4Z

Cilium Service Mesh
(Diagram: source pod, kernel, network, destination pod; the Cilium component is an eBPF program in the kernel plus a cilium-agent on each node.)

Istio Ambient mode and Cilium Service Mesh are converging.

Takeaways
- Sidecar model vs proxy per node, as paired on the slide: isolation vs generic, complexity vs simplicity. (bit.ly/3YhFrRd)
- eBPF CNI: L3 observability, L3 routing, L3 network policy. "Replacing iptables with eBPF in Kubernetes with Cilium" - bit.ly/3DuNNgt
- bit.ly/3Hy86uD

Call to action
https://istio.io/latest/blog/2022/get-started-ambient/
(The other call-to-action links did not survive extraction.)

Christine Kim - Google
Rob Salmond - SuperOrbital
Thanks for Listening! Scan or visit sched.co/1FV12 to get slides and share feedback.
Demo? Questions?