
Keynote: Crossing the Kubernetes Network Policy Chasm - Michael Foster, Red Hat, Community Lead

2022-10-24

Authors: Michael Foster


Summary

The MP Guard project proposes a flexible workflow for DevSec organizations that simplifies creating and maintaining Kubernetes network policies. The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, so that policies are updated whenever the cluster connectivity an application requires changes. The proposed network activity is presented to the DevOps team for review, and changes can be propagated automatically. The resulting Kubernetes network policies become part of the GitOps process that provisions Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.

Identifying the right networking requirements of individual workloads is challenging, and operationalizing the task across Dev, Sec, and Ops is not trivial. Kubernetes network policy rules are additive, and communication between teams tends to break down: developers know the specific rules their applications need, and the security teams do not necessarily have that knowledge. The MP Guard project aims to fix this human problem and to use the technology to simplify the process, with machine-generated policies feeding the CI/CD pipeline, a human review step, and the approved policies landing in the GitOps repository.

Abstract

Isolating pods with Kubernetes network policies is a vital activity in securing the Kubernetes cluster. The technology has been around since 2017, and yet organizations often make very limited use of it, leaving workloads with over-privileged ingress and egress rights. Why is that? Well, identifying the right networking requirements of individual workloads is challenging to begin with, and operationalizing the task across Dev, Sec and Ops is not trivial. In this talk we will explain how open source technology helps development and security teams automate the process using machine generated Kubernetes network policies, along with human authored policies to govern them. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross this chasm.
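The summary and the abstract both describe the same pipeline: observe what a workload actually talks to, synthesize least-privilege NetworkPolicy manifests from that, and have human-authored governance rules gate what reaches the GitOps repository. The following Python script is an added illustration of that pipeline and is not code from the talk, from MP Guard, or from any other project; the observed-connection log, the governance rule format, and every function name in it are constructed assumptions. It also assumes namespaces carry the `kubernetes.io/metadata.name` label, which recent Kubernetes versions set automatically.

```python
"""Toy version of the workflow: observed connections -> per-workload
NetworkPolicy manifests -> governance check -> manifests for GitOps.
Added example, not project code; all data and names are constructed."""
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    namespace: str
    app: str  # value of the pod label "app"


@dataclass(frozen=True)
class Connection:
    src: Workload
    dst: Workload
    port: int
    protocol: str = "TCP"


WEB, API = Workload("frontend", "web"), Workload("backend", "api")
DB, WORKER = Workload("backend", "db"), Workload("backend", "worker")

# Constructed sample of observed connectivity (as flow logs would yield it).
# The last entry is a debugging shortcut a developer left in: it is real
# traffic, so synthesis will allow it, and governance must catch it.
OBSERVED = [
    Connection(WEB, API, 8080),
    Connection(API, DB, 5432),
    Connection(WORKER, DB, 5432),
    Connection(WEB, DB, 5432),
]


def _peer(w: Workload) -> dict:
    """namespaceSelector + podSelector in one element: Kubernetes ANDs them."""
    return {
        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": w.namespace}},
        "podSelector": {"matchLabels": {"app": w.app}},
    }


def synthesize(conns: list) -> dict:
    """One NetworkPolicy per workload. Both policyTypes are listed, so a
    direction with no observed peers gets an empty list, i.e. default-deny."""
    ingress, egress, workloads = defaultdict(list), defaultdict(list), set()
    for c in conns:
        workloads.update((c.src, c.dst))
        port = {"port": c.port, "protocol": c.protocol}
        ingress[c.dst].append({"from": [_peer(c.src)], "ports": [port]})
        egress[c.src].append({"to": [_peer(c.dst)], "ports": [port]})
    return {
        w: {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{w.app}-generated", "namespace": w.namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": w.app}},
                "policyTypes": ["Ingress", "Egress"],
                "ingress": ingress[w],
                "egress": egress[w],
            },
        }
        for w in workloads
    }


def _matches(peer: dict, w: Workload) -> bool:
    ns = peer["namespaceSelector"]["matchLabels"]["kubernetes.io/metadata.name"]
    return ns == w.namespace and peer["podSelector"]["matchLabels"]["app"] == w.app


def _rules_allow(rules: list, key: str, peer: Workload, port: int, proto: str) -> bool:
    return any(
        any(_matches(p, peer) for p in r[key])
        and any(pp["port"] == port and pp["protocol"] == proto for pp in r["ports"])
        for r in rules
    )


def is_allowed(policies: dict, c: Connection) -> bool:
    """Allowed only if the source's egress AND the destination's ingress permit
    it; a workload with no policy at all is unrestricted, as in Kubernetes."""
    src_pol, dst_pol = policies.get(c.src), policies.get(c.dst)
    egress_ok = src_pol is None or _rules_allow(src_pol["spec"]["egress"], "to", c.dst, c.port, c.protocol)
    ingress_ok = dst_pol is None or _rules_allow(dst_pol["spec"]["ingress"], "from", c.src, c.port, c.protocol)
    return egress_ok and ingress_ok


# Human-authored governance rule (constructed format): only the "backend"
# namespace may reach the database workload, whatever the flow logs say.
GOVERNANCE = [{"forbid_to": DB, "except_from_namespaces": {"backend"}}]


def governance_violations(policies: dict, conns: list) -> list:
    """Connections the generated policies allow but a governance rule forbids."""
    return [
        c for rule in GOVERNANCE for c in conns
        if c.dst == rule["forbid_to"]
        and c.src.namespace not in rule["except_from_namespaces"]
        and is_allowed(policies, c)
    ]


def render(policies: dict) -> str:
    """JSON List manifest; kubectl apply accepts JSON as well as YAML."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(policies.values())}, indent=2)


if __name__ == "__main__":
    pols = synthesize(OBSERVED)
    for v in governance_violations(pols, OBSERVED):
        print(f"REVIEW: {v.src.app} -> {v.dst.app}:{v.port} violates governance")
    approved = [c for c in OBSERVED if c not in governance_violations(pols, OBSERVED)]
    print(render(synthesize(approved)))
```

Running it flags the `web -> db` connection for the reviewer, then prints the manifests synthesized from the approved connections only, which is what would be committed to the GitOps repository. Two caveats the toy leaves out: real generated policies also need egress to the cluster DNS service (otherwise name resolution breaks as soon as the egress default-deny lands), and workloads that never appeared in the flow logs get no policy at all here, so they stay unrestricted unless a namespace-wide default-deny policy is added alongside the generated ones.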
