
Authors: Raymond de Jong
2023-04-19

tldr - powered by Generative AI

The presentation discusses how to achieve network security and observability using Cilium and eBPF features.
  • Use Cilium and eBPF features to achieve network security and observability
  • Prioritize by the number of servers exposed through Ingress or Gateway API
  • Focus on services reachable within the cluster across namespaces and on services with access to external resources such as egress
  • Start with an initial namespace policy and use global policies across the platform, or even across clusters using cluster-wide network policies, to define the guardrails
  • Transition from per-namespace security with global policies as guardrails to more fine-grained policies
  • Use CI/CD pipeline tools like Argo, Flux and GitHub pipelines to manage network policies at scale
  • Automatically check policies for CIDR blocks that are not approved to be allowed access
  • Unlock features in networking security and observability using eBPF

Authors: Alban Crequy, Mauricio Vásquez Bernal
2022-10-26

tldr - powered by Generative AI

The presentation discusses the use of tools for developing initial security policies and network policies in Kubernetes environments. It also explores the challenges of maintaining these policies over time as applications change.
  • Tools can be used to develop initial security policies in Kubernetes environments
  • Network policies are generated based on captured traffic and enriched with Kubernetes-related information
  • Maintaining policies over time can be challenging as applications change and may require new capabilities or system calls
  • Automatic updates to policies may not be reliable without human supervision
Authors: Tracy P Holmes, Raymond de Jong
2022-10-25

tldr - powered by Generative AI

The presentation discusses how to enforce network policies using Cilium and Kubernetes to ensure least privilege security between microservices.
  • Cilium and Kubernetes can be used to enforce network policies for microservices
  • Least privilege security can be achieved by filtering HTTP requests and restricting API access
  • L7 security policies can restrict access to required API resources
  • The Cilium website provides resources and a helpful Slack community for beginners and contributors

Authors: Michael Foster
2022-10-24

tldr - powered by Generative AI

The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies. The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes. The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.
  • Identifying the right networking requirements of individual workloads is challenging, and operationalizing the task across Dev, Sec, and Ops is not trivial.
Authors: Magno Logan
2021-09-24

tldr - powered by Generative AI

The presentation discusses different attack scenarios on Kubernetes clusters and provides best practices for securing them.
  • Overview of Kubernetes architecture and components
  • Using K8s Threat Matrix and MITRE ATT&CK for Containers to demonstrate attack phases
  • Best practices for securing Kubernetes clusters
  • Anecdote about a vulnerable Drupal web application used for modeling attacks