
Cloud Security Podcast eBPF - Kubernetes Network Security without the Blind Sides!
Nov 30, 2023
The episode explores the challenges of network security in managed Kubernetes environments and the benefits of tools like eBPF and Cilium. It discusses the initial approach to networking in Kubernetes and why a next generation of networking tools was needed. It also covers how eBPF changed the way the Linux kernel can be extended, and the network security capabilities Cilium builds on it. It discusses the process of graduating a project within the CNCF and the importance of having a company backing an open source project. The speakers close with a light-hearted conversation, sharing their personal interests and aspirations.
Kubernetes Left Networking Security As A Day Two Problem
- Kubernetes initially inherited traditional VM networking and treated containers like VMs, leaving security and encryption as day-two problems.
- Thomas Graf explains that Kubernetes specified network policy but did not require network plugins to implement it, creating gaps at scale.
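The gap described above can be seen in a plain Kubernetes NetworkPolicy. The manifest below is an added example, not from the episode or the Cilium project: a default-deny policy for a namespace plus one allow rule. The namespace, label names and port are assumed for illustration. The API server accepts these objects whether or not the installed CNI plugin enforces them, so the practical check after applying them is a connectivity test (for example `kubectl exec` into a pod that should be blocked and attempt the connection), not the fact that `kubectl get networkpolicy` lists them.

```yaml
# Added example (not from the podcast or the Cilium project).
# Namespace "shop", labels "app=frontend" / "app=api" and port 8080 are assumed.
---
# 1) Deny all ingress to every pod in the namespace by default.
#    An empty podSelector matches all pods; an empty ingress list allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Re-open exactly one path: frontend pods -> api pods on TCP/8080.
#    Selection is by pod label, not by IP address, so rescheduled pods
#    with new IPs keep the same access.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Both objects are ordinary Kubernetes resources; whether they do anything depends entirely on the CNI plugin. A cluster whose CNI does not implement NetworkPolicy will store them and silently allow all traffic, which is the "day two" gap the snip refers to.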
eBPF Lets You Safely Extend The Kernel
- eBPF lets you load verifier-checked programs into the Linux kernel that run on events such as packet receive or system calls.
- Thomas Graf describes eBPF as a safe way to extend kernel behavior without destabilizing the global Linux ecosystem.
Secure Kubernetes With Three Defensible Pillars
- For Kubernetes network security, adopt three pillars: identity-based segmentation, encryption, and mutual authentication.
- Cilium enforces policies by identity not IP, offers WireGuard/IPsec for encryption, and supports mTLS-like mutual authentication.
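The three pillars map onto concrete Cilium configuration. The manifests below are an added example, not the podcast's or the Cilium project's own, and assume Cilium 1.14 or later installed via Helm; the namespace, labels and port are made up for illustration. The first document is a CiliumNetworkPolicy that selects endpoints by label (Cilium resolves labels to a numeric security identity and enforces on that identity rather than on the pod IP) and requires mutual authentication on the allowed path; the second is a Helm values fragment that turns on WireGuard transparent encryption and the SPIRE-backed mutual authentication the policy relies on.

```yaml
# Added example (not from the podcast or the Cilium project).
# Assumes Cilium >= 1.14 installed with Helm; "shop", "app=frontend",
# "app=api" and port 8080 are assumed values.
---
# Pillar 1 (identity-based segmentation) and pillar 3 (mutual authentication):
# api pods accept TCP/8080 only from endpoints carrying app=frontend, and only
# when the peer has authenticated (requires the SPIRE setup in the values below).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-from-frontend-authenticated
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
      authentication:
        mode: "required"
---
# Pillar 2 (encryption) and the backend for pillar 3.
# Helm values fragment, e.g. `helm upgrade cilium cilium/cilium -n kube-system -f values.yaml`
encryption:
  enabled: true
  type: wireguard      # alternative: ipsec (needs a pre-shared key secret)
authentication:
  mutual:
    spire:
      enabled: true
      install:
        enabled: true  # let the chart deploy a SPIRE server/agents for the cluster
```

A useful check after rollout is `cilium status` for the encryption mode and `cilium encrypt status` (or `kubectl -n kube-system exec <cilium-pod> -- cilium encrypt status`) on a node to confirm WireGuard peers are present; policy decisions, including authentication failures, are visible with `hubble observe --verdict DROPPED` when Hubble is enabled.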
