Testing Network Policies
Trust is good, control is better
A short story about Network Policies
Maximilian Bischoff, Johannes M. Scheuermann
Hamburg, 26 June 2019
Maximilian Bischoff, Cloud Platform Engineer
Unofficial: Chaos Monkey
Johannes M. Scheuermann, Cloud Platform Engineer, @johscheuer
What can you expect?
● An overview of the challenges with network policies
● An overview of the different aspects of testing / validating your setup
What about you?
Why should I test my
network policies?
Why should I test my policies? Many knobs to turn
(Image: https://www.pexels.com/photo/colorful-toothed-wheels-1711986)
Why should I test my policies? Kubernetes doesn't implement the policies

kube-apiserver (stores the NetworkPolicy objects) → CNI plugin (reads the NetworkPolicy objects and implements them)

No feedback! The CNI plugin reports nothing back: the API object tells you that a policy exists, not whether, or when, it has actually been enforced on the nodes.
Why should I test my policies? I choose you!
You pick one CNI plugin out of many, and each one implements network policies in its own way. This list is not complete!
Why should I test my policies? Hard to read policies

The same two selectors mean two different things depending on where the dash goes. In a single `from` entry they are ANDed: the peer must run in a namespace labelled team=operations AND carry the label type=monitoring:

  ...
  spec:
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            team: operations
        podSelector:
          matchLabels:
            type: monitoring

As two `from` entries they are ORed: any pod in a namespace labelled team=operations, OR any pod in the policy's own namespace labelled type=monitoring:

  ...
  spec:
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            team: operations
      - podSelector:
          matchLabels:
            type: monitoring

Source: https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md
Why should I test my policies? Component updates

Node: kube-proxy (iptables) + CNI plugins  →  Node: kube-proxy (ipvs) + CNI plugins
Node: kube-proxy (iptables) + CNI plugins v1  →  Node: kube-proxy (iptables) + CNI plugins v2

Is everything still working after an update?
Conformance tests don't test network policies!
What to test

Policy, Policy, Policy  →  SDN control plane  →  data plane

Conformance:
- Effect of policies: does the data plane allow and deny exactly what the policy objects say?
- Synchronisation: has the SDN control plane pushed the current set of policies to the data plane on every node?

How to test

The same three layers, seen from the tools: the policy objects can be checked statically, the effect of the policies only by observing the data plane.
Testing strategies: Copy-pod

Take the pod under test and create a copy that carries the same labels (so the same network policies select it) but runs the test runner instead of the application:

  kind: Pod
  apiVersion: v1
  metadata:
    name: foo
    namespace: default
    labels:
      app: foo
  spec:
    containers:
    - name: foo
      image: foo:latest
  ...

copy →

  kind: Pod
  apiVersion: v1
  metadata:
    name: foo-test-copy
    namespace: default
    labels:
      app: foo
      testing.framework: ""
  spec:
    containers:
    - name: test
      image: test/runner:latest
  ...
Testing strategies: Docker networking

Pod foo consists of its pause container (which owns the pod's network namespace) and the foo container. The test-runner container is started with Docker attached to the network of that pause container, so it probes from foo's own IP address without creating a copy of the pod.
Testing strategies: Linux namespaces

The same idea one level down: on the underlying OS the test-runner joins only the Network namespace of pod foo's pause container, while it keeps its own IPC, CGroup and other namespaces (...). Policies are enforced on the pod's network namespace, so the probe sees exactly what foo sees.
Manually

  kubectl exec -it foo -- wget -qO - --timeout=2 http://bar.default
  wget: download timed out

Namespace default with pods foo and bar: under a default-deny policy the probe from foo to bar times out, as it should:

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: default-deny-all
    namespace: default
  spec:
    podSelector: {}
    ingress: []

Source: https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/03-deny-all-non-whitelisted-traffic-in-the-namespace.md
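Turning the manual probe above into something repeatable: the following Python runner is an added example written for this page, not code from the deck or from netassert or illuminatio. It drives the same `kubectl exec ... wget` command over a matrix of (source pod, target URL, expected verdict) entries and reports every mismatch. The pod names, URLs and expectations in it are constructed, and the command runner is injectable so the classification logic can be exercised without a cluster.

```python
"""Repeatable version of the manual `kubectl exec ... wget` probe: run a matrix of
(source pod, target URL, expected verdict) entries and report every mismatch.
Constructed example; pod names, URLs and expectations are assumed."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]  # argv -> (exit code, combined output)


@dataclass(frozen=True)
class Probe:
    namespace: str
    src_pod: str
    url: str
    expect_allowed: bool


def kubectl_runner(argv: List[str]) -> Tuple[int, str]:
    """Real runner: execute the command and return its exit code plus stdout+stderr."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout + proc.stderr


def probe_argv(p: Probe) -> List[str]:
    """The command from the slide: busybox wget, quiet, output to stdout, 2 s timeout."""
    return ["kubectl", "exec", "-n", p.namespace, p.src_pod, "--",
            "wget", "-qO", "-", "--timeout=2", p.url]


def classify(rc: int, output: str) -> str:
    """Tell 'the policy dropped it' apart from 'it arrived but nothing listened'.
    A denying policy drops packets, which surfaces as a silent timeout. 'Connection
    refused' (a TCP RST) proves the packet reached the pod, i.e. the policy allowed
    it; an HTTP error status likewise means the connection itself succeeded."""
    if rc == 0 or "server returned error" in output:
        return "allowed"
    if "timed out" in output:
        return "denied"
    if "Connection refused" in output:
        return "allowed-no-listener"
    return "error"  # bad address, pod not found, ...: the probe itself is broken


def run_matrix(probes: List[Probe], runner: Runner = kubectl_runner):
    """Returns (number passed, failures); each failure is (probe, observed verdict)."""
    failures = []
    for p in probes:
        rc, out = runner(probe_argv(p))
        verdict = classify(rc, out)
        observed_allowed = verdict.startswith("allowed")
        if verdict == "error" or observed_allowed != p.expect_allowed:
            failures.append((p, verdict))
    return len(probes) - len(failures), failures


# Constructed matrix for the default-deny-all policy on the slide: with
# `podSelector: {}` and `ingress: []` in namespace default, neither pod may be reached.
PROBES = [
    Probe("default", "foo", "http://bar.default", expect_allowed=False),
    Probe("default", "bar", "http://foo.default", expect_allowed=False),
]

if __name__ == "__main__":
    passed, failures = run_matrix(PROBES)
    for p, verdict in failures:
        want = "allow" if p.expect_allowed else "deny"
        print(f"FAIL {p.src_pod} -> {p.url}: expected {want}, observed {verdict}")
    print(f"{passed}/{len(PROBES)} probes matched expectations")
    raise SystemExit(1 if failures else 0)
```

The classification is the part worth keeping: busybox wget reports a silent "download timed out" when a policy drops the packets, but "Connection refused" means the packets were let through and nothing was listening on the target port, so a probe against a pod without a listener looks like a deny when it is in fact an allow. An HTTP error status still means the connection was made.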
netassert (https://github.com/controlplaneio/netassert)

Namespace default, pods foo and bar on node 1. netassert takes a config.yaml that lists the expected connectivity per deployment:

  ---
  k8s:
    deployment:
      default:foo:
        default:bar: TCP:80

It then sshes to node 1, starts a test container with docker run --net ... attached to the source pod's network namespace, and runs test.js, which uses nmap to check the listed ports.
illuminatio

Namespace default, pods foo and bar on node 1. illuminatio reads the pods and policies from the API server, enters the source pod's network namespace on node 1 with nsenter, runs test.py (using nmap) from there, and collects the results.
Test case generation: Preface

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: demo
    namespace: default
  spec:
    podSelector:
      matchLabels:
        app: prometheus
    ingress:
    ...

As soon as a policy selects a pod (here app=prometheus), that pod is isolated from every pod except for those matching one of the policy's ingress rules.
Test case generation: Two kinds of tests

Pods: pod A (app=prometheus), pod B (app=grafana), pod C (no matching label). Policy:

  ...
  spec:
    podSelector:
      matchLabels:
        app: prometheus
    ingress:
    - from:
      - podSelector:
          matchLabels:
            app: grafana

Two kinds of test cases follow from this: a positive case (B must be able to reach A) and a negative case (C must be blocked from reaching A).
Test case generation: Multiple policies

Pod A (app=prometheus), pod B (team=ops, app=foo). Two policies select pod A:

  ...
  spec:
    podSelector:
      matchLabels:
        app: prometheus
    ingress:
    - from:
      - podSelector:
          matchLabels:
            app: grafana

  ...
  spec:
    podSelector: {}
    ingress:
    - from:
      - podSelector:
          matchLabels:
            team: ops
        namespaceSelector: {}

Can pod B reach pod A? Policies are additive: B matches no rule of the first policy, but the second policy selects every pod in the namespace (podSelector: {}) and admits pods labelled team=ops from any namespace (the empty namespaceSelector in the same entry), so B is allowed. A test generator therefore has to evaluate the union of all policies that select a pod, never one policy on its own.
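The AND/OR reading of `from` entries (the hard-to-read policies earlier in the deck) and the additive evaluation across several policies (the test case generation slides) are exactly what a test-case generator has to get right. The following Python model of the ingress semantics is an added example written for this page, not code from the deck or from illuminatio; the pods, namespaces, policy objects and function names in it are constructed. It derives the expected allow/deny verdict for every ordered pod pair, which is the oracle a data-plane probe is then compared against, and it handles ports, ipBlock and egress not at all.

```python
"""Model of Kubernetes NetworkPolicy ingress semantics, used to derive the
expected allow/deny matrix (the test oracle) for a set of pods and policies.
Constructed example: it models labels, namespaces and `from` peers only
(no ports, no ipBlock, no egress)."""
from dataclasses import dataclass, field
from itertools import permutations
from typing import Dict, List, Tuple


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str] = field(default_factory=dict)


def matches(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics; the empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec: dict) -> List[str]:
    """Default is Ingress, plus Egress only when an egress section is present."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_matches(peer: dict, src: Pod, policy_ns: str,
                 ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """One `from` entry. namespaceSelector and podSelector in the SAME entry are
    ANDed; a podSelector on its own only sees pods in the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are not modelled here
    if ns_sel is not None:
        if not matches(ns_sel, ns_labels.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or matches(pod_sel, src.labels)


def ingress_allowed(src: Pod, dst: Pod, policies: List[dict],
                    ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """A pod is isolated for ingress as soon as ANY policy in its namespace selects
    it. Policies are additive: the source is allowed if ANY `from` entry of ANY
    ingress rule of ANY selecting policy matches it (entries are ORed)."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in policy_types(p["spec"])
                 and matches(p["spec"]["podSelector"], dst.labels)]
    if not selecting:
        return True  # not isolated: everything may talk to it
    for p in selecting:
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # a rule without `from` admits every source
                return True
            if any(peer_matches(peer, src, dst.namespace, ns_labels) for peer in peers):
                return True
    return False


def generate_cases(pods: List[Pod], policies: List[dict],
                   ns_labels: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Every ordered pair of distinct pods becomes one test case with its expected
    verdict, so each probe is explicitly a should-pass or a should-fail."""
    return {(s.name, d.name): ingress_allowed(s, d, policies, ns_labels)
            for s, d in permutations(pods, 2)}


def policy(name: str, namespace: str, pod_selector: dict, ingress: list) -> dict:
    """Build a NetworkPolicy as the API server would return it (plain dicts)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "ingress": ingress}}


# Constructed cluster: the pods from the slides plus two pods in a second namespace.
NAMESPACE_LABELS = {"default": {}, "ops": {"team": "operations"}}
PODS = [
    Pod("prometheus", "default", {"app": "prometheus"}),
    Pod("grafana", "default", {"app": "grafana"}),
    Pod("other", "default", {"app": "other"}),
    Pod("ops-foo", "ops", {"team": "ops", "app": "foo"}),
    Pod("ops-bar", "ops", {"team": "qa"}),
]
SLIDE_26_POLICIES = [
    policy("allow-grafana", "default", {"matchLabels": {"app": "prometheus"}},
           [{"from": [{"podSelector": {"matchLabels": {"app": "grafana"}}}]}]),
    # podSelector {} isolates EVERY pod in default; the single `from` entry ANDs
    # "labelled team=ops" with "in any namespace" (empty namespaceSelector).
    policy("allow-ops", "default", {},
           [{"from": [{"podSelector": {"matchLabels": {"team": "ops"}},
                       "namespaceSelector": {}}]}]),
]

if __name__ == "__main__":
    cases = generate_cases(PODS, SLIDE_26_POLICIES, NAMESPACE_LABELS)
    for (src, dst), ok in sorted(cases.items()):
        print(f"{src:>10} -> {dst:<10} {'ALLOW' if ok else 'DENY'}")
```

Run it to print the matrix for the two-policy setup: grafana reaches prometheus through the first policy, ops-foo reaches it through the second, and, less obviously, the catch-all `podSelector: {}` also isolates grafana and other, so prometheus can no longer reach grafana. The same functions evaluate the AND/OR variants: one `from` entry carrying both selectors denies ops-foo (it lacks type=monitoring), while the same selectors split into two entries allow it.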
Wrap up

How do these tools complement each other?

Policy, Policy, Policy  ←  kubeaudit/ (static checks on the policy objects)
SDN control plane
Data plane  ←  netassert / illuminatio (observe what is actually enforced)
Recap
● Test your assumptions!
● Regression testing makes your life easier
● Network Policies are still hard to get right
○ Missing feedback
○ Does it work for Services and Pods?
Thank You

Maximilian Bischoff, IT Engineering & Operations, inovex GmbH, Ludwig-Erhard-Allee 6, 76131 Karlsruhe, maximilian.bischoff@inovex.de
Johannes Scheuermann, IT Engineering & Operations, inovex GmbH, Ludwig-Erhard-Allee 6, 76131 Karlsruhe, johannes.scheuermann@inovex.de
