Kubelet Istio: Kubernetes Network Security Demystified

Cite

FOSDEM VZW

Martin, Andrew

Formal Metadata

Title

Kubelet Istio: Kubernetes Network Security Demystified

Title of Series

FOSDEM 2019

Number of Parts

561

Author

Martin, Andrew

License

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/44363 (DOI)

Publisher

FOSDEM VZW

Release Date

2019

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Kubernetes provides multiple layers of network security including the control plane, etcd, the CNI network, network policies, and - with Istio on top - the requests between applications themselves. In this talk we explore the underlying technologies on which these layers are built using approachable examples and demonstrations. Attendees can expect to gain an understanding of these implementations and the principles behind encryption, identity, and trust in Kubernetes. What are TLS, X.509, and mutual authentication? Why cloud native communication should be encrypted by default Kubernetes component intercommunication CNI and network policy for applications Bootstrapping identity with SPIFFE Mutual TLS, route rules, and destination policies in Istio