CNI or Service Mesh? Comparing Security Policies Across Providers

Christine Kim - Google (xtineskim)
Rob Salmond - SuperOrbital (mastodon.social/rsalmond)

What we'll cover:
  What's a CNI?
  What's a Service Mesh?
  The What and How of Policy Enforcement
  Security Gotchas
  Mitigation and How the Field is Evolving
  What You Can Do

Top Ten CNCF Projects by: commits, contributors, comments, issues
[slide series: the "Top Ten CNCF Projects" ranking shown by commits, by contributors, by comments, and by issues; the chart data itself is not recoverable from the page]

Pod-to-pod networking
"pods can communicate with all other pods on any other node without NAT"
https://kubernetes.io/docs/concepts/services-networking/
[diagram: two Pods exchanging data directly]

What is CNI? Container Network Interface
"A way to ask for changes to be made to a container's network config."

What kind of changes?
[diagram: a Pod on a node; the Pod's data path goes through the kernel to the network, while the CNI acts on the control path, asking the kernel to change the Pod's network configuration]

"CNI" vs "CNI Plugin"

What is a CNI plugin?
"A thing that can make container networking changes." A CNI plugin implements the CNI.
[diagram: bridge plugin: the Pod's eth0 is connected through a veth0 pair to the node bridge br0, which reaches the network]

Calico plugin
[diagram: Pod, kernel, network, calico; the Calico plugin programs iptables rules in the kernel; caption: "shall not pass!"]

Weave plugin
[diagram: Pod, kernel, network, weave; the Weave plugin uses Open vSwitch and iptables in the kernel]

Cilium plugin
[diagram: Pod, kernel, network, cilium; the Cilium plugin uses eBPF in the kernel]

Most of the popular CNI plugins:
  Configure pod to pod networking
  Support NetworkPolicy enforcement