How not to have a ‘bad time’ securing your micro-services
Or, how to avoid firewall hell
@liljenstolpe | [email protected]
The Distributed Firewall
[Diagram: Network Fabric with per-host Routing; host labels 10.0.0.1 and 10.0.0.2, workload labels 192.168.1.1 to 192.168.1.4]
Project Calico architecture
[Diagram: Route Reflector, BGP, Kernel Routing and Routes, iptables, Felix; host label 10.0.0.2, workload labels 192.168.1.3 and 192.168.1.4]
admin-ui.yaml

kind: NetworkPolicy
apiVersion: net.alpha.kubernetes.io/v1alpha1
metadata:                        # Metadata
  namespace: default
  name: allow-ui
spec:
  podSelector:                   # Empty selector applies to all pods
  ingress:
  - from:
    - namespaces:                # Allow from management namespace
        role: management-ui
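The same policy expressed in the GA networking.k8s.io/v1 NetworkPolicy API, as an added example that is not part of the slides; the namespace name `management` used in the labelling comment is an assumption, and enforcement still depends on a network plugin such as Calico that implements NetworkPolicy.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ui
  namespace: default
spec:
  # v1 requires podSelector; {} selects every pod in the namespace,
  # the same effect as the empty selector in the alpha policy above.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Only pods in namespaces carrying the label role=management-ui may
    # connect. Because this policy selects all pods in "default", every
    # other ingress source to those pods is denied once it is applied.
    # The label lives on the Namespace object, e.g. (namespace name assumed):
    #   kubectl label namespace management role=management-ui
    - namespaceSelector:
        matchLabels:
          role: management-ui
```

Verify the rule with `kubectl describe networkpolicy allow-ui -n default`, which lists the rendered pod and namespace selectors.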