Kubernetes Security Without Friction

Mar 3, 2026

Guest:

  • Abhishek Rao

Are you trying to improve Kubernetes network security without making your platform harder to operate?

Abhishek Rao, Solutions Architect at Tigera, shares a practical framework for rolling out security in layers so teams can adopt it without getting stuck.

In this interview:

  • Why Istio Ambient Mode and Gateway API are emerging as important building blocks

  • How to apply zero trust in Kubernetes through segmentation, identity, and policy controls

  • What makes security adoption difficult in real teams, and how better tooling improves outcomes

  • Why eBPF and observability are shaping the next phase of Kubernetes networking

If you are balancing speed, reliability, and security in Kubernetes, this conversation offers concrete patterns you can apply immediately.

Transcription

Bart Farrell: Welcome to KubeFM. Who are you? What's your role? And who do you work for?

Abhishek Rao: I am Abhishek Rao. I work as a solutions architect at Tigera.

Bart Farrell: Abhishek, what are three Kubernetes emerging tools that you are keeping an eye on?

Abhishek Rao: To be honest with you, there are so many. But if you wanted me to drill it down to three, the first one would be Istio Ambient Mode. People have been using the sidecar model for years. It's heavy in terms of workload, and it's an overhead as well; it causes a lot of friction. And now what's happened is we've got Istio Ambient Mode, which is lightweight, it's easier to deploy, it simplifies the data plane. So that would be number one. The second one would be Gateway API, that I'm looking into with NGINX ingress controller being deprecated in a month or so. I feel it's the right time for people to kind of move from NGINX ingress controller to Gateway API, because not only is the Kubernetes platform recommending it, but it's also that Kubernetes has developed so much in the past 10 years that I feel it's a good pivot into that platform. And it's no more like, oh, I want to expose this service; it's more complex in terms of architecture. So I feel Gateway API kind of fits the bill there. So that's the second one. The third one is eBPF for Kubernetes networking. I know it's been here for a while, I know that, but I feel that a lot of people are moving from traditional data networks and VMs to Kubernetes in the recent past, with all the AI boom happening. A lot of people are moving their workloads, and I feel picking and choosing the right networking is really important. And I feel eBPF stands out there. It's not only quick to use, it has in-depth observability, it's frictionless, it has a lot of good features compared to the other options that are available. And I feel that is something that people need to choose. And that's what I'm hearing, and that's something that I like to investigate and put my time in. So those are the three.

Bart Farrell: Now, our podcast guest, Mac, thinks you can't just stumble your way into building a secure orchestration system. How do you approach security when designing platform solutions without deep security knowledge?

Abhishek Rao: To be honest with you, in the day and age we are, with all the tools that are available in our arsenal, I feel we don't need to be a rocket scientist of sorts to kind of do security. I feel it's something that a lot of people can do, as long as you understand the core concepts of what security is and what it entails. An example that I use with a lot of people I speak to, because I talk to a lot of people on a daily. A good example that I go with is, take an apartment building, for example. That would entail or that would become your cluster. And any entrance into the apartment building, you'll need a fob to get in. It's already secure. So that's something like ingress and ingress controller that you're talking about. Once you're in the building, if you want to go to a specific floor that you reside on, that's namespace-based isolation. That's basically only people residing on that floor can access it. And then you have a unit which is locked. Only you can access that unit. That's workload-based isolation. Security is available in our lives. We already use it in a different form without thinking about it. Once you start thinking about it and you want to go all bazooka into it, that's when it starts getting overwhelming. So I feel not looking at it as a difficult task. I know security achieves a lot. And what people think is because of the value it provides, implementation is equally difficult. But it's not. It's not supposed to be with all the tools that we have. It's way simpler than people think.

Bart Farrell: Our podcast guest John defined a zero trust network as rather than allowing anyone to connect to anything, every hop along the way authenticates and authorizes who can connect. What's your advice for implementing zero trust in a Kubernetes network?

Abhishek Rao: John's right. That's completely true. Zero trust is, to be honest with you, zero trust is, it's like an implicit deny of sorts, only because Kubernetes is inherently made in such a way that it's permissible: pod communication and workload communications are allowed unless you deny it explicitly. Zero trust flips the whole script. Zero trust works in a way where you're only allowing traffic that you explicitly want to allow, and you're denying everything else, and I feel security in that sense is way better. My advice, or the way I would look at it, is I would like to do it in a tiered or a structured or a phased approach, whatever terminology you want to use. You have to do it in a multiple-tier approach, right? So the first one, or the core of it, would be network segmentation, or micro-segmentation as we like to call it, where you're talking about workload- or pod-based security, where you're basically just allowing the traffic that you want to communicate and denying everything else. So that would be your micro-segmentation, or tier one. Once you go a little higher, then you're talking about identity-based, identity-based, right? So you have mTLS; here's where Istio Ambient Mode comes in. So you're talking about that you have authentication and certifications happening at this identity-based layer. And then, to top it off, basically at the end of the whole thing is a global network policy, cluster ingress and egress access control, and stuff like that. So that tiered approach creates a really good zero trust model.

Bart Farrell: John also observed the big thing I found over the years is that it's not so much about the features and security. It's about getting people to use it. How do you address the adoption challenge that John highlighted regarding Kubernetes security features?

Abhishek Rao: This is very true. It's not the security features that are difficult, but it's more of adoption that becomes a problem. And what's happening is there's a lot of gray area in the roles that have come up, right? What's happened before in the past was you had a whole security team, and you still have those in a lot of companies. But I feel it's also that it's come to a spot where you have network engineers, architects doing security as well. And then that's an afterthought. So networking and security is one of those things which works until it doesn't. So people just keep it as an afterthought and don't look at it as much. What I feel would help in adoption is using the helper tools that are available. There are so many open source tools available on the CNCF project landscape, commercial tools as well, such as Calico and Cilium and such. You have so many tools that are available. Use those, because they are so handy in terms of observability, service graph. You have those, you have dashboarding, which helps you kind of visualize and do stuff. That would be step number one. Step number two, getting into this, is also using... I know a lot of people don't like CLI. I am a network engineer through and through. CLI is not my go-to, because it's not one of those things that I like using as much. I'd rather use a more human-formatted GUI, and a lot of tools exist for that as well. Use a human-formatted GUI which creates network policies on the front end; on the back end, it creates the YAML for yourself. So it itself creates it, so you don't have to worry about or look at how that formatting or syntax works. You just put in what you want to put in and, boom, it works. Along with that, you have staged network policies. That's another thing where, if you're scared to deploy a policy because you feel you'll break your cluster, you're not gonna, and staged network policy will give you a preview and such. So I feel using all the tools in the arsenal, and making yourself feel more confident and comfortable, and using it in the format that you've been seeing it in, will help adoption in a way. And I feel that that's what I like to preach about: go ahead, look at the observability tools, the service graphs that you have out there, and try to understand your network from there, rather than looking at the CLI and the mumbo jumbo, because that kind of messes up and scares people away. So I feel that's the steps of adoption that I would go for.

Bart Farrell: You know, Abhishek, Kubernetes turned 10 years old, about a year and a half ago, what should we expect in the next 10 years?

Abhishek Rao: I mean, in the past 10 years, there were so many changes that happened; it changes every single day is what I feel. But if you ask me what I'm looking at with Kubernetes, I feel there'll be a lot of consolidation. And you'll have all these tools combining into a unified approach. You'll have different open source projects that would come up, which have Ingress, Egress, and all of those things bundled into one to make it easier for people to adopt as well, right? Because adoption has been an issue. So it makes it easier for people to come is what I'm seeing. Multi-cluster environments will become a norm. Everyone will start using those is what I'm feeling happening. And then I'm gonna use the buzzwords that people love using, like AI workloads are gonna come and take over. You'll have something for that; you'll have the Kubernetes environment reshape itself so that it can handle stuff such as that. And I'm hoping, I'm hoping this happens in the next 10 years, where Kubernetes becomes really robust and networking and security become something that is inherently adopted in the platform by itself. So I feel those are the things in the next 10 years that I'm looking forward to.

Bart Farrell: Great. And what's next for you, Abhishek?

Abhishek Rao: Next for me is increased adoption. That's the thing that I am doing, and I would love to continue doing that. I'm pivoting into adoption of AI workloads and how Kubernetes, right now with the tools that we have, how can we do that and help people with AI workloads work on that? So that is one of those things that I preach on. But other than that, the core of it is I love talking about networking and network security in Kubernetes. That is, that's what's up for me in the near future.

Bart Farrell: And if people want to get in touch with you, what's the best way to do that?

Abhishek Rao: You guys can reach out to me on LinkedIn, and it's Abhishek Rao. I work for Tigera, so you can find me there. And other ways, you could email me at rao at tigera.io. So I'm reachable through that means as well.
