Exploring Network Policy automation and Kubernetes security

Guest:

  • Ben Hirschberg

Discover the future of network policy automation and Kubernetes security with Ben Hirschberg, ARMO's CTO.

In this interview, Ben will discuss:

  • How automating network policy generation by monitoring application behaviour can enhance network segmentation.

  • The evolution of Kubernetes secret management from environment variables to files and the potential benefits of using a secret management tool.

  • The challenges Kubernetes faces in node management and its promising future with increasing adoption.
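The automated approach in the first bullet, observe which workloads actually talk to which and emit network policies for exactly those flows, as an added example that is not ARMO's or Kubescape's code. It assumes a monitoring agent exports one record per observed connection with the source and destination namespace, the pods' `app` label, port and protocol; the flow records here are constructed for illustration, not captured from a cluster. The `is_allowed` evaluator mirrors the NetworkPolicy ingress semantics (a pod selected by no policy accepts everything, a selected pod accepts only what some rule allows) so the generated set can be checked before it is applied:

```python
"""Generate Kubernetes NetworkPolicy objects from observed pod-to-pod flows.

Added example; not code from ARMO or Kubescape. The flow records below are
constructed to stand in for what a monitoring agent would export from a
development or staging cluster. Assumed flow schema: source namespace and
`app` label, destination namespace and `app` label, port, protocol.
"""
import json
from collections import defaultdict

# Constructed sample flows (not captured from a real cluster).
OBSERVED_FLOWS = [
    {"src_ns": "shop", "src_app": "frontend", "dst_ns": "shop", "dst_app": "api", "port": 8080, "proto": "TCP"},
    {"src_ns": "shop", "src_app": "api", "dst_ns": "shop", "dst_app": "db", "port": 5432, "proto": "TCP"},
    {"src_ns": "monitoring", "src_app": "prometheus", "dst_ns": "shop", "dst_app": "api", "port": 9090, "proto": "TCP"},
    # Repeated observation of an existing flow; must collapse into one rule.
    {"src_ns": "shop", "src_app": "frontend", "dst_ns": "shop", "dst_app": "api", "port": 8080, "proto": "TCP"},
]

API = "networking.k8s.io/v1"


def default_deny_ingress(namespace):
    """Namespace-wide policy that selects every pod and allows no ingress."""
    return {"apiVersion": API, "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-ingress", "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}


def generate_policies(flows):
    """One default-deny policy per destination namespace plus one allow policy
    per destination workload that admits only the observed (peer, port) pairs."""
    peers_by_dst = defaultdict(set)
    for f in flows:
        peers_by_dst[(f["dst_ns"], f["dst_app"])].add(
            (f["src_ns"], f["src_app"], f["port"], f["proto"]))
    policies = [default_deny_ingress(ns) for ns in sorted({ns for ns, _ in peers_by_dst})]
    for (dst_ns, dst_app), peers in sorted(peers_by_dst.items()):
        ingress = []
        for src_ns, src_app, port, proto in sorted(peers):
            peer = {"podSelector": {"matchLabels": {"app": src_app}}}
            if src_ns != dst_ns:
                # podSelector and namespaceSelector in one entry are ANDed:
                # only pods with that label in that namespace match.
                peer["namespaceSelector"] = {
                    "matchLabels": {"kubernetes.io/metadata.name": src_ns}}
            # One rule per peer keeps source and port paired instead of cross-multiplied.
            ingress.append({"from": [peer], "ports": [{"protocol": proto, "port": port}]})
        policies.append({"apiVersion": API, "kind": "NetworkPolicy",
                         "metadata": {"name": f"allow-{dst_app}-ingress", "namespace": dst_ns},
                         "spec": {"podSelector": {"matchLabels": {"app": dst_app}},
                                  "policyTypes": ["Ingress"], "ingress": ingress}})
    return policies


def is_allowed(policies, src_ns, src_app, dst_ns, dst_app, port, proto="TCP"):
    """Check one candidate connection against the generated policies (ingress side):
    a pod selected by no policy accepts everything; a selected pod accepts only
    what some rule of some selecting policy allows."""
    selected, allowed = False, False
    for p in policies:
        if p["metadata"]["namespace"] != dst_ns:
            continue
        sel = p["spec"]["podSelector"].get("matchLabels", {})
        if sel and sel.get("app") != dst_app:
            continue
        selected = True
        for rule in p["spec"].get("ingress", []):
            if not any(pp["port"] == port and pp["protocol"] == proto for pp in rule["ports"]):
                continue
            for peer in rule["from"]:
                if "namespaceSelector" in peer:
                    ns_ok = peer["namespaceSelector"]["matchLabels"]["kubernetes.io/metadata.name"] == src_ns
                else:
                    ns_ok = src_ns == dst_ns  # no namespaceSelector means the policy's own namespace
                if ns_ok and peer["podSelector"]["matchLabels"]["app"] == src_app:
                    allowed = True
    return allowed if selected else True


def to_manifest(policies):
    """A v1 List object in JSON, which `kubectl apply -f` accepts."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": policies}, indent=2)


if __name__ == "__main__":
    pols = generate_policies(OBSERVED_FLOWS)
    print(to_manifest(pols))
    # A flow never seen during observation is blocked once applied.
    print("frontend->db:5432 allowed?", is_allowed(pols, "shop", "frontend", "shop", "db", 5432))
```

The generated set admits only what was exercised while monitoring, which is the point of the approach and also its failure mode: a path that never ran in staging (a maintenance job, an error-handling branch, a dependency added in the next release) is denied in production. Diff each generated set against the previous one and run it in the monitored environment before promoting it; egress, including DNS, is not covered here.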

Transcription

Bart: Who are you? What's your role? Who do you work for?

Ben: Hey everyone, I'm Ben, CTO of ARMO.

Bart: What are three emerging Kubernetes tools that you're keeping an eye on?

Ben: Lately, Karpenter is one of the great tools we applied. It significantly reduced our costs in Kubernetes. We also started to experiment with Knative. Knative is a great tool, and we love it. I think it's a very good approach to a problem we are having in our clusters. And last, but not least, Kubescape, of which I am one of the maintainers, is excellent for security automation. It's one of the best tools you can have.

Bart: One of our guests, Ori, argued that network policies are the wrong abstraction for achieving zero trust and network segmentation. He argues that network policies create unnecessary dependencies between teams, hindering independent progress. How do you manage network policies in your cluster? What strategies work for you?

Ben: The way we are managing our network policies is by monitoring our development and staging clusters, observing how our applications behave, and using our own tools to understand which components are communicating with each other. We then generate network policies based on this actual behavior. This way, we can automate the entire process of generating network policies and applying them in production, achieving a very good level of network segmentation, though not full zero trust.

Bart: One of our guests, Mac, advocated using plain Kubernetes secrets, emphasizing their effectiveness in most scenarios. He shared how a threat model can support this reasoning and lead to simpler yet secure solutions. What's your advice on Kubernetes secrets? What's worked for you in the past? And did you have a threat model to test against?

Ben: We started to use Kubernetes secrets when we moved to Kubernetes, from day one. We first mapped them as environment variables. Then we moved away from that and mapped them as files, because we saw that as a more secure solution in general. In our threat modeling, we identified that one of the hardest things is to prove that the secrets are being deployed securely from A to Z, from Git to the cluster. Sometimes it's hard. We are considering using a secret management tool on top of Kubernetes secrets to complete our security posture.

Bart: Kubernetes is turning 10 years old this year.

Ben: It's going to be a very cool birthday for Kubernetes this year. I think that what we're going to see is more and more adoption. One of the hardest things that Kubernetes will need to tackle is the lower management layers, because for many users, managing nodes is kind of a problem, and optimizing around nodes is hard. If Kubernetes can complement the current offering with solutions for this, it will have a bright next 10 years with more and more adoption.

Bart: What's next for you?

Ben: For me, I think that we are trying to go up in the Kubernetes and CNCF landscape, both with ARMO and Kubescape: incubation. So we are looking for more adopters and contributors, and by giving out, we get a bigger footprint in the CNCF landscape.

Bart: How can people get in touch with you?

Ben: I think the best way to be in touch with me is CNCF Slack. I'm always around. The tech security and Kubescape channels there are the best way, but you can also connect with me on X.

Podcast episodes mentioned in this interview