Cisco Tetration integration with Kubernetes

Captions
Hello, this is a demo of how Tetration can help protect containers, or specifically Kubernetes, in our install here. So you can see here in our display page that we have a bunch of containers all running: there's a front end, there's an orders container, the payment container. So I have a bunch of them running, and if we look into one of the containers specifically, you can see that there is a Tetration agent. The policy basically is to allow TCP all, so it's wide open. There's really no security policy in force; it's just wide open.

Now let's go into Tetration. How can Tetration get access or visibility of Kubernetes? You can see here we go into the external orchestration tool, where we can configure credentials to connect to Kubernetes, and there are additional options that you can choose for other systems. So here, for us, we're going to choose Kubernetes, and then after we choose Kubernetes we'll just simply input the credentials, the information that's needed, certificates, etc., to connect to the Kubernetes system, so we could inherit the device attributes or the container attributes into our Tetration instance for policy creation. And you can see here's an example of a successful connection to Kubernetes.

And now let's go into the Tetration workspace. So we have a workspace called sockshop, and we drill into it, and there you can see a whole list of all the policies I imported from the Kubernetes cluster there. And we can see here, here's a visual representation of the traffic flow going from front-end server to a back-end server to payment server. So it's represented by different colors, and if I point at a different color, it's basically telling us what is the traffic flow being permitted or being assigned, pulled down by the Kubernetes policy itself, right? This is all downloaded from the Kubernetes master node here by Tetration. And then after this we can see that this is the overall policy that it downloaded, so it's a table list of all the permits, ports, protocols that should be used to have this policy, have this cluster working as advertised for design. And you can see there's, you know, front-end user pods talking to database pods, there's front-end pods talking to other pods like carts, etc. So there's just different variations of the communications that are supposed to happen because this multi-tiered application needs to work.

Okay, so now let's spin up a whole new separate container called busybox. And as we spin up this busybox, this is sort of a simulation of somebody else spinning up another container in the work environment; they're simply doing testing, and there's no policy in force, so it's a wide open network. So now this container, or rogue container, could be stealing traffic or having a connection that it's not supposed to. So we can see here now this busybox container just popped up; it can reach this other container, this other front-end container that we're looking at. And that's fine, right, because right now it's an open policy, right? So it's pretty much a flat network there, so we can see the pings are going.

So what we're going to do next is say, well, we need to stop this from happening, prevent rogue devices from connecting. So now we'll go back into the Tetration page and enforce the policy, right? And these are the policies that were created, downloaded by the Kubernetes master nodes, and only these applications should talk to each other. So I'm going to go hit the enforce policies button and deploy the latest version, of course hit accept and enforce, and now the policy has been configured and enforced. And we can see that pings actually now have stopped: you can see the sequence number 128, 129, 130 is the last entry there, so the pings have stopped, okay, because the policy has kicked into place. And you can see here earlier there's only two rules that say allow TCP all; now there's a bunch more rules in the iptables of the container. We can see that it's blocking or permitting traffic from communicating.

And now if we jump into the actual applications, that's what we're interested in, these applications. It's a three-tier application; it's still working because that's what the Kubernetes policy mandated, that these applications need to talk to each other through certain protocols, while everything else outside the policy gets stopped. All right, thanks for watching.
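The demo enforces policies that Tetration pulled down from the Kubernetes cluster. The manifests below are an added example, not the video's or Cisco's own configuration, of what such cluster-side policies look like as Kubernetes NetworkPolicy objects: a namespace-wide default deny plus narrow allows between the tiers named in the demo, so that an ad-hoc pod like the busybox one has no rule permitting it. The namespace `sock-shop`, the `name:` pod labels and TCP port 80 are assumptions.

```yaml
# Added example (not from the video or Cisco): Kubernetes NetworkPolicy
# objects for a namespace like the demo's sockshop workspace. The namespace,
# the pod labels and the port numbers are assumptions.
---
# 1. Default deny: a pod with no matching allow rule (such as the ad-hoc
#    busybox pod in the demo) cannot reach any pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: sock-shop
spec:
  podSelector: {}        # empty selector = every pod in the namespace
  policyTypes:
    - Ingress            # no ingress rules listed, so all ingress is denied
---
# 2. Allow only the front end to reach the orders service, on its HTTP port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-front-end-to-orders
  namespace: sock-shop
spec:
  podSelector:
    matchLabels:
      name: orders
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: front-end
      ports:
        - protocol: TCP
          port: 80
---
# 3. Allow only the orders tier to reach payment; nothing else may.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-orders-to-payment
  namespace: sock-shop
spec:
  podSelector:
    matchLabels:
      name: payment
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: orders
      ports:
        - protocol: TCP
          port: 80
```

Apply with `kubectl apply -f` and check from an unlabelled test pod that a request to `orders` times out while one from a `name: front-end` pod succeeds. Two caveats: the front end itself still needs its own ingress policy for user traffic, since the default deny covers it too, and a NetworkPolicy only has effect when the cluster's CNI plugin enforces it. In the demo the enforcement point is the Tetration agent writing iptables rules inside the container, which is why the narrator looks at the container's iptables to confirm the policy took hold.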
Info
Channel: Ciscolive Security Fan
Views: 93
Keywords: Tetration with Kubernetes
Id: nmTzWCGuQjE
Length: 4min 57sec (297 seconds)
Published: Thu Nov 12 2020