In this blog post, I will be talking about label standards and best practices for Kubernetes security. This is a common area where I see organizations struggle to define the set of labels required to meet their security requirements. My advice is to always start with a hierarchical security design that is capable of achieving your enterprise security and compliance requirements, then define your label standard in alignment with that design. This is not meant to be a comprehensive guide to all your label requirements, but rather a framework that guides you through developing your own label standard to meet your specific security requirements.
Labels are key/value pairs that are attached to Kubernetes objects to identify attributes that are intuitive for users and that are required for specific purposes, such as inventory reporting or the enforcement of an intent.
Kubernetes network policies express the intent to enforce security controls on pods, using labels to match the intended endpoints. Label prefixes can be used to identify a label's classification. The following short list is a high-level classification of the endpoints required for developing a Kubernetes network policy design:
Labels
Cloudflare provides a broad range of products — ranging from security, to performance and serverless compute — which are used by millions of Internet properties worldwide. Often, these products are built by multiple teams in close collaboration, and delivering them can be a complex task. So have you ever wondered how we do so consistently and safely at scale?
Software delivery consists of all the activities needed to get working software into the hands of customers. It is usual to talk about software delivery with reference to a model, or framework. These provide the scaffolding for most modern software delivery models, although in order to minimise operational friction it is usual for a company to tailor its approach to suit its business context and culture.
For example, a company that designs the autopilot systems for passenger aircraft will require very strict tolerances, as a failure could cost hundreds of lives. It would want a different process from a cutting-edge tech startup, which may value time to market over system uptime or stability.
Before outlining the approach we use at Cloudflare it’s worth quickly running through a couple of commonly used delivery models.
Waterfall has its foundations (pun intended) in construction and
Arista’s EOS (Extensible Operating System) has been nurtured over the past decade, taking the best principles of extensible, open and scalable networks. While SDN evangelists insisted that the right way to build networks started with the decoupling of hardware and software in the network, manipulated by a centralized, shared controller, many companies failed to provide the core customer requisite in a clean software architecture and implementation coupled with key technical differentiation. This has been the essence of Arista EOS.
One of the publicly observable artifacts of the October 2021 Facebook outage was an intricate interaction between BGP routing and their DNS servers, needed to support an optimal anycast configuration. Not surprisingly, it was all the networking engineers' fault according to some opinions [1]:
There's no need for anycast [2]/BGP advertisement for DNS servers. DNS is already highly available by design. Only network people never understand that, which leads to overengineering.
It's not that hard to find a counter-argument [3]: while it looks like there are only 13 root name servers [4], each one of them is a large set of instances advertising the same IP prefix [5] to the Internet.
Like most languages, JavaScript assigns variables with the = operator. There are 3 different keywords that can be used to declare a variable. var - Deprecated, should not be used for ES6+. let - Variable can be re-assigned. Value can be mutated. const - Variable cannot be...
One of the defining characteristics of edge applications is the need for low latency to absorb and analyze data from connected devices deployed in locations such as retail stores, manufacturing facilities, distribution centers, and municipal infrastructure. Until recently, most chatter about “the edge” has been vague, often conflating the extension of cloud service delivery to […]
The post Vapor IO Realizes Open Grid Vision With INZONE 5G Edge Services appeared first on Packet Pushers.
Today on the Tech Bytes podcast, sponsored by Juniper, we talk with a customer of Juniper’s Apstra intent-based networking data center software. IT solutions provider Advania uses Apstra internally to operate its own data centers, as well as for customer engagements.
The post Tech Bytes: Advania Chooses Apstra For Data Center Operations (Sponsored) appeared first on Packet Pushers.
docker run -p 8008:8008 -p 6343:6343/udp sflow/prometheus
The pre-built sflow/prometheus Docker image packages sFlow-RT with the applications for exploring real-time sFlow analytics. Run the command above, configure network devices to send sFlow to the application on UDP port 6343 (the default sFlow port) and connect with a web browser to port 8008 to access the user interface.
This blog reviews what VXLAN is, why it was developed, how it is being used in data centers, and advantages over other virtualization technologies.
The post VXLAN: Virtualizing Data Center Networks for the Cloud Era appeared first on Pluribus Networks.
Since VXLAN was introduced in 2014 it has become an important component of modern data center network fabrics. This blog reviews what VXLAN is, why it was developed, how it is being used in data centers, and its advantages over other virtualization technologies. In an upcoming blog, we will look at some innovative VXLAN applications outside the data center.
Virtual eXtensible Local Area Network (VXLAN) is an Internet standard protocol that provides a means of encapsulating Ethernet (Layer 2) frames over an IP (Layer 3) network, a concept often referred to as “tunneling.” This allows devices and applications to communicate across a large physical network as if they were located on the same Ethernet Layer 2 network.
Tunneling approaches such as VXLAN provide an important tool for virtualizing the physical network, often called the "underlay," and allow connectivity to be defined and managed as a set of virtual connections, called the "overlay." These virtual connections can be created, modified and removed as needed without any change to the physical underlay network. (Mike Capuano's blog, What to Know About Data Center Overlay Networks, provides a deeper dive on overlays.)
While VXLAN is only one
Take a Network Break! This week we discuss how startup Rockport Networks brings switchless networking to the data center. The FTC says ISPs are amassing and monetizing sensitive customer data. Cisco unveils new routing silicon, Juniper sees revenues rise and income fall, and more tech news.
The post Network Break 357: Switchless Networking? Startup Rockport Says Yes; ISPs Monetize Customer Surveillance appeared first on Packet Pushers.