NetworkingNexus.net

Endpoint Selectors and Kubernetes Namespaces in CiliumNetworkPolicies

While performing some testing with CiliumNetworkPolicies, I came across a behavior that was unintuitive and unexpected to me. The behavior centers around how an endpoint selector behaves in a CiliumNetworkPolicies when Kubernetes namespaces are involved. (If you didn’t understand a bit of what I just said, I’ll provide some additional explanation shortly—stay with me!) After chatting through the behavior with a few folks, I realized the behavior is essentially “correct” and expected. However, if I was confused by the behavior then there’s a good chance others might be confused by the behavior as well, so I thought a quick blog post might be a good idea. Keep reading to get more details on the interaction between endpoint selectors and Kubernetes namespaces in CiliumNetworkPolicies.

Before digging into the behavior, let me first provide some definitions or explanations of the various things involved here:

Kubernetes namespaces are a way to logically isolate groups of resources in a cluster. For example, you might install the software that drives your point-of-sale (PoS) devices in the “retail-pos” namespace while the application that handles inventory is in the “inventory” namespace. You can read more about namespaces in the Kubernetes documentation.
CiliumNetworkPolicies are Cilium-specific network policies Continue reading

NAN064: Get to Know NAF Co-Founder: Scott Robohn

Scott Robohn is responsible for so much of the current buzz and awareness of network automation. Today, we sit down with the co-founder of Network Automation Forum to learn about his own journey. We chat about his education and the question of if college degrees are necessary. We also talk about his experience at big... Read more »

Disrupting FlyingYeti’s campaign targeting Ukraine

Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. At the onset of Russia’s invasion of Ukraine on February 24, 2022, Ukraine introduced a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, resulting in significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures. If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim’s system.

Since April 26, 2024, Cloudforce One has taken measures to prevent FlyingYeti from launching their phishing campaign – a campaign involving the use of Cloudflare Workers and GitHub, as well as exploitation of the WinRAR vulnerability CVE-2023-38831. Our countermeasures included internal actions, such as detections and code takedowns, as well as external collaboration with third parties to remove the actor’s cloud-hosted malware. Continue reading

Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure

We’re excited to announce that BastionZero, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases.

Security teams often prioritize application and Internet access because these are the primary vectors through which users interact with corporate resources and external threats infiltrate networks. Applications are typically the most visible and accessible part of an organization's digital footprint, making them frequent targets for cyberattacks. Securing application access through methods like Single Sign-On (SSO) and Multi-Factor Authentication (MFA) can yield immediate and tangible improvements in user security.

However, infrastructure access is equally critical and many teams still rely on castle-and-moat style network controls and local resource permissions to protect infrastructure like servers, databases, Kubernetes clusters, and more. This is difficult and fraught with risk because the security controls are fragmented across hundreds or thousands of targets. Bad actors are increasingly focusing on targeting infrastructure resources as a way to take down huge swaths of applications at once or steal sensitive data. We are excited to extend Cloudflare One’s Zero Trust Network Access to natively protect infrastructure with user- and device-based policies Continue reading

Key Hyperscalers And Chip Makers Gang Up On Nvidia’s NVSwitch Interconnect

The generative AI revolution is making strange bedfellows, as revolutions and emerging monopolies that capitalize on them, often do. …

Key Hyperscalers And Chip Makers Gang Up On Nvidia’s NVSwitch Interconnect was written by Timothy Prickett Morgan at The Next Platform.

IPB152: IPv6 and Windows Active Directory

If you’re an Active Directory administrator or part of an enterprise network team working with one, this episode is for you. Ed literally wrote the book “Practical IPv6 for Windows Administrators” so Scott has fun interviewing him as today’s guest. Ed goes over how to diagram out your IPv6 deployment, including address allocation and making... Read more »

BGP Labs: Graceful Shutdown

Using the typical default router configurations, it can take minutes between a failure of an inter-AS link and the convergence of BGP routes. You can fine-tune that behavior with BGP timers and BFD (and still get pwned by Graceful Restart). While you can’t influence link failures, you could drain the traffic from a link before starting maintenance operations on it, and it would be a shame not to do that considering there’s a standard way to do that – the GRACEFUL_SHUTDOWN BGP community defined in RFC 8326. That’s what you’ll practice in the next BGP lab exercise.

BGP Labs: Graceful Shutdown

Explore the lab exercise

Upcoming Changes to the AWX Project

By Matthew Jones, Chief Architect, Ansible Automation at Red Hat

Back in 2013, a small team of engineers worked for over a year to make the first commercial release of Ansible Tower (before we expanded and evolved to Ansible Automation Platform) and during that time we put down the foundation of an application that I’m immensely proud of.

We, the original architects of Tower, were trying to find the best way to create a system that would allow running Ansible at scale for hundreds of thousands of servers. We wanted there to be a way to not just manage those servers but store the results of that automation and provide auditability and traceability. It needed to make Ansible functional for large teams and it succeeded.

Today, we’re not just talking about hundreds of thousands. We’re thinking in the millions and tens of millions, we’re managing automation for some of the largest IT organizations in the world. And we’re not just managing servers. In the intervening years we’ve been automating containers, cloud platforms, network devices, storage, IoT devices and PLCs (among other things). One of the main challenges that we’re facing is that some of the architectural decisions we made Continue reading

On the ‘net: Modeling Tunnels

One reason the OSI model isnﾒt all that useful anymore is because it assumes things about networks that are no longer true, such as the existence of a clear set of protocols neatly layered one atop another. We just donﾒt build networks this way any longer.

Getting Barrier Working Between Arch Linux and Ubuntu

I recently had a need to get Barrier—an open source project aimed at enabling mouse/keyboard sharing across multiple computers, aka a “software KVM”—running between Arch Linux and Ubuntu 22.04. Unfortunately, the process for getting Barrier working isn’t as intuitive as it should be, so I’m posting this information in the hopes it will prove useful to others who find themselves in a similar situation. Below, I’ll share how I got Barrier working between an Arch Linux system and an Ubuntu system.

Although this post specifically mentions Arch Linux and Ubuntu, the process for getting Barrier running should be pretty similar (if not identical) for other Linux distributions and for macOS. I don’t have any Windows-based systems on which to test these instructions, but they should be adaptable to Windows as well. Note that there may be slight differences in the flags for the commands listed here when they are run on platforms other than Linux.

Installing Barrier

Both Arch and Ubuntu 22.04 have the latest release of Barrier, version 2.4.0, available in their repositories, so the installation is straightforward.

For Arch, just install with pacman:

pacman -Ss barrier

There’s also a “barrier-headless” package in Continue reading

The New Era of AI Centers

In 1984, Sun was famous for declaring, “The Network is the Computer.” Forty years later we are seeing this cycle come true again with the advent of AI. The collective nature of AI training models relies on a lossless, highly-available network to seamlessly connect every GPU in the cluster to one another and enable peak performance. Networks also connect trained AI models to end users and other systems in the data center such as storage, allowing the system to become more than the sum of its parts. As a result, data centers are evolving into new AI Centers where the networks become the epicenter of AI management.

Must Read: Make Two Trips

Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.

The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.

Must Read: Make Two Trips

Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.

Container Security: Protect your data with Calico Egress Access Controls

23andMe is a popular genetics testing company, which was valued at $6B in 2021. Unfortunately, there was a massive data breach in December 2023, which caused a steep decline in the company’s value and trust, plummeting the company to a penny stock. While this breach was not directly related to Kubernetes, the same risks apply to containers running in your Kubernetes environments. If your containerized applications do not have the right egress access controls defined, chances of data exfiltration are much higher.

The basics

A typical modus operandi for threat actors is to look for vulnerabilities or misconfiguration in the environment and workloads, install malicious pods through privilege escalation techniques, and then exploit this unsecured pod to exfiltrate data.

Fig 1: Anatomy of a data exfiltration attack

An easy reconnaissance technique by just scanning the cluster network for public-facing workloads will be a first starting point for most attackers. Privilege escalation occurs mostly due to inconsistent or incorrect RBAC policies in Kubernetes through which unauthorized users can gain root privileges. Vulnerabilities in container images as part of the supply chain are also another attack path. All of these techniques will ultimately land on an exposed pod with a remote code Continue reading

Introducing NFA 24.05: SNMP Explorer Parameter Sets, TACACS+, Microsoft Teams support and more

The post Introducing NFA 24.05: SNMP Explorer Parameter Sets, TACACS+, Microsoft Teams support and more appeared first on Noction.

With Thor 2, Broadcom Wants To Become The AI Network Adapter

Aside from all of the buzz that optics get in datacenter networking, copper is still king of the short haul. …

With Thor 2, Broadcom Wants To Become The AI Network Adapter was written by Timothy Prickett Morgan at The Next Platform.

PP016: Tabletop Security Exercises: D&D for Grown-ups

Tabletop security exercises can help organizations game out their response to a security incident. From the technical and business considerations to legal and PR implications, a tabletop exercise, like Dungeons and Dragons, lets you play-test attack and defense scenarios. Johna Till Johnson, CEO of Nemertes consulting firm and co-host of the Heavy Strategy podcast, joins... Read more »

HW028: Highlights from Wi-Fi World Congress USA

A cardboard box with a circuit printed on it that harvests just enough power to activate a radio and have it chirp something out a short distance: that’s just one of the cool products and 802.11 standards that stood out at this year’s Wi-Fi World Congress USA. Drew Lentz joins the show to recap the... Read more »

On the ‘net: Grey Failures and the Law of Large Numbers

You’ve just finished building a 1,000 router fabric using a proper underlay and overlay. You’ve thought of everything, including doing it all with a single SKU, carefully choosing transceivers, using only the best optical cables, and running all the software through a rigorous testing cycle. Time to relax? Perhaps—or perhaps not.

« Previous 1 … 91 92 93 94 95 … 3,795 Next »