This is a demo of how to lock down your Kubernetes cluster using advanced Cilium Network Policies. For simplicity's sake, this demo assumes a green-field deployment of a new Kubernetes cluster with some common infrastructure components.
If you would like to apply these or similar policies to your existing clusters, that is still possible without too much effort: use Cilium Hubble's visibility to check whether a newly introduced Cilium Network Policy drops traffic it should not. Check out Isovalent's free Zero Trust hands-on lab if you want to learn more about our recommended way of validating new Cilium Network Policies before applying them to existing clusters.
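As an added illustration of the pattern the demo builds on (not a policy from this repository's `netpols` directories), the following CiliumClusterwideNetworkPolicy puts every pod in the assumed `demo` namespace into default-deny for ingress and egress, then allows only DNS egress to kube-dns with L7 DNS inspection, so that `hubble observe --verdict DROPPED` shows exactly which flows still need an allow rule:

```yaml
# Added example, not part of the demo repository. Assumes a namespace
# named "demo" and the standard kube-dns labels in kube-system.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: demo-default-deny-allow-dns
spec:
  description: "Default-deny all pods in namespace demo, allow DNS to kube-dns only"
  endpointSelector:
    matchLabels:
      io.kubernetes.pod.namespace: demo
  # An empty rule enables policy enforcement for the direction without
  # allowing anything: every flow not matched by another rule is dropped.
  ingress:
  - {}
  egress:
  # Allow DNS lookups to kube-dns only; the dns L7 rule makes resolved
  # names visible in Hubble, which helps when writing follow-up rules.
  - toEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
```

After applying it, `hubble observe --namespace demo --verdict DROPPED` lists the flows this policy now blocks, which is the check to run before rolling a similar policy out to an existing cluster.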
- Go to the `slides` directory to see slide decks of talks I did based on this demo setup.
- Head over to the `deploy` directory to see how the demo Kubeadm Kubernetes cluster and infrastructure components are deployed.
- Check the `netpols/no-host-policies` directory to see the actual Cilium (Cluster-wide) Network Policies.
- Check the `netpols/with-host-policies` directory to see the actual Cilium (Cluster-wide) Network Policies where Cilium Host Policies are used as well (Host Firewall).
More examples and even hands-on labs on how to leverage Cilium Network Policies can be found in the free Isovalent "Security Professional" learning track.