CloudNativeSecurityCon North America 2024

The Kubernetes API manages network policies for application traffic in a declarative way. Some network interfaces—like Cilium—take this further by introducing additional policy resources that are more expressive than the default resources. Kubernetes intentionally leaves host networking policy out of the equation. As a result, admins typically fall back to familiar tools and write fragile bash scripts for Iptables and Firewalld when defining host network firewall policy, but that's not the only option. The host network in your Kubernetes node is just another network namespace, albeit a somewhat special one, and it is possible to use declarative resources to secure node host networks, but not with the default Kubernetes API resources. This talk will cover a couple of contemporary implementations that provide in-cluster host network firewalling. Both Talos, as a Kubernetes distribution, and Cilium, as an advanced CNI, offer host firewalling declared as resources inside the cluster.