The Tale of Smokey and the Crypto Bandits How Okteto uses Falco to keep users happy and our platform healthy Ramiro Berrelleza October 28, 2020 ● Co-founder of Okteto ● Former architect @ Atlassian malicious actions without requiring human intervention Future Ideas The Tale of Smokey and the Crypto Bandits Ramiro Berrelleza October 28, 2020

topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium. Configuration: Datapath IPAM Datastore Encapsulation Cluster Pool Kubernetes CRD Requirements: OpenShift 4.x Install Cilium: Cilium is a Certified OpenShift CNI Plugin [https://access.redhat.com/articles/5436171] Configuration: Datapath IPAM Datastore Encapsulation Cluster Pool Kubernetes CRD Requirements: OpenShift 4.x Install Cilium: Cilium is a Certified OpenShift CNI Plugin [https://access.redhat.com/articles/5436171]

topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium. 78s cilium-etcd-operator-6ffbd46df9-pn6cf 1/1 Running 0 4m12s cilium-etcd-t695lgxf4x 1/1 Running 0 118s cilium-etcd-zw285m6t9g 1/1 0-beta.1-56d5d5d87f-qw8pv" deleted pod "kube-dns-5f8689dbc9-2nzft" deleted pod "kube-dns-5f8689dbc9-j7x5f" deleted pod "kube-dns-autoscaler-76fcd5f658-22r72" deleted pod "kube-state-metrics-7d9774bbd5-n6m5k"

topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium. 0-beta.1-56d5d5d87f-qw8pv" deleted pod "kube-dns-5f8689dbc9-2nzft" deleted pod "kube-dns-5f8689dbc9-j7x5f" deleted pod "kube-dns-autoscaler-76fcd5f658-22r72" deleted pod "kube-state-metrics-7d9774bbd5-n6m5k" latest version of kubernetes from when the kind release was created. kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - role: worker - role: worker - role: worker networking:

topic1 and service2 to consume on topic1 . Reject all other Ka�a messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the sec�on Layer 7 Policy [h�p://docs.cilium.i 78s cilium-etcd-operator-6ffbd46df9-pn6cf 1/1 Running 0 4m12s cilium-etcd-t695lgxf4x 1/1 Running 0 118s cilium-etcd-zw285m6t9g 1/1 RESTART aws-node-vgc7n 1/1 Running 0 aws-node-x6sjm 1/1 Running 0 cilium-cvp8q

topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium. rip-585db65b4d-x74nz 1/1 Running 0 68s host-to-b-multi-node-headless-77c64bc7d8-kgf8p 1/1 Running 0 67s pod-to-a-allowed-cnp-87b5895c8-bfw4x 0-beta.1-56d5d5d87f-qw8pv" deleted pod "kube-dns-5f8689dbc9-2nzft" deleted pod "kube-dns-5f8689dbc9-j7x5f" deleted pod "kube-dns-autoscaler-76fcd5f658-22r72" deleted pod "kube-state-metrics-7d9774bbd5-n6m5k"

topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium. Configuration: Datapath IPAM Datastore Encapsulation Cluster Pool Kubernetes CRD Requirements: OpenShift 4.x Install Cilium: Cilium is a Certified OpenShift CNI Plugin [https://access.redhat.com/articles/5436171] Configuration: Datapath IPAM Datastore Encapsulation Cluster Pool Kubernetes CRD Requirements: OpenShift 4.x Install Cilium: Cilium is a Certified OpenShift CNI Plugin [https://access.redhat.com/articles/5436171]

topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium. 0-beta.1-56d5d5d87f-qw8pv" deleted pod "kube-dns-5f8689dbc9-2nzft" deleted pod "kube-dns-5f8689dbc9-j7x5f" deleted pod "kube-dns-autoscaler-76fcd5f658-22r72" deleted pod "kube-state-metrics-7d9774bbd5-n6m5k" will create a cluster with 3 worker nodes and 1 control-plane node. kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - role: worker - role: worker - role: worker networking:

kernel 5.9+ ❏ bpftool 5.9+ ❏ libbpf headers ❏ kernel headers vm $ uname -r 5.9.1-36.vanilla.1.fc32.x86_64 vm $ bpftool version bpftool v5.9.1 Code and instructions at https://github.com/jsitnicki/ebpf-summit-2020 echo_ports flags 0x0 key 2B value 1B max_entries 1024 memlock 86016B # bpftool map pin id 28 ~vagrant/bpffs/echo_ports # bpftool map show id 29 29: sockmap name echo_socket flags 0x0 key {pathname="/home/vagrant/bpffs/echo_socket", …}, …) = 5 bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x7fff9c4e0b14, value=0x7fff9c4e0b08}, 120) = 0 +++ exited with 0 +++ $ bpftool map dump pinned $HOME/bpffs/echo_socket

/source/linux cd linux mkdir build make O=$PWD/build ARCH=x86_64 x86_64_defconfig make O=$PWD/build ARCH=x86_64 menuconfig make O=$PWD/build ARCH=x86_64 -j16 Kernel image Remember to: - Enable debugging filesystem image - Enable networking - Enable the SSH daemon cd /source/linux qemu-system-x86_64 -kernel build/arch/x86/boot/bzImage \ --enable-kvm \ -nic user,hostfwd=tcp::2222-:22 \ -boot c -m 2049M -hda