Session

No 'Soup' for You! Enforcing Network Policies for Host Processes via eBPF

Current Kubernetes networking solutions provide basic security for pod network traffic using layer 3 and layer 4 CIDR-based or identity-based network policies. However, there is no mechanism to assign network identities to native processes running on hosts (e.g., kubelet) or to processes in pods that use the host network. Securing host processes has traditionally been done using layer 7 auth, which comes with its own overhead costs and scale challenges.

In this talk, Vinay presents an innovative, industry-first approach that leverages eBPF to efficiently identify, in the kernel at the network layer, traffic from native host processes and from pods using the host network. This takes network micro-segmentation to a new level. He will explain how host process identities are transmitted on a per-packet basis, and illustrate efficient network policy enforcement for such traffic. He will discuss how this approach offers significant scalability advantages, and conclude with a demo showcasing the proposed solution.

Vinay Kulkarni

Principal MTS & Director @ eBay Cloud

Seattle, Washington, United States
