Cilium v1.9 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing cilium cilium/cilium --version $CILIUM_VERSION \ --namespace $CILIUM_NAMESPACE \ --set hubble.tls.auto.method="cronJob" \ --set hubble.listenAddress=":4244" \ --set hubble.relay.enabled=true
0 points | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.10 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing consider setting identityAllocationMode: --set identityAllocationMode=kvstore Optional: Configure the SSL certificates Create a Kubernetes secret with the root certificate authority, and client-side key and key=client.key \ --from-file=etcd-client.crt=client.crt Adjust the helm template generation to enable SSL for etcd and use https instead of http for the etcd endpoint URLs: helm install cilium cilium/cilium
0 points | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.11 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing consider setting identityAllocationMode: --set identityAllocationMode=kvstore Optional: Configure the SSL certificates Create a Kubernetes secret with the root certificate authority, and client-side key and key=client.key \ --from-file=etcd-client.crt=client.crt Adjust the helm template generation to enable SSL for etcd and use https instead of http for the etcd endpoint URLs: helm install cilium cilium/cilium
0 points | 1373 pages | 19.37 MB | 1 year ago

Cilium v1.7 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd
0 points | 885 pages | 12.41 MB | 1 year ago

Cilium v1.8 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd
0 points | 1124 pages | 21.33 MB | 1 year ago

Cilium v1.6 Documentation
restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd --set global.etcd.endpoints[1]=http://etcd-endpoint2:2379 \ > cilium.yaml Optional: Configure the SSL certificates Create a Kubernetes secret with the root certificate authority, and client-side key and
0 points | 734 pages | 11.45 MB | 1 year ago

Cilium v1.5 Documentation
how to prepare your Kubernetes environment. For CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to automatic management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd In case you are not using a TLS-enabled etcd, comment out the configuration options in the ConfigMap referring to the key locations like this: # In case you want to use TLS in etcd, uncomment the 'ca-file'
0 points | 740 pages | 12.52 MB | 1 year ago

Containers and BPF: twagent story
netns is not in-use) ○ host services connector (netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall ○ network faults injection ○ network counters (rack, datacenter, region) Proxy ● Facebook traffic has to be encrypted ● Transparent TLS helps some services encrypt easily ● How to send task TCP traffic to TLS forward proxy transparently for a service? Solution: ● Redirect
0 points | 9 pages | 427.42 KB | 1 year ago

Scaling a Multi-Tenant k8s Cluster in a Telco
NetworkPolicy logging Multi-cluster DNS Aware NetworkPolicy Increased Istio security External Services TLS visibility Performance Kafka policies by labels
0 points | 6 pages | 640.05 KB | 1 year ago