Inspiration
The inspiration for this project stems from the need to bridge the gap between DevOps and SecOps as it pertains to firewall policy. Although the Panorama Kubernetes plugin solves the problem of dynamically syncing pod-to-IP mappings, we were missing a mechanism that lets firewall policy be defined once, in Kubernetes, and automatically synced to Panorama.
What it does
A custom Kubernetes integration allows XSOAR to listen for NetworkPolicy changes via the Kubernetes watch API. Each change event detected by the watch triggers an XSOAR playbook that automatically converts the NetworkPolicy into Panorama security policy.
Planned: using XSOAR to detect and quarantine pods associated with malicious activity.
How I built it
The Kubernetes integration was built using the Kubernetes Python SDK. The playbook itself performs the on-the-fly conversion of NetworkPolicy (NP) into Panorama security policy (SP), and the XSOAR Panorama integration pushes the results to Panorama.
Challenges I ran into
- Mapping Kubernetes NetworkPolicy (NP) to Panorama security policy (SP).
- Creating an annotation/label convention for NetworkPolicy objects that is sufficient for declaring NGFW features and objects, e.g. App-ID, security profiles, etc.
- Reconciling the fundamental differences in how network policy is interpreted and enforced by Kubernetes vs the CN-Series firewall (additive allow-lists with implicit isolation on one side, ordered first-match rules on the other).
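The shape of the NP-to-SP conversion described above, as an added example rather than the project's own playbook code. It assumes a hypothetical naming convention in which each pod selector is represented by a Panorama dynamic address group (DAG) named from the namespace and its sorted label pairs (something like the Panorama Kubernetes plugin is assumed to keep those groups populated), and two invented annotation keys, `panw.example/app-id` and `panw.example/profile-group`, that carry NGFW settings a NetworkPolicy cannot express. It also shows the enforcement-model mismatch: a pod selected by a policyType is isolated in that direction in Kubernetes, so each direction is closed with an explicit deny rule, which is only correct when a single policy selects a given set of pods (merging several policies over the same pods is not handled here). The `main()` watch loop needs the `kubernetes` package and a kubeconfig; the converter itself runs offline on the constructed sample.

```python
"""Convert a Kubernetes NetworkPolicy into Panorama-style security rules.

Added example, not the project's code. DAG naming and the two annotation keys
below are hypothetical conventions invented for this illustration.
"""
from typing import Any, Dict, List

APPID_ANNOTATION = "panw.example/app-id"            # hypothetical convention
PROFILE_ANNOTATION = "panw.example/profile-group"   # hypothetical convention


def _labels_key(selector: Dict[str, Any]) -> str:
    labels = (selector or {}).get("matchLabels") or {}
    return ".".join(f"{k}={v}" for k, v in sorted(labels.items())) or "all"


def dag_name(namespace: str, pod_selector: Dict[str, Any]) -> str:
    """Name of the dynamic address group standing in for a pod selector."""
    return f"ns-{namespace}-{_labels_key(pod_selector)}"


def peer_to_addresses(namespace: str, peer: Dict[str, Any]) -> List[str]:
    """Translate one 'from'/'to' peer into Panorama address objects or groups."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        # 'except' carves holes out of the CIDR; one allow rule cannot express
        # that, so refuse rather than silently over-permit.
        if block.get("except"):
            raise ValueError(f"ipBlock.except unsupported: {block['except']}")
        return [block["cidr"]]
    ns = namespace
    if "namespaceSelector" in peer:
        # Peer may live in other namespaces: encode the namespace labels instead.
        ns = "nslabels-" + _labels_key(peer["namespaceSelector"])
    return [dag_name(ns, peer.get("podSelector") or {})]


def ports_to_services(ports: List[Dict[str, Any]]) -> List[str]:
    """Map NetworkPolicy ports to Panorama service object names (assumed to exist)."""
    if not ports:
        return ["any"]
    names = []
    for p in ports:
        name = f"{str(p.get('protocol', 'TCP')).lower()}-{p['port']}"
        if p.get("endPort"):
            name += f"-{p['endPort']}"
        names.append(name)
    return names


def networkpolicy_to_rules(np: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Ordered Panorama rules for one NetworkPolicy: allows, then a per-direction deny.

    Kubernetes isolates selected pods in each listed policyType and only the
    listed rules allow traffic; Panorama is first-match, hence the trailing deny.
    """
    meta, spec = np["metadata"], np["spec"]
    ns, name = meta["namespace"], meta["name"]
    target = dag_name(ns, spec.get("podSelector") or {})
    ann = meta.get("annotations") or {}
    apps = [a.strip() for a in ann.get(APPID_ANNOTATION, "any").split(",")]
    profile = ann.get(PROFILE_ANNOTATION)

    types = spec.get("policyTypes")
    if not types:  # Kubernetes default: Ingress, plus Egress if an egress section exists
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])

    rules: List[Dict[str, Any]] = []
    for direction in types:
        key = direction.lower()
        peer_key = "from" if key == "ingress" else "to"
        for i, rule in enumerate(spec.get(key) or []):
            addrs = [a for peer in (rule.get(peer_key) or []) for a in peer_to_addresses(ns, peer)]
            addrs = addrs or ["any"]  # an empty 'from'/'to' means all peers
            out = {
                "name": f"k8s-{ns}-{name}-{key}-{i}",
                "source": addrs if key == "ingress" else [target],
                "destination": [target] if key == "ingress" else addrs,
                "service": ports_to_services(rule.get("ports") or []),
                "application": apps,
                "action": "allow",
            }
            if profile:
                out["profile-group"] = profile
            rules.append(out)
        rules.append({
            "name": f"k8s-{ns}-{name}-{key}-deny",
            "source": ["any"] if key == "ingress" else [target],
            "destination": [target] if key == "ingress" else ["any"],
            "service": ["any"], "application": ["any"], "action": "deny",
        })
    return rules


SAMPLE_NP = {  # constructed sample input, not taken from the page
    "metadata": {"name": "allow-web", "namespace": "shop",
                 "annotations": {APPID_ANNOTATION: "web-browsing,ssl", PROFILE_ANNOTATION: "strict"}},
    "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}},
                                   {"ipBlock": {"cidr": "10.20.0.0/16"}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}]},
}


def main() -> None:
    """Stream NetworkPolicy events (needs the kubernetes package and a kubeconfig)."""
    from kubernetes import client, config, watch  # lazy import keeps the converter offline-friendly
    config.load_kube_config()
    api = client.NetworkingV1Api()
    for event in watch.Watch().stream(api.list_network_policy_for_all_namespaces):
        np = api.api_client.sanitize_for_serialization(event["object"])  # model -> camelCase dict
        print(event["type"], [r["name"] for r in networkpolicy_to_rules(np)])


if __name__ == "__main__":
    for r in networkpolicy_to_rules(SAMPLE_NP):
        print(r)
```

Running the file prints the two rules the sample policy maps to (one allow from the `app=web` group and the CIDR to the `app=api` group on tcp-8080, then the closing deny); calling `main()` instead replays the same conversion for every ADDED/MODIFIED/DELETED event the watch delivers. Pushing the resulting dicts to Panorama is left to the XSOAR Panorama integration, as in the project.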
Accomplishments that I'm proud of
- Seeing a working prototype.
What I learned
- Policy as code, and other attempts to reduce the number of times firewall policy must be written, is a critical piece of the DevSecOps story.
What's next for K8s Policy as Code for CN-Series
- World domination
Built With
- kubernetes
- panos
- python