Fixing vulnerabilities can be hard—especially so for cloud-native applications. Let’s take a deeper look at why this is, and how mitigating controls can help secure your cloud-native applications.
The trials and tribulations of Log4j are now safely in our rearview mirror. Most of us responsible for operating a container platform like Kubernetes have navigated through the remediation efforts and disaster has been averted.
But it was a wake-up call for many, and at the very least a healthy reminder for all of us. There have been many infamous vulnerabilities before Log4j, and much like living in an area of the world where earthquakes can strike at any moment, much can be learned from the big ones that came before.
When Heartbleed was publicly disclosed in 2014 it sent shockwaves around the world. It was a critical vulnerability in the ubiquitous OpenSSL library—a cryptographic software library that is used to implement the Transport Layer Security (TLS) protocol. Most of the web relies on TLS to secure communication between clients and servers, and the vulnerability came about through a simple bug that resulted in improper input validation for heartbeats.
The bug existed in OpenSSL Continue reading
Hey everyone. We’re excited to announce the release of Calico v3.23! Thanks to everyone in the community who contributed to the release. We could not have fitted this many improvements in without you. To view the detailed release notes, please visit us here. While we have many improvements in this release, here’s a brief overview of some of the larger features to be aware of.
Calico now supports VXLAN encapsulation for IPv6 networks. This expands our support for any users who have adopted IPv6.
We are ecstatic to announce that the Calico VPP data plane has reached beta status! A huge thanks to the VPP team for working tirelessly over the last few releases to increase stability, performance, and feature compatibility. Try it out by visiting our documentation here.
You can now install Calico networking in your AKS clusters to take advantage of all of the Calico networking features. To try it out, follow the Calico on AKS installation instructions. To learn more about using your own network plugin in AKS, see the AKS documentation here.
We have added new configuration options to allow for Continue reading
In this installment of the Calico Community Spotlight series, I interviewed Ana Shmyglya and Josef Janda, who both work for Jamf. Last year, Josef wrote Migrating CNI plugin from kube-router to Calico on Kops managed Kubernetes cluster, and I wanted to dive deeper into his and Ana’s experience based on that blog post. We mainly talked about their respective teams, their responsibilities, and the challenges they have faced whilst using Kubernetes.
Q: What are your current roles and primary responsibilities?
Ana: I work in the Platform team. This basically means I am responsible for a team that maintains the core infrastructure, which includes the Kubernetes clusters that we run. We also own the underlying CNI of the clusters.
Josef: I work as a DevOps engineer on the team that maintains the internal development tools and other systems connected to the software delivery life cycle process.
Q: What orchestrator(s) have you been using?
Josef: We use Kubernetes. That’s basically the only orchestrator in our company.
Ana: Same for us as well, it’s Kubernetes across the company.
Q: What cloud infrastructure(s) has been part of your projects?
Ana: We use a couple of different providers, including AWS, but we only run Continue reading
We are excited to announce the publication of our first State of Cloud-Native Security market report! The report compiles survey results from more than 300 security and IT professionals worldwide (all of whom have direct container responsibilities), and explores organizations’ needs and challenges when it comes to containers and cloud-native applications, specifically in the areas of security, observability, and compliance.
Our survey results showcase the rise in cloud-native development, while identifying barriers and areas where organizations need support on their cloud-native journey. Some of the report’s key findings include:
The report gives organizations a chance to benchmark themselves against the findings, Continue reading
In the first installment of our Community Spotlight series, I asked Geoff Burke from Tsunati to share his experience with Kubernetes and Calico Open Source. Geoff talks about how he got started with Kubernetes, the challenges that led him to search for a Container Network Interface (CNI), and why he has chosen Calico Open Source as his preferred CNI.
If you are just getting started with Kubernetes and curious about where other people start their journey, this blog post provides valuable insight and information.
Q: Please tell us a little bit about yourself, including where you currently work and what you do there.
I’m currently a senior cloud solutions architect at Tsunati. We are a data protection company and we focus on backup and recovery, mainly trying to help service providers enhance their services. We have a lot of virtualization expertise. In fact, I am a Veeam legend and a Veeam Vanguard. I also work quite intensely with Kasten by Veeam, which is a Kubernetes-native backup and recovery migration application.
Q: There are many people who are just getting started with Kubernetes and might have a lot of questions. Could you please talk a little bit about your own journey?
An important part of any Kubernetes cluster is the underlying containers. Containers are the workloads that your business relies on, what your customers engage with, and what shapes your networking infrastructure. Long story short, containers are arguably the soul of any containerized environment.
One of the most popular open-source container orchestration systems, Kubernetes, has a modular architecture. On its own, Kubernetes is a sophisticated orchestrator that helps you manage multiple projects in order to deliver highly available, scalable, and automated deployment solutions. But to do so, it relies on having a suite of underlying container orchestration tools.
This blog post focuses on containers and container networking. Throughout this post, you will find information on what a container is, how you can create one, what a namespace means, and what the mechanisms are that allow Kubernetes to limit resources for a container.
A container is an isolated environment used to run an application. By utilizing the power of
filesystem from the Linux kernel, containers can be allocated with a limited amount of resources and filesystems inside isolated environments.
In previous blog posts, my colleagues and I have introduced and explored the Calico eBPF data plane in detail, including learning how to validate that it is configured and running correctly. If you have the time, those are still a great read; you could dive in with the Calico eBPF Data Plane Deep-Dive.
However, sometimes a picture paints a thousand words! I was inspired by Daniele Polencic’s wonderful A Visual Guide on Troubleshooting Kubernetes Deployments. With his permission and kind encouragement, I decided to adapt the validation part of my previous deep-dive post to this easy-to-digest flowchart. Feel free to share it far and wide; wherever you think a Calico-learning colleague might benefit! It includes a link back here in case the diagram is updated in the future.
Did you know you can become a certified Calico operator? Learn container and Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.
There are additional level-two courses as well. One of them specifically addresses eBPF and the Calico eBPF data plane!
The post A visual guide to Calico eBPF data plane validation appeared first on Tigera.
Infrastructure security is something that is important to get right so that attacks can be prevented—or, in the case of a successful attack—damage can be minimized. It is especially important in a Kubernetes environment because, by default, a large number of Kubernetes configurations are not secure.
Securing Kubernetes at the infrastructure level requires a combination of host hardening, cluster hardening, and network security.
Let’s dive into each of these and look at best practices for securing both self-hosted and managed Kubernetes clusters.
There are many techniques that can be used to ensure a secure host. Here are three best practices for host hardening.
If you have the flexibility to choose an operating system (i.e. your organization doesn’t standardize on one operating system across all infrastructure), use a modern immutable Linux distribution, such as Flatcar Container Linux or Bottlerocket. This type of operating system is specifically designed for containers and offers several benefits, including:
Last month, we announced the launch of our active cloud-native application runtime security. Calico Cloud’s active runtime security helps security teams secure their containerized workloads with a holistic approach to threat detection, prevention, and mitigation.
As security teams look to secure these workloads, it’s also critical that they employ a defense-in-depth strategy. Calico Cloud’s active runtime security can detect, prevent, and mitigate threats across the entire cyber kill chain for containerized workloads.
The cyber kill chain is a framework used to track the steps a threat actor might take as they attempt to execute a cyber attack on your organization. The cyber kill chain was originally developed by Lockheed Martin to adapt the military concept that details the structure of an attack for cybersecurity threats. Today, this framework is used by security teams from a wide range of organizations to understand and respond to cybersecurity threats.
The Lockheed Martin cyber kill chain consists of seven stages:
There has been a huge uptick in microservices adoption in the data analytics domain, primarily aided by machine learning (ML) and artificial intelligence (AI) projects. Some of the reasons why containers are popular among ML developers is the ease of portability, scalability, and quick access to data using services—specifically network services. The rise of cloud-native applications, especially for big data in the analytics sector, makes these applications a prime target for cyber crime.
Preventing threat actors from breaching the network and accessing critical data or applications is a daunting task for one team or individual to take on alone. DevOps and security engineers, SREs, and platform architects all need to work together to facilitate the process. These teams are usually presented with two challenges:
This article talks about what organizations need to know about zero trust for cloud-native workloads, and how zero trust Continue reading
Amazon’s custom-built Graviton processor allows users to create ARM instances in the AWS public cloud, and Rancher K3s is an excellent way to run Kubernetes in these instances. By allowing a lightweight implementation of Kubernetes optimized for ARM with a single binary, K3s simplifies the cluster initialization process down to executing a simple command.
In an earlier article, I discussed how ARM architecture is becoming a rival to x86 in cloud computing, and steps that can be taken to leverage this situation and be prepared for this new era. Following the same narrative, in this article I’ll look at an example of the Calico eBPF data plane running on AWS, using Terraform to bootstrap our install to AWS, and Rancher K3s to deploy the cluster.
A few changes to Calico are needed for ARM compatibility, including updating parts, enabling eBPF, and compiling operators for the ARM64 environment:.
The rise of cloud native and containerization, along with the automation of the CI/CD pipeline, introduced fundamental changes to existing application development, deployment, and security paradigms. Because cloud native is so different from traditional architectures, both in how workloads are developed and how they need to be secured, there is a need to rethink our approach to security in these environments.
As stated in this article, security for cloud-native applications should take a holistic approach where security is not an isolated concern, but rather a shared responsibility. Collaboration is the name of the game here. In order to secure cloud-native deployments, the application, DevOps, and security teams need to work together to make sure security happens earlier in the development cycle and is more closely associated with the development process.
Since Kubernetes is the most popular container orchestrator and many in the industry tend to associate it with cloud native, let’s look at this holistic approach by breaking it down into a framework for securing Kubernetes-native environments.
At a high level, the framework for securing cloud-native environments consists of three stages: build, deploy, and runtime.
In the build stage, developers write code and the code gets compiled, Continue reading
Calico Cloud has just celebrated its 1-year anniversary! And what better way to celebrate than to launch new features and capabilities that help users address their most urgent cloud security needs.
Over the past year, the Tigera team has seen rapid adoption of Calico Cloud for security and observability of cloud-native applications. With this new release, Calico Cloud becomes the first in the industry to offer the most comprehensive active cloud-native application security that goes beyond detecting threats to limit exposure and automatically mitigate risks in real time.
With news of new zero-day threats emerging almost every day (e.g. Argo CD, Chrome Browser), the current security approach needs to evolve. We need active build, deploy, and runtime security, all together, instead of using a siloed approach. Security threats, vulnerabilities, and risks for all three areas should be addressed together, by the same security platform, rather than using multiple disjointed tools. Calico Cloud does just that!
With Calico Cloud, you can reduce your cloud-native application’s attack surface, harness machine learning to combat runtime security risks from known and unknown zero-day threats, enable continuous compliance, and prioritize and mitigate the risks from vulnerabilities and attacks.
Let’s take a look Continue reading
First-generation security solutions for cloud-native applications have been failing because they apply a legacy mindset where the focus is on vulnerability scanning instead of a holistic approach to threat detection, threat prevention, and remediation. Given that the attack surface of modern applications is much larger than in traditional apps, security teams are struggling to keep up and we’ve seen a spike in breaches.
To better protect cloud-native applications, we need solutions that focus on threat prevention by reducing the attack surface. With this foundation, we can then layer on threat detection and threat mitigation strategies.
I have exciting news to share on this front! Today, Tigera launched new capabilities in its Calico product line to help you address your most urgent cloud security needs. Before getting into a discussion about the features themselves, I’d like to talk about the driving force behind the changes, our thought process, and why we’re well-positioned to bring these to market.
To properly secure modern cloud-native applications, we need to use a modern architecture that aligns with them. At Tigera, we’ve created a model we call active cloud-native application runtime security. This model has three components:
The Project Calico community is one of the most collaborative and supportive communities in the open-source space. Our community has shown great engagement through the years, which has helped us maintain and grow the project.
Thanks to our 200+ contributors from all over the world, Calico Open Source (the solution born out of the project) is powering 1.5M+ nodes daily across 166 countries. Our engineering team is committed to maintaining Calico Open Source as the leading standard for container and Kubernetes networking and security!
Given our community’s passion for Project Calico, we wanted to give its members a chance to inspire others by telling their stories. To this end, we are very excited to announce our new Calico Big Cats ambassador program!
Calico Big Cats is an ambassador program that provides a platform for our community to talk about their experiences with Calico. The goal is to help community members connect, inspire, and share common challenges and ways to overcome these challenges using Calico and other tools.
If you have experience with Project Calico, recognize its value in the open-source networking and security domain, and are passionate about sharing Continue reading
Central processing units (CPUs) can be compared to the human brain in that their unique architecture allows them to solve mathematical equations in different ways. x86 is the dominant architecture used in cloud computing at the time of this writing; however, it is worth noting that this architecture is not efficient for every scenario, and its proprietary nature is causing an industry shift toward ARM.
ARM (Advanced RISC Machines) is a type of CPU architecture that powers most tablets and smartphones, as well as the fastest supercomputer in the world (supercomputer Fugaku). ARM’s low power consumption and high computational performance make it a worthy rival for x86 in cloud computing.
In this article, I will talk about a few popular ARM projects, the main difference between x86 and ARM architectures, and explore how we can prepare developers for the future by providing them with an ARM-based container environment.
Companies are increasing their pursuit to leverage ARM in order to reduce both cost and energy consumption. While x86 remains a proprietary CPU architecture, ARM provides licenses to other companies allowing them to design their own custom-built processors using ARM’s patented technology.
Amazon’s custom-designed Graviton processor is a great Continue reading
Monitoring is a critical part of any computer system that has been brought in to a production-ready state. No IT system exists in true isolation, and even the simplest systems interact in interesting ways with the systems “surrounding” them. Since compute time, memory, and long-term storage are all finite, it’s necessary at the very least to understand how these things are being allocated.
Perhaps this question seems contrived. However, it’s always worth spending a moment thinking about reasons before adding any technical complexity to a distributed system! After all, they are already quite complicated! So why does the Calico eBPF data plane support metrics through Prometheus and Grafana?
Well, the Calico eBPF data plane is production ready and widely deployed, so a well-configured Kubernetes cluster with the Calico eBPF data plane correctly enabled will be stable and reliable. However, distributed systems are inherently complex and when dealing with them, it is generally good practice to instrument and baseline metrics wherever they are available. Doing so provides many benefits, especially for capacity planning, change management, and as an early-warning or smoke-testing system.
Additionally, seeing a running distributed system fully instrumented can be Continue reading
Like any great technology, the interest in and adoption of Kubernetes (an excellent way to orchestrate your workloads, by the way) took off as cloud native and containerization grew in popularity. With that came a lot of confusion. Everyone was using Kubernetes to move their workloads, but as they went through their journey to deployment, they weren’t thinking about security until they got to production. While this might seem like the intuitive thing to do, it doesn’t work in Kubernetes.
With Kubernetes, you can’t wait until the end when you’re ready to move workloads to production; you need to think about security early on. If security is not thought through in a system like Kubernetes, workloads are left vulnerable and you will not end up with a solution that is effective.
Why is this? What makes cloud native so different? Let’s take a look at some of the differences to understand why they warrant a more holistic approach to security and observability for cloud-native applications, whether in Kubernetes or another environment.
What we’re used to (if we remove cloud native from the equation) is having a client-server architecture, where servers are running Continue reading
When deploying cloud-native applications to a hybrid and multi-cloud environment that is protected by traditional perimeter-based firewalls, such as Palo Alto Networks (PAN) Panorama, you need to work within the confines of your existing IT security architecture. For applications that communicate with external resources outside the Kubernetes cluster, a traditional firewall is typically going to be part of that communication.
A good practice is to enable enterprise security teams to leverage existing firewall platforms, processes, and architectures to protect access to Kubernetes workloads.
Calico Enterprise already extends Panorama’s firewall manager to Kubernetes. The firewall manager creates a zone-based architecture for your Kubernetes cluster, and Calico reads those firewall rules and translates them into Kubernetes security policies that control traffic between your applications.
With its 3.11 release, Calico Enterprise extends its integration with PAN firewalls to include Panorama address groups in sync with Calico NetworkSets. The new release provides granular application security for your cloud-native application and eliminates workflow complexity.
This integration helps users to:
Cloud-native workloads require Continue reading
Troubleshooting container connectivity issues and performance hotspots in Kubernetes clusters can be a frustrating exercise in a dynamic environment where hundreds, possibly thousands of pods are continually being created and destroyed. If you are a DevOps or platform engineer and need to troubleshoot microservices and application connectivity issues, or figure out why a service or application is performing slowly, you might use traditional packet capture methods like executing tcpdump against a container in a pod. This might allow you to achieve your task in a siloed single-developer environment, but enterprise-level troubleshooting comes with its own set of mandatory requirements and scale. You don’t want to be slowed down by these requirements, but rather address them in order to shorten the time to resolution.
Dynamic Packet Capture is a Kubernetes-native way that helps you to troubleshoot your microservices and applications quickly and efficiently without granting extra permissions. Let’s look at a specific use case to see some challenges and best practices for live troubleshooting with packet capture in a Kubernetes environment.
Let’s talk about this use case in the context of a hypothetical situation.
Your organization’s DevOps and platform teams are trying to figure out Continue reading