Native Kubernetes cluster mesh with Calico
workloads from remote clusters
As Kubernetes continues to gain traction in the cloud-native ecosystem, the need for robust, scalable, and highly available cluster deployments has become more noticeable.
While a Kubernetes cluster can easily expand via additional nodes, the downside of such an approach is that you might have to spend a lot of time troubleshooting the underlying networking or managing and updating resources between clusters. On top of that, a multi-regional scenario or hyper-cloud environment might be off the limits depending on the limitations that a cloud provider or your Kubernetes distro might impose on your environment.
Calico Enterprise cluster mesh is a suite of features native to Kubernetes with a multi-layer design that connects two or more Kubernetes clusters and seamlessly shares resources between them. This post will explore cluster mesh, its benefits, and how it can enhance your Kubernetes environment.
Projects that provide cluster mesh
Multiple projects offer cluster mesh, and while they are all similar in basic principles, each has a different take on implementing this solution in an environment.
The following table is a brief overview of notable projects that offer cluster mesh:
| Calico Open Source | Calico Enterprise | Cilium | Calico Enterprise | Submariner | |
| Encapsulation | IPIP | Direct Continue reading |
eBPF: Enabling Security and Performance to Co-Exist
Today, most organizations and individuals use Linux and the Linux kernel with a “one-size-fits-all” approach. This differs from how Linux was used in the past–for example, 20 years ago, many users would compile their kernel and modify it to fit their specific needs, architectures and use cases. This is no longer the case, as one-size-fits-all has become good enough. But, like anything in life, “good enough” is not the best you can get.
Enter: Extended Berkeley Packet Filter (eBPF). eBPF allows users to modify one-size-fits-all to fit their specific needs. While this was not impossible before, it was cumbersome and often unsecure.
eBPF is a feature available in Linux kernels that allows users to safely load programs into the kernel, to customize its operation. With eBPF, the kernel and its behavior become highly customizable, instead of being fixed.
Utilizing eBPF, users can load a program into the kernel and instruct the kernel to execute their program if, for example, a certain packet is seen or another event occurs. eBPF lets programs run without needing to add additional modules or modify the kernel source code. Users can think of it as a lightweight, sandboxed virtual machine (VM) within the Linux kernel Continue reading
Embracing Modern Virtualization with Calico’s Microsegmentation
In the rapidly evolving landscape of IT infrastructure, enterprises are increasingly moving away from traditional virtualization platforms due to rising licensing costs and the limitations these older systems impose on modern cloud-native application needs. The shift towards Kubernetes, which can manage diverse workloads such as containers, virtual machines (VMs), and bare metal environments, accelerates the migration from traditional virtualization platforms.
The Limitations of Traditional Network Segmentation
Traditionally, enterprises have segmented their virtualized environments using VLANs and logical switches to create distinct virtual networks and security zones. This segmentation was primarily static VM environments. However, this traditional approach to network segmentation is ill-equipped to handle the dynamic nature of Kubernetes environments, where workloads are frequently created and destroyed, leading to rapidly changing network configurations and policies.
Calico’s Solution: Dynamic and Unified Microsegmentation
Calico is designed to address the shortcomings of traditional network segmentation in the age of Kubernetes and container-based architectures. Calico provides a robust, dynamic, and high-performance network policy engine that supports a diverse range of workloads and scales across environments.
Key Features of Calico’s Microsegmentation:
- Unified Security Model: Calico offers a consistent security model across various environments, whether you are managing VMs, containers, or bare metal. This unified approach Continue reading
Embracing Modern Virtualization with Calico’s Microsegmentation
In the rapidly evolving landscape of IT infrastructure, enterprises are increasingly moving away from traditional virtualization platforms due to rising licensing costs and the limitations these older systems impose on modern cloud-native application needs. The shift towards Kubernetes, which can manage diverse workloads such as containers, virtual machines (VMs), and bare metal environments, accelerates the migration from traditional virtualization platforms.
The Limitations of Traditional Network Segmentation
Traditionally, enterprises have segmented their virtualized environments using VLANs and logical switches to create distinct virtual networks and security zones. This segmentation was primarily static VM environments. However, this traditional approach to network segmentation is ill-equipped to handle the dynamic nature of Kubernetes environments, where workloads are frequently created and destroyed, leading to rapidly changing network configurations and policies.
Calico’s Solution: Dynamic and Unified Microsegmentation
Calico’s microsegmentation capabilities are designed to address the shortcomings of traditional network segmentation in the age of Kubernetes and container-based architectures. Calico provides a robust, dynamic, and high-performance network policy engine that supports a diverse range of workloads and scales across environments.
Key Features of Calico’s Microsegmentation:
- Unified Security Model: Calico offers a consistent security model across various environments, whether you are managing VMs, containers, or bare metal. This Continue reading
Calico monthly roundup: June 2024
Welcome to the Calico monthly roundup: June edition! From open source news to live events, we have exciting updates to share—let’s get into it!
S&P Global 451 Market Insight: Tigera Provides Most Comprehensive CNAPP
Learn how Tigera differentiates itself from competitors by focusing on runtime security, aligning with the rapidly growing market category and how it is one of the strong players in this segment. |
Your Guide to Observability
This guide explains what observability is and shows you how to use Calico’s observability tools. With these tools, you can find and troubleshoot issues with workload communications, performance, and operations in a Kubernetes cluster.Read case study. |
Customer case study: eHealth
Calico helped eHealth gain visibility and implement zero-trust security controls on Amazon EKS. Read the case study to learn more. |
Open source news
Kubernetes network policies: 4 pain points and how to address them – Learn about the challenges of implementing Kubernetes network policies and how to simplify their management and enhance security using Calico. Read blog post.
The power of Kubevirt and Calico – Unlock the combined power of Kubevirt and Calico for your Kubernetes environments. Learn how to streamline VM management, Continue reading
Kubernetes network policies: 4 pain points and how to address them
Kubernetes is used everywhere, from test environments to the most critical production foundations that we use daily, making it undoubtedly a de facto in cloud computing. While this is great news for everyone who works with, administers, and expands Kubernetes, the downside is that it makes Kubernetes a favorable target for malicious actors.
Malicious actors typically exploit flaws in the system to gain access to a portion of the environment. They then chain these flaws together to move laterally within the environment, ultimately seeking root access or access to critical information.
While the best way to fix security flaws in any software is to patch it with appropriate fixes that the project maintainers publish, there are certain security practices that you can adopt to fortify your environment, like using network policies. However, most people find network policies complex and overwhelming, which discourages them from implementing policies in their environment.
In this blog post, we will examine four pain points that people face when they want to implement network policies and provide solutions to help you effectively secure your Kubernetes environment.
What is a network policy and why should I use it?
In Kubernetes, a network policy (KNP) resource is the Continue reading
How to Address Kubernetes Risks and Vulnerabilities Head-on
Misconfigurations and container image vulnerabilities are major causes of Kubernetes threats and risks. According to Gartner, more than 90% of global organizations will be running containerized applications in production by 2027. This is a significant increase from fewer than 40% in 2021. As container adoption soars, Kubernetes remains the dominant container orchestration platform.
Realizing the full benefits of Kubernetes requires implementing processes and solutions to fight vulnerabilities, threats and risks, including issues stemming from human error such as misconfigurations, and inherent vulnerabilities like those from container images. DevOps and security teams need the right solutions to mitigate the risks and enjoy the full benefits of Kubernetes.
Mitigating the Impact of Misconfigurations
While container adoption has taken off, the industry still lacks skilled Kubernetes experts. Kubernetes is a complex platform, and personnel without the right skillset inadvertently — and frequently—make mistakes that create misconfigurations.
In the Red Hat State of Kubernetes Security Report 2023, more than 50% of respondents said they were concerned about misconfigurations and vulnerabilities. And with good reason: The simplest way for attackers to get to a company’s data, applications or code is through a misconfigured Kubernetes cluster. A bad actor needs just one small misconfiguration Continue reading
Calico monthly roundup: May 2024
Welcome to the Calico monthly roundup: May edition! From open source news to live events, we have exciting updates to share—let’s get into it!
What’s new in Calico
Discover the latest enhancements in Calico for Spring 2024, featuring new security capabilities, improved visualization tools, and an advanced workload-centric WAF to streamline and secure your Kubernetes operations. |
Customer case study: NuraLogix
AI-driven healthtech company, NuraLogix, improves security and compliance on Amazon EKS using Calico Cloud. |
Join us at CloudNative SecurityCon 2024 in Seattle We’re gearing up for CloudNative SecurityCon 2024, on June 26 and 27 in Seattle. Be sure to swing by our booth and learn about exciting container networking updates. Plus, pick up some cool new Calico swag! Stay tuned for details.
|
|
S&P Global 451 Market Insight: Tigera Provides Most Comprehensive CNAPP Learn how Tigera differentiates itself from competitors by focusing on runtime security, aligning with the rapidly growing market category and how it is one of the strong players in this segment. |
Open source news
What’s new in 3.28 – Explore the new features in Calico 3.28, including a Grafana dashboard for Typha performance monitoring, Continue reading
Network observability in Kubernetes clusters for better security and faster troubleshooting
For DevOps and platform teams working with containers and Kubernetes, reducing downtime and improving security posture is crucial. A clear understanding of network topology, service interactions, and workload dependencies is required in cloud-native applications. This is essential for securing and optimizing the Kubernetes deployment and minimizing response time in the event of failure.
Network observability can highlight gaps in network policies for applications that require network policy controls to reduce the risk of attack from unsecured egress access or lateral movement of threats within the Kubernetes cluster. However, visualizing workload communication, service dependencies, and active and inactive network security policies presents significant challenges due to the distributed and dynamic nature of Kubernetes workloads.
Why is network observability difficult with Kubernetes workloads?
Kubernetes scales up and scales out pods and creates and destroys services depending on real-time business requirements, resulting in dynamic network connections for each workload instance. Network access policies defined for each workload further impact these connections.
In such a scenario, capturing an accurate and up-to-date representation of network traffic, service dependencies, and network policies is difficult. The default Kubernetes implementation provides limited network traffic visibility and policy information, making it challenging for teams to troubleshoot connectivity issues, improve Continue reading
Container Security: Protect your data with Calico Egress Access Controls
23andMe is a popular genetics testing company, which was valued at $6B in 2021. Unfortunately, there was a massive data breach in December 2023, which caused a steep decline in the company’s value and trust, plummeting the company to a penny stock. While this breach was not directly related to Kubernetes, the same risks apply to containers running in your Kubernetes environments. If your containerized applications do not have the right egress access controls defined, chances of data exfiltration are much higher.
The basics
A typical modus operandi for threat actors is to look for vulnerabilities or misconfiguration in the environment and workloads, install malicious pods through privilege escalation techniques, and then exploit this unsecured pod to exfiltrate data.
An easy reconnaissance technique by just scanning the cluster network for public-facing workloads will be a first starting point for most attackers. Privilege escalation occurs mostly due to inconsistent or incorrect RBAC policies in Kubernetes through which unauthorized users can gain root privileges. Vulnerabilities in container images as part of the supply chain are also another attack path. All of these techniques will ultimately land on an exposed pod with a remote code Continue reading
Modern Egress Gateway: Assign stable IPs to traffic leaving Kubernetes clusters
Whether an enterprise is migrating its legacy application to a cloud-native architecture or deploying a new cloud-native application, it will face the challenge of integrating with security tools such as firewalls that rely on a stable network identity for security configuration. This is due to the fact that cloud-native workloads aren’t guaranteed to have a fixed network identity. The juxtaposition of dynamic, modern workloads alongside traditional applications that rely on fixed network identifiers presents a unique set of challenges.
This is particularly pertinent for DevOps and platform teams tasked with ensuring seamless communication and security between these disparate environments. It becomes crucial for DevOps, platforms, and network security teams to ensure seamless communication and secure traffic flow as organizations balance innovation (cloud-native applications) and harness existing investments (traditional firewalls and data sources).
Common Scenarios
Securing and Identifying Traffic Leaving the Cluster
One of the key challenges in integrating cloud-native workloads with legacy applications behind a firewall is securing and identifying traffic from specific workloads running in the cluster. Many applications, such as databases, are protected by firewalls that need a stable IP address to enable access to these applications. Teams want to ensure that only authorized traffic from specific workloads Continue reading
What’s new in Calico – Spring 2024
Calico, the leading solution for container networking and security, unveils a host of new features this spring. From new security capabilities that simplify operations, enhanced visualization for faster troubleshooting, and major enhancements to its popular workload-centric distributed WAF, Calico is set to redefine how you manage and secure your containerized workloads.
This blog describes the new capabilities in Calico.
Simplified security operations for Runtime Threat Detection
Runtime threat detection generates a large number of security events. However, managing and analyzing these events can be challenging, and users need a way to summarize and navigate through them to gain deeper insights and take appropriate actions. Let’s see how Calico simplifies runtime security operations.
New Security Events Dashboard
We are excited to announce the introduction of the Security Event Dashboard in Calico. This dashboard provides a summary of the security events generated by the runtime threat detection engine. With the Security Event Dashboard, users can easily analyze and pivot around the data, enabling them to:
- Efficiently find and analyze specific segments of security events.
- Collaborate with stakeholders involved in the analysis, response, and remediation of security events.
The Security Event Dashboard offers a visually appealing and user-friendly interface, presenting key summarizations of Continue reading
What is new in Calico 3.28
TL/DR
- A new Grafana dashboard that helps you monitor Calico Typha’s performance and troubleshoot issues.
- Calico eBPF dataplane IPv6 is now GA. It supports true IPv6-only clusters as well as dual-stack clusters.
- Optional Pod startup delay to ensure networking is up in high-churn scenarios.
- Tigera operator now supports multiple IP pools, IP pool modification, affinity for operator pods, priorityclassname, and more!
- Improved policy performance in both eBPF and iptables.
- Calico now ships with a pprof server. Activate the performance server for real-time views of Typha and Felix components and real-time debugging.
Important changes
Important changes Calico 3.28 now has enabled VXLAN checksum offload by default for environments with the kernel version of 5.8 or above. In the past, offloading was disabled due to kernel bugs.
Please keep in mind, if you are upgrading to 3.28 this change will take effect after node restarts.
If you encounter unexpected performance issues, you can use the following command to revert to the previous method by using the following command:
kubectl patch felixconfiguration default --type="merge" -p='{"spec":{"FeatureDetectOverride":"ChecksumOffloadBroken=true"}'
Please keep in mind that you can report any issues via GitHub tickets or Slack and include a detailed description of the environment (NIC hardware, kernel, distro, Continue reading
Amazon EKS networking options
When setting up a Kubernetes environment with Amazon Elastic Kubernetes Service (EKS), it is crucial to understand your available networking options. EKS offers a range of networking choices that allow you to build a highly available and scalable cloud environment for your workloads.
In this blog post, we will explore the networking and policy enforcement options provided by AWS for Amazon EKS. By the end, you will have a clear understanding of the different networking options and network policy enforcement engines, and other features that can help you create a functional and secure platform for your Kubernetes workloads and services.
Amazon Elastic Kubernetes Service (EKS)
Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service that simplifies routine operations, such as cluster deployment and maintenance, by automating tasks such as patching and updating operating systems and their underlying components. EKS enhances scalability through AWS Auto Scaling groups and other AWS service integrations and offers a highly available control plane to manage your cluster.
Amazon EKS in the cloud has two options:
- Managed
- Self-managed
Managed clusters rely on the AWS control plane node, which AWS hosts and controls separately from your cluster. This node operates in isolation and cannot be directly Continue reading
3 observability best practices for improved security in cloud-native applications
Why is observability important for better security?
Observability, especially in the context of cloud-native applications, is important for several reasons. First and foremost is security. By design, cloud-native applications rely on multiple, dynamic, distributed, and highly ephemeral components or microservices, with each microservice operating and scaling independently to deliver the application functionality. In this type of microservices-based architecture, observability and metrics provide security insights that enable teams to identify and mitigate zero-day threats through the detection of anomalies in microservices metrics, such as traffic flow, process calls, syscalls, and more. Using machine learning (ML) and heuristic analysis, security teams can identify abnormal behavior and issue alerts.
Observability also enables security teams to visualize the blast radius in the event of a breach. Using this information, teams can apply mitigating controls, such as security policy updates, to isolate the breached microservice and thereby limit exposure.
And finally, observability helps DevOps teams maintain the quality of service by identifying service failure and performance hotspots, and conducting a detailed investigation with capabilities such as packet capture and distributed tracing.
Observability challenges
DevOps and SRE teams today are being overwhelmed by an enormous amount of data from multiple, disparate systems that monitor infrastructure and Continue reading
Enhancing Kubernetes network security with microsegmentation: A strategic approach
Microsegmentation represents a transformative approach to enhancing network security within Kubernetes environments. This technique divides networks into smaller, isolated segments, allowing for granular control over traffic flow and significantly bolstering security posture. At its core, microsegmentation leverages Kubernetes network policies to isolate workloads, applications, namespaces, and entire clusters, tailoring security measures to specific organizational needs and compliance requirements.
The essence of microsegmentation strategies
Scalability and flexibility
The fundamental advantage of microsegmentation through network policies lies in its scalability and flexibility. Kubernetes’ dynamic, label-based selection process facilitates the addition of new segments without compromising existing network infrastructure, enabling organizations to adapt to evolving security landscapes seamlessly.
Prevent lateral movement of threats
Workload isolation, a critical component of microsegmentation, emphasizes the importance of securing individual microservices within a namespace or tenant by allowing only required and approved communication. This minimizes the attack surface and prevents unauthorized lateral movement.
Namespace and tenant isolation
Namespace isolation further enhances security by segregating applications into unique namespaces, ensuring operational independence and reducing the impact of potential security breaches. Similarly, tenant isolation addresses the needs of multi-tenant environments by securing shared Kubernetes infrastructure, thus protecting tenants from each other Continue reading
What is platform engineering and when should you invest in it?
As application platforms grow larger, the idea of DevOps teams where developers support the software development lifecycle, but also manage infrastructure and the platform, is beginning to reach the limits of what these teams can support. Rather than taking their best application developers and making them work on infrastructure problems, more organizations are coming to the conclusion that a centralized platform team specialized in that area is a better use of their developers’ skill sets. But what exactly is the platform engineering team and how is it different from the DevOps team? Should your organization invest in platform engineering? Let’s take a closer look.
Platform engineering: What is it and how did it come about?
Platform engineering is essentially building (selecting/standardizing on), operating, and managing the infrastructure that supports 1st- and 3rd-party applications. In the days before cloud-native application development, what we saw was that there was a central team that provided compute infrastructure for enterprise developers to build and host their applications. At a certain point in time, those developers moved to a microservices-based architecture. They didn’t just need virtual machines or servers where they could run their applications; they were building those applications in a containerized form factor, Continue reading
Prevent Data Exfiltration in Kubernetes: The Critical Role of Egress Access Controls
Data exfiltration and ransomware attacks in cloud-native applications are evolving cyber threats that pose significant risks to organizations, leading to substantial financial losses, reputational damage, and operational disruptions. As Kubernetes adoption grows for running containerized applications, it becomes imperative to address the unique security challenges it presents. This article explores the economic impact of data exfiltration and ransomware attacks, their modus operandi in Kubernetes environments, and effective strategies to secure egress traffic. We will delve into the implementation of DNS policies and networksets, their role in simplifying egress control enforcement, and the importance of monitoring and alerting for suspicious egress activity. By adopting these measures, organizations can strengthen their containerized application’s security posture running in Kubernetes and mitigate the risks associated with these prevalent cyber threats.
Economic impact of data exfiltration and ransomware attacks
Data exfiltration and ransomware attacks have emerged as formidable threats to organizations worldwide, causing substantial financial losses and service outage. According to IBM’s 2023 Cost of a Data Breach report, data exfiltration attacks alone cost businesses an average of $3.86 million per incident, a staggering figure that underscores the severity of this issue. Ransomware attacks, on the other hand, can inflict even more damage, with Continue reading
Recap: KubeCon + CloudNativeCon EU + CalicoCon 2024
Last week we had the pleasure of attending KubeCon + CloudNativeCon EU in Paris, France. It was a fantastic event where we once again had the opportunity to engage in meaningful conversations about Kubernetes, container security, and the latest developments in the open source ecosystem. We also hosted CalicoCon 2024, a co-located event, to talk about our favorite subject: Calico! Let’s take a look at some of the highlights from the conference.
CalicoCon 2024
A large group of KubeCon attendees joined us on March 19th for a full-day event to explore the trends, strategies, and technologies making waves in the Kubernetes networking, security, and observability world. The day included a keynote on Project Calico’s past, present, and future, plus multiple presentations and workshops delivered by Calico engineers that provided a deep dive into topics such as eBPF, Windows HNS, multi-cluster mesh, best practices for network policies, scale, performance, encryption, and compliance.
A good time was had by all in attendance, and two lucky winners of our raffles each took home a pair of AirPods! The day ended with happy hour and networking, where attendees had a chance to meet other Calico users as well as the engineers and leadership Continue reading
What’s new in Calico – Spring 2024
Last quarter we announced Calico Cloud’s ‘Cluster Security Score’ feature as part of cluster security posture management. Today, we are excited to announce product and user experience improvements and better user experience for the Calico platform. This blog covers all major updates including VXLAN-based cluster mesh networking, advanced observability and troubleshooting features, improved support for Windows-based containers, third-party integration using webhooks, and enhanced egress gateway high-availability.
By leveraging these new features, organizations can streamline their Kubernetes cluster management, enhance network visibility, and ensure reliable connectivity and security for their applications across clusters.
Enhanced cluster mesh implementation
Kubernetes does not natively support inter-cluster pod to pod communication. While routable IPs is a way to solve this, it requires changes to the underlying network which is both challenging and time consuming. Calico’s new capability solves this by implementing VXLAN support. You no longer need to make any changes to the network to enable pod to pod connectivity across multiple clusters. This allows you to easily deploy applications and services across multiple clusters, and manage them as a single entity.
Calico’s cluster mesh is fully integrated with its policy and security features, so that policies and security controls can be applied Continue reading