Archive

Category Archives for "Tigera.io"

What’s new in Calico – Spring 2024

Last quarter we announced Calico Cloud’s ‘Cluster Security Score’ feature as part of cluster security posture management. Today, we are excited to announce product and user experience improvements for the Calico platform. This blog covers all major updates including VXLAN-based cluster mesh networking, advanced observability and troubleshooting features, improved support for Windows-based containers, third-party integration using webhooks, and enhanced egress gateway high-availability.

By leveraging these new features, organizations can streamline their Kubernetes cluster management, enhance network visibility, and ensure reliable connectivity and security for their applications across clusters.

Enhanced cluster mesh implementation

Kubernetes does not natively support inter-cluster pod-to-pod communication. While routable IPs are one way to solve this, they require changes to the underlying network, which is both challenging and time-consuming. Calico’s new capability solves this by implementing VXLAN support. You no longer need to make any changes to the network to enable pod-to-pod connectivity across multiple clusters. This allows you to easily deploy applications and services across multiple clusters, and manage them as a single entity.

Calico’s cluster mesh is fully integrated with its policy and security features, so that policies and security controls can be applied Continue reading

Calico monthly roundup: January 2024

Welcome to the Calico monthly roundup: January edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Join us at CalicoCon 2024 in Paris

We are thrilled to announce that CalicoCon 2024 will be held on March 19 in Paris as a KubeCon + CloudNativeCon Europe 2024 co-located event. Join us for an immersive event focused on the latest trends, strategies, and technologies in Kubernetes networking, security, and observability. Limited spots are available, so register now to secure your spot.

Register.

Customer case study: NuraLogix

AI-driven healthtech company, NuraLogix, improves security and compliance on Amazon EKS using Calico Cloud.

Read case study.

Tigera has achieved AWS Security Competency status!

Tigera has gained a new AWS Security Competency, which we’re proud to add to our already existing AWS Containers Software Competency. Read about the addition of our newest security competency.

Read more.

Securely connect EKS workloads to approved SaaS with Calico Egress Gateway

Learn how Calico Egress Gateway for AWS Elastic IP provides a valuable tool to bolster an organization’s defenses and ensure secure and dependable connections to trusted SaaS platforms.

Read blog post.

Open source news

*NEW* GitHub Discussion forum – Looking for Continue reading

Join us at CalicoCon 2024, co-located with KubeCon + CloudNativeCon Europe 2024

We are excited to announce CalicoCon 2024, an in-person learning event for Project Calico, taking place March 19th, 2024 as a co-located event with KubeCon + CloudNativeCon Europe 2024.

As Kubernetes continues to expand its presence in both enterprises and small-to-medium businesses, understanding container networking and security in managed or self-managed Kubernetes environments becomes crucial. Organizations are now presented with choices for dataplanes, such as eBPF, Windows HNS, and Linux iptables, as well as for multi-cloud and Kubernetes distributions, as they scale their applications and make them more performance-efficient. Additionally, the process of creating new cloud-native applications or modernizing legacy applications also presents Kubernetes users with a selection of cutting-edge and mature container networking and security technologies.

To make these decisions in a way that leverages their existing investments and is future-proof, users require guidance on developing and implementing scalable network security policies, selecting dataplanes, achieving low latency, optimizing resources, and integrating with bare metal and VM workloads.

What can you expect?

At CalicoCon, we will provide KubeCon Paris 2024 attendees with an opportunity to actively participate in a full-day event where they will:

Tigera Closes Out 2023 with Significant Momentum for Calico as Demand for Container Security Accelerates

As 2023 comes to a close, we’re happy to report that we’ve had a successful year full of powerful product advancements and notable third-party recognition.

Key product enhancements

  • Plug-and-play Runtime Threat Defense – Combines signature and behavior-based threat detection to protect against both known and zero-day threats. Calico Runtime Threat Defense provides preconfigured threat detectors to detect the most common MITRE ATT&CK techniques for container and network-based attacks.
  • Security Score and Recommended Actions – Provides an unparalleled view of security risks, enabling enterprises to identify, prioritize and mitigate them swiftly.
  • Streamlined autoscaling with Windows HostProcess Container – Simplifies Kubernetes operations while saving time and resources.
  • IPv6 support for eBPF – Empowers enterprises to enhance the performance and scalability of their applications, ensuring they meet the demands of modern workloads.
  • Calico cluster mesh for VXLAN – Offers a scalable solution for multi-cluster deployments, enabling multi-cluster pod-to-pod connectivity and enhancing security and visibility.

With these new enhancements, Calico is the industry’s most complete solution for securing and observing Kubernetes environments.

User feedback

Calico Open Source users represent a robust sample of IT professionals from across industries and use cases. We polled these users to better understand their needs and compiled the insights into Continue reading

Cisco Acquires Isovalent: A Big Win for Cloud-Native Network Security and a Validation of Tigera’s Vision

This week’s news of Cisco’s intent to acquire Isovalent sends an important message to the cloud security ecosystem: network security is no longer an afterthought in the cloud-native world. It’s now a critical component of any robust security posture for cloud-native applications. This move not only validates the work of the Isovalent team in evangelizing this essential category but also underscores the vision Tigera has pioneered since 2016 with Project Calico.

I would first like to extend heartfelt congratulations to Isovalent and its founders on their well-deserved exit and thank them for their invaluable contributions to cloud-native network security.

Cisco’s acquisition recognizes that traditional perimeter security solutions simply don’t translate to the dynamic, distributed nature of cloud-native architectures and that network security is a critical part of a good cloud-native security design. This is a fundamental truth that Tigera identified early on with Project Calico. We saw the need for a fundamentally different approach to network security, one tailored to the unique demands of containerized and distributed applications running in the cloud.

Calico Open Source, born from this vision, has become the industry leader in container networking and security. It now powers over 100 million containers across 8 million+ Continue reading

Calico monthly roundup: December 2023

Welcome to the Calico monthly roundup: December edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Tigera has achieved AWS Security Competency status!

Tigera has gained a new AWS Security Competency, which we’re proud to add to our already existing AWS Containers Software Competency. Read about the addition of our newest security competency.

Read more.

Find your Cluster Security Score

Calico Cloud is releasing new capabilities for security posture management called Security Scoring and Recommended Actions. Start measuring and tracking your security posture.

Learn more.

Customer case study: Leader-bet

Calico provides container security and compliance for online gaming giant, Leader-bet. Read our case study to learn more.

Read case study.

Comparing NGFW container firewalls with Calico container firewall

Learn how to establish robust firewall policies with just code or a single click for advanced threat protection using behavior-based learning and IDS/IPS integrated with the firewall.

Read blog post.

Open source news

Calico v3.27 is out 🎉 and there are a lot of new features, updates, and improvements that are packed into this release. Here is a breakdown of the most important changes:

  • Significant performance improvements, especially for extremely large clusters
  • Calico VPP Continue reading

Calico monthly roundup: November 2023

Welcome to the Calico monthly roundup: November edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Find your Cluster Security Score

Calico Cloud is releasing new capabilities for security posture management called Security Scoring and Recommended Actions. Start measuring and tracking your security posture.

Learn more.

Customer case study: Boundless Software

Calico Cloud enabled SOC 2 compliance for Boundless Software while also drastically reducing onboarding times for the company’s customers. Read our case study to find out how.

Read case study.

Secure Kubernetes traffic with Calico Egress gateway

Discover how egress gateways enable users to assign a meaningful network identity to selected traffic, so that traditional tools can use this information to enforce granular policies on traffic based on identity or bandwidth.

Read blog post.

Open source news

  • NEW features
    • Streamlined Operations with Windows HostProcess Container – Automated node pool scaling and upgrades, eliminating the need for manual node initialization to streamline operations and management of Windows container-based applications.
    • Performance and Scalability with IPv6 Support for Calico eBPF Dataplane – IPv6 support for eBPF in Calico empowers enterprises to enhance the performance and scalability of their applications by alleviating Continue reading

Tigera has achieved AWS Security Competency status!

We’re happy to announce that Tigera recently achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes the security capabilities of Tigera’s Calico Cloud platform in helping customers secure their AWS workloads and achieve their cloud security goals.

To receive the designation, AWS Partners must possess deep AWS expertise and deliver solutions seamlessly on AWS. After evaluating Calico Cloud’s security capabilities, including vulnerability management, container- and network-based threat detection, observability and security policy lifecycle, AWS found it surpassed the competency requirements.

This is the second AWS competency Tigera has achieved and we’re proud to add this new competency to our existing AWS Containers Software Competency. Our team is dedicated to helping companies achieve their Kubernetes and container security goals by combining our technology with the range of powerful security tools AWS provides.

Read the full press release for more details or visit us on the AWS Marketplace.

Recap: KubeCon + CloudNativeCon NA 2023

Thanks to everyone who joined us in Chicago this month at KubeCon + CloudNativeCon NA 2023. We had a chance to have many meaningful conversations about Kubernetes and container security, the latest in the open source ecosystem, and of course—Calico! Here are some highlights from the conference.

Calico at KubeCon

We had a ton of visitors at our booth this year and were happy to catch up with old friends as well as meet new ones. Tech problems for business needs, such as how to provide fixed IPs to workloads for communication outside of the Kubernetes cluster, instead of architectural debates about the underlying dataplane, were a popular topic of discussion. Another was runtime security at the workload level (default-deny/zero trust). The issue of visibility into workload communication at scale overlaid with effective security policies also came up often. We were all too happy to show how Calico can help!

Cruise Party

Those who joined us for our private cruise party enjoyed a guided architecture tour of the spectacular Chicago lakefront. The evening went swimmingly and offered our guests a chance to unwind and network while enjoying great food and an open bar, against a backdrop of glittering skyscrapers.

2023 Continue reading

Calico monthly roundup: October 2023

Welcome to the Calico monthly roundup: October edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Join us at KubeCon + CloudNativeCon North America 2023

We’re gearing up for KubeCon + CloudNativeCon 2023 in Chicago. Join us at booth #G13 for exciting Kubernetes security updates and pick up some cool new Calico swag!

See what we’ve got planned.

Customer case study: eHealth

Calico provides visibility and zero-trust security controls for eHealth on Amazon EKS. Read our new case study to find out how.

Read case study.

Evaluating container firewalls for Kubernetes network security

Learn why a traditional firewall architecture doesn’t work for modern cloud-native applications and results in a huge resource drain in a production environment.

Read blog post

The State of Calico Open Source: Usage & Adoption Report 2023

Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies.

Read the report.

Open source news

Calico monthly roundup: September 2023

Welcome to the Calico monthly roundup: September edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Transforming Container Network Security with Calico Container Firewall

Discover how you can automate security, ensure consistency, and tightly align security with development practices in a microservices environment.

Read blog post

The State of Calico Open Source: Usage & Adoption Report 2023

Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies.

Read the report.

Open source news

  • Share your Calico Open Source journey and win a $25.00 gift card – Your journey with Calico Open Source matters to us! Share your experience and insight on how you solve problems and build your network security using Calico. Book a meeting to tell us about your journey and where you seek information. As a thank you, we’ll send you a $25.00 gift card!
  • Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join Continue reading

Transforming Container Network Security with Calico Container Firewall

In today’s cloud-driven landscape, containerized workloads are at the heart of modern applications, driving agility, scalability, and innovation. However, as these workloads become increasingly distributed across multi-cluster, multi-cloud, and hybrid environments, the challenge of securing them grows exponentially. Traditional network security measures designed for static network boundaries are ill-suited for the dynamic nature of containerized applications.

The Challenge: Protecting Cloud-Native Workloads

The rapid migration to the cloud has resulted in an explosion of cloud workloads, ranging from traditional applications with minimal cloud adaptation to cloud-native applications exploiting the cloud’s elasticity and scalability.

Cloud-native applications, in particular, rely on microservices architectures, ephemeral and highly elastic containers, and CI/CD automation through platforms like Kubernetes. These applications embrace the cloud’s dynamic nature but introduce unique security challenges. Unlike traditional workloads, cloud-native applications lack fixed network boundaries and are highly distributed across hybrid and multi-cloud environments. They demand a new approach to network security.

The Need for a Container Firewall in DevOps Flows:

The essence of DevOps is speed and automation. Containers and orchestration platforms like Kubernetes enable rapid software development and deployment. However, this agility brings heightened security concerns.

Traditional firewalls, rooted in perimeter defenses, struggle to secure dynamic containerized environments effectively.

What’s new in Calico Enterprise 3.18: Major workload-centric WAF updates and more

In this release, we’re really excited about major improvements to Calico’s workload-centric WAF. We’ve made it much easier for users to configure and deploy the WAF in just a few clicks, and we’ve also made it much easier to review and manage WAF alerts through our new Security Events feature.

Why do we need a new WAF for microservices?

Application security teams have deployed perimeter-based WAFs for decades to protect against common web attacks, with a focus on browser-based and client-side attacks. But with the rise of microservice architecture, there’s now a significant amount of HTTP traffic related to internal APIs. Moreover, with the growing use of open source and third-party software, all deployed within your Kubernetes cluster, you can no longer trust that the software running in your cluster is safe or secure. With this growing attack surface within your cloud environment, it’s critical to employ a workload-based WAF.

Calico’s workload-centric WAF

We know that security teams are struggling to keep up with the rapid pace of software development in their organizations, so we wanted to simplify the way that security teams secure application traffic. Further, we wanted to ensure that security teams can secure all workloads, not just their Continue reading

Calico monthly roundup: August 2023

Welcome to the Calico monthly roundup: August edition! From open source news to live events, we have exciting updates to share—let’s get into it!

*NEW* The State of Calico Open Source: Usage & Adoption Report 2023

Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies.

Read the report.

Customer case study: HanseMerkur

Using Calico, HanseMerkur was able to reduce infrastructure overhead and achieve organizational compliance. Read our new case study to find out how.

Get case study.

Open source news

  • Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join us live on LinkedIn or YouTube.
  • CNCF webinar – Watch the recording of our CNCF live webinar, where we talk about eBPF advantages and troubleshooting. Watch now.
  • Calico for Microsoft Azure – Learn the technical differences between Azure networking options for Microsoft AKS environments, along with a tradeoff analysis. Read blog post.
  • Podcast – Listen to this joint podcast with Calico Big Cat, Parth Goswami, where they answer the Continue reading

New report: The state of Calico Open Source 2023

We are excited to announce the publication of our 2023 State of Calico Open Source, Usage & Adoption report! The report compiles survey results from more than 1,200 Calico Open Source users from around the world, who are actively using Calico in their container and Kubernetes environments. It sheds light on how they are using Calico across various environments, while also highlighting different aspects of Calico’s adoption in terms of platforms, data planes, and policies.

Report highlights

The report shows that Calico continues to be a pivotal part of the container and Kubernetes ecosystem, finding large-scale adoption across major Kubernetes platforms.

  • Calico Open Source is mainly used for Kubernetes networking and security
    • 63% are using Calico as a security policy engine on top of an existing CNI
  • The top 3 Calico capabilities driving user adoption are its scalable networking, security policies and interoperability across different environments
  • Calico users are using a combination of data planes including eBPF, standard Linux and Windows
    • 16% of respondents use Calico’s newer eBPF data plane
  • Calico policy creation and deployment is driven by the need for workload access control and secure egress access
    • 85% of users need to achieve network segmentation and protect east-west traffic

Continue reading

Integrating Calico statistics with Prometheus

Metrics are important for a microservices application running on Kubernetes because they provide visibility into the health and performance of the application. This visibility can be used to troubleshoot problems, optimize the application, and ensure that it is meeting its SLAs.

Some of the challenges that metrics solve for microservices applications running on Kubernetes include:

  • Visibility: Microservices applications are typically composed of many small, independent services. This can make it difficult to get a clear picture of the overall health and performance of the application. Metrics provide a way to aggregate data from all of the services, giving you a single view of the application.
  • Troubleshooting: When something goes wrong with a microservices application, it can be difficult to identify the root cause of the problem. Metrics can help you to track down the problem by providing information about the state of the application at the time of the failure.
  • Optimization: Metrics can be used to optimize the performance of a microservices application. By tracking metrics such as CPU usage, memory usage, and network traffic, you can identify areas where the application can be improved.
  • SLAs: Many microservices applications have SLAs that they must meet. Metrics can be used to Continue reading

Calico monthly roundup: July 2023

Welcome to the Calico monthly roundup: July edition! From open source news to live events, we have exciting updates to share—let’s get into it!

Customer case study: Upwork

Using Calico, Upwork was able to enforce zero-trust security for its newly migrated containerized applications on Amazon EKS. Read our new case study to find out how.

Read case study.

Container security – Self-paced workshop

This self-paced tutorial is designed to help you prevent, detect, and stop breaches in containers and Kubernetes. Learn how to secure all aspects of your containerized applications—all at your own pace!

Get started.

Open source news

  • Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join us live on LinkedIn or YouTube.
  • CNCF webinar – Watch our CNCF on-demand webinar, Container and Kubernetes security policy design: 10 critical best practices, here.
  • Calico eBPF and XDP – Learn how to implement eBPF security policies and XDP to achieve better performance in your Kubernetes cluster. Hands-on lab environment available here.
  • Calico Wall of Continue reading

Automated namespace isolation with Calico

Calico has recently introduced a powerful new policy recommendation engine that enables DevOps, SREs, and Kubernetes operators to automatically generate Calico policies to implement namespace isolation and improve the security posture of their clusters.

This new recommendation engine is unique for three reasons:

  1. Calico’s policy recommendations work continuously in the background over a user-configurable time period. This ensures that less frequent traffic flows are also accounted for in recommended policies.
  2. Policy recommendations leverage Calico’s policy tiers. Tiers enforce an order of precedence on how Calico policies are evaluated and enforced. The recommended policies are placed in their own tier and Calico ensures each generated rule does not conflict with other policies you have implemented.
  3. Recommended policies are StagedNetworkPolicies, allowing admins and operators to audit the behavior of these security policies before actively enforcing them.

In this blog, we’ll dive into each of these areas in more detail and provide an in-depth overview of how policy recommendations work and how they can improve the security posture of your cluster.

Before we get started, let’s quickly talk about namespace isolation and why it’s so important.

Why is namespace isolation important?

Namespaces are a foundational concept within Kubernetes. They help divide your Continue reading

Using Web Application Firewall at container-level for network-based threats

The microservices architecture provides developers and DevOps engineers significant agility that helps them move at the pace of the business. Breaking monolithic applications into smaller components accelerates development, streamlines scaling, and improves fault isolation. However, it also introduces certain security complexities since microservices frequently engage in inter-service communications, primarily through HTTP-based APIs, thus broadening the application’s attack surface. This scenario is similar to breaking a chunk of ice into smaller pieces, increasing its surface area. It is crucial that enterprises address these security challenges before benefiting from adopting a microservice architecture.

Challenges implementing defense-in-depth for containers with perimeter-based Web Application Firewall

Kubernetes is the de facto standard for microservices orchestration. However, as organizations increasingly adopt Kubernetes, they run the risk of inadvertently introducing security gaps. This is often the result of attempts to integrate traditional security tooling into a cloud-native ecosystem that is highly dynamic, ephemeral, and non-deterministic. Instead of implementing security around the platform, DevOps, security, and platform teams must look at enforcing defenses through the platform.

Let’s look at an example of a web application firewall (WAF), which is typically deployed at the ingress of a network or application. As shown in the diagram below, HTTP traffic is Continue reading