Archive

Category Archives for "Tigera.io"

CVE-2021-31440: Kubernetes container escape using eBPF

In a recent post by ZDI, researchers found an out-of-bounds access flaw (CVE-2021-31440) in the Linux kernel’s (5.11.15) implementation of the eBPF code verifier: an incorrect register bounds calculation occurs while checking unsigned 32-bit instructions in an eBPF program. The flaw can be leveraged to escalate privileges and execute arbitrary code in the context of the kernel.

This vulnerability allows a local privilege escalation, which means an attacker with non-root access to the system can gain higher privileges by exploiting this vulnerability. The non-root access can be a user account without sudo or group privileges, which are usually provided to the application user.

Why you should be worried

In a Kubernetes environment, containers use the host kernel to run themselves. Therefore, the execution of malicious eBPF code as an unprivileged user in the context of the kernel can result in container escape and privilege escalation to the host.

Unprivileged users inside the container need CAP_SYS_ADMIN permission already assigned to the container to run a malicious eBPF program. For Linux kernels 5.8 and above, a new permission, CAP_BPF, is added to allow users to run eBPF programs. CAP_BPF is a subset of CAP_SYS_ADMIN.

In Kubernetes, Continue reading

CVE-2021-31440: Kubernetes container escape using eBPF

In a recent post by ZDI, researchers found an out-of-bounds access flaw (CVE-2021-31440) in the Linux kernel’s (5.11.15) implementation of the eBPF code verifier: an incorrect register bounds calculation occurs while checking unsigned 32-bit instructions in an eBPF program. The flaw can be leveraged to escalate privileges and execute arbitrary code in the context of the kernel.

This vulnerability allows a local privilege escalation, which means an attacker with non-root access to the system can gain higher privileges by exploiting this vulnerability. The non-root access can be a user account without sudo or group privileges, which are usually provided to the application user.

Why you should be worried

In a Kubernetes environment, containers use the host kernel to run themselves. Therefore, the execution of malicious eBPF code as an unprivileged user in the context of the kernel can result in container escape and privilege escalation to the host.

Unprivileged users inside the container need CAP_SYS_ADMIN permission already assigned to the container to run a malicious eBPF program. For Linux kernels 5.8 and above, a new permission, CAP_BPF, is added to allow users to run eBPF programs. CAP_BPF is a subset of CAP_SYS_ADMIN.

In Kubernetes, Continue reading

Learn from industry experts at the Kubernetes Security and Observability Summit—next week!

The Kubernetes Security and Observability Summit is only 1 week away! The industry’s first and only conference solely focused on Kubernetes security and observability will be taking place online June 3, 2021.

During the Summit, DevOps, SREs, platform architects, and security teams will enjoy the chance to network with industry experts and explore trends, strategies, and technologies for securing, observing and troubleshooting cloud-native applications.

What does security and observability mean in a cloud-native context? What challenges should Kubernetes practitioners anticipate and what opportunities should they investigate? Join us to explore these types of questions and gain valuable insight you’ll be able to take back to your teams.

Speakers & sessions

Tigera’s President & CEO, Ratan Tipirneni, will kick off the Summit with an opening keynote address. Two additional keynotes from Graeme Hay of Morgan Stanley and Keith Neilson of Discover Financial Services will follow. Attendees will then have the opportunity to attend breakout sessions organized into three tracks:

  1. Stories from the real world
  2. Best practices
  3. Under the hood

During these sessions, experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, PayPal, Salesforce, and of course, Tigera, will share real-world stories, best practices, and technical concepts related to Continue reading

Learn from industry experts at the Kubernetes Security and Observability Summit—next week!

The Kubernetes Security and Observability Summit is only 1 week away! The industry’s first and only conference solely focused on Kubernetes security and observability will be taking place online June 3, 2021.

During the Summit, DevOps, SREs, platform architects, and security teams will enjoy the chance to network with industry experts and explore trends, strategies, and technologies for securing, observing and troubleshooting cloud-native applications.

What does security and observability mean in a cloud-native context? What challenges should Kubernetes practitioners anticipate and what opportunities should they investigate? Join us to explore these types of questions and gain valuable insight you’ll be able to take back to your teams.

Speakers & sessions

Tigera’s President & CEO, Ratan Tipirneni, will kick off the Summit with an opening keynote address. Two additional keynotes from Graeme Hay of Morgan Stanley and Keith Neilson of Discover Financial Services will follow. Attendees will then have the opportunity to attend breakout sessions organized into three tracks:

  1. Stories from the real world
  2. Best practices
  3. Under the hood

During these sessions, experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, PayPal, Salesforce, and of course, Tigera, will share real-world stories, best practices, and technical concepts related to Continue reading

Why you don’t want to miss the upcoming Kubernetes Security and Observability Summit

The inaugural Kubernetes Security and Observability Summit will be a free, live, online experience full of Kubernetes-related security and observability content. On June 3, 2021, industry experts will gather under one virtual roof to discuss trends, strategies, and technologies for Kubernetes security and observability, to help you understand and navigate today’s pressing issues in the world of cloud-native applications.

Why attend?

The Summit is a great opportunity to:

  • Network with the industry’s best security, DevOps, and site reliability engineer (SRE) teams for cloud-native platforms
  • Learn how to secure, observe, and troubleshoot Kubernetes environments
  • Explore real-world Kubernetes security and observability use cases presented by experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, PayPal, Salesforce, and of course, Tigera

Who should attend?

SREs, platform architects, and DevOps and security teams will all find value in attending the Summit.

  • DevOps teams and SREs – Learn how to include security and observability in your CI/CD to enable security, observability, and troubleshooting
  • Platform architects – Learn architecture patterns and best practices to secure and troubleshoot cloud-native applications
  • Security teams – Learn how to holistically secure your cloud-native applications following today’s best practices

Speakers & sessions

An opening keynote address from Continue reading

Why you don’t want to miss the upcoming Kubernetes Security and Observability Summit

The inaugural Kubernetes Security and Observability Summit will be a free, live, online experience full of Kubernetes-related security and observability content. On June 3, 2021, industry experts will gather under one virtual roof to discuss trends, strategies, and technologies for Kubernetes security and observability, to help you understand and navigate today’s pressing issues in the world of cloud-native applications.

Why attend?

The Summit is a great opportunity to:

  • Network with the industry’s best security, DevOps, and site reliability engineer (SRE) teams for cloud-native platforms
  • Learn how to secure, observe, and troubleshoot Kubernetes environments
  • Explore real-world Kubernetes security and observability use cases presented by experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, PayPal, Salesforce, and of course, Tigera

Who should attend?

SREs, platform architects, and DevOps and security teams will all find value in attending the Summit.

  • DevOps teams and SREs – Learn how to include security and observability in your CI/CD to enable security, observability, and troubleshooting
  • Platform architects – Learn architecture patterns and best practices to secure and troubleshoot cloud-native applications
  • Security teams – Learn how to holistically secure your cloud-native applications following today’s best practices

Speakers & sessions

An opening keynote address from Continue reading

Don’t miss our session at SUSECON Digital 2021

Join us at SUSECON Digital 2021, taking place virtually from May 18–20. It’s free! Tigera VP Product Management & Business Development, Amit Gupta, will be leading a session on Kubernetes networking, security and observability with Rancher and Calico. Our team will also be at the Tigera booth waiting to speak with you.

Speaking session

Don’t miss our session on Kubernetes networking, security and observability with Rancher and Calico! You can add our session to your schedule here.

Session details

Title: Kubernetes Networking, Security and Observability with Rancher and Calico
Date: Tuesday, May 18 at 6:00–6:30 PM (BST)

Rancher enables enterprises to deliver Kubernetes-as-a-Service across any infrastructure, including hybrid, multi-cloud and multi-cluster environments. Kubernetes’ networking, security, and observability for such deployments are critical in preventing an organization’s exposure to a multitude of security and compliance issues.

In this session, you’ll learn about how you can leverage open-source Calico in Rancher (built-in) to secure your Kubernetes environments. You will also learn about how Calico Cloud and Calico Enterprise, built on open-source Calico, can help you address performance hotspots, troubleshoot microservice communication, and carry out anomaly detection. Lastly, you will learn how to bootstrap and configure your Rancher cluster along with sample network Continue reading

Don’t miss our session at SUSECON Digital 2021

Join us at SUSECON Digital 2021, taking place virtually from May 18–20. It’s free! Tigera VP Product Management & Business Development, Amit Gupta, will be leading a session on Kubernetes networking, security and observability with Rancher and Calico. Our team will also be at the Tigera booth waiting to speak with you.

Speaking session

Don’t miss our session on Kubernetes networking, security and observability with Rancher and Calico! You can add our session to your schedule here.

Session details

Title: Kubernetes Networking, Security and Observability with Rancher and Calico
Date: Tuesday, May 18 at 6:00–6:30 PM (BST)

Rancher enables enterprises to deliver Kubernetes-as-a-Service across any infrastructure, including hybrid, multi-cloud and multi-cluster environments. Kubernetes’ networking, security, and observability for such deployments are critical in preventing an organization’s exposure to a multitude of security and compliance issues.

In this session, you’ll learn about how you can leverage open-source Calico in Rancher (built-in) to secure your Kubernetes environments. You will also learn about how Calico Cloud and Calico Enterprise, built on open-source Calico, can help you address performance hotspots, troubleshoot microservice communication, and carry out anomaly detection. Lastly, you will learn how to bootstrap and configure your Rancher cluster along with sample network Continue reading

Join us at our inaugural Kubernetes Security and Observability Summit

We are excited to announce that the inaugural Kubernetes Security and Observability Summit, brought to you by Tigera, will take place on June 3, 2021.

The journey to Kubernetes adoption can be riddled with challenges and roadblocks. These challenges are magnified in a cloud-native context, where organizations are running hundreds—sometimes thousands—of applications simultaneously across numerous business units, for customers around the world.

What does security and observability mean in this context? What challenges should Kubernetes practitioners anticipate and what opportunities should they explore? To address these questions and to explore emerging trends, we are gathering industry experts under one (virtual) roof at the Kubernetes Security and Observability Summit.

As the industry’s first and only conference solely focused on Kubernetes security and observability, this (free) live virtual event will include discussions with technology leaders and Kubernetes users on real-world experiences, fundamentals, and best practices for securing and troubleshooting Kubernetes environments.

What to expect

The Kubernetes Security and Observability Summit is a place for DevOps, SREs, platform architects, and security teams to come together to explore trends, strategies, and technologies for securing, observing and troubleshooting cloud-native applications.

During the summit, experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, Continue reading

Join us at our inaugural Kubernetes Security and Observability Summit

We are excited to announce that the inaugural Kubernetes Security and Observability Summit, brought to you by Tigera, will take place on June 3, 2021.

The journey to Kubernetes adoption can be riddled with challenges and roadblocks. These challenges are magnified in a cloud-native context, where organizations are running hundreds—sometimes thousands—of applications simultaneously across numerous business units, for customers around the world.

What does security and observability mean in this context? What challenges should Kubernetes practitioners anticipate and what opportunities should they explore? To address these questions and to explore emerging trends, we are gathering industry experts under one (virtual) roof at the Kubernetes Security and Observability Summit.

As the industry’s first and only conference solely focused on Kubernetes security and observability, this (free) live virtual event will include discussions with technology leaders and Kubernetes users on real-world experiences, fundamentals, and best practices for securing and troubleshooting Kubernetes environments.

What to expect

The Kubernetes Security and Observability Summit is a place for DevOps, SREs, platform architects, and security teams to come together to explore trends, strategies, and technologies for securing, observing and troubleshooting cloud-native applications.

During the summit, experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, Continue reading

What’s New in Calico v3.19

We’re excited to announce Calico v3.19.0! This release includes a number of cool new features as well as bug fixes. Thank you to each one of the contributors to this release! For detailed release notes, please go here. Here are some highlights from the release…

VPP Data Plane (tech-preview)

We’re very excited to announce that Calico v3.19 includes tech-preview support for FD.io’s Vector Packet Processing (VPP) data plane, joining Calico’s existing iptables, eBPF, and Windows dataplanes.

The VPP data plane promises high performance Kubernetes networking with support for network policy, encryption via WireGuard or IPSec, and MagLev service load balancing.

Interested? Try it out by following the tech-preview getting started guide!

Resource Management with kubectl (tech-preview)

In previous versions of Calico, the “calicoctl” command line tool was required to properly manage Calico API resources. In Calico v3.19, we’ve introduced a new tech-preview feature that allows you to manage all projectcalico.org API resources directly with kubectl using an optional API server add-on.

Try it out on your cluster by following the guide!

Windows Data Plane Support for containerd

Calico v3.19 introduces support for Calico for Windows users to deploy containers using containerd Continue reading

Calico Enterprise enables live view of cloud-native apps deployed in Kubernetes

We are happy to announce that the latest release of Calico Enterprise delivers unprecedented levels of Kubernetes observability! Calico Enterprise 3.5 provides full-stack observability across the entire Kubernetes environment, from application layer to networking layer.

With this new release, developers, DevOps, SREs, and platform owners get:

  • A live, high-fidelity view of microservices and workload interactions in the environment, with the ability to take corrective actions in real time
  • An easy-to-understand, action-oriented view that maintains correlations at the service, deployment, container, node, pod, network, and packet levels
  • Kubernetes context for easy filtering and subsequent analysis of traffic payloads
  • A Dynamic Service Graph representing traffic between namespaces, microservices, and deployments for faster problem identification and troubleshooting
  • An interactive display that shows DNS information categorized by microservices and workloads, to determine whether DNS is the root cause of application connectivity issues
  • The ability to customize the duration and packet size for packet capture
  • Application-level observability to detect and prevent anomalous behaviors

For more information, see our official press release.

Are you a Calico Cloud user? Not to worry—these same features are now available in Calico Cloud, too.

To learn more about new cloud-native approaches for establishing security and observability with Kubernetes, check Continue reading

Calico Enterprise enables live view of cloud-native apps deployed in Kubernetes

We are happy to announce that the latest release of Calico Enterprise delivers unprecedented levels of Kubernetes observability! Calico Enterprise 3.5 provides full-stack observability across the entire Kubernetes environment, from application layer to networking layer.

With this new release, developers, DevOps, SREs, and platform owners get:

  • A live, high-fidelity view of microservices and workload interactions in the environment, with the ability to take corrective actions in real time
  • An easy-to-understand, action-oriented view that maintains correlations at the service, deployment, container, node, pod, network, and packet levels
  • Kubernetes context for easy filtering and subsequent analysis of traffic payloads
  • A Dynamic Service Graph representing traffic between namespaces, microservices, and deployments for faster problem identification and troubleshooting
  • An interactive display that shows DNS information categorized by microservices and workloads, to determine whether DNS is the root cause of application connectivity issues
  • The ability to customize the duration and packet size for packet capture
  • Application-level observability to detect and prevent anomalous behaviors

For more information, see our official press release.

Are you a Calico Cloud user? Not to worry—these same features are now available in Calico Cloud, too.

To learn more about new cloud-native approaches for establishing security and observability with Kubernetes, check Continue reading

Calico Enterprise enables live view of cloud-native apps deployed in Kubernetes

We are happy to announce that the latest release of Calico Enterprise delivers unprecedented levels of Kubernetes observability! Calico Enterprise 3.5 provides full-stack observability across the entire Kubernetes environment, from application layer to networking layer.

With this new release, developers, DevOps, SREs, and platform owners get:

  • A live, high-fidelity view of microservices and workload interactions in the environment, with the ability to take corrective actions in real time
  • An easy-to-understand, action-oriented view that maintains correlations at the service, deployment, container, node, pod, network, and packet levels
  • Kubernetes context for easy filtering and subsequent analysis of traffic payloads
  • A Dynamic Service Graph representing traffic between namespaces, microservices, and deployments for faster problem identification and troubleshooting
  • An interactive display that shows DNS information categorized by microservices and workloads, to determine whether DNS is the root cause of application connectivity issues
  • The ability to customize the duration and packet size for packet capture
  • Application-level observability to detect and prevent anomalous behaviors

For more information, see our official press release.

Are you a Calico Cloud user? Not to worry—these same features are now available in Calico Cloud, too.

To learn more about new cloud-native approaches for establishing security and observability with Kubernetes, check Continue reading

Announcing Calico Enterprise 3.5: New ways to automate, simplify and accelerate Kubernetes adoption and deployment

We are thrilled to announce the availability of Calico Enterprise 3.5, which delivers deep observability across the entire Kubernetes stack, from application to networking layers (L3–L7). This release also includes data plane support for Windows and eBPF, in addition to the standard Linux data plane. These new capabilities are designed to automate, simplify and accelerate Kubernetes adoption and deployment. Here are highlights from the release…

Application-level security and observability: Get the benefits of a service mesh, minus the operational complexity

The majority of operational problems inherent to deploying microservices in a distributed architecture are linked to two areas: security and observability. At the application level, the need to understand all aspects associated with service-to-service communication within the cluster becomes paramount. DevOps teams often struggle with these questions: Where is monitoring needed? How can I understand the impact of issues and effectively troubleshoot? How can I effectively protect application-level data?

If observability and security are your primary drivers for considering a service mesh, Calico provides L3–L7 observability and security without the additional overhead associated with a service mesh. Calico integrates Envoy at the node level to provide deep observability of microservices at the application level. Since HTTP is one of Continue reading

Announcing Calico Enterprise 3.5: New ways to automate, simplify and accelerate Kubernetes adoption and deployment

We are thrilled to announce the availability of Calico Enterprise 3.5, which delivers deep observability across the entire Kubernetes stack, from application to networking layers (L3–L7). This release also includes data plane support for Windows and eBPF, in addition to the standard Linux data plane. These new capabilities are designed to automate, simplify and accelerate Kubernetes adoption and deployment. Here are highlights from the release…

Application-level security and observability: Get the benefits of a service mesh, minus the operational complexity

The majority of operational problems inherent to deploying microservices in a distributed architecture are linked to two areas: security and observability. At the application level, the need to understand all aspects associated with service-to-service communication within the cluster becomes paramount. DevOps teams often struggle with these questions: Where is monitoring needed? How can I understand the impact of issues and effectively troubleshoot? How can I effectively protect application-level data?

If observability and security are your primary drivers for considering a service mesh, Calico provides L3–L7 observability and security without the additional overhead associated with a service mesh. Calico integrates Envoy at the node level to provide deep observability of microservices at the application level. Since HTTP is one of Continue reading

Join Tigera at KubeCon + CloudNativeCon Europe 2021

We are excited to be a sponsor of this year’s virtual KubeCon + CloudNativeCon Europe conference, taking place May 4–7, 2021 online. We hope you’ll join us by visiting our virtual booth, where a team of Tigera experts will be standing by to speak with you.

Visit us at our booth

Our team will be conducting live demos, Ask the Architect sessions, 1:1 chats, and more during our booth hours.

Tigera booth hours

Live demo and Ask the Expert sessions

We will have eight 30-minute interactive sessions focused on addressing questions about Kubernetes security and observability. Stop by our booth to check out the times for these sessions.

Private 1:1 chats & calls

Attendees can view each booth representative’s profile and initiate a private or group text chat, or request a video call.

Public booth chat

Our booth will have a built-in public chat window where booth representatives and attendees can post and reply to messages. Announcements about upcoming activities will be posted in this chat by Tigera representatives.

Enter our raffle to win Apple AirPods

We have 5 pairs of Apple AirPods to give away! The first 100 visitors to our booth will automatically be entered to win. Attendees Continue reading

First look: new O’Reilly eBook on Kubernetes security and observability *early release chapters*

We are excited to announce the early release of a new O’Reilly eBook on Kubernetes security and observability!

This practical book introduces new cloud-native approaches for Kubernetes practitioners who care about the security and observability of mission-critical microservices. Through practical guidance and best practice recommendations, this book helps you understand why cloud-native applications require a modern approach to security and observability practices and how to implement them.

You should read this book if you want to:

  • learn why you need a security and observability strategy for cloud-native applications, and determine your scope of coverage;
  • understand key concepts behind Kubernetes’s security and observability approach;
  • discover how to split security responsibilities across multiple teams or roles; and/or
  • learn how to architect Kubernetes security and observability for multi-cloud and hybrid environments.

Whether you want to know how to secure and troubleshoot your cloud-native applications, or are exploring Kubernetes for your organization and would like to solve security and observability challenges before making a decision, you will find that this book provides valuable insight.

Get your early release copy here!

The post First look: new O’Reilly eBook on Kubernetes security and observability *early release chapters* appeared first on Tigera.

Calico Cloud now available on AWS Marketplace

We are pleased to announce that Calico Cloud, our software as a service (SaaS) for Kubernetes security and observability, is now available on AWS Marketplace! AWS users can now use Kubernetes security and observability as services along with managed Kubernetes services, all with a single click. For more information, see our official press release.

Can’t wait to jump right in? Subscribe and deploy Calico Cloud on AWS Marketplace here.

The post Calico Cloud now available on AWS Marketplace appeared first on Tigera.

How Calico Cloud’s runtime defense mitigates Kubernetes MITM vulnerability CVE-2020-8554

Since the release of CVE-2020-8554 on GitHub this past December, the vulnerability has received widespread attention from industry media and the cloud security community. This man-in-the-middle (MITM) vulnerability affects Kubernetes pods and underlying hosts, and all Kubernetes versions—including future releases—are vulnerable.

Despite this, there is currently no patch for the issue. While Kubernetes did suggest a fix, it only applies to external IPs using an admission webhook controller or an OPA gatekeeper integration, leaving the door open for attackers to exploit other attack vectors (e.g. internet, same VPC cluster, within the cluster). We previously outlined these in this post.

Suggested fixes currently on the market

Looking at the Kubernetes security market, there are currently a few security solutions that attempt to address CVE-2020-8554. Most of these solutions fall into one or two of three categories:

  1. Detection (using Kubernetes audit logs)
  2. Prevention (using admission webhook controller)
  3. Runtime defense (inline defense)

A few of the solutions rely on preventing vulnerable deployments using an OPA gatekeeper integration; these solutions alert users when externalIP (possibly loadBalancerIP) is deployed in their cluster configurations. Most solutions, however, present a dual strategy with a focus on prevention and detection. They use an admission controller for Continue reading