Calico monthly roundup: December 2023
Welcome to the Calico monthly roundup: December edition! From open source news to live events, we have exciting updates to share—let’s get into it!
Tigera has achieved AWS Security Competency status!
Tigera has gained a new AWS Security Competency, which we’re proud to add to our already existing AWS Containers Software Competency. Read about the addition of our newest security competency. |
Find your Cluster Security Score
Calico Cloud is releasing new capabilities for security posture management called Security Scoring and Recommended Actions. Start measuring and tracking your security posture. |
Customer case study: Leader-bet
Calico provides container security and compliance for online gaming giant, Leader-bet. Read our case study to learn more. |
 Comparing NGFW container firewalls with Calico container firewall
Learn how to establish robust firewall policies with just code or a single click for advanced threat protection using behavior-based learning and IDS/IPS integrated with the firewall. |
Open source news
Calico v3.27 is out 
and there are a lot of new features, updates, and improvements that are packed into this release. Here is a breakdown of the most important changes:
- Significant performance improvements, especially for extremely large clusters
- Calico VPP Continue reading
Calico monthly roundup: November 2023
Welcome to the Calico monthly roundup: November edition! From open source news to live events, we have exciting updates to share—let’s get into it!
| Find your Cluster Security Score
Calico Cloud is releasing new capabilities for security posture management called Security Scoring and Recommended Actions. Start measuring and tracking your security posture. |
Customer case study: Boundless Software
Calico Cloud enabled SOC 2 compliance for Boundless Software while also drastically reducing onboarding times for the company’s customers. Read our case study to find out how. |
| Secure Kubernetes traffic with Calico Egress gateway
Discover how egress gateways enable users to assign meaningful network identity to selected traffic so that this information can be further used by traditional tools to enforce granular policies to traffic based on identity or bandwidth. |
Open source news
- NEW features
- Streamlined Operations with Windows HostProcess Container – Automated node pool scaling and upgrades, eliminating the need for manual node initialization to streamline operations and management of Windows container-based applications.
- Performance and Scalability with IPv6 Support for Calico eBPF Dataplane – IPv6 support for eBPF in Calico empowers enterprises to enhance the performance and scalability of their applications by alleviating Continue reading
Tigera has achieved AWS Security Competency status!
We’re happy to announce that Tigera recently achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes the security capabilities of Tigera’s Calico Cloud platform in helping customers secure their AWS workloads and achieve their cloud security goals.
To receive the designation, AWS Partners must possess deep AWS expertise and deliver solutions seamlessly on AWS. After evaluating Calico Cloud’s security capabilities, including vulnerability management, container- and network-based threat detection, observability and security policy lifecycle, AWS found it surpassed the competency requirements.
This is the second AWS competency Tigera has achieved and we’re proud to add this new competency to our existing AWS Containers Software Competency. Our team is dedicated to helping companies achieve their Kubernetes and container security goals by combining our technology with the range of powerful security tools AWS provides.
Read the full press release for more details or visit us on the AWS Marketplace.
The post Tigera has achieved AWS Security Competency status! appeared first on Tigera.
Recap: KubeCon + CloudNativeCon NA 2023
Thanks to everyone who joined us in Chicago this month at KubeCon + CloudNativeCon NA 2023. We had a chance to have many meaningful conversations about Kubernetes and container security, the latest in the open source ecosystem, and of course—Calico! Here are some highlights from the conference.
Calico at KubeCon
We had a ton of visitors at our booth this year and were happy to catch up with old friends as well as meet new ones. Tech problems for business needs, such as how to provide fixed IPs to workloads for communication outside of the Kubernetes cluster instead of architectural debates about the underlying dataplane, was a popular topic of discussion. Another was runtime security at the workload level (default-deny/zero trust). The issue of visibility into workload communication at scale overlaid with effective security policies also came up often. We were all too happy to show how Calico can help!
Cruise Party
Those who joined us for our private cruise party enjoyed a guided architecture tour of the spectacular Chicago lakefront. The evening went swimmingly and offered our guests a chance to unwind and network while enjoying great food and an open bar, against a backdrop of glittering skyscrapers.
2023 Continue reading
My First Web Page
<h2>My First Web Page</h2>
<p>My first paragraph.</p>
<p>Never call dudud document.write after the document has finished loading.
<div id="om-utia0gbpx93d4wvo9abp-holder"></div>.
It will overwrite the whole document.</p>
<script>
document.write(5 + 6);
</script>The post My First Web Page appeared first on Tigera.
Calico monthly roundup: October 2023
Welcome to the Calico monthly roundup: October edition! From open source news to live events, we have exciting updates to share—let’s get into it!
| Join us at KubeCon + CloudNativeCon North America 2023
We’re gearing up for KubeCon + CloudNativeCon 2023 in Chicago. Join us at booth #G13 for exciting Kubernetes security updates and pick up some cool new Calico swag! |
Customer case study: eHealth
Calico provides visibility and zero-trust security controls for eHealth on Amazon EKS. Read our new case study to find out how. |
|
Learn why a traditional firewall architecture doesn’t work for modern cloud-native applications and results in a huge resource drain in a production environment. |
The State of Calico Open Source: Usage & Adoption Report 2023 Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies. |
Open source news
- Read stories of Calico Open Source in action from our Calico Big Cats
- Share your Calico Open Source journey and win Continue reading
Calico monthly roundup: September 2023
Welcome to the Calico monthly roundup: September edition! From open source news to live events, we have exciting updates to share—let’s get into it!
|
Discover how you can automate security, ensure consistency, and tightly align security with development practices in a microservices environment. |
|
The State of Calico Open Source: Usage & Adoption Report 2023 Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies. |
Open source news
- Share your Calico Open Source journey and win a $25.00 gift card – Your journey with Calico Open Source matters to us! Share your experience and insight on how you solve problems and build your network security using Calico. Book a meeting to tell us about your journey and where you seek information. As a thank you, we’ll send you a $25.00 gift card!
- Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join Continue reading
Transforming Container Network Security with Calico Container Firewall
In today’s cloud-driven landscape, containerized workloads are at the heart of modern applications, driving agility, scalability, and innovation. However, as these workloads become increasingly distributed across multi-cluster, multi-cloud, and hybrid environments, the challenge of securing them grows exponentially. Traditional network security measures designed for static network boundaries are ill-suited for the dynamic nature of containerized applications.
The Challenge: Protecting Cloud-Native Workloads
The rapid migration to the cloud has resulted in an explosion of cloud workloads, ranging from traditional applications with minimal cloud adaptation to cloud-native applications exploiting the cloud’s elasticity and scalability.
Cloud-native applications, in particular, rely on microservices architectures, ephemeral and highly elastic containers, and CI/CD automation through platforms like Kubernetes. These applications embrace the cloud’s dynamic nature but introduce unique security challenges. Unlike traditional workloads, cloud-native applications lack fixed network boundaries and are highly distributed across hybrid and multi-cloud environments. They demand a new approach to network security.
The Need for a Container Firewall in DevOps Flows:
The essence of DevOps is speed and automation. Containers and orchestration platforms like Kubernetes enable rapid software development and deployment. However, this agility brings heightened security concerns.
Traditional firewalls, rooted in perimeter defenses, struggle to secure dynamic containerized environments effectively.
Fig Continue reading
What’s new in Calico Enterprise 3.18: Major workload-centric WAF updates and more
This release, we’re really excited about major improvements to Calico’s workload-centric WAF. We’ve made it much easier for users to configure and deploy the WAF in just a few clicks and we’ve also made it much easier to review and manage WAF alerts through our new Security Events feature.
Why do we need a new WAF for microservices?
Application security teams have deployed perimeter-based WAFs for decades to protect against common web attacks, with a focus on browser-based and client-side attacks. But with the rise of microservice architecture, there’s now a significant amount of HTTP traffic related to internal APIs. Moreover, with the growing use of open source and third-party software, all deployed within your Kubernetes cluster, you can no longer trust that the software running in your cluster is safe or secure. With this growing attack surface within your cloud environment, it’s critical to employ a workload-based WAF.
Calico’s workload-centric WAF
We know that security teams are struggling to keep up with the rapid pace of software development in their organizations, so we wanted to simplify the way that security teams secure application traffic. Further, we wanted to ensure that security teams can secure all workloads, not just their Continue reading
Calico monthly roundup: August 2023
Welcome to the Calico monthly roundup: August edition! From open source news to live events, we have exciting updates to share—let’s get into it!
|
*NEW* The State of Calico Open Source: Usage & Adoption Report 2023 Get insights into Calico’s adoption across container and Kubernetes environments, in terms of platforms, data planes, and policies. |
Customer case study: HanseMerkur Using Calico, HanseMerkur was able to reduce infrastructure overhead and achieve organizational compliance. Read our new case study to find out how. |
Open source news
- Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join us live on LinkedIn or YouTube.
- CNCF webinar – Watch the recording of our CNCF live webinar, where we talk about eBPF advantages and troubleshooting. Watch now.
- Calico for Microsoft Azure – Learn technical differences between different Azure networking options for Microsoft AKS environments and tradeoff analysis. Read blog post.
- Podcast – Listen to this joint podcast with Calico Big Cat, Parth Goswami, where they answer the Continue reading
New report: The state of Calico Open Source 2023
We are excited to announce the publication of our 2023 State of Calico Open Source, Usage & Adoption report! The report compiles survey results from more than 1,200 Calico Open Source users from around the world, who are actively using Calico in their container and Kubernetes environments. It sheds light on how they are using Calico across various environments, while also highlighting different aspects of Calico’s adoption in terms of platforms, data planes, and policies.
Report highlights
The report shows that Calico continues to be a pivotal part of the container and Kubernetes ecosystem, finding large-scale adoption across major Kubernetes platforms.
- Calico Open Source is mainly used for Kubernetes networking and security
- 63% are using Calico as a security policy engine on top of an existing CNI
- The top 3 Calico capabilities driving user adoption are its scalable networking, security policies and interoperability across different environments
- Calico users are using a combination of data planes including eBPF, standard Linux and Windows
- 16% of respondents use Calico’s newer eBPF data plane
- Calico policy creation and deployment is driven by the need for workload access control and secure egress access
- 85% of users need to achieve network segmentation and protect east-west traffic
Continue reading
Integrating Calico statistics with Prometheus
Metrics are important for a microservices application running on Kubernetes because they provide visibility into the health and performance of the application. This visibility can be used to troubleshoot problems, optimize the application, and ensure that it is meeting its SLAs.
Some of the challenges that metrics solve for microservices applications running on Kubernetes include:
- Visibility: Microservices applications are typically composed of many small, independent services. This can make it difficult to get a clear picture of the overall health and performance of the application. Metrics provide a way to aggregate data from all of the services, giving you a single view of the application.
- Troubleshooting: When something goes wrong with a microservices application, it can be difficult to identify the root cause of the problem. Metrics can help you to track down the problem by providing information about the state of the application at the time of the failure.
- Optimization: Metrics can be used to optimize the performance of a microservices application. By tracking metrics such as CPU usage, memory usage, and network traffic, you can identify areas where the application can be improved.
- SLAs: Many microservices applications have SLAs that they must meet. Metrics can be used to Continue reading
Calico monthly roundup: July 2023
Welcome to the Calico monthly roundup: July edition! From open source news to live events, we have exciting updates to share—let’s get into it!
Customer case study: Upwork Using Calico, Upwork was able to enforce zero-trust security for its newly migrated containerized applications on Amazon EKS. Read our new case study to find out how. |
Container security – Self-paced workshop This self-paced tutorial is designed to help you prevent, detect, and stop breaches in containers and Kubernetes. Learn how to secure all aspects of your containerized applications—all at your own pace! |
Open source news
- Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join us live on Linkedin or YouTube.
- CNCF webinar – Watch our CNCF on-demand webinar, Container and Kubernetes security policy design: 10 critical best practices, here.
- Calico eBPF and XDP – Learn how to implement eBPF security policies and XDP to achieve better performance in your Kubernetes cluster. Hands-on lab environment available here.
- Calico Wall of Continue reading
Automated namespace isolation with Calico
Calico has recently introduced a powerful new policy recommendation engine that enables DevOps, SREs, and Kubernetes operators to automatically generate Calico policies to implement namespace isolation and improve the security posture of their clusters.
This new recommendation engine is unique for three reasons:
- Calico’s policy recommendations work continuously in the background over a user-configurable time period. This ensures that less frequent traffic flows are also accounted for in recommended policies.
- Policy recommendations leverage Calico’s policy tiers. Tiers enforce an order of precedence on how Calico policies are evaluated and enforced. The recommended policies are placed in their own tier and Calico ensures each generated rule does not conflict with other policies you have implemented.
- Recommended policies are
StagedNetworkPolicies, allowing admins and operators to audit the behavior of these security policies before actively enforcing them.
In this blog, we’ll dive into each of these areas in more detail and provide an in-depth overview of how policy recommendations work and how it can improve the security posture of your cluster.
Before we get started, let’s quickly talk about namespace isolation and why it’s so important.
Why is namespace isolation important?
Namespaces are a foundational concept within Kubernetes. They help divide your Continue reading
Using Web Application Firewall at container-level for network-based threats
The microservices architecture provides developers and DevOps engineers significant agility that helps them move at the pace of the business. Breaking monolithic applications into smaller components accelerates development, streamlines scaling, and improves fault isolation. However, it also introduces certain security complexities since microservices frequently engage in inter-service communications, primarily through HTTP-based APIs, thus broadening the application’s attack surface. This scenario is similar to breaking a chunk of ice into smaller pieces, increasing its surface area. It is crucial that enterprises address these security challenges before benefiting from adopting a microservice architecture.
Challenges implementing defense-in-depth for containers with perimeter-based Web Application Firewall
Kubernetes is the de-facto standard for microservices orchestration. However, as organizations increasingly adopt Kubernetes, they run the risk of inadvertently introducing security gaps. This is often the result of attempts to integrate traditional security tooling into a cloud-native ecosystem that is highly dynamic, ephemeral, and non-deterministic. Instead of implementing security around the platform, DevOps, security, and platform teams must look at enforcing defenses through the platform.
Let’s look at an example of a web application firewall (WAF) which is typically deployed at the ingress of a network or application. As shown in the diagram below, HTTP traffic is Continue reading
Exploring AKS networking options
At Kubecon 2023 in Amsterdam, Azure made several exciting announcements and introduced a range of updates and new options to Azure-CNI (Azure Container Networking Interface). These changes will help Azure Kubernetes Services (AKS) users to solve some of the pain points that they used to face in previous iterations of Azure-CNI such as IP exhaustion and big cluster deployments with custom IP address management (IPAM). On top of that, with this announcement Microsoft officially added an additional dataplane to the Azure platform.
The big picture
Worker nodes in an AKS (Azure Kubernetes Service) cluster are Azure VMs pre-configured with a version of Kubernetes that has been tested and certified by Azure. These clusters communicate with other Azure resources and external sources (including the internet) via the Azure virtual network (VNet).
Now, let’s delve into the role of the dataplane within this context. The dataplane operations take place within each Kubernetes node. It is responsible for handling the communication between your workloads, and cluster resources. By default, an AKS cluster is configured to utilize the Azure dataplane, which Continue reading
Cybernews Expert Interview with Tigera President and CEO, Ratan Tipirneni
The challenges companies face regarding private and professional data protection are more important today than ever. In the modern enterprise, cloud computing and the use of cloud-native architectures enable unmatched performance, flexibility, velocity, and innovation. However, as digitalization pushes applications and services to the cloud, cyber criminals’ intrusion techniques have become increasingly sophisticated. To stay current with advancing technologies, doubling or tripling security measures is a must.
To understand the critical need for advanced cybersecurity measures, we turned to an expert in the industry, Ratan Tipirneni, President and CEO of Tigera – a company providing active, zero-trust-based security for cloud-native applications running on containers and Kubernetes.
Q: How did the idea of Tigera originate? What has your journey been like so far?
It was over six years ago that Tigera created Project Calico, an open-source container networking and security project.
As containers and Kubernetes adoption grew and organizations started using Kubernetes at scale, Tigera recognized the industry’s need for more advanced security and observability. Tigera has since grown from the Project Calico open-source project to a container security innovator that now supports many Fortune 100 companies across the globe.
Tigera’s continued success comes from listening to customers’ needs, understanding Continue reading
Preventing Vulnerable Container Deployments with Admission Control
In a previous blog post, Hands-on guide: How to scan and block container images to mitigate SBOM attacks, we looked at how Software Supply Chain threats can be identified and assessed. The severity of these vulnerabilities determine the posture or scan result for an image i.e. Pass, Warning or Fail. The next question is “What can we do with these results?”. To improve the security posture to reduce attacks on your workload we must ensure that workloads have the fewest possible vulnerabilities and layer on configuration security with KSPM, egress controls, and microsegmentation.
In this post we will cover how the scan results can be leveraged to add an additional layer of protection during Deploy Time in application deployment lifecycles.
It’s worth noting that Calico’s Image Scanner is an offline binary which can be run locally. This means the Image Scanner can be baked into any existing Continuous Integration/Continuous Delivery(CI/CD) pipeline. For example, after an image has been built the image can be scanned by the Image Scanner in an Execution Environment. Here checks can be configured to prevent the image from being pushed to a registry should vulnerabilities be detected. This is effectively how image scanning Continue reading
Optimizing Network Performance using Topology Aware Routing with Calico eBPF and Standard Linux dataplane
In this blog post, we will explore the concept of Kubernetes topology aware routing and how it can enhance network performance for workloads running in Amazon. We will delve into topology aware routing and discuss its benefits in terms of reducing latency and optimizing network traffic flow. In addition, we’ll show you how to minimize the performance impact of overlay networking, using encapsulation only when necessary for communication across availability zones. By doing so, we can enhance network performance by optimizing the utilization of resources based on network topology.
Understanding Topology Aware Routing
Kubernetes clusters are being deployed more often in multi-zone environments. The nodes that make up the cluster are spread across availability zones. If one availability zone is having problems, the nodes in the other availability zones will keep working, and your cluster will continue to provide service for your customers. While this helps to ensure high availability, it also results in increased latency for inter-zone workload communication and can result in inter-zone data transfer costs.
Under normal circumstances, when traffic is directed to a Kubernetes Service, it evenly distributes requests among the pods that support it. Those pods can be spread across nodes in different zones. Topology Continue reading
Implementing workload-centric Web Application Firewall (WAF) using Calico
Microservices security is a growing concern for businesses in the face of increasing cyber threats. With application layer attacks being a leading cause of breaches, it’s more important than ever to safeguard the HTTP-based communication between microservices within a Kubernetes cluster. Traditional web application firewalls (WAFs) are not designed to address this specific challenge, but Calico WAF offers a unique solution.
What is a workload-centric WAF?
Calico WAF, a workload-centric web application firewall, brings a fresh, cloud-native approach to securing microservices communication. Unlike traditional WAFs deployed at the edge of a Kubernetes cluster, Calico WAF focuses on protecting the intra-cluster traffic and applies zero-trust rules specifically designed for microservices within your cluster.
This innovative solution defends against common HTTP-layer attacks, such as server-side request forgery (SSRF), improper HTTP header type, occurring within the cluster. It seamlessly integrates with Calico Cloud network policies, enabling the enforcement of security controls at the host level for selected pods.
Calico WAF ensures the secure communication between microservices within your Kubernetes cluster, reducing the risk of vulnerabilities and threats. By adopting Calico WAF, businesses can confidently fortify the HTTP-based communication channels within their microservices architecture. This comprehensive approach enhances the overall security posture of Continue reading