Archive

Category Archives for "Tigera.io"

Calico’s 3.26.0 update unlocks high density vertical scaling in Kubernetes

Kubernetes is a highly popular and widely used container orchestration platform designed to deploy and manage containerized applications at a scale, with strong horizontal scaling capabilities that can support up to 5,000 nodes; the only limit in adding nodes to your cluster is your budget. However, its vertical scaling is restricted by its default configurations, with a cap of 110 pods per node. To maximize the use of hardware resources and minimize the need for costly horizontal scaling, users can adjust the kubelet maximum pod configuration to increase this limit allowing more pods to run concurrently on a single node.

To avoid network performance issues and achieve efficient horizontal scaling in a Kubernetes cluster that is tasked to run a large number of pods, high-speed links and switches are essential. A reliable and flexible Software Defined Networking (SDN) solution, such as Calico, is also important for managing network traffic efficiently. Calico has been tested and proven by numerous companies for horizontal scaling, but in this post, we will discuss recent improvements made to help vertical scaling of containerized applications to just work.

For example, the following chart illustrates the efficiency achieved with the improvements of vertical scaling in Calico 3. Continue reading

Tigera Named Winner of the Esteemed Global InfoSec Awards during RSA Conference 2023

The annual Global InfoSec Awards from Cyber Defense Magazine (CDM) have been announced, and we are excited to unveil that Tigera has won the ‘Hot Company: Container Security’ category! This award recognizes the value of the work Tigera does as a security company, and we wouldn’t be where we are without the support of our teams, customers, and community.

“We are honored to be recognized as one of the best in container security by Cyber Defense Magazine. As this is one of the most esteemed awards in cybersecurity, we are so grateful to have been selected amongst a pool of qualified applicants and are eager to continue to innovate and provide better container security for organizations,” said Amit Gupta, Chief Product Officer, Tigera.

Tigera’s transformative approach to container security helps prevent, detect, and mitigate threats in containers and Kubernetes environments across build, deploy and runtime stages. Calico Cloud provides a unique solution that gives users a single container security solution to improve security posture, reduce the attack surface with fine-grained security controls, and provide threat defense from network and host based threats.

Cyber Defense Magazine is the Continue reading

Leveraging security policy recommender to tighten your cluster’s security posture

We’ve noticed that many of our customers are currently undergoing a significant transformation in their application architecture, transitioning from legacy vertical applications to distributed microservices running on Kubernetes. This shift brings along a range of benefits, such as improved scalability, resilience, and agility. However, it also creates a larger attack surface that needs to be managed effectively.

To minimize the attack surface, it is crucial to have a clear understanding of how each microservice communicates microservices within, and outside, the cluster to implement robust network configuration and security policies. This can be challenging, especially when dealing with re-architected applications that can consist of hundreds of microservices.

To make the life of the security and DevOps teams easier, there are a few things that can be done. Firstly, providing them with access to detailed information on how microservices communicate within and outside the cluster. Secondly, having automated policy recommendations to improve their configuration and security. Finally, providing visibility and audit reports to help identify vulnerabilities in the system and prevent potential breaches.

In this blog, we will discuss how to leverage the security policy recommender to rapidly create security policies to minimize the attack surface and improve the security posture.

Gathering Continue reading

Hands-on guide: How to scan and block container images to mitigate SBOM attacks

According to OpenLogic’s Open Source Adoption and Expansion in 2022 Report, the adoption of Open Source Software (OSS) across all sizes of organizations is rising with 40% of respondents stating an increase of OSS software over the previous year and 36% reporting a significant increase in OSS software usage. The increase in OSS adoption can be attributed to a number of factors including access to the latest innovations, reduction in costs and frequent product updates. However, leveraging community contribution introduces the potential for malicious code to be attached. For example, a series of 2022 case studies conducted by the Package Analysis project, part of the Open Source Security Foundation (OpenSSF), details a number of malicious packages from widely used repositories such as PyPi and NPM. Therefore, it is essential to determine the vulnerabilities in any container image before its deployment into the environment. Calico Cloud’s Image Assurance capabilities enables Vulnerability Assessment for any image. We often hear this referred to as Image Scanning.

Looking for vulnerabilities in images

In order to assess the posture of container images the components that make up an image must be broken down. We refer to this inventory as the Software Bill of Materials Continue reading

White paper: Addressing the MITRE ATT&CK framework for containers using Calico

Be it chess, poker, or everyday driving, you must predict your opponent’s (or other drivers’) movement to win (or keep yourself safe!). Container security is the same, and many organizations look to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to understand an attacker’s mindset and how to prevent attacks. The MITRE ATT&CK framework released a matrix for containers, giving organizations that use Kubernetes and containers a chance to analyze an attacker’s M.O. and assess the organization’s attack vectors.

To help organizations stay ahead of attackers, Tigera recently released a white paper based on the MITRE ATT&CK containers matrix. Drawing from Tigera’s experience as a cybersecurity provider, the white paper offers an in-depth analysis of the containers matrix. It also details how Tigera’s active security platform, Calico Cloud, a fully-managed SaaS, and its self-managed counterpart, Calico Enterprise, can detect and mitigate every tactic outlined in the matrix.

White paper highlights

Tigera’s white paper dives deep into the MITRE framework for containers to help organizations understand the risks they face and how they can mitigate these vulnerabilities using Calico. Here’s what you will learn from the white paper and the questions it’ll answer:

What is SOC 2 and how do you achieve SOC 2 compliance for containers and Kubernetes?

SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 is based on five overarching Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. Specifically, the security criteria are broken down into nine sections called common criteria (CC):

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

How does SOC 2 compliance apply to containers and Kubernetes?

Running Kubernetes clusters often presents challenges for CC6 (logical and physical access), CC7 (systems operations), and CC8 (change management) when trying to comply with SOC 2 standards.

In this technical blog, we will dive into how Calico can help you achieve full compliance in achieving all the requirements of CC6. To understand how to achieve compliance with CC7 and CC8, you can review our SOC 2 white paper.

Control # Compliance requirements Calico controls
CC 6.1, 6.6, 6.7, 6.8

 

 Implement logical access security measures to authorized systems only, implement controls to prevent or detect and act upon Continue reading

Project Calico wants to hear from you! The 2023 Calico Open Source Adoption Survey

Project Calico is made possible thanks to you—thank you for your ongoing support of Project Calico, and for being an essential part of our growing open-source community. To improve Calico, we want to hear from you.

That’s why we’ve created the 2023 Calico Open Source Adoption Survey, a 16-question survey designed specifically to help us gather your feedback and insights.

Why take this survey?

Not only will this be a chance to share extensive feedback,  your input will actually help us prioritize future development efforts and ensure that we are addressing the most pressing needs of the community. We want to make sure that Project Calico continues to be the best possible solution for networking and security in Kubernetes and container environments.

We know that your time is valuable, but we believe that your feedback is essential to our success. We hope that you will take a few moments to complete the survey and share your thoughts with us.

Thank you again for your continued support, and we look forward to hearing from you soon.

Take the survey

The post Project Calico wants to hear from you! The 2023 Calico Open Source Adoption Survey appeared first on Tigera.

Introducing Calico Runtime Threat Defense—The most extensive security coverage for containers and Kubernetes

Containerized applications are complex, which is why an effective container security strategy is difficult to design and execute. As digitalization continues to push applications and services to the cloud, bad actors’ attack techniques have also become more sophisticated, which further challenges container security solutions available on the market.

Despite the discussion around agent vs agentless in the cloud security landscape and which type of solution is better, the most valuable solution is one that provides a wide breadth of coverage. Calico is unique as it is already installed as part of the underlying platform and provides the dataplane for a Kubernetes cluster. When Calico Cloud or Calico Enterprise is deployed, security and observability capabilities can be enabled on top of these core components. We provide a simple plug-and-play active security solution that focuses on securing workloads and the Kubernetes platform with the least amount of complexity and configuration.

Runtime attack vectors

Cloud-native applications are susceptible to many attack vectors. We have broken them down to eight, as seen in the following illustration:

Fig 1: Cloud-native attack vectors

In previous blogs, we have explained how the use of vulnerability management, zero-trust workload security, and microsegmentation can help reduce the Continue reading

Introducing Calico Runtime Threat Defense—The most extensive security coverage for containers and Kubernetes

Containerized applications are complex, which is why an effective container security strategy is difficult to design and execute. As digitalization continues to push applications and services to the cloud, bad actors’ attack techniques have also become more sophisticated, which further challenges container security solutions available on the market.

Despite the discussion around agent vs agentless in the cloud security landscape and which type of solution is better, the most valuable solution is one that provides a wide breadth of coverage. Calico is unique as it is already installed as part of the underlying platform and provides the dataplane for a Kubernetes cluster. When Calico Cloud or Calico Enterprise is deployed, security and observability capabilities can be enabled on top of these core components. We provide a simple plug-and-play active security solution that focuses on securing workloads and the Kubernetes platform with the least amount of complexity and configuration.

Runtime attack vectors

Cloud-native applications are susceptible to many attack vectors. We have broken them down to eight, as seen in the following illustration:

Fig 1: Cloud-native attack vectors

In previous blogs, we have explained how the use of vulnerability management, zero-trust workload security, and microsegmentation can help reduce the Continue reading

4 ways to leverage existing kernel security features to set up process monitoring

The large attack surface of Kubernetes’ default pod provisioning is susceptible to critical security vulnerabilities, some of which include malicious exploits and container breakouts. I believe one of the most effective workload runtime security measures to prevent such exploits is layer-by-layer process monitoring within the container.

It may sound like a daunting task that requires additional resources, but in reality, it is actually quite the opposite. In this article, I will walk you through how to use existing Linux kernel security features to implement layer-by-layer process monitoring and prevent threats.

Threat prevention and process monitoring

Containerized workloads in Kubernetes are composed of numerous layers. An effective runtime security strategy takes each layer into consideration and monitors the process within each container, also known as process monitoring.

Threat detection in process monitoring involves integrating mechanisms that isolate workloads or control access. With these controls in place, you can effectively prevent malicious behavior, reduce your workload’s attack surface, and limit the blast radius of security incidents. Fortunately, we can use existing Kubernetes mechanisms and leverage Linux defenses to achieve this.

Kernel security features

By pulling Linux defenses closer to the container, we can leverage existing Kubernetes mechanisms to monitor processes and reduce Continue reading

Meet Calico at KubeCon EU 2023!

KubeCon EU 2023 is happening from April 18-21 in Amsterdam. We are very excited to announce that Project Calico will be attending, so come meet us at booth #S28—we’ll be there from 10:30 am onwards!

Chat and learn

At the event, you’ll have an opportunity to meet our Project Calico team, collect cool Calico swags, and ask questions in person. Whether you’re an expert Kubernetes user or just getting started, the Project Calico community is here to provide guidance on best practices and help you get the most out of Calico. Here are some of the things you can learn at our booth:

  • Simplified networking: Calico provides a simple, easy-to-use networking solution for Kubernetes. With Calico, you can easily set up and manage your network infrastructure without worrying about complex configurations or difficult networking concepts.
  • Enhanced security: Security is a top priority for any Kubernetes and container environment, and Calico provides the tools you need to keep your applications safe. With Calico, you can enforce network policies, protect against DDoS attacks, and more.
  • Scalability: Whether you’re running a small Kubernetes cluster or a large-scale deployment, Calico can scale to meet your needs.
  • Open-source community: Built on open-source technologies, Project Calico Continue reading

WAF is woefully insufficient in today’s container-based applications: Here’s why

According to the Cloud Security Alliance, the average large enterprise has 946 custom applications deployed. Traditionally, organizations deployed Web Application Firewalls (WAF), which provide visibility and enforce security controls on external traffic that passes through them, at the perimeter to protect these applications against external attacks.

However, WAF-secured container-based applications have a high likelihood of being breached, as the concept of a perimeter does not exist in these architectures. A new approach is needed to address both external threats and threats from lateral movement inside the cluster. In a world where successful exploits may be inevitable, relying on a perimeter WAF for application security leaves your entire environment vulnerable unless adequate security tools and policies are implemented at the workload level.

WAF’s weak security

Security techniques for traditional container-based application architectures are analogous to medieval castles, where everything important to running an application is consolidated within castle walls. In this analogy, WAF played the role of the wall and gate, only letting in friendly traffic.

WAF provides additional capabilities in these traditional architectures. It actively parses through valid requests and threats and provides alerts when it receives suspicious log requests. These alerts keep the security team apprised of threats Continue reading

Kubernetes secrets management: 3 approaches and 9 best practices

Secrets, such as usernames, passwords, API tokens, and TLS certificates, contain confidential data that can be used to authenticate and authorize users, groups, or entities. As the name implies, secrets are not meant to be known or seen by others. So how do we keep them safe?

The key to keeping secrets safe lies within how you manage them. Where to store secrets, how to retrieve them, and how to make them available in an application as needed are all early design choices a developer must make when migrating an application or microservice to Kubernetes. Part of this design choice is to ensure the secrets can become available without compromising the application’s security posture.

In this article, I will provide approaches and recommended best practices for managing secrets in Kubernetes.

How to approach secrets management in Kubernetes

Let’s start with some approaches. Below are three approaches I recommend for Kubernetes secrets management.

etcd

etcd is a supported datastore in Kubernetes, and a lot of developers opt to store secrets in a Base64-encoded format in etcd as a key-value pair. Secrets stored in etcd can be made available from within Kubernetes deployment specs as an environment variable, which is stored in Continue reading

What’s new in Calico Enterprise 3.16: Egress gateway on AKS, Service Graph optimizations, and more!

We are excited to announce the early preview of Calico Enterprise 3.16. This latest release extends the active security platform’s support for egress access controls, improves the usability of network-based threat defense features, and scales visualization of Kubernetes workloads to 100s of namespaces. Let’s go through some of the highlights of this release.

Egress gateways for Microsoft Azure and AKS

Egress gateways allow you to identify the source of traffic at the namespace or pod level when it leaves a Kubernetes cluster to communicate to external resources. This makes it highly beneficial for security teams to apply access controls to specific traffic instead of opening up a larger set of IP addresses. Calico Enterprise 3.16 has added egress gateway support for Microsoft Azure and AKS in addition to our support for AWS and EKS. Check out our documentation, Configure egress gateways, Azure, to learn more.

Operator-managed deployments of egress gateways

Calico Enterprise now includes operator-managed deployments of egress gateways. This reduces operational overhead and eliminates additional steps required during software upgrades. With the Tigera Operator, egress gateways will always be automatically upgraded.

UI for workload-based web application firewalls (WAF)

Calico Enterprise’s unique workload-centric web application Continue reading

Navigating the security challenges of multi-tenancy in a cloud environment

Multi-tenancy can maximize the number of resources that are utilized in a cluster by sharing these resources between different groups, teams, or customers. However, boundaries must be placed to avoid problems associated with resource-sharing. On top of that, in a multi-tenant cluster, the number of security policies might gradually grow to the point where a slight misconfiguration could cause major security problems, performance issues, and service disruptions.

In this blog post, we will focus on multi-tenancy issues such as bandwidth shortage, security policy scaling, privacy impacts, and suggest a few solutions that you can deploy to solve them in your environment. We will also look at how an eBPF-based security design can offer better performance and help you navigate the complex multi-tenant environment with ease.

What is multi-tenancy?

Technologies such as virtualization, containerization, or any other technologies that allow a range of different workloads to share the underlying hardware resources, all have a common goal—allocate resources as efficiently as possible and make the most of the available hardware. However, it is common for workloads that are running in such an environment to not fully utilize all the potential power that the hardware can offer, and in many cases, leave a Continue reading

Process monitoring: How you can detect malicious behavior in your containers

The default pod provisioning mechanism in Kubernetes has a substantial attack surface, making it susceptible to malevolent exploits and container breakouts. To achieve effective runtime security, your containerized workloads in Kubernetes require multi-layer process monitoring within the container.

In this article, I will introduce you to process monitoring and guide you through a Kubernetes-native approach that will help you enforce runtime security controls and detect unauthorized access of host resources.

What is process monitoring?

When you run a containerized workload in Kubernetes, several layers should be taken into account when you begin monitoring the process within a container. This includes container process logs and artifacts, Kubernetes and cloud infrastructure artifacts, filesystem access, network connections, system calls required, and kernel permissions (specialized workloads). Your security posture depends on how effectively your solutions can correlate disparate log sources and metadata from these various layers. Without effective workload runtime security in place, your Kubernetes workloads, which have a large attack surface, can easily be exploited by adversaries and face container breakouts.

Traditional monitoring systems

Before I dive into the details on how to monitor your processes and detect malicious activities within your container platform, let us first take a look at some of Continue reading

The MITRE ATT&CK framework explained: Discerning a threat actor’s mindset

This is part 2 of the blog series on the MITRE ATT&CK framework for container security, where I explain and discuss the MITRE ATT&CK framework. For those who are not familiar with what the MITRE framework is, I encourage you to read part 1.

In my previous blog post, I explained the first four stages of the MITRE ATT&CK framework and the tactics used by adversaries to gain a foothold in the network or the environment within a containerized application. What happens next?

Imagine a military battalion trying to invade its enemy’s territory. What would a soldier do once they’ve infiltrated the opposition? They would take cover and wait for the right opportunity to attack. Similarly, in cyber crime, an attacker will take time to make sure they evade any type of defense that has been put in place. This is the fifth stage in the MITRE ATT&CK framework. In this article, I will explore this fifth stage, along with stages six through nine, and look at how Calico can help mitigate the attack techniques used in these stages.

Fig 1: MITRE ATT&CK framework for containers. Source: Mitre Corporation

Delivery and exploitation tactics

Defense evasion

Many security solutions offer Continue reading

High throughput Kubernetes cluster networking with the Calico/VPP dataplane and accelerated memif

 

This blog post was written in collaboration with:

Aloys Augustin, Nathan Skrzypczak, Hedi Bouattour, Onong Tayeng, and Jerome Tollet at Cisco. Aloys and Nathan are part of a team of external contributors to Calico Open Source that has been working on an integration between Calico Open Source and the FD.io VPP dataplane technology for the last couple of years.

Mrittika Ganguli, principal engineer and architect at Intel’s Network and Edge (NEX). Ganguli leads a team with Qian Q Xu, Ping Yu, and Xiaobing Qian to enhance the performance of Calico and VPP through software and hardware acceleration.

 

This blog will cover what the Calico/VPP dataplane is and demonstrate the performance and flexibility advantages of using the VPP dataplane through a benchmarking setup. By the end of this blog post, you will have a clear understanding of how Calico/VPP dataplane, with the help of DPDK and accelerated memif interfaces, can provide high throughput and low-latency Kubernetes cluster networking for your environment. Additionally, you will learn how these technologies can be used to reduce CPU utilization by transferring packets directly in memory between different hosts, making it an efficient solution for building distributed network functions with lightning-fast speeds.

What’s Continue reading

Kubernetes network monitoring: What is it, and why do you need it?

In this article, we will dive into Kubernetes network monitoring and metrics, examining these concepts in detail and exploring how metrics in an application can be transformed into tangible, human-readable reports. The article will also include a step-by-step tutorial on how to enable Calico’s integration with Prometheus, a free and open-source CNCF project created for monitoring the cloud. By the end of the article, you will be able to create customized reports and graphical dashboards from the metrics that Calico publishes to get better insight into the inner workings of your cluster and its various components. In addition, you will have the fundamental knowledge of how these pieces can fit together to establish Kubernetes network monitoring for any environment.

Background

The benefits offered by cloud computing and infrastructure as code, including scalability, easy distribution, and quick and flexible deployment, have caused cloud service adoption to skyrocket. But this rapid adoption requires checks and balances to ensure that cloud services are secure and running in their desired state. Furthermore, any security events and problems should be logged and reported for future examination.

Read our guide on Kubernetes logging: Approaches and best practices

In the past, traditional monitoring solutions such as Nagios Continue reading

Calico Open Source 2022 highlights

2022 has been a year full of new releases, new events, and new projects for Open Source Calico. Let’s take a look at Project Calico’s 2022 highlights and see if you’ve missed any exciting news.

New version releases

Project Calico is maintained by Tigera’s engineering team who are dedicated to adding new features, fixing bugs, and improving the user experience. Based on the feedback and support our team has received from the community, they have successfully released three new versions of Calico in the past year: v3.22, v3.23, and v3.24.

V3.22 (January 28th 2022)

  • Project Calico is now only a single directory, making it easier for contributors to add their changes
  • Ability to convert Kubernetes NetworkPolicy objects into Calico NetworkPolicies

V3.23 (May 9th 2022)

  • Added IPv6 VXLAN support
  • Added VPP dataplane beta
  • Added Calico networking support in AKS
  • BGP enhancements
  • Added container storage interface (CSI) support
  • Added Windows HostProcess containers support (tech preview)

V3.24 (August 18th 2022)

  • Added IPv6 WireGuard support
  • Added IPAM API enhancements
  • More operator installation configuration options
  • Added ability to split IP pools
  • Transitioned from pod security policies to pod security standards

Calico education and training

The newest addition to our Continue reading

1 3 4 5 6 7 14