Vulnerability management: 3 best practices and tips for image building and scanning
As enterprises adopt containers, microservices, and Kubernetes for cloud-native applications, vulnerability management is crucial to improve the security posture of containerized workloads throughout build, deploy, and runtime. Securing your build artifacts and deployment pipeline, especially when it comes to images, is extremely important. By following best practices for image building and scanning throughout the application development and deployment process, you can help ensure the security of the containers and workloads in your environment.
Let’s look at some of the nuances of choosing a base image, hardening your container image, and container image scanning, including tips on choosing an appropriate scanning solution and tackling privacy concerns.
Choose an appropriate base image
It’s important to choose a base image that reduces the attack surface of your container. I recommend using a distroless or scratch image because they contain only the application and its runtime dependencies. Both types of images improve your security posture by reducing the attack surface and exposure to vulnerabilities.
If for some reason you can’t use a distroless or scratch image, choose a minimal distro. Modern immutable Linux distributions, such as Bottlerocket and Flatcar Container Linux, can be used as base images for containers, as can minimal versions Continue reading
What’s new in Calico Cloud: General availability of new container security features
Summer is almost over but we are bringing the heat back with the official release of Tigera’s new container security features. With this official launch, Calico leads the industry by offering a complete line of solutions across every stage of a cloud-native application CI/CD pipeline. From a new and improved approach to scanning container images for vulnerabilities to strengthening runtime security with improved performance, we’ve significantly improved and enhanced our Image Assurance and Runtime Threat Defense features for this exciting new phase of our Calico Cloud offering. Let’s take a look at the new container security features of this release.
Vulnerability management through Image Assurance
Scanning container images for vulnerabilities is a critical first step in stopping malicious software from being deployed. As business demands grow, development teams are pushed to churn out updates and new features faster. As a result, DevOps teams require assistance to help them quickly identify vulnerabilities in the registries where the container images are pulled from. Calico Cloud is now offering a CLI-based scanner for on-demand scanning, where customers can locally scan for vulnerabilities in their build stage. A lightweight downloadable binary is all it takes to perform these scans and integrate the process into Continue reading
Implementing zero-trust workload security on Amazon EKS with Calico
Whether you’re migrating to the cloud via lift-and-shift deployments, or re-architecting to a cloud-native architecture, the migration itself and adopting a microservices architecture is no easy feat. To accelerate their cloud-native journey, many organizations opt for a managed Kubernetes service, as the skill and resources required to run a container orchestration system at scale are demanding.
Fully integrated with core Amazon Web Services (AWS) technologies, easy-to-use, and most importantly, scalable, Amazon Elastic Kubernetes Service (EKS) is one of the most popular managed Kubernetes services for organizations running containerized applications in cloud.
The next immediate challenge after migrating to the cloud is security and compliance. As an AWS Competency Partner, Tigera’s suite of solutions, including Calico Cloud, Calico Enterprise, and Calico Open Source, are built to solve these challenges. These solutions are created with EKS security in mind, enabling users to implement zero-trust workload access controls along with microsegmentation to apply workload isolation during runtime.
In a new joint blog post with the AWS Partner Network, AWS Solutions Architect, Andrew Park, and Tigera’s Director of Solution and Partner Marketing, Dhiraj Sehgal, guides users through the journey of implementing zero-trust workload access controls and identity-aware microsegmentation for multi-tenant workloads in Continue reading
Rethinking security roles and organizational structure for the cloud
As more and more applications and application development move to the cloud, traditional security roles and organizational structures are being shaken up. Why is that and what are the benefits of a cloud-first approach for business?
Traditional vs. cloud model
Application development in the traditional model, especially in larger companies, can be thought of as a linear process—similar to a baton being passed between teammates (e.g. the application team hands off the baton to the security team). In this model, each team has their own area of expertise, such as networking, infrastructure, or security, and the application development process is self-contained within each team.
The downside to this model is that responsibilities are siloed, and interactions and hand-offs between teams create friction. For example, if one team needs something from another, they need to submit a ticket and deal with wait time. In the traditional model, it’s not unusual for the application development and deployment process to last weeks or months, and then there are bug fixes and new release rollouts to contend with.
A cloud model, on the other hand, offers several benefits, including automation, abstraction, and simplicity. The high degree of automation in cloud-native infrastructure in general Continue reading
Community Spotlight series: Calico Open Source user insights from Sr. Software Developer, Burak Tahtacıoğlu
In this issue of the Calico Community Spotlight series, I’ve asked Burak Tahtacioglu from ParkLab Technology to share his experience with Kubernetes and Calico Open Source. Let’s take a look at how Burak started his Kubernetes journey, and the insights he gained from Calico Open Source.
Q: Please tell us a little bit about yourself, including where you currently work and what you do there.
I am a Sr. Software Developer in our Developer Experience team. I’m in charge of a team that maintains the core infrastructure, which includes the Kubernetes clusters we run. We also have the base CNI of the clusters. I am mainly responsible for Kubernetes processes, Istio service mesh, and Apache APISIX API Gateway processes of scaled applications.
Q: What orchestrator(s) have you been using?
Kubernetes.
Q: What cloud infrastructure(s) has been a part of your projects?
Amazon EKS and RKE.
Q: There are many people who are just getting started with Kubernetes and might have a lot of questions. Could you please talk a little bit about your own journey?
I first used container (LXC) processes in my development environment and applied them to the applications I was consulting. Then I started my Continue reading
Troubleshooting microservices: Challenges and best practices
When people hear ‘microservices’ they often think about Kubernetes, which is a declarative container orchestrator. Because of its declarative nature, Kubernetes treats microservices as entities, which presents some challenges when it comes to troubleshooting. Let’s take a look at why troubleshooting microservices in a Kubernetes environment can be challenging, and some best practices for getting it right.
Why is troubleshooting microservices challenging?
To understand why troubleshooting microservices can be challenging, let’s look at an example. If you have an application in Kubernetes, you can deploy it as a pod and leverage Kubernetes to scale it. The entity is a pod that you can monitor. With microservices, you shouldn’t monitor pods; instead, you should monitor services. So you can have a monolithic workload (a single container deployed as a pod) and monitor it, but if you have a service made up of several different pods, you need to understand the interactions between those pods to understand how the service is behaving. If you don’t do that, what you think is an event might not really be an event (i.e. might not be material to the functioning of the service).
When it comes to monitoring microservices, you need to monitor at Continue reading
Quick and easy vulnerability management with Calico Cloud
As more enterprises adopt containers, microservices, and Kubernetes for their cloud-native applications, they need to be aware of the vulnerabilities in container images during build and runtime that can be exploited. In this blog, I will demonstrate how you can implement vulnerability management in CI/CD pipelines, perform image assurance during build time, and enforce runtime threat defense to protect your workloads from security threats.
Image scanning and automatic blocking of high-risk images
The majority of images in CI/CD pipelines have vulnerabilities, misconfigurations, or both. An active cloud-native application protection platform (CNAPP) should scan, identify, and list vulnerabilities in container images based on databases such as NIST and NVD. The active CNAPP should then help teams build security policies to determine which images should be deployed or blocked based on several factors such as severity, last scan timestamp, and organizational exceptions. Given the sheer amount of vulnerabilities that appear daily, users will be easily overwhelmed if they have to address all existing vulnerabilities. Security teams will have to build a deploy/block criteria to prioritize vulnerabilities that they will address first—a workflow that is easy to start but difficult to manage and operate long-term. Hence, security teams should look for a security Continue reading
What is eBPF and what are its use cases
With the recent advancements in service delivery through containers, Linux has gained a lot of popularity in cloud computing by enabling digital businesses to expand easily regardless of their size or budget. These advancements have also brought a new wave of attack, which is challenging to address with the same tools we have been using for non cloud-native environments. eBPF offers a new way to interact with the Linux kernel, allowing us to reexamine the possibilities that once were difficult to achieve.
In this post, I will go through a brief history of the steps that eBPF had to take to become the Swiss army knife inside the Linux kernel and point out how it can be used to achieve security in a cloud-native environment. I will also share my understanding of what happens inside the kernel that prevents BPF programs from wreaking havoc on your operating system.
BPF history
In the early days of computing, Unix was a popular solution for capturing network traffic, and using CMU/Stanford packet filter (CSPF) to capture packets using 64KB PDP-11 was gaining popularity by the second. Without a doubt, this was a pioneering work and a leap forward for its time but like Continue reading
Getting started with container security
A couple of days ago, I was checking my Twitter feed and saw a tweet from someone saying how frustrated he was that DockerHub (a renowned container registry) was down. Someone else replied to the tweet, recommending the tweet’s author to check out Google’s repository, where they have DockerHub mirrors in Google Cloud.
My first reaction was “Nice! How clever of this person (or Google) to have thought of this idea.” My next thought was, wait. This could lead to potential security risks for some developers who are not familiar with how these registries are updated and what images go into these mirrored sites. Imagine when application developers are busy scrambling to check-in their latest update to the CI/CD pipeline of the software they are building, and in that time crunch, their go-to container registry is down. Do developers really have the time to check if there are vulnerable images in every registry they use? Will there be an easy, streamlined way to automatically scan the images no matter which registry developers use to pull their images? The short answer is yes, and we will look into that in this blog.
Scan all your container assets with Calico Cloud
Why your security teams are not ready for containers and Kubernetes, and what you can do about it
From a people perspective and an organizational standpoint, many CISOs have said that their security teams are not ready for containers and Kubernetes. This isn’t surprising, given the stark contrast between where we were less than a decade ago and where we are today in terms of systems architecture. I am of course referring to the cloud-native era, which has ushered in a whole new architectural approach.
With Kubernetes at the center asserting its domination, it’s time to start thinking about how we can best prepare security teams for this new era. To do that, let’s look at why they’re struggling in the first place (spoiler alert: it’s because organizations are struggling, too).
Security and organizational structure in the era of cloud-native computing
In the traditional software development and deployment model, things were quite static. We can think of the traditional model as a relay race where the baton was passed from the development team to the platform team to the security team. While this model works well for traditional application architectures, this type of organizational structure is less effective for new architectures for container orchestration and Kubernetes-native applications, where everything is dynamic and highly automated.
But perhaps the most Continue reading
Calico workload-centric web application firewall (WAF): A better way to secure cloud-native applications
Container-based web applications built on microservices architecture, whether public-facing or internal, are critical to businesses. This new class of applications is commonly referred to as cloud-native applications. Read on to find out why traditional WAFs are no longer enough to protect cloud-native applications and how Calico’s new workload-centric WAF solves this problem.
Background
HTTP is the lingua franca for modern, RESTful APIs and microservices communication. Traditionally, organizations have deployed WAF at the perimeter level to protect web applications against external attacks. A WAF provides visibility and enforces security controls on external traffic that passes through it. However, for cloud-native applications, where the concept of a perimeter does not exist, the same visibility and control need to be provided at the workload level inside the cluster.
In a survey conducted by information security research center Ponemon Institute to probe the state of the WAF market, more than 600 respondents noted the following:
- 86% of organizations experienced application-layer attacks that bypassed their WAF in the last 12 months.
- While 66% of respondents consider WAF to be an important security tool, over 40% use their WAFs only to generate alerts (not to block attacks).
Source: Ponemon Institute – “The State of Web Application Continue reading
Community Spotlight series: Calico Open Source user insights from Cloud Native Technologist, Jintao Zhang
In this issue of the Calico Community Spotlight series, I’ve asked Jintao Zhang from API7.ai to share his experience with Kubernetes and Calico Open Source. API7.ai is an open-source infrastructure software company that helps businesses manage and visualize business-critical traffic, such as APIs and microservices to accelerate business decisions through data. They have built API7 Cloud—an any-cloud, multi-location SaaS platform for deploying, controlling, visualizing, and monitoring APIs at scale. It allows users to manage and run their APIs anywhere in one place and increase runtime effortlessly, without worrying about the control plane. Let’s take a look at how Jintao started his Kubernetes journey, and the insights he gained from Calico Open Source.
Q: Please tell us a little bit about yourself, including where you currently work and what you do there.
I am currently working for API7.ai and my title is Cloud Native Technologist. I am mainly responsible for the Apache APISIX Ingress controller project and the service mesh project based on Apache APISIX.
Q: What orchestrator(s) have you been using?
Kubernetes.
Q: What cloud infrastructure(s) has been a part of your projects?
AWS (EKS) and Azure (AKS).
Q: There are many people who are just getting Continue reading
BYOCNI: Introducing Calico CNI for Azure AKS
Cloud-native applications running on Kubernetes rely on container network plugins to establish workload communication. While Azure Kubernetes Service (AKS) provides several supported networking options (kubenet and Azure CNI) that address the needs of most deployments, Microsoft recently introduced the ability to bring your own networking solution, called BYOCNI, to help users address more advanced networking requirements. This new feature enables AKS customers to run Calico networking on AKS.
This blog will walk you through some exciting capabilities you can unlock with Calico running in your AKS deployments.
Why use Calico networking on AKS?
Calico is the most widely adopted container networking and security solution for Kubernetes. Powering more than 100M containers across 2M+ nodes in 166 countries, Calico is supported across all major cloud providers and Kubernetes distributions. Calico gives you a choice of data planes, including eBPF, standard Linux networking, and Windows HNS-based workloads running in public clouds and/or on-prem, on a single node, or across a multi-thousand-node cluster. Whether you need to scale to thousands of microservices with eBPF, or add Windows workloads to your Kubernetes deployments, Calico has you covered.
Calico’s core design principles leverage cloud-native design best practices, combined with proven, standards-based network protocols trusted by Continue reading
Tigera has been awarded Microsoft’s 2022 Partner of the Year award for OSS on Azure
We are proud to announce that we have won the 2022 Microsoft OSS on Azure Partner of the Year award! The Microsoft Partner of the Year Awards recognize Microsoft partners that have developed and delivered outstanding Microsoft-based applications, services, and devices during the past year. Awards were classified in various categories, with honorees chosen from a set of more than 3,900 submitted nominations from more than 100 countries worldwide. Tigera was recognized for providing outstanding solutions and services for open source on Azure.
Since June 2021, Tigera and Microsoft Azure together provide users with active build, deploy, and runtime security with full-stack observability for securing, monitoring, and troubleshooting containers on Azure and AKS. Tigera works closely with Microsoft to offer networking, security, and observability for containerized workloads running in Microsoft Azure.
We are very proud to be recognized as Microsoft’s Partner of the Year for OSS on Azure as it re-affirms the reach and pervasiveness of Tigera’s Calico Open Source solution for container networking and security on Azure and AKS. As enterprises standardize across Microsoft Azure, customers require a resource-efficient and scalable networking and security solution that protects the workloads in a hybrid environment extending from the cloud (Azure and Continue reading
Zero-trust for cloud-native workloads – part 2: Mitigating future Log4j incidents
Zero-trust for cloud-native workloads – part 2: Mitigating future Log4j incidents
In my previous blog, I introduced the brief history of zero trust, the core pillars of a zero-trust model, and how to build a zero-trust model for cloud-native workloads. In this blog, you will learn how Calico can help mitigate vulnerabilities such as the recent zero-day Log4j vulnerability with its zero-trust workload security approach.
Zero trust: a quick refresher
The starting point for building a zero-trust model is understanding your attack and protect surface. The outcome of designing your security plan should be eliminating the attack surface completely.
Enterprises are realizing that the best approach to mitigating breaches and protecting their sensitive assets from both internal and external threats is by applying the three principles of zero trust to their security plan. These three principles are:
- Always use least-privilege access
- Always authenticate and authorize before providing access
- Always assume breach
While stakeholders are busy creating design architectures, collecting asset information, and considering tools required to achieve their zero trust goals, there are also new challenges that some decision-makers should consider. As microservices are becoming the de facto standard for application developers, it has introduced new technologies and methodologies Continue reading
Contributing Cool Community Content to Calico
It’s right there on our community page—the statement that “Project Calico is first and foremost a community.”
With that in mind, we wanted to make it easier for new contributors to get involved. It’s a win-win scenario—developers experience less frustration, they can get their work done, and have their contributions considered. Plus, the project can easily benefit from the contributions.
Recently, we have been doing a lot of work to simplify the contribution process, and to encourage, recognize, thank, and reward contributors. For example, earlier this year we announced our Calico Big Cats ambassador program and began using a single monorepo architecture. Read on and we’ll dig into that more.
In my role as Lead Developer Advocate for Project Calico, up until now, when I wanted to make a bug fix or improve something, I needed to feed that back to the development team for them to implement. In this blog post, though, I’m going to test out the new contribution process myself, document it for others, make improvements, and see what I can learn.
The Project Calico home page is a great place to find a contribution to make, so I headed there. Following the “Find a good Continue reading
Securing cloud workloads in 5 easy steps
As organizations transition from monolithic services in traditional data centers to microservices architecture in a public cloud, security becomes a bottleneck and causes delays in achieving business goals. Traditional security paradigms based on perimeter-driven firewalls do not scale for communication between workloads within the cluster and 3rd-party APIs outside the cluster. The traditional paradigm also does not provide granular access controls to the workloads and zero-trust architecture, leaving cloud-native applications with a larger attack surface.
Calico Cloud offers an easy 5-step process for fast-tracking your organization’s cloud-native application journey by making security a business enabler while mitigating risk.
Step 1: Visibility
Gaining visibility into workload-to-workload communication with all metadata context intact is one of the biggest challenges when it comes to deploying microservices. You can’t apply security controls to what you can’t see. The traffic is not just flowing from a client to a server in this new cloud native distributed architecture but also between namespaces that reside between many nodes, causing flow proliferation. With Calico Cloud, you get a dynamic visualization of all traffic flowing through your network in an easy-to-read UI.
Example 1: You can view all the inside and outside (east-west and north-south) connections directly from Calico’s Continue reading
Key advantages of the Calico eBPF data plane
Project Calico and eBPF
Project Calico has offered a production-ready data plane based on eBPF since September 2020, and it’s been available for technical evaluation for even longer (since February 2020).
The pre-requisites and limitations are simple to review, it’s easy to enable, and it’s easy to validate your configuration. So, there’s never been a better time to start experiencing the benefits!
You do know what those are, don’t you? Don’t worry if not! That’s what this blog post is about. We’ve reached a point where the journey is easy to make, if you know why you want to get there.
Key advantages of using Calico with eBPF
Calico is already the most widely deployed Kubernetes network security solution. What can eBPF do to help our winning formula further? I’ll dive into the details, but let’s look at the highest possible level first.
These three key benefits apply across all supported environments:
- General performance
- Native Kubernetes service handling
- Source IP preservation and Direct Server Return, or DSR
- Each of these benefits is significant and worth discussing in more detail.
Performance
Calico’s eBPF data plane achieves high performance in several ways. Firstly, it achieves higher throughput and/or less CPU Continue reading
What’s new in Calico Enterprise 3.14: WAF, Calico CNI on AKS, and support for RKE2
At Tigera, we strive to innovate at every opportunity thrown at us and deliver what you need! We have listened to what users ask and today we are excited to announce the early preview of Calico Enterprise 3.14. From new capabilities to product supportability and extending partnerships with our trusted partners, let’s take a look at some of the new features in this release.
Web application firewall (WAF)
Web applications are a critical aspect of any business, whether they are public facing or internal. There has been a fundamental shift in the way these applications are developed—as they have become more container-based and API-based, we refer to these as cloud-native applications.
To keep these modern web applications secure, we need to analyze all HTTP communication and block any malicious traffic traversing the web application. However, in a cloud-native environment, we can’t achieve this using simple network policies or by using perimeter network firewalls. Instead, a cloud-native web application firewall (WAF) would be necessary.
Fig. 1: Service annotation for workload-based WAF using Calico
This is why we have introduced a cloud-native WAF into Calico Enterprise that’s different from the traditional WAFs you may know. While most traditional WAFs are deployed Continue reading