Category Archives for "Tigera.io"

Join me at PlatformCon 2022 to learn how to secure cloud-native applications using open source tools

PlatformCon 2022 is just around the corner and I’m excited to be speaking at the conference alongside other platform practitioners and pioneers. My talk, Using open-source software to secure cloud-native applications, will examine—you guessed it—how to use open-source software like Kubernetes to secure cloud-native applications.

I’m looking forward to giving this talk because I think this topic is extremely relevant to the Platform Engineering community. Cloud-native microservices applications bring so many amazing advantages for many software application needs, but they also bring lots of security challenges, and if those are handled incorrectly it can be a minefield. Ephemeral workloads appear and disappear, workload network addressing is transient, and traditional firewalls can’t police the data path effectively.

Open-source orchestration solutions like Kubernetes define an application-centric component called ‘NetworkPolicy,’ but they do not implement it. In my session I’ll discuss how, with a change of tools and mindset, open-source software can help to implement security for cloud-native applications whilst still allowing the user to benefit from all the advantages. I’m excited to help people understand how to get on the right path and give them enough information to make their own informed decision on how to proceed.

What’s special

Boosting your cluster networking with the Calico VPP data plane (beta)!

This is a guest post from Nathan Skrzypczak at Cisco. Nathan is part of a team of external contributors to Calico Open Source who have been working on an integration between Calico Open Source and Cisco’s data plane technology, VPP, for the last year.

Calico v3.23 is out, and with it a lot of new features! This release marks a long-awaited milestone for me and my team, as it includes the Calico VPP data plane (beta). So now seems to be a good time to reflect on what this integration actually is, and why we built it.

The Calico VPP data plane is the fourth data plane option for Calico. Alongside the Linux kernel, eBPF data plane, and Windows kernel, you can now choose to have packet processing done in a userspace network stack: the Vector Packet Processor (VPP). This means the service load-balancing, NAT-ing of packets, encapsulation, encryption and policies will all run in a user-space application. It all seems mostly transparent from the user’s perspective, is seamless to enable, and enabling it allows access to a series of really interesting features.

Quick packets yield more throughput

The first thing the Calico VPP data plane aims to

Introducing our brand new (and free!) Calico Azure Course

Calico Open Source is an industry standard for container security and networking that offers high-performance cloud-native scalability and supports Kubernetes workloads, non-Kubernetes workloads, and legacy workloads. Created and maintained by Tigera, Calico Open Source offers a wide range of support for your choice of data plane whether it’s Windows, eBPF, Linux, or VPP.

We’re excited to announce our new certification course for Azure, Certified Calico Operator: Azure Expert! This free, self-paced course is the latest in our series of four courses. If you haven’t had a chance to complete our previous courses, I highly recommend enrolling in them in the following order (or as you prefer).

  1. Certified Calico Operator: Level 1
  2. Certified Calico Operator: AWS Expert
  3. Certified Calico Operator: eBPF

What will you gain from this course?

Whether you have little to no experience with cloud concepts, have entry-level DevOps and engineering experience, are keen to learn more about Azure or are already an Azure expert looking for a cloud networking and security solution, you will benefit from this course.

The course provides an introduction to Azure cloud, covers managed, self-managed and hybrid cluster deployment using Calico in Azure, and offers hands-on labs to help you explore most of

Mitigating controls for cloud-native applications: Why you need them and how Calico Cloud can help

Fixing vulnerabilities can be hard—especially so for cloud-native applications. Let’s take a deeper look at why this is, and how mitigating controls can help secure your cloud-native applications.

Vulnerabilities are like earthquakes—it’s best to be prepared

The trials and tribulations of Log4j are now safely in our rearview mirror. Most of us responsible for operating a container platform like Kubernetes have navigated through the remediation efforts and disaster has been averted.

But it was a wake-up call for many, and at the very least a healthy reminder for all of us. There have been many infamous vulnerabilities before Log4j, and much like living in an area of the world where earthquakes can strike at any moment, much can be learned from the big ones that came before.

When Heartbleed was publicly disclosed in 2014 it sent shockwaves around the world. It was a critical vulnerability in the ubiquitous OpenSSL library—a cryptographic software library that is used to implement the Transport Layer Security (TLS) protocol. Most of the web relies on TLS to secure communication between clients and servers, and the vulnerability came about through a simple bug that resulted in improper input validation for heartbeats.

The bug existed in OpenSSL

What’s New in Calico v3.23

Hey everyone. We’re excited to announce the release of Calico v3.23! Thanks to everyone in the community who contributed to the release. We could not have fitted this many improvements in without you. To view the detailed release notes, please visit us here. While we have many improvements in this release, here’s a brief overview of some of the larger features to be aware of.

IPv6 VXLAN support

Calico now supports VXLAN encapsulation for IPv6 networks. This expands our support for any users who have adopted IPv6.

VPP data plane beta

We are ecstatic to announce that the Calico VPP data plane has reached beta status! A huge thanks to the VPP team for working tirelessly over the last few releases to increase stability, performance, and feature compatibility. Try it out by visiting our documentation here.

Calico networking support in AKS

You can now install Calico networking in your AKS clusters to take advantage of all of the Calico networking features. To try it out, follow the Calico on AKS installation instructions. To learn more about using your own network plugin in AKS, see the AKS documentation here.

BGP enhancements

We have added new configuration options to allow for

Community Spotlight series: Calico Open Source user insights from Ana Shmygla and Josef Janda, Jamf

In this installment of the Calico Community Spotlight series, I interviewed Ana Shmyglya and Josef Janda, who both work for Jamf. Last year, Josef wrote Migrating CNI plugin from kube-router to Calico on Kops managed Kubernetes cluster, and I wanted to dive deeper into his and Ana’s experience based on that blog post. We mainly talked about their respective teams, their responsibilities, and the challenges they have faced whilst using Kubernetes.

Q: What are your current roles and primary responsibilities?

Ana: I work in the Platform team. This basically means I am responsible for a team that maintains the core infrastructure, which includes the Kubernetes clusters that we run. We also own the underlying CNI of the clusters.

Josef: I work as a DevOps engineer on the team that maintains the internal development tools and other systems connected to the software delivery life cycle process.

Q: What orchestrator(s) have you been using?

Josef: We use Kubernetes. That’s basically the only orchestrator in our company.

Ana: Same for us as well, it’s Kubernetes across the company.

Q: What cloud infrastructure(s) has been part of your projects?

Ana: We use a couple of different providers, including AWS, but we only run

The state of cloud-native security 2022 – Tigera’s new market report

We are excited to announce the publication of our first State of Cloud-Native Security market report! The report compiles survey results from more than 300 security and IT professionals worldwide (all of whom have direct container responsibilities), and explores organizations’ needs and challenges when it comes to containers and cloud-native applications, specifically in the areas of security, observability, and compliance.

Report highlights

Our survey results showcase the rise in cloud-native development, while identifying barriers and areas where organizations need support on their cloud-native journey. Some of the report’s key findings include:

  • Cloud-native applications gain momentum but present security, compliance, and observability issues.
    • While our survey found that 75% of companies are focusing development on cloud-native applications, the increased development (and deployment) also creates the need for more advanced observability and security capabilities.
  • Containers require security solutions for runtime, access, and networking.
    • 98% of organizations need container security, with runtime security topping the list.
  • Cloud-native and container compliance requirements are driving delays and challenges.
    • 95% of organizations report they have compliance requirements for cloud-native applications, with 84% stating that meeting these compliance requirements is challenging.

Why read the report?

The report gives organizations a chance to benchmark themselves against the findings,

Community Spotlight series: Calico Open Source user insights from cloud solutions architect, Geoff Burke

In the first installment of our Community Spotlight series, I asked Geoff Burke from Tsunati to share his experience with Kubernetes and Calico Open Source. Geoff talks about how he got started with Kubernetes, the challenges that led him to search for a Container Network Interface (CNI), and why he has chosen Calico Open Source as his preferred CNI.

If you are just getting started with Kubernetes and curious about where other people start their journey, this blog post provides valuable insight and information.

Q: Please tell us a little bit about yourself, including where you currently work and what you do there.

I’m currently a senior cloud solutions architect at Tsunati. We are a data protection company and we focus on backup and recovery, mainly trying to help service providers enhance their services. We have a lot of virtualization expertise. In fact, I am a Veeam legend and a Veeam Vanguard. I also work quite intensely with Kasten by Veeam, which is a Kubernetes-native backup and recovery migration application.

Q: There are many people who are just getting started with Kubernetes and might have a lot of questions. Could you please talk a little bit about your own journey?


A practical guide to container networking

An important part of any Kubernetes cluster is the underlying containers. Containers are the workloads that your business relies on, what your customers engage with, and what shapes your networking infrastructure. Long story short, containers are arguably the soul of any containerized environment.

One of the most popular open-source container orchestration systems, Kubernetes, has a modular architecture. On its own, Kubernetes is a sophisticated orchestrator that helps you manage multiple projects in order to deliver highly available, scalable, and automated deployment solutions. But to do so, it relies on having a suite of underlying container orchestration tools.

This blog post focuses on containers and container networking. Throughout this post, you will find information on what a container is, how you can create one, what a namespace means, and what the mechanisms are that allow Kubernetes to limit resources for a container.

Containers

A container is an isolated environment used to run an application. By utilizing the power of cgroup, namespace, and filesystem from the Linux kernel, containers can be allocated with a limited amount of resources and filesystems inside isolated environments.

Note: Some applications deliver containers that use other technologies. In this post, I will focus on these

A visual guide to Calico eBPF data plane validation

Validating the Calico eBPF Data Plane

In previous blog posts, my colleagues and I have introduced and explored the Calico eBPF data plane in detail, including learning how to validate that it is configured and running correctly. If you have the time, those are still a great read; you could dive in with the Calico eBPF Data Plane Deep-Dive.

However, sometimes a picture paints a thousand words! I was inspired by Daniele Polencic’s wonderful A Visual Guide on Troubleshooting Kubernetes Deployments. With his permission and kind encouragement, I decided to adapt the validation part of my previous deep-dive post into this easy-to-digest flowchart. Feel free to share it far and wide, wherever you think a Calico-learning colleague might benefit! It includes a link back here in case the diagram is updated in the future.

Next Steps

Did you know you can become a certified Calico operator? Learn container and Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.

There are additional level-two courses as well. One of them specifically addresses eBPF and the Calico eBPF data plane!

The post A visual guide to Calico eBPF data plane validation appeared first on Tigera.

How to secure Kubernetes at the infrastructure level: 10 best practices

Infrastructure security is something that is important to get right so that attacks can be prevented—or, in the case of a successful attack—damage can be minimized. It is especially important in a Kubernetes environment because, by default, a large number of Kubernetes configurations are not secure.

Securing Kubernetes at the infrastructure level requires a combination of host hardening, cluster hardening, and network security.

  • Host hardening – Secures the servers or virtual machines on which Kubernetes is hosted
  • Cluster hardening – Secures Kubernetes’s control plane components
  • Network security – Ensures secure integration of the cluster with surrounding infrastructure

Let’s dive into each of these and look at best practices for securing both self-hosted and managed Kubernetes clusters.

Host hardening

There are many techniques that can be used to ensure a secure host. Here are three best practices for host hardening.

Use a modern immutable Linux distribution

If you have the flexibility to choose an operating system (i.e. your organization doesn’t standardize on one operating system across all infrastructure), use a modern immutable Linux distribution, such as Flatcar Container Linux or Bottlerocket. This type of operating system is specifically designed for containers and offers several benefits, including:

Defense in depth with Calico Cloud

Last month, we announced the launch of our active cloud-native application runtime security. Calico Cloud’s active runtime security helps security teams secure their containerized workloads with a holistic approach to threat detection, prevention, and mitigation.

As security teams look to secure these workloads, it’s also critical that they employ a defense-in-depth strategy. Calico Cloud’s active runtime security can detect, prevent, and mitigate threats across the entire cyber kill chain for containerized workloads.

What is the cyber kill chain?

The cyber kill chain is a framework used to track the steps a threat actor might take as they attempt to execute a cyber attack on your organization. Lockheed Martin originally developed the cyber kill chain by adapting a military concept that describes the structure of an attack to cybersecurity threats. Today, this framework is used by security teams from a wide range of organizations to understand and respond to cybersecurity threats.

The Lockheed Martin cyber kill chain consists of seven stages:

  • Reconnaissance: An attacker assesses potential targets and tactics for an attack
  • Weaponization: An attacker prepares the attack by obtaining or setting up the appropriate infrastructure
  • Delivery: An attacker launches their attack
  • Exploitation: An attacker gains access to their

Zero-trust for cloud-native workloads

There has been a huge uptick in microservices adoption in the data analytics domain, primarily aided by machine learning (ML) and artificial intelligence (AI) projects. Some of the reasons why containers are popular among ML developers are the ease of portability, scalability, and quick access to data using services—specifically network services. The rise of cloud-native applications, especially for big data in the analytics sector, makes these applications a prime target for cyber crime.

Preventing threat actors from breaching the network and accessing critical data or applications is a daunting task for one team or individual to take on alone. DevOps and security engineers, SREs, and platform architects all need to work together to facilitate the process. These teams are usually presented with two challenges:

  • Since the fundamental architecture model of microservices is distributed, east-west traffic is unavoidable. With most common deployments using a multi-cloud or hybrid model, there is no real network perimeter.
  • One or more microservices will access external services such as 3rd-party cloud services, APIs, and applications, resulting in multiple ingress/egress points for north-south traffic.

This article talks about what organizations need to know about zero trust for cloud-native workloads, and how zero trust

How to maximize K3s resource efficiency using Calico’s eBPF data plane

Amazon’s custom-built Graviton processor allows users to create ARM instances in the AWS public cloud, and Rancher K3s is an excellent way to run Kubernetes in these instances. By allowing a lightweight implementation of Kubernetes optimized for ARM with a single binary, K3s simplifies the cluster initialization process down to executing a simple command.

In an earlier article, I discussed how ARM architecture is becoming a rival to x86 in cloud computing, and steps that can be taken to leverage this situation and be prepared for this new era. Following the same narrative, in this article I’ll look at an example of the Calico eBPF data plane running on AWS, using Terraform to bootstrap our install to AWS, and Rancher K3s to deploy the cluster.

A few changes to Calico are needed for ARM compatibility, including updating parts, enabling eBPF, and compiling operators for the ARM64 environment:

  • Tigera Operator – Tigera Operator is the recommended way to install Calico.
  • go-build – go-build is a container environment packed with all the utilities that Calico requires in its compilation process.
  • Calico-node – Calico-node is the pod that hosts Felix (i.e. it is the brain that carries control plane decisions to

What a more holistic approach to cloud-native security and observability looks like

The rise of cloud native and containerization, along with the automation of the CI/CD pipeline, introduced fundamental changes to existing application development, deployment, and security paradigms. Because cloud native is so different from traditional architectures, both in how workloads are developed and how they need to be secured, there is a need to rethink our approach to security in these environments.

As stated in this article, security for cloud-native applications should take a holistic approach where security is not an isolated concern, but rather a shared responsibility. Collaboration is the name of the game here. In order to secure cloud-native deployments, the application, DevOps, and security teams need to work together to make sure security happens earlier in the development cycle and is more closely associated with the development process.

Since Kubernetes is the most popular container orchestrator and many in the industry tend to associate it with cloud native, let’s look at this holistic approach by breaking it down into a framework for securing Kubernetes-native environments.

Framework

At a high level, the framework for securing cloud-native environments consists of three stages: build, deploy, and runtime.

Build

In the build stage, developers write code and the code gets compiled,

Calico Cloud: Active Build and Runtime Security for Cloud-Native Applications

Calico Cloud has just celebrated its 1-year anniversary! And what better way to celebrate than to launch new features and capabilities that help users address their most urgent cloud security needs.

Over the past year, the Tigera team has seen rapid adoption of Calico Cloud for security and observability of cloud-native applications. With this new release, Calico Cloud becomes the first in the industry to offer the most comprehensive active cloud-native application security that goes beyond detecting threats to limit exposure and automatically mitigate risks in real time.

With news of new zero-day threats emerging almost every day (e.g. Argo CD, Chrome Browser), the current security approach needs to evolve. We need active build, deploy, and runtime security, all together, instead of using a siloed approach. Security threats, vulnerabilities, and risks for all three areas should be addressed together, by the same security platform, rather than using multiple disjointed tools. Calico Cloud does just that!

With Calico Cloud, you can reduce your cloud-native application’s attack surface, harness machine learning to combat runtime security risks from known and unknown zero-day threats, enable continuous compliance, and prioritize and mitigate the risks from vulnerabilities and attacks.

Let’s take a look

Why you need Tigera’s new active cloud-native application security

First-generation security solutions for cloud-native applications have been failing because they apply a legacy mindset where the focus is on vulnerability scanning instead of a holistic approach to threat detection, threat prevention, and remediation. Given that the attack surface of modern applications is much larger than in traditional apps, security teams are struggling to keep up and we’ve seen a spike in breaches.

To better protect cloud-native applications, we need solutions that focus on threat prevention by reducing the attack surface. With this foundation, we can then layer on threat detection and threat mitigation strategies.

I have exciting news to share on this front! Today, Tigera launched new capabilities in its Calico product line to help you address your most urgent cloud security needs. Before getting into a discussion about the features themselves, I’d like to talk about the driving force behind the changes, our thought process, and why we’re well-positioned to bring these to market.

A new runtime security model

To properly secure modern cloud-native applications, we need to use a modern architecture that aligns with them. At Tigera, we’ve created a model we call active cloud-native application runtime security. This model has three components:

Introducing our exciting new ambassador program: Calico Big Cats

The Project Calico community is one of the most collaborative and supportive communities in the open-source space. Our community has shown great engagement through the years, which has helped us maintain and grow the project.

Thanks to our 200+ contributors from all over the world, Calico Open Source (the solution born out of the project) is powering 1.5M+ nodes daily across 166 countries. Our engineering team is committed to maintaining Calico Open Source as the leading standard for container and Kubernetes networking and security!

Given our community’s passion for Project Calico, we wanted to give its members a chance to inspire others by telling their stories. To this end, we are very excited to announce our new Calico Big Cats ambassador program!

What is Calico Big Cats?

Calico Big Cats is an ambassador program that provides a platform for our community to talk about their experiences with Calico. The goal is to help community members connect, inspire, and share common challenges and ways to overcome these challenges using Calico and other tools.

Why join Calico Big Cats?

If you have experience with Project Calico, recognize its value in the open-source networking and security domain, and are passionate about sharing

Is ARM architecture the future of cloud computing?

Central processing units (CPUs) can be compared to the human brain in that their unique architecture allows them to solve mathematical equations in different ways. x86 is the dominant architecture used in cloud computing at the time of this writing; however, it is worth noting that this architecture is not efficient for every scenario, and its proprietary nature is causing an industry shift toward ARM.

ARM (Advanced RISC Machines) is a type of CPU architecture that powers most tablets and smartphones, as well as the fastest supercomputer in the world (supercomputer Fugaku). ARM’s low power consumption and high computational performance make it a worthy rival for x86 in cloud computing.

In this article, I will talk about a few popular ARM projects, the main difference between x86 and ARM architectures, and explore how we can prepare developers for the future by providing them with an ARM-based container environment.

ARM versus x86

Companies are increasing their pursuit to leverage ARM in order to reduce both cost and energy consumption. While x86 remains a proprietary CPU architecture, ARM provides licenses to other companies allowing them to design their own custom-built processors using ARM’s patented technology.

Amazon’s custom-designed Graviton processor is a great

How to Monitor Calico’s eBPF Data Plane for Proactive Cluster Management

Monitoring is a critical part of any computer system that has been brought into a production-ready state. No IT system exists in true isolation, and even the simplest systems interact in interesting ways with the systems “surrounding” them. Since compute time, memory, and long-term storage are all finite, it’s necessary at the very least to understand how these things are being allocated.

Why Does the Calico eBPF Data Plane Support Metrics?

Perhaps this question seems contrived. However, it’s always worth spending a moment thinking about reasons before adding any technical complexity to a distributed system! After all, they are already quite complicated! So why does the Calico eBPF data plane support metrics through Prometheus and Grafana?

Well, the Calico eBPF data plane is production ready and widely deployed, so a well-configured Kubernetes cluster with the Calico eBPF data plane correctly enabled will be stable and reliable. However, distributed systems are inherently complex and when dealing with them, it is generally good practice to instrument and baseline metrics wherever they are available. Doing so provides many benefits, especially for capacity planning, change management, and as an early-warning or smoke-testing system.

Additionally, seeing a running distributed system fully instrumented can be
