Community Spotlight series: Calico Open Source user insights from Cloud Native Technologist, Jintao Zhang
In this issue of the Calico Community Spotlight series, I’ve asked Jintao Zhang from API7.ai to share his experience with Kubernetes and Calico Open Source. API7.ai is an open-source infrastructure software company that helps businesses manage and visualize business-critical traffic, such as APIs and microservices to accelerate business decisions through data. They have built API7 Cloud—an any-cloud, multi-location SaaS platform for deploying, controlling, visualizing, and monitoring APIs at scale. It allows users to manage and run their APIs anywhere in one place and increase runtime effortlessly, without worrying about the control plane. Let’s take a look at how Jintao started his Kubernetes journey, and the insights he gained from Calico Open Source.
Q: Please tell us a little bit about yourself, including where you currently work and what you do there.
I am currently working for API7.ai and my title is Cloud Native Technologist. I am mainly responsible for the Apache APISIX Ingress controller project and the service mesh project based on Apache APISIX.
Q: What orchestrator(s) have you been using?
Kubernetes.
Q: What cloud infrastructure(s) has been a part of your projects?
AWS (EKS) and Azure (AKS).
Q: There are many people who are just getting Continue reading
BYOCNI: Introducing Calico CNI for Azure AKS
Cloud-native applications running on Kubernetes rely on container network plugins to establish workload communication. While Azure Kubernetes Service (AKS) provides several supported networking options (kubenet and Azure CNI) that address the needs of most deployments, Microsoft recently introduced the ability to bring your own networking solution, called BYOCNI, to help users address more advanced networking requirements. This new feature enables AKS customers to run Calico networking on AKS.
This blog will walk you through some exciting capabilities you can unlock with Calico running in your AKS deployments.
Why use Calico networking on AKS?
Calico is the most widely adopted container networking and security solution for Kubernetes. Powering more than 100M containers across 2M+ nodes in 166 countries, Calico is supported across all major cloud providers and Kubernetes distributions. Calico gives you a choice of data planes, including eBPF, standard Linux networking, and Windows HNS-based workloads running in public clouds and/or on-prem, on a single node, or across a multi-thousand-node cluster. Whether you need to scale to thousands of microservices with eBPF, or add Windows workloads to your Kubernetes deployments, Calico has you covered.
Calico’s core design principles leverage cloud-native design best practices, combined with proven, standards-based network protocols trusted by Continue reading
Tigera has been awarded Microsoft’s 2022 Partner of the Year award for OSS on Azure
We are proud to announce that we have won the 2022 Microsoft OSS on Azure Partner of the Year award! The Microsoft Partner of the Year Awards recognize Microsoft partners that have developed and delivered outstanding Microsoft-based applications, services, and devices during the past year. Awards were classified in various categories, with honorees chosen from a set of more than 3,900 submitted nominations from more than 100 countries worldwide. Tigera was recognized for providing outstanding solutions and services for open source on Azure.
Since June 2021, Tigera and Microsoft Azure together provide users with active build, deploy, and runtime security with full-stack observability for securing, monitoring, and troubleshooting containers on Azure and AKS. Tigera works closely with Microsoft to offer networking, security, and observability for containerized workloads running in Microsoft Azure.
We are very proud to be recognized as Microsoft’s Partner of the Year for OSS on Azure as it re-affirms the reach and pervasiveness of Tigera’s Calico Open Source solution for container networking and security on Azure and AKS. As enterprises standardize across Microsoft Azure, customers require a resource-efficient and scalable networking and security solution that protects the workloads in a hybrid environment extending from the cloud (Azure and Continue reading
Zero-trust for cloud-native workloads – part 2: Mitigating future Log4j incidents
Zero-trust for cloud-native workloads – part 2: Mitigating future Log4j incidents
In my previous blog, I introduced the brief history of zero trust, the core pillars of a zero-trust model, and how to build a zero-trust model for cloud-native workloads. In this blog, you will learn how Calico can help mitigate vulnerabilities such as the recent zero-day Log4j vulnerability with its zero-trust workload security approach.
Zero trust: a quick refresher
The starting point for building a zero-trust model is understanding your attack and protect surface. The outcome of designing your security plan should be eliminating the attack surface completely.
Enterprises are realizing that the best approach to mitigating breaches and protecting their sensitive assets from both internal and external threats is by applying the three principles of zero trust to their security plan. These three principles are:
- Always use least-privilege access
- Always authenticate and authorize before providing access
- Always assume breach
While stakeholders are busy creating design architectures, collecting asset information, and considering tools required to achieve their zero trust goals, there are also new challenges that some decision-makers should consider. As microservices are becoming the de facto standard for application developers, it has introduced new technologies and methodologies Continue reading
Contributing Cool Community Content to Calico
It’s right there on our community page—the statement that “Project Calico is first and foremost a community.”
With that in mind, we wanted to make it easier for new contributors to get involved. It’s a win-win scenario—developers experience less frustration, they can get their work done, and have their contributions considered. Plus, the project can easily benefit from the contributions.
Recently, we have been doing a lot of work to simplify the contribution process, and to encourage, recognize, thank, and reward contributors. For example, earlier this year we announced our Calico Big Cats ambassador program and began using a single monorepo architecture. Read on and we’ll dig into that more.
In my role as Lead Developer Advocate for Project Calico, up until now, when I wanted to make a bug fix or improve something, I needed to feed that back to the development team for them to implement. In this blog post, though, I’m going to test out the new contribution process myself, document it for others, make improvements, and see what I can learn.
The Project Calico home page is a great place to find a contribution to make, so I headed there. Following the “Find a good Continue reading
Securing cloud workloads in 5 easy steps
As organizations transition from monolithic services in traditional data centers to microservices architecture in a public cloud, security becomes a bottleneck and causes delays in achieving business goals. Traditional security paradigms based on perimeter-driven firewalls do not scale for communication between workloads within the cluster and 3rd-party APIs outside the cluster. The traditional paradigm also does not provide granular access controls to the workloads and zero-trust architecture, leaving cloud-native applications with a larger attack surface.
Calico Cloud offers an easy 5-step process for fast-tracking your organization’s cloud-native application journey by making security a business enabler while mitigating risk.
Step 1: Visibility
Gaining visibility into workload-to-workload communication with all metadata context intact is one of the biggest challenges when it comes to deploying microservices. You can’t apply security controls to what you can’t see. The traffic is not just flowing from a client to a server in this new cloud native distributed architecture but also between namespaces that reside between many nodes, causing flow proliferation. With Calico Cloud, you get a dynamic visualization of all traffic flowing through your network in an easy-to-read UI.
Example 1: You can view all the inside and outside (east-west and north-south) connections directly from Calico’s Continue reading
Key advantages of the Calico eBPF data plane
Project Calico and eBPF
Project Calico has offered a production-ready data plane based on eBPF since September 2020, and it’s been available for technical evaluation for even longer (since February 2020).
The pre-requisites and limitations are simple to review, it’s easy to enable, and it’s easy to validate your configuration. So, there’s never been a better time to start experiencing the benefits!
You do know what those are, don’t you? Don’t worry if not! That’s what this blog post is about. We’ve reached a point where the journey is easy to make, if you know why you want to get there.
Key advantages of using Calico with eBPF
Calico is already the most widely deployed Kubernetes network security solution. What can eBPF do to help our winning formula further? I’ll dive into the details, but let’s look at the highest possible level first.
These three key benefits apply across all supported environments:
- General performance
- Native Kubernetes service handling
- Source IP preservation and Direct Server Return, or DSR
- Each of these benefits is significant and worth discussing in more detail.
Performance
Calico’s eBPF data plane achieves high performance in several ways. Firstly, it achieves higher throughput and/or less CPU Continue reading
What’s new in Calico Enterprise 3.14: WAF, Calico CNI on AKS, and support for RKE2
At Tigera, we strive to innovate at every opportunity thrown at us and deliver what you need! We have listened to what users ask and today we are excited to announce the early preview of Calico Enterprise 3.14. From new capabilities to product supportability and extending partnerships with our trusted partners, let’s take a look at some of the new features in this release.
Web application firewall (WAF)
Web applications are a critical aspect of any business, whether they are public facing or internal. There has been a fundamental shift in the way these applications are developed—as they have become more container-based and API-based, we refer to these as cloud-native applications.
To keep these modern web applications secure, we need to analyze all HTTP communication and block any malicious traffic traversing the web application. However, in a cloud-native environment, we can’t achieve this using simple network policies or by using perimeter network firewalls. Instead, a cloud-native web application firewall (WAF) would be necessary.
Fig. 1: Service annotation for workload-based WAF using Calico
This is why we have introduced a cloud-native WAF into Calico Enterprise that’s different from the traditional WAFs you may know. While most traditional WAFs are deployed Continue reading
Join me at PlatformCon 2022 to learn how to secure could-native applications using open source tools
PlatformCon 2022 is just around the corner and I’m excited to be speaking at the conference alongside other platform practitioners and pioneers. My talk, Using open-source software to secure cloud-native applications, will examine—you guessed it—how to use open-source software like Kubernetes to secure cloud-native applications.
I’m looking forward to giving this talk because I think this topic is extremely relevant to the Platform Engineering community. Cloud-native microservices applications bring so many amazing advantages for many software application needs, but they also bring lots of security challenges, and if those are handled incorrectly it can be a minefield. Ephemeral workloads appear and disappear, workload network addressing is transient, and traditional firewalls can’t police the data path effectively.
Open-source orchestration solutions like Kubernetes define an application-centric component called ‘NetworkPolicy,’ but they do not implement it. In my session I’ll discuss how, with a change of tools and mindset, open-source software can help to implement security for cloud-native applications whilst still allowing the user to benefit from all the advantages. I’m excited to help people understand how to get on the right path and give them enough information to make their own informed decision on how to proceed
What’s special Continue reading
Boosting your cluster networking with the Calico VPP data plane (beta)!
This is a guest post from Nathan Skrzypczak at Cisco. Nathan is part of a team of external contributors to Calico Open Source that have been working on an integration between Calico Open Source and Cisco’s data plane technology, VPP, for the last year.
Calico v3.23 is out, and with it a lot of new features! This release marks a long-awaited milestone for me and my team, as it includes the Calico VPP data plane (beta). So now seems to be a good time to reflect on what this integration actually is, and why we built it.
The Calico VPP data plane is the fourth data plane option for Calico. Alongside the Linux kernel, eBPF data plane, and Windows kernel, you can now choose to have packet processing done in a userspace network stack: the Vector Packet Processor (VPP). This means the service load-balancing, NAT-ing of packets, encapsulation, encryption and policies will all run in a user-space application. It all seems mostly transparent from the user’s perspective, is seamless to enable, and enabling it allows access to a series of really interesting features.
Quick packets yields more throughput
The first thing the Calico VPP data plane aims to Continue reading
Introducing our brand new (and free!) Calico Azure Course
Calico Open Source is an industry standard for container security and networking that offers high-performance cloud-native scalability and supports Kubernetes workloads, non-Kubernetes workloads, and legacy workloads. Created and maintained by Tigera, Calico Open Source offers a wide range of support for your choice of data plane whether it’s Windows, eBPF, Linux, or VPP.
We’re excited to announce our new certification course for Azure, Certified Calico Operator: Azure Expert! This free, self-paced course is the latest in our series of four courses. If you haven’t had a chance to complete our previous courses, I highly recommend enrolling in them in the following order (or as you prefer).
- Certified Calico Operator: Level 1
- Certified Calico Operator: AWS Expert
- Certified Calico Operator: eBPF
What will you gain from this course?
Whether you have little to no experience with cloud concepts, have entry-level DevOps and engineering experience, are keen to learn more about Azure or are already an Azure expert looking for a cloud networking and security solution, you will benefit from this course.
The course provides an introduction to Azure cloud, learnings about managed, self-managed and hybrid cluster deployment using Calico in Azure, and offers hands-on labs to help you explore most of Continue reading
Mitigating controls for cloud-native applications: Why you need them and how Calico Cloud can help
Fixing vulnerabilities can be hard—especially so for cloud-native applications. Let’s take a deeper look at why this is, and how mitigating controls can help secure your cloud-native applications.
Vulnerabilities are like earthquakes—its best to be prepared
The trials and tribulations of Log4j are now safely in our rearview mirror. Most of us responsible for operating a container platform like Kubernetes have navigated through the remediation efforts and disaster has been averted.
But it was a wake-up call for many, and at the very least a healthy reminder for all of us. There have been many infamous vulnerabilities before Log4j, and much like living in an area of the world where earthquakes can strike at any moment, much can be learned from the big ones that came before.
When Heartbleed was publicly disclosed in 2014 it sent shockwaves around the world. It was a critical vulnerability in the ubiquitous OpenSSL library—a cryptographic software library that is used to implement the Transport Layer Security (TLS) protocol. Most of the web relies on TLS to secure communication between clients and servers, and the vulnerability came about through a simple bug that resulted in improper input validation for heartbeats.
The bug existed in OpenSSL Continue reading
What’s New in Calico v3.23
Hey everyone. We’re excited to announce the release of Calico v3.23! Thanks to everyone in the community who contributed to the release. We could not have fitted this many improvements in without you. To view the detailed release notes, please visit us here. While we have many improvements in this release, here’s a brief overview of some of the larger features to be aware of.
IPv6 VXLAN support
Calico now supports VXLAN encapsulation for IPv6 networks. This expands our support for any users who have adopted IPv6.
VPP data plane beta
We are ecstatic to announce that the Calico VPP data plane has reached beta status! A huge thanks to the VPP team for working tirelessly over the last few releases to increase stability, performance, and feature compatibility. Try it out by visiting our documentation here.
Calico networking support in AKS
You can now install Calico networking in your AKS clusters to take advantage of all of the Calico networking features. To try it out, follow the Calico on AKS installation instructions. To learn more about using your own network plugin in AKS, see the AKS documentation here.
BGP enhancements
We have added new configuration options to allow for Continue reading
Community Spotlight series: Calico Open Source user insights from Ana Shmygla and Josef Janda, Jamf
In this installment of the Calico Community Spotlight series, I interviewed Ana Shmyglya and Josef Janda, who both work for Jamf. Last year, Josef wrote Migrating CNI plugin from kube-router to Calico on Kops managed Kubernetes cluster, and I wanted to dive deeper into his and Ana’s experience based on that blog post. We mainly talked about their respective teams, their responsibilities, and the challenges they have faced whilst using Kubernetes.
Q: What are your current roles and primary responsibilities?
Ana: I work in the Platform team. This basically means I am responsible for a team that maintains the core infrastructure, which includes the Kubernetes clusters that we run. We also own the underlying CNI of the clusters.
Josef: I work as a DevOps engineer on the team that maintains the internal development tools and other systems connected to the software delivery life cycle process.
Q: What orchestrator(s) have you been using?
Josef: We use Kubernetes. That’s basically the only orchestrator in our company.
Ana: Same for us as well, it’s Kubernetes across the company.
Q: What cloud infrastructure(s) has been part of your projects?
Ana: We use a couple of different providers, including AWS, but we only run Continue reading
The state of cloud-native security 2022 – Tigera’s new market report
We are excited to announce the publication of our first State of Cloud-Native Security market report! The report compiles survey results from more than 300 security and IT professionals worldwide (all of whom have direct container responsibilities), and explores organizations’ needs and challenges when it comes to containers and cloud-native applications, specifically in the areas of security, observability, and compliance.
Report highlights
Our survey results showcase the rise in cloud-native development, while identifying barriers and areas where organizations need support on their cloud-native journey. Some of the report’s key findings include:
- Cloud-native applications gain momentum but present security, compliance, and observability issues.
- While our survey found that 75% of companies are focusing development on cloud-native applications, the increased development (and deployment) also creates the need for more advanced observability and security capabilities.
- Containers require security solutions for runtime, access, and networking.
- 98% of organizations need container security, with runtime security topping the list.
- Cloud-native and container compliance requirements are driving delays and challenges.
- 95% of organizations report they have compliance requirements for cloud-native applications, with 84% stating that meeting these compliance requirements is challenging.
Why read the report?
The report gives organizations a chance to benchmark themselves against the findings, Continue reading
Community Spotlight series: Calico Open Source user insights from cloud solutions architect, Geoff Burke
In the first installment of our Community Spotlight series, I asked Geoff Burke from Tsunati to share his experience with Kubernetes and Calico Open Source. Geoff talks about how he got started with Kubernetes, the challenges that led him to search for a Container Network Interface (CNI), and why he has chosen Calico Open Source as his preferred CNI.
If you are just getting started with Kubernetes and curious about where other people start their journey, this blog post provides valuable insight and information.
Q: Please tell us a little bit about yourself, including where you currently work and what you do there.
I’m currently a senior cloud solutions architect at Tsunati. We are a data protection company and we focus on backup and recovery, mainly trying to help service providers enhance their services. We have a lot of virtualization expertise. In fact, I am a Veeam legend and a Veeam Vanguard. I also work quite intensely with Kasten by Veeam, which is a Kubernetes-native backup and recovery migration application.
Q: There are many people who are just getting started with Kubernetes and might have a lot of questions. Could you please talk a little bit about your own journey?
A practical guide to container networking
An important part of any Kubernetes cluster is the underlying containers. Containers are the workloads that your business relies on, what your customers engage with, and what shapes your networking infrastructure. Long story short, containers are arguably the soul of any containerized environment.
One of the most popular open-source container orchestration systems, Kubernetes, has a modular architecture. On its own, Kubernetes is a sophisticated orchestrator that helps you manage multiple projects in order to deliver highly available, scalable, and automated deployment solutions. But to do so, it relies on having a suite of underlying container orchestration tools.
This blog post focuses on containers and container networking. Throughout this post, you will find information on what a container is, how you can create one, what a namespace means, and what the mechanisms are that allow Kubernetes to limit resources for a container.
Containers
A container is an isolated environment used to run an application. By utilizing the power of cgroup, namespace, and filesystem from the Linux kernel, containers can be allocated with a limited amount of resources and filesystems inside isolated environments.
Note: Some applications deliver containers that use other technologies. In this post, I will focus on these Continue reading
A visual guide to Calico eBPF data plane validation
Validating the Calico eBPF Data Plane
In previous blog posts, my colleagues and I have introduced and explored the Calico eBPF data plane in detail, including learning how to validate that it is configured and running correctly. If you have the time, those are still a great read; you could dive in with the Calico eBPF Data Plane Deep-Dive.
However, sometimes a picture paints a thousand words! I was inspired by Daniele Polencic’s wonderful A Visual Guide on Troubleshooting Kubernetes Deployments. With his permission and kind encouragement, I decided to adapt the validation part of my previous deep-dive post to this easy-to-digest flowchart. Feel free to share it far and wide; wherever you think a Calico-learning colleague might benefit! It includes a link back here in case the diagram is updated in the future.
Next Steps
Did you know you can become a certified Calico operator? Learn container and Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.
There are additional level-two courses as well. One of them specifically addresses eBPF and the Calico eBPF data plane!
The post A visual guide to Calico eBPF data plane validation appeared first on Tigera.
How to secure Kubernetes at the infrastructure level: 10 best practices
Infrastructure security is something that is important to get right so that attacks can be prevented—or, in the case of a successful attack—damage can be minimized. It is especially important in a Kubernetes environment because, by default, a large number of Kubernetes configurations are not secure.
Securing Kubernetes at the infrastructure level requires a combination of host hardening, cluster hardening, and network security.
- Host hardening – Secures the servers or virtual machines on which Kubernetes is hosted
- Cluster hardening – Secures Kubernetes’s control plane components
- Network security – Ensures secure integration of the cluster with surrounding infrastructure
Let’s dive into each of these and look at best practices for securing both self-hosted and managed Kubernetes clusters.
Host hardening
There are many techniques that can be used to ensure a secure host. Here are three best practices for host hardening.
Use a modern immutable Linux distribution
If you have the flexibility to choose an operating system (i.e. your organization doesn’t standardize on one operating system across all infrastructure), use a modern immutable Linux distribution, such as Flatcar Container Linux or Bottlerocket. This type of operating system is specifically designed for containers and offers several benefits, including:
- Immutability – This type Continue reading