I’ve been recommending Calico Open Source, for container networking and security not long after it rolled out about six years ago. But, if you’d like more help and features, Calico Enterprise, a self-managed platform for Kubernetes security and observability across hybrid or multicloud configurations — any cloud, any Kubernetes distribution — VMs and bare metal also demands your attention.
There are many problems with organizational-level packet capture. These include:
- Limiting access to packet capture by organizational roles.
- Takes hours to days to set up packet capture instead of making it part of the code. The mere thought of trying to do this with Wireshark makes me shudder.
- Extremely difficult to capture the right amount of data without blowing your storage and compute costs.
- Spend days and weeks correlating data collected from different Kubernetes components such as namespaces, workloads, pods, and microservices.
With Dynamic Packet Capture, parent company Tigera claims you can collect the data you need when you need it without blood, sweat and tears. That done, you can filter the data based on protocol and port to fine-tune their capture for faster debugging and subsequent analysis for shorter time-to-resolution. It also makes it easier to correlate data across different Kubernetes services, namespaces, workloads, and pods. With all that at hand, along with workload and Kubernetes context you can quickly pinpoint problems and then resolve them. I like this. I like this a lot.
The Dynamic Packet Capture functionality also can work hand-in-glove with Kubernetes role-based access control (RBAC). That means you can assign access by role to cut down your security and compliance risk. Good-bye unintentional HIPAA, PCI, SOC2, etc., etc. compliance violations.
The latest Calico Enterprise 3.9 also provides Envoy integration with the data plane as a DaemonSet. This makes it less invasive to microservice pods. This is handy for application-level observability and control.
This can be a lot easier than setting up a service mesh for the same jobs, That’s because:
- Users only need to manage and operate one Envoy proxy per node, instead of multiple sidecars for each pod. That’s a much smaller potential attack surface.
- Application-level information that includes Kubernetes-related context and correlation with other components allows for easier troubleshooting.
- The use of DaemonSet instead of multiple sidecars on a per-node basis leads to less CPU and memory consumption.
Last, but by no means least, with 3.9 you get data-in-transit encryption for node-to-node communication within Microsoft AKS and Amazon Web Services‘ EKS.
Sounds good to you? Already know and like Calico? Give this a try. It might be just what you need for your Kubernetes network and security.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Tigera.
Amazon Web Services and Tigera are sponsors of The New Stack.