Kubernetes Goes Mainstream? With Calico, Yes
Visionaries and early adopters no longer dominate the Kubernetes world.
At KubeCon, Tigera announced updates to its Calico security platform with the mainstream user in mind. Created and maintained by Tigera, Calico is an open-source “networking and network security solution” for Kubernetes, virtual machines, and bare-metal workloads, according to its GitHub page. It provides networking connectivity and security policy enforcement between workloads.
In this release, Tigera updated five capabilities and stitched them together into a single solution presented to the user in a simple, easy-to-consume way. These capabilities are a vulnerability score, configuration hardening, runtime security, network security, and observability.
The goal is to give the user a cohesive picture of the cluster’s overall security by providing a score on a zero-to-100 scale, Tipirneni said. Scores are tracked over time, and a recommendation engine may then suggest actions to improve the overall score.
The platform measures the cluster’s risk profile; for example, it examines how the environment handles egress traffic and determines whether proper egress controls are in place.
“Because workloads are dynamic inside of a Kubernetes environment, it is very difficult to establish egress controls using traditional legacy security tools,” Tipirneni said. “So, as a simple matter of fact, do you have those security controls or not?”
Another example: does the Kubernetes environment allow for workload isolation?
“Do you have that in place?” he asked. “Or do you not have that in place? That’s another measure of how secure your cluster is. The third example I’ll give you is, maybe three or four years ago, it was good enough to be able to spit out the vulnerability scores on a CVSS on a scale of one to 10, how many images you have and what their scores were. But what customers are saying is that it’s not enough, they want to understand the runtime behavior, about which of those images are actually being invoked at runtime. And that really drives the risk profile of a security cluster. So that’s another example of what we’re baking into the security score.”
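The two checks discussed above, egress controls and workload isolation, both come down to whether each namespace carries a namespace-wide Kubernetes NetworkPolicy for the relevant direction. The script below is an added example and is not Calico's scoring engine or any Tigera code. It reads NetworkPolicy objects in the shape returned by `kubectl get networkpolicy -A -o json`, decides per namespace whether a default-deny ingress (isolation) and egress policy exists, and rolls the results into a simple 0-to-100 score with recommendations. The namespace list and policy objects are constructed sample input; the scoring formula is an assumption for illustration, not Tigera's.

```python
"""Score Kubernetes namespaces on default-deny NetworkPolicy coverage.

Added example (not Calico's own scoring). Uses NetworkPolicy semantics only:
a policy whose podSelector matches every pod makes each direction listed in
policyTypes default-deny for the whole namespace, since selected pods accept
only traffic some policy explicitly allows.
"""
from __future__ import annotations

# Constructed cluster: the namespaces to evaluate.
NAMESPACES = ["payments", "frontend", "batch"]

# Constructed NetworkPolicy objects, trimmed to the fields the checks need.
POLICIES = {
    "items": [
        {   # payments: namespace-wide deny for both directions
            "metadata": {"name": "default-deny-all", "namespace": "payments"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
        {   # frontend: only ingress is restricted; egress stays wide open
            "metadata": {"name": "default-deny-ingress", "namespace": "frontend"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
        },
        {   # batch: policy covers one app only, so other pods remain unisolated
            "metadata": {"name": "isolate-worker", "namespace": "batch"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "worker"}},
                "policyTypes": ["Ingress", "Egress"],
            },
        },
    ]
}


def selects_all_pods(spec: dict) -> bool:
    """An empty podSelector (no matchLabels/matchExpressions) selects every pod."""
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")


def policy_types(spec: dict) -> set[str]:
    """Apply the API default: Ingress always, Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def namespace_controls(policies: dict, namespaces: list[str]) -> dict[str, dict[str, bool]]:
    """Per namespace: is there a namespace-wide ingress (isolation) and egress policy?"""
    result = {ns: {"workload_isolation": False, "egress_controls": False} for ns in namespaces}
    for item in policies.get("items", []):
        ns = item["metadata"]["namespace"]
        if ns not in result:
            continue
        spec = item.get("spec", {})
        if not selects_all_pods(spec):
            continue  # covers a subset of pods, so not a namespace-wide default deny
        types = policy_types(spec)
        if "Ingress" in types:
            result[ns]["workload_isolation"] = True
        if "Egress" in types:
            result[ns]["egress_controls"] = True
    return result


def security_score(controls: dict[str, dict[str, bool]]) -> int:
    """Share of (namespace, control) checks passed, scaled to 0..100 (assumed formula)."""
    checks = [ok for ctl in controls.values() for ok in ctl.values()]
    if not checks:
        return 0
    return round(100 * sum(checks) / len(checks))


def recommendations(controls: dict[str, dict[str, bool]]) -> list[str]:
    """One remediation line per failed check, sorted by namespace."""
    out = []
    for ns, ctl in sorted(controls.items()):
        if not ctl["workload_isolation"]:
            out.append(f"{ns}: add a default-deny Ingress NetworkPolicy (podSelector: {{}})")
        if not ctl["egress_controls"]:
            out.append(f"{ns}: add a default-deny Egress NetworkPolicy and allow-list needed destinations (e.g. DNS)")
    return out


if __name__ == "__main__":
    ctl = namespace_controls(POLICIES, NAMESPACES)
    print(f"score: {security_score(ctl)}/100")
    for line in recommendations(ctl):
        print(" -", line)
```

Run against the constructed input, `payments` passes both checks, `frontend` passes only isolation, and `batch` passes neither because its policy selects a single app rather than every pod, giving a score of 50 and three recommendations. Against a live cluster, feed `namespace_controls` the parsed output of `kubectl get networkpolicy -A -o json` and the namespace names from `kubectl get ns`.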
But what about accuracy?
“That’s why it’s really critical to understand the actual flow of data across the network, between these microservices,” Tipirneni said. “And you know, that’s the foundation we use. And that’s why we’re uniquely positioned to build something like this. So we’re not guessing any of this. Everything is built on empirical data, if you know, so, the blue services are talking to green services. That’s factual data, right? And we’re actually building a lot of algorithms and heuristics based on observed behavior as opposed to anything that we’re projecting.”