This podcast is sponsored by InfluxData and KubeCon+CloudNativeCon. Tigera is a sponsor of The New Stack.
Christopher Liljenstolpe is the founder and chief technology officer of Tigera, a provider of cloud native security and networking software. He formed Tigera to offer commercial support for Project Calico, a control plane he created for cloud native applications. In this episode of The New Stack Analysts podcast, TNS Managing Editor Joab Jackson and TNS contributing analyst Janakiram MSV talk with Liljenstolpe about Calico’s creation, overlay networks, service meshes and IPv6.
- Originally created for OpenStack, Calico was designed to make it easy to get data packets from one part of the network to another, using Internet technologies such as IP routing rather than switching, virtual networks, overlay networks or other complex approaches.
- This form of networking offers only a coarse-grained isolation across nodes, so Calico uses real-time distributed filtering engines to control which nodes can communicate with one another, in effect acting as a network policy enforcement tool.
- Anticipating containers, Calico was designed for very dynamic environments, and can manage hundreds of thousands of end-points that can change location at any time.
- Each host makes filtering decisions, allowing the system as a whole to scale easily. The filters can be located on the underlying hosts, and can also be installed in the pod itself to manage higher-level policies, working with data from service meshes and Kubernetes.
- To get the higher-level data, Calico listens to events from the Kubernetes API Server, for metadata changes and policy additions from the Container Networking Interface (CNI) and the Kubernetes Policy API.
- Calico is not dependent on an orchestrator. It can run on bare metal, and it can support and track non-Kubernetes legacy applications and cloud services.
- Calico meshes very well with Google’s Zero Trust Security model, which assumes networks and hosts will be breached, and so limits the amount of damage that can be done. “We not only protect the rest of the workloads from the rest of the workload, we also protect the rest of the world from the workload,” Liljenstolpe said, talking about multiple authentication checks on both inbound and outbound traffic on a per-object basis.
- Although Calico superficially resembles a sort of SELinux for networking, it is a lot easier to deploy and manage. “We tried to make this very easy to understand,” Liljenstolpe said.
- On Calico vs. Flannel: Flannel doesn’t have to be integrated with the underlying infrastructure. Calico can operate in this “overlay network” mode too, but it can also integrate with the infrastructure for greater ease of use: no onloading and offloading of the overlay network, and fewer address spaces are required. Tigera also contributes to the Flannel project.
- Calico and the Zero Trust model, in general, simplify a lot of the overhead of dealing with traditional security measures, such as making changes to firewall rules, which typically involves submitting requests to the security team and waiting for a review against all the other policies. Calico’s tiered policy model streamlines this process by ensuring broad compliance policies (i.e. no PCI-compliant component can communicate with a non-PCI component) are enforced while giving developers the freedom to make local changes on their own.
- Tigera offers a number of visualization tools to understand where traffic flows. IP addresses, which change rapidly for sources, are annotated by the metadata from the orchestrator. Real-time compliance reports can be easily generated, or the data can be easily shipped off to a search engine, such as Elastic.
In this Edition:
1:43: What is Calico?
11:25: How does Calico get this information from Kubernetes, and how does this look for the Kubernetes administrator?
21:02: What is the difference between Flannel and Calico, and when should developers choose one over the other?
27:15: Why firewall changes take so long, and how Tigera aims to solve that problem
35:15: Moving into multi-cloud operations
37:36: Where do you see the Calico network stopping Istio from taking over, and where do you see these lines getting blurred and converging?
The OpenStack Foundation is a sponsor of The New Stack.