Kubernetes / Linux / Security

Project Calico: Kubernetes Security as SaaS

22 Feb 2021 12:11pm, by

It’s not easy to secure our favorite container orchestration program Kubernetes. But, companies and projects, such as Jetstack with cert-manager, are trying to make it more manageable. The latest business to take on this tough job is Tigera, the Project Calico creator and maintainer, with software as a service (SaaS) for Kubernetes security and observability, Calico Cloud.

Odds are you already know about Calico. First created for OpenStack, Calico simplified moving data packets over cloud networks using Internet Protocol (IP) routing, rather than switching, virtual networks, overlay networks, or other more complicated approaches. Since IP only gives you coarse-grained isolation across nodes, Calico added a real-time distributed filtering engine to control how the nodes talk to each one. This, in effect, enabled you to use Calico as a network policy enforcement tool.

Since its early days, Calico has also embraced extended Berkeley Packet Filter (eBPF). This recent addition to the Linux kernel acts as an in-kernel virtual machine (VM) where it provides even faster extensible network packet filtering.

Take this new, faster, and more flexible data plane model, and besides using Calico as a layer 3 network to route packets between pods, Calico can easily be used for network security.

To get to higher-level data, Calico listens to events from the Kubernetes API Server, for metadata changes and policy additions from the Container Networking Interface (CNI) and the Kubernetes Policy API. Making it even more useful, Calico doesn’t actually need Kubernetes or any other orchestrator. That means you can also use it to support, secure, and track legacy applications and cloud services. Pretty darn handy right?

Put it all together and Calico also works well with the Google Zero Trust Security model. This assumes networks and hosts will be breached, and automatically limits how much an attack can do. As Christopher Liljenstolpe, Tigera’s founder and chief technology officer has said, “We not only protect the rest of the workload from the rest of the workload, we also protect the rest of the world from the workload.” While that may worry you that, like SELinux, this means it’s very complex, Liljenstolpe assures users that “We tried to make this very easy to understand.”

What Calico Cloud brings to the table is a single pane of glass interface. You can use this across multicluster and multicloud Kubernetes environments to deploy a standard set of egress access controls, enforce security policies for compliance, and observe and troubleshoot applications.

Specifically, Calico Cloud addresses five different Kubernetes clusters network security issues.

First, it provides North-South controls since microservices often need to communicate with services or API endpoints running outside the Kubernetes cluster. Implementing access control from Kubernetes pods to external endpoints is hard. Most traditional or cloud provider’s firewalls do not understand the Kubernetes context which forces the ops team to allow traffic from the entire cluster or a set of worker nodes.

Calico Cloud answers these concerns with a DNS Policy, which enables the use of domain names in Calico security policies to control access to resources outside the cluster. It also provides an egress gateway to route traffic from a specific namespace to ensure consistent network identity outside the cluster. For Amazon Web Services (AWS) users, it also extends group membership to pods in the cluster for fine-grained access controls with resources in an Amazon Virtual Private Cloud (VPC).

Next up to deal with East-West security issues. These can arise when attackers find vulnerable pod/service accounts with overly powerful security privileges. To deal with this, Calico Cloud uses microsegmentation and a single security policy framework across your multicloud, VM, and Kubernetes environments backed up with a “defense-in-depth” approach.

To secure your data within your container network, since most traditional security and compliance approaches don’t work for highly dynamic and ephemeral Kubernetes workloads, Calico Cloud deploys the new Linux Wireguard VPN. It also uses an Intrusion Detection System (IDS) and reports and alerts to keep you on top of any would-be external attackers.

Since it’s a SaaS, there’s no up-front cost. You can try Calico Cloud in two different service offerings: A Starter subscription that is priced at $0.05 per node hour or $350 per node annually; and a Pro subscription priced at $0.08 per node hour or $561 per node annually. You can compare options and precisely calculate monthly spending. There’s also a Calico Cloud 14-day free trial.

A newsletter digest of the week’s most important stories & analyses.