Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf

•

0 likes•30 views

This document discusses holistic security for Kubernetes with Calico and NeuVector. It begins with an introduction to Calico and how it provides enhanced zero trust security. It describes how Calico is used in RKE2 and Rancher and provides vulnerability management with NeuVector. The rest of the document goes into details about Calico's security policies, identity-aware microsegmentation, compliance and encryption features. It also provides an overview of NeuVector's supply chain security, runtime security, vulnerability scanning and compliance scanning capabilities to provide layered security for containers.

Presentations & Public Speaking

“
Holistic security for Kubernetes with
Calico and NeuVector
Jan Bruder - Suse Rancher
Jeremy Guerrand - Tigera

© 2021 Tigera, Inc. Proprietary and Conﬁdential
2
● Introduction to Calico
● Enhanced Zero Trust Security with Calico
● Calico in RKE2 and Rancher
● Vulnerability Management with Neuvector
Agenda

© 2021 Tigera, Inc. Proprietary and Conﬁdential
4
Calico Open Source - Foundation for Zero Trust Workload Security
50k+
Enterprises
1M+
Clusters
8M+
Nodes
166
Countries
>50%
of Fortune 100
1.4B+
Docker Pulls
Most adopted container networking and security solution

© 2021 Tigera, Inc. Proprietary and Conﬁdential
5
Built on Calico Open Source
Choice of Data Plane
› Pluggable Data Plane
› eBPF, Linux, Windows, VPP
Full Kubernetes Network
policy support
› Full implementation
Kubernetes network policies
› Additional support for policies
across namespaces
Kubernetes Native
Security Policy Model
› Declarative security policies
› Unified model from host to
application layers
Best in class
performance
› Blazing fast performance
› Minimal CPU usage & occupancy
› Lower costs
Workload
Interoperability
› Unified policy across hosts,
bare-metal, VMs, and containers
› Mix and match workload types
Scalable Networking with
Encryption
› Exceptional scalability
› Advanced IP Address Management

© 2021 Tigera, Inc. Proprietary and Conﬁdential
6
Security Policies
6
Policy as code
● Represent as code that is deployed alongside microservices
● Fully automate the end-to-end deployment process including
security
Policy Tiers
● Define the order in which security policies are evaluated
● Higher policy tiers evaluate first
● Self-service deployments cannot overrider higher policy tiers
Policy Recommendation
● Auto-generate a recommended policy based on ingress and
egress traffic between existing service

© 2021 Tigera, Inc. Proprietary and Conﬁdential
7
Zero-Trust Workload Access Controls
7
Egress Gateway to leverage existing firewalls
● Assign a fixed IP to a pod or namespace for use with network
firewalls
● Leverage existing firewall rules to limit access to and from pods
DNS Policies to control access on a per-pod basis
● Allow/Deny access from pods to 3rd party sites identified by
DNS names
● Limit access on a per-pod basis to external resources using
label selectors
Global and Namespaced Networksets
● Use IP subnetworks/CIDRs in security policies to control access from
pods

© 2021 Tigera, Inc. Proprietary and Conﬁdential
8
Identity-aware Microsegmentation
8
Unified Identity-Aware Segmentation Model
● Unified segmentation model across hybrid and multi-cloud
environments
● Segment hosts, bare metals, VMs, containers, K8s, & cloud instances
● Correlate security with workload identity
Dynamic Segmentation
● Label based security policies to segment new workloads rapidly
● Deploy new workloads rapidly and at scale without policy updates
Upload Segmentation policies in milliseconds
● > High-performance distributed architecture to update policies
● > Update policies for 10s of thousands of servers in milliseconds

© 2021 Tigera, Inc. Proprietary and Conﬁdential
9
Compliance and Encryption
Regulatory and Compliance Frameworks
● Comply with PCI, HIPAA, GDPR, SOC2, FIPs and other custom
frameworks
Data in Transit Encryption
● Leverage highly performant encryption using Wireguard
Evidence and Audit Reports
● Get started with pre-built reports and list of compliance controls

© 2021 Tigera, Inc. Proprietary and Conﬁdential
11
Calico is the default CNI for RKE2 clusters

© 2021 Tigera, Inc. Proprietary and Conﬁdential
12
Fully configurable through the Calico Operator

© 2021 Tigera, Inc. Proprietary and Conﬁdential
14
NeuVector
Limit the capabilities of containers
and prevent the deployment of
insecure images
14

© 2021 Tigera, Inc. Proprietary and Conﬁdential
15
Supply Chain
Security
Runtime
Security
Vulnerability Scanning
Compliance Scanning
Admission Control
Runtime Scanning
Threat Based Controls
Zero-Trust Controls
Layered Security: Defense In Depth

© 2021 Tigera, Inc. Proprietary and Conﬁdential
16
A typical supply chain
DEVELOPER
Commits
Code
Pass
Build
Admission
Control
CI/CD
PIPELINE
PRIV/PUB
REGISTRY
RUN-TIME

© 2021 Tigera, Inc. Proprietary and Conﬁdential
17
Scanning images is
important
17

© 2021 Tigera, Inc. Proprietary and Conﬁdential
18
Scanning images is not
enough
18

Similar to Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf

Join our resident Kubernetes and modern apps experts in a discussion of the challenges of Kubernetes traffic management in today’s technology landscape. While Kubernetes Ingress gets most of the attention, how you handle egress traffic is just as important. Egress isn’t just about traffic leaving a cluster, either, but also concerns traffic among managed and unmanaged services within the cluster. We demo a solution using NGINX Service Mesh and NGINX Ingress Controller to control egress from the cluster and between NGINX Service Mesh and unmanaged services. Whether you’re new to modern application architectures, or looking to improve your current microservices deployment, this webinar is for you. Join this webinar to learn: * Solutions to common challenges when managing traffic in Kubernetes * How to control both ingress and egress in a single configuration * Which solutions from NGINX can best serve your needs, depending on your requirements * About NGINX Service Mesh and NGINX Ingress Controller with live demos

Control Kubernetes Ingress and Egress Together with NGINX

NGINX, Inc.

Edge applications today require strong networks and connections to core data center products. Supermicro’s Twin systems deliver performance from the edge to the core or cloud data center and leverage our latest content delivery network (CDN) technologies. Join this webinar to learn about the different Supermicro CDN technologies that support Edge Computing based on 3GPP standards and have proven successful for our customers. Product experts will also discuss the importance of an elastic CDN to optimize the availability of resources for low-latency and high-bandwidth applications and share an introduction to our new GrandTwin® server.

Optimize Content Delivery with Multi-Access Edge Computing

Rebekah Rodriguez

Cloud Computing Services from Pakistan...

Weatherly Cloud Inc.

Confidential Computing overview

Mark Argent

Guardicore - Shrink Your Attack Surface with Micro-Segmentation

CSNP

Kubernetes best practices with GKE

GDG Cloud Bengaluru

CipherCloud for Any App

CipherCloud

CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf

LibbySchulze

The concept of backhauling traffic to a centralized datacenter worked when both users and applications resided there. But, the migration of applications from the data center to the cloud requires organizations to rethink their branch and network architectures. What is the best approach to manage costs, reduce risk, and deliver the best user experience for all your users? Watch this webcast to uncover the five key requirements to overcome these challenges and securely route your branch traffic direct to the cloud.

Overcoming the Challenges of Architecting for the Cloud

Zscaler

SSIP Award Talk - Distinguished Recognition June 14, 2023 https://issip.org/issip-2023-excellence-in-service-innovation-awards/ Innovation: Helping you turn your sustainability strategy into action Summary: IBM LinuxONE Emperor 4 was designed, developed, and manufactured for end-to-end sustainability, all without compromising security, performance, or response time. Optimized to scale capacity up to 20 billion web transactions per day while reducing energy consumption and the physical and CO2 footprints. Organization: IBM (@IBM) Speaker: Nada Santiago (LI) (DC) https://www.linkedin.com/in/nada-santiago/ YouTube: https://youtu.be/UZ62AyZbSC4

20230614 LinuxONE Distinguished_Recognition ISSIP_Award_Talk.pptx

International Society of Service Innovation Professionals

How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...

Mirantis

Continuous Delivery with CloudBees Core

Bhavani Rao

Speakers: Ephraim Baron - Subject Matter Expert, Equinix Jeff Dickey - Chief Cloud Architect, Redapt Learn how Redapt and Equinix are working together to provide Cloud 2.0 infrastructure. Learn why, when, and how to securely scale cloud applications from your data center to a public cloud provider, such as AWS or Google. Learn how to overcome the challenges of capital preservation, compliance, security, performance, agility, and time to market of a production private cloud. Industry thought leaders Ephraim Baron of Equinix and Jeff Dickey of Redapt will take you through lessons learned and best practices for building your private cloud infrastructure and scaling it out to exceed the toughest application demands.

Connecting the Clouds - RightScale Compute 2013

RightScale

Simplify and secure your path to the multicloud future

MarketingArrowECS_CZ

Calico provides secure network connectivity for containers and virtual machine workloads. Calico creates and manages a flat layer 3 network, assigning each workload a fully routable IP address. Workloads can communicate without IP encapsulation or network address translation for bare metal performance, easier troubleshooting, and better interoperability. In environments that require an overlay, Calico uses IP-in-IP tunneling or can work with other overlay networking such as flannel. Calico also provides dynamic enforcement of network security rules. Using Calico’s simple policy language, you can achieve fine-grained control over communications between containers, virtual machine workloads, and bare metal host endpoints. Proven in production at scale, Calico features integrations with Kubernetes, OpenShift, Docker, Mesos, DC/OS, and OpenStack.

Project calico - introduction

Hazzim Anaya

CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf

LibbySchulze

vArmour - Securing the Modern Data Centre

Infront

Biznet GIO National Seminar on Digital Forensics

Yusuf Hadiwinata Sutandar

CohesiveFT and IBM joint EMEA Webinar - 20Jun13 Control and secure your applications on IBM SmartCloud Enterprise with Software Defined Networking from CohesiveFT. An IBM SmartCloud ready partner, CohesiveFT address issues of security and control to allow customers to take full advantage of cloud computing. Cohesive FT’s VNS3 Software Defined Networking is an overlay network which allows you to extend your data centers into the cloud, join clouds together and have control over end to end 256 bit encryption, IP addressing, topology and multicast protocols. The joint IBM and Cohesive webinar aired on June 20

CohesiveFT and IBM joint EMEA Webinar - 20Jun13

Cohesive Networks

Nginx app protect-for-meetup-v1.0-202006_lk

Juraj Hantak

Similar to Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf (20)

Control Kubernetes Ingress and Egress Together with NGINX

Optimize Content Delivery with Multi-Access Edge Computing

Cloud Computing Services from Pakistan...

Confidential Computing overview

Guardicore - Shrink Your Attack Surface with Micro-Segmentation

Kubernetes best practices with GKE

CipherCloud for Any App

CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf

Overcoming the Challenges of Architecting for the Cloud

20230614 LinuxONE Distinguished_Recognition ISSIP_Award_Talk.pptx

How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...

Continuous Delivery with CloudBees Core

Connecting the Clouds - RightScale Compute 2013

Simplify and secure your path to the multicloud future

Project calico - introduction

CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf

vArmour - Securing the Modern Data Centre

Biznet GIO National Seminar on Digital Forensics

CohesiveFT and IBM joint EMEA Webinar - 20Jun13

Nginx app protect-for-meetup-v1.0-202006_lk

Recently uploaded

Understanding Poverty: A Community Questionnaire

bazilnaeem7

art integrated project of computer applications

marvelpwian65

Cymulate (Breach and Attack Simulation).

luckyk1575

A proposal aimed at transforming a key site in Canoga Park into a vibrant, mixed-use development. The project includes comprehensive location analysis, neighborhood context evaluation, and zoning and planning assessments. By leveraging the site’s strengths and addressing potential challenges, we plan to create a space that integrates residential, commercial, and public areas. The development will enhance connectivity, support community objectives, and provide economic benefits, all while aligning with local zoning regulations.

The Canoga Gardens Development Project. PDF

Rahsaan L. Browne

OC Streetcar Final Presentation-Downtown Santa Ana

Rahsaan L. Browne

The implementation of best practices for ensuring asset integrity is of paramount importance, as it safeguards our critical infrastructure and ensures operational excellence. One area of concern that demands our attention is Microbiologically Induced Corrosion (MIC), a phenomenon that poses a significant threat to the integrity of assets by accelerating the corrosion rate, potentially leading to equipment failure before their expected lifetime. It is estimated that up to 40% of internal corrosion in oil and gas pipelines can be attributed to MIC. Dr. Mahendara P. Singh, Ph.D. shed light on Microbiologically Induced Corrosion (MIC), a phenomenon that poses a significant threat to the integrity of assets in Oil & Gas Industry. Dr. Singh is Advisor at Kinben Innovation Pvt. Ltd. He was the Chief Research Manager at the Industrial Biotechnology Department of Indian Oil Corporation Ltd., Research & Development Centre. Contact Us to know more about our Services.

ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf

Kinben Innovation Private Limited

Deciding The Topic of our Magazine.pptx.

bazilnaeem7

• For a full set of 420+ questions. Go to https://skillcertpro.com/product/oracle-database-administration-i-1z0-082-exam-questions/ • SkillCertPro offers detailed explanations to each question which helps to understand the concepts better. • It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. • SkillCertPro updates exam questions every 2 weeks. • You will get life time access and life time free updates • SkillCertPro assures 100% pass guarantee in first attempt.

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

SkillCertProExams

Mogul Press: Shaping Contemporary Public Relations" delves into the transformative impact and evolutionary journey of mogul press in modern PR practices. From its inception, mogul press has been a pivotal force, leveraging its vast reach and influence to shape narratives, sway opinions, and amplify brands' voices. This document explores how mogul press has evolved in tandem with technological advancements and societal shifts, becoming an indispensable tool for PR professionals navigating the complex media landscape of today.

The Influence and Evolution of Mogul Press in Contemporary Public Relations.docx

Mogul Press

• For a full set of 340+ questions. Go to https://skillcertpro.com/product/servicenow-cis-discovery-exam-questions/ • SkillCertPro offers detailed explanations to each question which helps to understand the concepts better. • It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. • SkillCertPro updates exam questions every 2 weeks. • You will get life time access and life time free updates • SkillCertPro assures 100% pass guarantee in first attempt.

ServiceNow CIS-Discovery Exam Dumps 2024

SkillCertProExams

05232024 Joint Meeting - Community Networking

Michael Orias

527598851-ppc-due-to-various-govt-policies.pdf

rajpreetkaur75080

Breathing in New Life_ Part 3 05 22 2024.pptx

FamilyWorshipCenterD

Bridging the Divide: Enhancing Public Engagement in Urban Development This paper delves into the critical role of public engagement in urban development, emphasizing the need for community involvement to create sustainable and inclusive urban spaces. It discusses the motivations behind public participation, the challenges faced in engaging diverse communities, and the strategies for overcoming these barriers. The paper also highlights successful case studies and explores the use of technology and effective communication to facilitate broader and more meaningful engagement. By examining these elements, the paper underscores the importance of bridging the gap between planners and residents to ensure urban development reflects the collective vision and needs of the community.

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Rahsaan L. Browne

Recently uploaded (14)

Understanding Poverty: A Community Questionnaire

art integrated project of computer applications

Cymulate (Breach and Attack Simulation).

The Canoga Gardens Development Project. PDF

OC Streetcar Final Presentation-Downtown Santa Ana

ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf

Deciding The Topic of our Magazine.pptx.

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

The Influence and Evolution of Mogul Press in Contemporary Public Relations.docx

ServiceNow CIS-Discovery Exam Dumps 2024

05232024 Joint Meeting - Community Networking

527598851-ppc-due-to-various-govt-policies.pdf

Breathing in New Life_ Part 3 05 22 2024.pptx

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf

1. “ Holistic security for Kubernetes with Calico and NeuVector Jan Bruder - Suse Rancher Jeremy Guerrand - Tigera

3. Calico

4. © 2021 Tigera, Inc. Proprietary and Conﬁdential 4 Calico Open Source - Foundation for Zero Trust Workload Security 50k+ Enterprises 1M+ Clusters 8M+ Nodes 166 Countries >50% of Fortune 100 1.4B+ Docker Pulls Most adopted container networking and security solution

5. © 2021 Tigera, Inc. Proprietary and Conﬁdential 5 Built on Calico Open Source Choice of Data Plane › Pluggable Data Plane › eBPF, Linux, Windows, VPP Full Kubernetes Network policy support › Full implementation Kubernetes network policies › Additional support for policies across namespaces Kubernetes Native Security Policy Model › Declarative security policies › Unified model from host to application layers Best in class performance › Blazing fast performance › Minimal CPU usage & occupancy › Lower costs Workload Interoperability › Unified policy across hosts, bare-metal, VMs, and containers › Mix and match workload types Scalable Networking with Encryption › Exceptional scalability › Advanced IP Address Management

6. © 2021 Tigera, Inc. Proprietary and Conﬁdential 6 Security Policies 6 Policy as code ● Represent as code that is deployed alongside microservices ● Fully automate the end-to-end deployment process including security Policy Tiers ● Define the order in which security policies are evaluated ● Higher policy tiers evaluate first ● Self-service deployments cannot overrider higher policy tiers Policy Recommendation ● Auto-generate a recommended policy based on ingress and egress traffic between existing service

7. © 2021 Tigera, Inc. Proprietary and Conﬁdential 7 Zero-Trust Workload Access Controls 7 Egress Gateway to leverage existing firewalls ● Assign a fixed IP to a pod or namespace for use with network firewalls ● Leverage existing firewall rules to limit access to and from pods DNS Policies to control access on a per-pod basis ● Allow/Deny access from pods to 3rd party sites identified by DNS names ● Limit access on a per-pod basis to external resources using label selectors Global and Namespaced Networksets ● Use IP subnetworks/CIDRs in security policies to control access from pods

8. © 2021 Tigera, Inc. Proprietary and Conﬁdential 8 Identity-aware Microsegmentation 8 Unified Identity-Aware Segmentation Model ● Unified segmentation model across hybrid and multi-cloud environments ● Segment hosts, bare metals, VMs, containers, K8s, & cloud instances ● Correlate security with workload identity Dynamic Segmentation ● Label based security policies to segment new workloads rapidly ● Deploy new workloads rapidly and at scale without policy updates Upload Segmentation policies in milliseconds ● > High-performance distributed architecture to update policies ● > Update policies for 10s of thousands of servers in milliseconds

9. © 2021 Tigera, Inc. Proprietary and Conﬁdential 9 Compliance and Encryption Regulatory and Compliance Frameworks ● Comply with PCI, HIPAA, GDPR, SOC2, FIPs and other custom frameworks Data in Transit Encryption ● Leverage highly performant encryption using Wireguard Evidence and Audit Reports ● Get started with pre-built reports and list of compliance controls

10. Calico and Rancher / RKE2

13. Vulnerability Management with Neuvector

15. © 2021 Tigera, Inc. Proprietary and Conﬁdential 15 Supply Chain Security Runtime Security Vulnerability Scanning Compliance Scanning Admission Control Runtime Scanning Threat Based Controls Zero-Trust Controls Layered Security: Defense In Depth

19. Demo

20. Thank You

Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf

Recommended

Recommended

More Related Content

Similar to Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf

Similar to Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf (20)

Recently uploaded

Recently uploaded (14)

Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf