SlideShare a Scribd company logo

Calico to secure host interfaces

Download as PPT, PDF
D.Rajesh Kumar
D.Rajesh Kumar

The document discusses how to use Calico to secure the network interfaces of a host, called "host endpoints", in addition to workload endpoints like containers and VMs. Calico supports the same security policy model for host endpoints as it does for workloads. It distinguishes host and workload interfaces by configurable prefix. The steps to enable host endpoint security include installing Calico's Felix daemon, initializing the etcd database, adding basic connectivity policy, and creating host endpoint objects for each interface in etcd.

1 of 10
Calico to Secure Host Interfaces Rajesh Kumar
2 Calico to Secure Host Interfaces Will discuss how to use Calico to secure the network interfaces of the host itself (as opposed to those of any container/VM workloads that are present on the host). We call such interfaces “host endpoints”, to distinguish them from “workload endpoints” (such as containers or VMs). Calico supports the same rich security policy model for host endpoints that it supports for workload endpoints. Host endpoints can have labels, and their labels are in the same “namespace” as those of workload endpoints. This allows security rules for either type of endpoint to refer to the other type (or a
3 Calico to Secure Host Interfaces Calico does not support setting IPs or policing MAC addresses for host interfaces, it assumes that the interfaces are configured by the underlying network fabric. Calico distinguishes workload endpoints from host endpoints by a configurable prefix. Unless you happen to have host interfaces whose name matches the default for that prefix (cali), you won’t need to change it. In case you do, see the InterfacePrefix configuration value at Configuring Felix. Interfaces that start with a value listed in InterfacePrefix are assumed to be workload interfaces. Others are
4 Calico to Secure Host Interfaces As of Calico v2.1.0, Calico applies host endpoint security policy both to traffic that is terminated locally, and to traffic that is forwarded between host endpoints. Previously, policy was only applied to traffic that was terminated locally. The change allows Calico to be used to secure a NAT gateway or router. Calico supports selector-based policy as normal when running on a gateway or router allowing for rich, dynamic security policy based on the labels attached to your workloads.
5 Calico to Secure Host Interfaces Note: If you have a host with workloads on it then traffic that is forwarded to workloads bypasses the policy applied to host endpoints. If that weren’t the case, the host endpoint policy would need to be very broad to allow all traffic destined for any possible workload. Since version 2.1.0, Calico applies host endpoint policy to traffic that is being forwarded between host interfaces.
6 Installation overview To make use of Calico’s host endpoint support, you will need to follow these steps, described in more detail below: •download the calicoctl binary •create an etcd cluster, if you haven’t already •install Calico’s Felix daemon on each host •initialize the etcd database •add policy to allow basic connectivity and Calico function •create host endpoint objects in etcd for each interface you want Calico to police (in a later release, we plan to support interface templates to remove the
7 Creating an etcd cluster If you haven’t already created an etcd cluster for your Calico deployment, you’ll need to create one. To create a single-node etcd cluster for testing, download an etcd v3.x release from the etcd releases archive; we recommend using the most recent bugfix release. Then follow the instructions on that page to unpack and run the etcd binary. To create a production cluster, you should follow the guidance in the etcd manual. In particular, the clustering guide.
8 Creating an etcd cluster If you haven’t already created an etcd cluster for your Calico deployment, you’ll need to create one. To create a single-node etcd cluster for testing, download an etcd v3.x release from the etcd releases archive; we recommend using the most recent bugfix release. Then follow the instructions on that page to unpack and run the etcd binary. To create a production cluster, you should follow the guidance in the etcd manual. In particular, the clustering guide.
Thank You
Thank You

Recommended

Calico architecture
Calico architectureCalico architecture
Calico architecture
D.Rajesh Kumar
 
Deploying calico on docker
Deploying calico on dockerDeploying calico on docker
Deploying calico on docker
Anirban Sen Chowdhary
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
Hazzim Anaya
 
Deploying calico on kubernetes
Deploying calico on kubernetesDeploying calico on kubernetes
Deploying calico on kubernetes
Anirban Sen Chowdhary
 
Calico using rkt
Calico using rktCalico using rkt
Calico using rkt
Anirban Sen Chowdhary
 
Drive into calico architecture
Drive into calico architectureDrive into calico architecture
Drive into calico architecture
Anirban Sen Chowdhary
 
Metaswitch Project Calico
Metaswitch Project CalicoMetaswitch Project Calico
Metaswitch Project Calico
Andrew Kennedy
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Andrew Randall
 

Recommended

Calico architecture
Calico architectureCalico architecture
Calico architecture
D.Rajesh Kumar
 
Deploying calico on docker
Deploying calico on dockerDeploying calico on docker
Deploying calico on docker
Anirban Sen Chowdhary
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
Hazzim Anaya
 
Deploying calico on kubernetes
Deploying calico on kubernetesDeploying calico on kubernetes
Deploying calico on kubernetes
Anirban Sen Chowdhary
 
Calico using rkt
Calico using rktCalico using rkt
Calico using rkt
Anirban Sen Chowdhary
 
Drive into calico architecture
Drive into calico architectureDrive into calico architecture
Drive into calico architecture
Anirban Sen Chowdhary
 
Metaswitch Project Calico
Metaswitch Project CalicoMetaswitch Project Calico
Metaswitch Project Calico
Andrew Kennedy
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Andrew Randall
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
Andrew Randall
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Emma Gordon
 
Calico and BGP
Calico and BGPCalico and BGP
Calico and BGP
Anirban Sen Chowdhary
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
Packet
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Karthik Prabhakar
 
Let's Talk about Packet
Let's Talk about PacketLet's Talk about Packet
Let's Talk about Packet
Packet
 
Calico and mesos
Calico and mesosCalico and mesos
Calico and mesos
Anirban Sen Chowdhary
 
Calico 3
Calico 3Calico 3
Calico 3
Anirban Sen Chowdhary
 
20170705 kubernetes with calico
20170705 kubernetes with calico20170705 kubernetes with calico
20170705 kubernetes with calico
Isaac Tseng
 
Calico and juju
Calico and jujuCalico and juju
Calico and juju
Anirban Sen Chowdhary
 
Container network security
Container network securityContainer network security
Container network security
Daisuke Nakajima
 
Interop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloudInterop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloud
Daisuke Nakajima
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud Native
Ben Hall
 
MidoNet 101
MidoNet 101MidoNet 101
MidoNet 101
alexbikfalvi
 
Open contrailmeetup
Open contrailmeetupOpen contrailmeetup
Open contrailmeetup
Daisuke Nakajima
 
Dangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Dangerous Demo, Metaswitch TADSummit 2015, Paul DrewDangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Dangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Alan Quayle
 
Microservices for Enterprises - Consistent Network & Security services for Co...
Microservices for Enterprises - Consistent Network & Security services for Co...Microservices for Enterprises - Consistent Network & Security services for Co...
Microservices for Enterprises - Consistent Network & Security services for Co...
Dhananjay Sampath
 
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Sanjeev Rampal
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and Openstack
Daisuke Nakajima
 
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron IntegrationNetworking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Fawad Khaliq
 
Protecting host with calico
Protecting host with calicoProtecting host with calico
Protecting host with calico
Anirban Sen Chowdhary
 
Calico with open stack
Calico with open stackCalico with open stack
Calico with open stack
D.Rajesh Kumar
 

More Related Content

What's hot

Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
Andrew Randall
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Emma Gordon
 
Calico and BGP
Calico and BGPCalico and BGP
Calico and BGP
Anirban Sen Chowdhary
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
Packet
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Karthik Prabhakar
 
Let's Talk about Packet
Let's Talk about PacketLet's Talk about Packet
Let's Talk about Packet
Packet
 
Calico and mesos
Calico and mesosCalico and mesos
Calico and mesos
Anirban Sen Chowdhary
 
20170705 kubernetes with calico
20170705 kubernetes with calico20170705 kubernetes with calico
20170705 kubernetes with calico
Isaac Tseng
 
Calico and juju
Calico and jujuCalico and juju
Calico and juju
Anirban Sen Chowdhary
 
Container network security
Container network securityContainer network security
Container network security
Daisuke Nakajima
 
Interop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloudInterop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloud
Daisuke Nakajima
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud Native
Ben Hall
 
MidoNet 101
MidoNet 101MidoNet 101
MidoNet 101
alexbikfalvi
 
Open contrailmeetup
Open contrailmeetupOpen contrailmeetup
Open contrailmeetup
Daisuke Nakajima
 
Dangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Dangerous Demo, Metaswitch TADSummit 2015, Paul DrewDangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Dangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Alan Quayle
 
Microservices for Enterprises - Consistent Network & Security services for Co...
Microservices for Enterprises - Consistent Network & Security services for Co...Microservices for Enterprises - Consistent Network & Security services for Co...
Microservices for Enterprises - Consistent Network & Security services for Co...
Dhananjay Sampath
 
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Sanjeev Rampal
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and Openstack
Daisuke Nakajima
 
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron IntegrationNetworking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Fawad Khaliq
 

What's hot (20)

Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
 
Calico and BGP
Calico and BGPCalico and BGP
Calico and BGP
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
 
Let's Talk about Packet
Let's Talk about PacketLet's Talk about Packet
Let's Talk about Packet
 
Calico and mesos
Calico and mesosCalico and mesos
Calico and mesos
 
Calico 3
Calico 3Calico 3
Calico 3
 
20170705 kubernetes with calico
20170705 kubernetes with calico20170705 kubernetes with calico
20170705 kubernetes with calico
 
Calico and juju
Calico and jujuCalico and juju
Calico and juju
 
Container network security
Container network securityContainer network security
Container network security
 
Interop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloudInterop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloud
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud Native
 
MidoNet 101
MidoNet 101MidoNet 101
MidoNet 101
 
Open contrailmeetup
Open contrailmeetupOpen contrailmeetup
Open contrailmeetup
 
Dangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Dangerous Demo, Metaswitch TADSummit 2015, Paul DrewDangerous Demo, Metaswitch TADSummit 2015, Paul Drew
Dangerous Demo, Metaswitch TADSummit 2015, Paul Drew
 
Microservices for Enterprises - Consistent Network & Security services for Co...
Microservices for Enterprises - Consistent Network & Security services for Co...Microservices for Enterprises - Consistent Network & Security services for Co...
Microservices for Enterprises - Consistent Network & Security services for Co...
 
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and Openstack
 
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron IntegrationNetworking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
 

Similar to Calico to secure host interfaces

Protecting host with calico
Protecting host with calicoProtecting host with calico
Protecting host with calico
Anirban Sen Chowdhary
 
Calico with open stack
Calico with open stackCalico with open stack
Calico with open stack
D.Rajesh Kumar
 
Calico and open shift
Calico and open shiftCalico and open shift
Calico and open shift
Anirban Sen Chowdhary
 
IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation
khawkwf
 
Drive into calico architecture part 2
Drive into calico architecture part 2Drive into calico architecture part 2
Drive into calico architecture part 2
Anirban Sen Chowdhary
 
Kayobe_desc
Kayobe_descKayobe_desc
Kayobe_desc
ssuser8fea38
 
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Jeffrey Holden
 
MuleSoft Meetup Vancouver 5th Virtual Event
MuleSoft Meetup Vancouver 5th Virtual EventMuleSoft Meetup Vancouver 5th Virtual Event
MuleSoft Meetup Vancouver 5th Virtual Event
Vikalp Bhalia
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
Alfonso Martino
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
Vipin Mandale
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
Gianluca Arbezzano
 
As a Service: Cloud Foundry on OpenStack - Lessons Learnt
As a Service: Cloud Foundry on OpenStack - Lessons LearntAs a Service: Cloud Foundry on OpenStack - Lessons Learnt
As a Service: Cloud Foundry on OpenStack - Lessons Learnt
Animesh Singh
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guidejasembo
 
ACRN Kata Container on ACRN
ACRN Kata Container on ACRNACRN Kata Container on ACRN
ACRN Kata Container on ACRN
Project ACRN
 
Features supported by squid proxy server
Features supported by squid proxy serverFeatures supported by squid proxy server
Features supported by squid proxy server
Proxies Rent
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud Service
Robert Munteanu
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
Bob Killen
 

Similar to Calico to secure host interfaces (20)

Protecting host with calico
Protecting host with calicoProtecting host with calico
Protecting host with calico
 
Calico with open stack
Calico with open stackCalico with open stack
Calico with open stack
 
Calico and open shift
Calico and open shiftCalico and open shift
Calico and open shift
 
IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation
 
Drive into calico architecture part 2
Drive into calico architecture part 2Drive into calico architecture part 2
Drive into calico architecture part 2
 
Kayobe_desc
Kayobe_descKayobe_desc
Kayobe_desc
 
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
 
MuleSoft Meetup Vancouver 5th Virtual Event
MuleSoft Meetup Vancouver 5th Virtual EventMuleSoft Meetup Vancouver 5th Virtual Event
MuleSoft Meetup Vancouver 5th Virtual Event
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 
As a Service: Cloud Foundry on OpenStack - Lessons Learnt
As a Service: Cloud Foundry on OpenStack - Lessons LearntAs a Service: Cloud Foundry on OpenStack - Lessons Learnt
As a Service: Cloud Foundry on OpenStack - Lessons Learnt
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
 
ACRN Kata Container on ACRN
ACRN Kata Container on ACRNACRN Kata Container on ACRN
ACRN Kata Container on ACRN
 
Features supported by squid proxy server
Features supported by squid proxy serverFeatures supported by squid proxy server
Features supported by squid proxy server
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud Service
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 

More from D.Rajesh Kumar

Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0
D.Rajesh Kumar
 
Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)
D.Rajesh Kumar
 
Mule soft meetup_-_finland_july_11th__2020
Mule soft meetup_-_finland_july_11th__2020Mule soft meetup_-_finland_july_11th__2020
Mule soft meetup_-_finland_july_11th__2020
D.Rajesh Kumar
 
Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10
D.Rajesh Kumar
 
Meetup bangalore 9_novupdated
Meetup bangalore 9_novupdatedMeetup bangalore 9_novupdated
Meetup bangalore 9_novupdated
D.Rajesh Kumar
 
Meetup bangalore aug31st2019
Meetup bangalore aug31st2019Meetup bangalore aug31st2019
Meetup bangalore aug31st2019
D.Rajesh Kumar
 
Meetup bangalore june29th2019
Meetup bangalore june29th2019Meetup bangalore june29th2019
Meetup bangalore june29th2019
D.Rajesh Kumar
 
mulesoft meetup @ bangalore
mulesoft meetup @ bangaloremulesoft meetup @ bangalore
mulesoft meetup @ bangalore
D.Rajesh Kumar
 
Meetup_Bangalore_Rajesh
Meetup_Bangalore_RajeshMeetup_Bangalore_Rajesh
Meetup_Bangalore_Rajesh
D.Rajesh Kumar
 
Calico and container
Calico and containerCalico and container
Calico and container
D.Rajesh Kumar
 
Calico docker+ipam
Calico docker+ipamCalico docker+ipam
Calico docker+ipam
D.Rajesh Kumar
 
Calico and how interprets neutron api
Calico and how interprets neutron apiCalico and how interprets neutron api
Calico and how interprets neutron api
D.Rajesh Kumar
 
Calico with open stack and chef
Calico with open stack and chefCalico with open stack and chef
Calico with open stack and chef
D.Rajesh Kumar
 
Calico with docker
Calico with dockerCalico with docker
Calico with docker
D.Rajesh Kumar
 
Object Store in Mule
Object Store in MuleObject Store in Mule
Object Store in Mule
D.Rajesh Kumar
 
Slack connector with in MULE
Slack connector with in MULESlack connector with in MULE
Slack connector with in MULE
D.Rajesh Kumar
 
MuleSoft Offers a Data Migration Solution
MuleSoft Offers a Data Migration SolutionMuleSoft Offers a Data Migration Solution
MuleSoft Offers a Data Migration Solution
D.Rajesh Kumar
 
Mule version-crowd highlights
Mule version-crowd highlightsMule version-crowd highlights
Mule version-crowd highlights
D.Rajesh Kumar
 
Mule ctf
Mule ctfMule ctf
Mule ctf
D.Rajesh Kumar
 
Sdlc with mule esb
Sdlc with mule esbSdlc with mule esb
Sdlc with mule esb
D.Rajesh Kumar
 

More from D.Rajesh Kumar (20)

Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0
 
Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)
 
Mule soft meetup_-_finland_july_11th__2020
Mule soft meetup_-_finland_july_11th__2020Mule soft meetup_-_finland_july_11th__2020
Mule soft meetup_-_finland_july_11th__2020
 
Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10
 
Meetup bangalore 9_novupdated
Meetup bangalore 9_novupdatedMeetup bangalore 9_novupdated
Meetup bangalore 9_novupdated
 
Meetup bangalore aug31st2019
Meetup bangalore aug31st2019Meetup bangalore aug31st2019
Meetup bangalore aug31st2019
 
Meetup bangalore june29th2019
Meetup bangalore june29th2019Meetup bangalore june29th2019
Meetup bangalore june29th2019
 
mulesoft meetup @ bangalore
mulesoft meetup @ bangaloremulesoft meetup @ bangalore
mulesoft meetup @ bangalore
 
Meetup_Bangalore_Rajesh
Meetup_Bangalore_RajeshMeetup_Bangalore_Rajesh
Meetup_Bangalore_Rajesh
 
Calico and container
Calico and containerCalico and container
Calico and container
 
Calico docker+ipam
Calico docker+ipamCalico docker+ipam
Calico docker+ipam
 
Calico and how interprets neutron api
Calico and how interprets neutron apiCalico and how interprets neutron api
Calico and how interprets neutron api
 
Calico with open stack and chef
Calico with open stack and chefCalico with open stack and chef
Calico with open stack and chef
 
Calico with docker
Calico with dockerCalico with docker
Calico with docker
 
Object Store in Mule
Object Store in MuleObject Store in Mule
Object Store in Mule
 
Slack connector with in MULE
Slack connector with in MULESlack connector with in MULE
Slack connector with in MULE
 
MuleSoft Offers a Data Migration Solution
MuleSoft Offers a Data Migration SolutionMuleSoft Offers a Data Migration Solution
MuleSoft Offers a Data Migration Solution
 
Mule version-crowd highlights
Mule version-crowd highlightsMule version-crowd highlights
Mule version-crowd highlights
 
Mule ctf
Mule ctfMule ctf
Mule ctf
 
Sdlc with mule esb
Sdlc with mule esbSdlc with mule esb
Sdlc with mule esb
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

Calico to secure host interfaces

  • 1. Calico to Secure Host Interfaces Rajesh Kumar
  • 2. 2 Calico to Secure Host Interfaces Will discuss how to use Calico to secure the network interfaces of the host itself (as opposed to those of any container/VM workloads that are present on the host). We call such interfaces “host endpoints”, to distinguish them from “workload endpoints” (such as containers or VMs). Calico supports the same rich security policy model for host endpoints that it supports for workload endpoints. Host endpoints can have labels, and their labels are in the same “namespace” as those of workload endpoints. This allows security rules for either type of endpoint to refer to the other type (or a
  • 3. 3 Calico to Secure Host Interfaces Calico does not support setting IPs or policing MAC addresses for host interfaces, it assumes that the interfaces are configured by the underlying network fabric. Calico distinguishes workload endpoints from host endpoints by a configurable prefix. Unless you happen to have host interfaces whose name matches the default for that prefix (cali), you won’t need to change it. In case you do, see the InterfacePrefix configuration value at Configuring Felix. Interfaces that start with a value listed in InterfacePrefix are assumed to be workload interfaces. Others are
  • 4. 4 Calico to Secure Host Interfaces As of Calico v2.1.0, Calico applies host endpoint security policy both to traffic that is terminated locally, and to traffic that is forwarded between host endpoints. Previously, policy was only applied to traffic that was terminated locally. The change allows Calico to be used to secure a NAT gateway or router. Calico supports selector-based policy as normal when running on a gateway or router allowing for rich, dynamic security policy based on the labels attached to your workloads.
  • 5. 5 Calico to Secure Host Interfaces Note: If you have a host with workloads on it then traffic that is forwarded to workloads bypasses the policy applied to host endpoints. If that weren’t the case, the host endpoint policy would need to be very broad to allow all traffic destined for any possible workload. Since version 2.1.0, Calico applies host endpoint policy to traffic that is being forwarded between host interfaces.
  • 6. 6 Installation overview To make use of Calico’s host endpoint support, you will need to follow these steps, described in more detail below: •download the calicoctl binary •create an etcd cluster, if you haven’t already •install Calico’s Felix daemon on each host •initialize the etcd database •add policy to allow basic connectivity and Calico function •create host endpoint objects in etcd for each interface you want Calico to police (in a later release, we plan to support interface templates to remove the
  • 7. 7 Creating an etcd cluster If you haven’t already created an etcd cluster for your Calico deployment, you’ll need to create one. To create a single-node etcd cluster for testing, download an etcd v3.x release from the etcd releases archive; we recommend using the most recent bugfix release. Then follow the instructions on that page to unpack and run the etcd binary. To create a production cluster, you should follow the guidance in the etcd manual. In particular, the clustering guide.
  • 8. 8 Creating an etcd cluster If you haven’t already created an etcd cluster for your Calico deployment, you’ll need to create one. To create a single-node etcd cluster for testing, download an etcd v3.x release from the etcd releases archive; we recommend using the most recent bugfix release. Then follow the instructions on that page to unpack and run the etcd binary. To create a production cluster, you should follow the guidance in the etcd manual. In particular, the clustering guide.