Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf
•
0 likes•30 views
This document discusses holistic security for Kubernetes with Calico and NeuVector. It begins with an introduction to Calico and how it provides enhanced zero trust security. It describes how Calico is used in RKE2 and Rancher and provides vulnerability management with NeuVector. The rest of the document goes into details about Calico's security policies, identity-aware microsegmentation, compliance and encryption features. It also provides an overview of NeuVector's supply chain security, runtime security, vulnerability scanning and compliance scanning capabilities to provide layered security for containers.
Recommended
More Related Content
Similar to Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf
Similar to Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf (20)
Recently uploaded
Recently uploaded (19)
Implementing holistic security for containers and Kubernetes with Calico and NeuVector by Jan Bruder & Jérémy Guerrand.pdf
- 1. “ Holistic security for Kubernetes with Calico and NeuVector Jan Bruder - Suse Rancher Jeremy Guerrand - Tigera
- 2. © 2021 Tigera, Inc. Proprietary and Confidential 2 ● Introduction to Calico ● Enhanced Zero Trust Security with Calico ● Calico in RKE2 and Rancher ● Vulnerability Management with Neuvector Agenda
- 3. Calico
- 4. © 2021 Tigera, Inc. Proprietary and Confidential 4 Calico Open Source - Foundation for Zero Trust Workload Security 50k+ Enterprises 1M+ Clusters 8M+ Nodes 166 Countries >50% of Fortune 100 1.4B+ Docker Pulls Most adopted container networking and security solution
- 5. © 2021 Tigera, Inc. Proprietary and Confidential 5 Built on Calico Open Source Choice of Data Plane › Pluggable Data Plane › eBPF, Linux, Windows, VPP Full Kubernetes Network policy support › Full implementation Kubernetes network policies › Additional support for policies across namespaces Kubernetes Native Security Policy Model › Declarative security policies › Unified model from host to application layers Best in class performance › Blazing fast performance › Minimal CPU usage & occupancy › Lower costs Workload Interoperability › Unified policy across hosts, bare-metal, VMs, and containers › Mix and match workload types Scalable Networking with Encryption › Exceptional scalability › Advanced IP Address Management
- 6. © 2021 Tigera, Inc. Proprietary and Confidential 6 Security Policies 6 Policy as code ● Represent as code that is deployed alongside microservices ● Fully automate the end-to-end deployment process including security Policy Tiers ● Define the order in which security policies are evaluated ● Higher policy tiers evaluate first ● Self-service deployments cannot overrider higher policy tiers Policy Recommendation ● Auto-generate a recommended policy based on ingress and egress traffic between existing service
- 7. © 2021 Tigera, Inc. Proprietary and Confidential 7 Zero-Trust Workload Access Controls 7 Egress Gateway to leverage existing firewalls ● Assign a fixed IP to a pod or namespace for use with network firewalls ● Leverage existing firewall rules to limit access to and from pods DNS Policies to control access on a per-pod basis ● Allow/Deny access from pods to 3rd party sites identified by DNS names ● Limit access on a per-pod basis to external resources using label selectors Global and Namespaced Networksets ● Use IP subnetworks/CIDRs in security policies to control access from pods
- 8. © 2021 Tigera, Inc. Proprietary and Confidential 8 Identity-aware Microsegmentation 8 Unified Identity-Aware Segmentation Model ● Unified segmentation model across hybrid and multi-cloud environments ● Segment hosts, bare metals, VMs, containers, K8s, & cloud instances ● Correlate security with workload identity Dynamic Segmentation ● Label based security policies to segment new workloads rapidly ● Deploy new workloads rapidly and at scale without policy updates Upload Segmentation policies in milliseconds ● > High-performance distributed architecture to update policies ● > Update policies for 10s of thousands of servers in milliseconds
- 9. © 2021 Tigera, Inc. Proprietary and Confidential 9 Compliance and Encryption Regulatory and Compliance Frameworks ● Comply with PCI, HIPAA, GDPR, SOC2, FIPs and other custom frameworks Data in Transit Encryption ● Leverage highly performant encryption using Wireguard Evidence and Audit Reports ● Get started with pre-built reports and list of compliance controls
- 10. Calico and Rancher / RKE2
- 11. © 2021 Tigera, Inc. Proprietary and Confidential 11 Calico is the default CNI for RKE2 clusters
- 12. © 2021 Tigera, Inc. Proprietary and Confidential 12 Fully configurable through the Calico Operator
- 13. Vulnerability Management with Neuvector
- 14. © 2021 Tigera, Inc. Proprietary and Confidential 14 NeuVector Limit the capabilities of containers and prevent the deployment of insecure images 14
- 15. © 2021 Tigera, Inc. Proprietary and Confidential 15 Supply Chain Security Runtime Security Vulnerability Scanning Compliance Scanning Admission Control Runtime Scanning Threat Based Controls Zero-Trust Controls Layered Security: Defense In Depth
- 16. © 2021 Tigera, Inc. Proprietary and Confidential 16 A typical supply chain DEVELOPER Commits Code Pass Build Admission Control CI/CD PIPELINE PRIV/PUB REGISTRY RUN-TIME
- 17. © 2021 Tigera, Inc. Proprietary and Confidential 17 Scanning images is important 17
- 18. © 2021 Tigera, Inc. Proprietary and Confidential 18 Scanning images is not enough 18
- 19. Demo
- 20. Thank You