This document summarizes a presentation about securing Windows workloads in a hybrid Kubernetes cluster. It begins with an overview of Calico and describes what a hybrid cluster is. It then discusses running Windows containers and the need to choose container base images wisely. The presentation covers how Calico can be used to secure Windows workloads by providing networking and policy enforcement capabilities. It concludes with information about demo environments and resources for working with Windows and Kubernetes.

1. Securing Windows
workloads
Thursday, Jun 02, 2022

2. Your Speaker Today:
● Reza Ramezanpour - Developer
Advocate @ Tigera (Project
Calico)

3. Agenda
● Calico overview
● A hybrid cluster
● Windows workloads
● Securing Windows workloads
● Demo

4. Calico overview
01

5. https://projectcalico.org
https://slack.projectcalico.org
@projectcalico
https://github.com/projectcalico/community
https://discuss.projectcalico.org
6000+
Slack channel members
150+
Contributors
1,000,000+
Nodes powered by Calico every day

6. eBPF iptables HNS

7. Host Network Service

8. A hybrid cluster
02

9. © 2022 Tigera, Inc. Proprietary and Confidential
9
What is a hybrid cluster?

10. © 2022 Tigera, Inc. Proprietary and Confidential
10
● Linux node (System)
● Windows Server 2019 or higher
● Kubernetes v1.21 or higher
● A CNI
Hybrid environment
(psst try Calico)

11. Windows workloads
03

12. © 2022 Tigera, Inc. Proprietary and Confidential
12
Windows Containers
● Run anywhere *
● Deploy at scale
● Lightweight *
● Isolated *

13. © 2022 Tigera, Inc. Proprietary and Confidential
13
Choose your base image wisely
It can be lightweight
Windows Server (ltsc2022+) ServerCore NanoServer
7GB+ 4.8GB+ 2.5GB+ 90M+

14. © 2022 Tigera, Inc. Proprietary and Confidential
14
Kernel Compatibility

15. © 2022 Tigera, Inc. Proprietary and Confidential
15
Isolation

16. Securing Windows workloads
04

17. © 2022 Tigera, Inc. Proprietary and Confidential
17
● Networking
● Policy engine
Securing workloads
K8s Node
Networking layer
eth0 eth1
Network Foundation
CNI

18. Demo (Azure Cloud)
05

19. Demo (On-premises)
06

20. Stuff used for the demo:
https://github.com/frozenprocess/Tigera-Presentations/tr
ee/master/2022-06-02.CNCF-securing-windows-workloa
ds
Do-It-Yourself Resources
When things are not working:
Github: https://github.com/frozenprocess
Twitter: https://twitter.com/fr0zenprocess
Linkedin: https://www.linkedin.com/in/rramezanpour/

22. academy.tigera.io

23. Follow us on:
Kubernetes.io
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/adding-
windows-nodes/
---
Calico for WIndows
https://projectcalico.docs.tigera.io/getting-started/windows-calico/
---
AKS Netwokring
https://www.youtube.com/watch?v=JyLtg_SJ1lo
---
Kubernetes Windows (community)
https://github.com/kubernetes-sigs/sig-windows-tools
----
containerd
https://github.com/containerd/containerd
---
Wincontiner workload
https://github.com/frozenprocess/wincontainer
Credits

24. Follow us on:
Thank you!