How Fortinet and Tigera Protect Kubernetes in the Enterprise

What Problems are We Solving?

Container use continues to grow, and Kubernetes is the most widely adopted container orchestration system, managing nearly half of all container deployments [1]. Successful integration of container services within the enterprise depends heavily on access to external resources such as databases, cloud services, third-party application programming interfaces (APIs), and other applications. All of this egress activity must be controlled for security and compliance reasons. In a recent container adoption survey, 61% of respondents listed data security as their top challenge [2].

Kubernetes Requires a Different Approach to Access Control

Traditional IP-based access control doesn’t work in Kubernetes, where workloads are ephemeral, typically stateless, and use short-lived IP addresses that are reassigned as pods are rescheduled. Calico Enterprise provides label-based policy control inside the Kubernetes environment, but using it in isolation from the existing enterprise network security stack leaves organizations with two disparate policy-enforcement regimes.

Disparate Network Security Systems Introduce Unwanted Complexity

Maintaining two separate network security systems hinders visibility into routing and connectivity within and between Kubernetes clusters. This complicates troubleshooting of issues that span Kubernetes and external environments. Because enterprise monitoring tools lack Kubernetes context, the impact of a security policy change is hard to predict, and its unintended consequences are difficult to diagnose.

Enterprise Application Rollouts Require a Unified Approach to Network Security

To enable the successful transition of Calico-based Kubernetes pilot projects to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. In response, Fortinet and Tigera jointly developed a suite of Calico solutions for the Fortinet Security Fabric. These solutions deliver both north-south and east-west visibility and protection, as well as compliance enablement and advanced threat-intelligence capabilities for Kubernetes clusters.

Kubernetes Production Deployments Must be Visible and Compliant

Lack of visibility also has compliance implications. Like any on-premises or cloud-based networked services, Kubernetes production containers must fulfill both organizational and regulatory security requirements. If compliance teams can’t trace the history of incidents across the entire infrastructure, they can’t adequately satisfy cluster audits. Meanwhile, other enterprise teams—such as Platform, Security, and Networking—will want to ensure that approved network security policies are faithfully reproduced across all Kubernetes clusters.

To address these Kubernetes challenges in the enterprise, Tigera and Fortinet are integrating Tigera Calico Enterprise and the Fortinet Security Fabric. Together, Fortinet and Tigera have developed four key integrations that help ensure consistent and robust security, visibility, control, and compliance:

FortiManager Calico Kubernetes Controller enables Kubernetes cluster management from the FortiManager centralized management platform. This Fabric Connector translates FortiManager policies into granular Kubernetes network policies and pushes them out to the individual clusters in all Kubernetes environments. The Kubernetes environment becomes an integral part of the Fortinet Security Fabric, and can be seen and controlled from the FortiManager console.

FortiGate Calico Kubernetes Controller enables FortiGate next-generation firewalls (NGFWs) to control egress from Kubernetes pods to external applications. It does this by automatically populating FortiManager address group objects with the current source IPs of the matching Kubernetes workloads. FortiManager then deploys the updated object packages to FortiGate, which enforces the access rules. This means that developers who deploy new pods can label them with business-level tags (such as department name or role) and rely on the controller to keep the underlying IP-based address groups in sync as pods come and go.
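The reconciliation the controller has to perform is the crux of why label-based workload identity and IP-based firewall rules have to be bridged continuously rather than once. The following is an added, self-contained illustration of that loop written for this page; it is not Tigera's controller code and makes no FortiManager or Kubernetes API calls. The pod snapshots, the address-group names (k8s-billing-api, k8s-frontend), and the equality label selectors are all constructed for the example. It computes the desired address-group membership from pod labels and the delta to push since the last sync, and the second snapshot deliberately reuses a freed pod IP under a different label so that the stale-IP hazard is visible in the change set.

```python
"""Label-driven address-group reconciliation (constructed illustration).

Given a snapshot of pods (labels + IPs) and a mapping of firewall address
groups to label selectors, compute which IPs belong in each group right now
and what changed since the previously pushed state.  Not Tigera's controller
code; no FortiManager or Kubernetes API calls are made.
"""

import ipaddress
from dataclasses import dataclass


@dataclass
class Pod:
    """Minimal view of a Kubernetes pod: only the fields the sync needs."""
    name: str
    namespace: str
    ip: str                 # pod IP; empty while Pending, reassigned after reschedule
    labels: dict
    phase: str = "Running"  # only Running pods carry traffic worth an egress rule


# Address groups keyed by an equality label selector (constructed names; a real
# deployment would take this mapping from policy objects, not a Python dict).
GROUP_SELECTORS = {
    "k8s-billing-api": {"app": "billing-api", "dept": "finance"},
    "k8s-frontend": {"tier": "frontend"},
}


def matches(selector: dict, labels: dict) -> bool:
    """Equality selector: every selector key must be present with the same value."""
    return all(labels.get(key) == value for key, value in selector.items())


def usable_ip(pod: Pod) -> bool:
    """Skip pods that are not running, have no address yet, or carry a malformed one."""
    if pod.phase != "Running" or not pod.ip:
        return False
    try:
        ipaddress.ip_address(pod.ip)
    except ValueError:
        return False
    return True


def desired_membership(pods, group_selectors) -> dict:
    """Group name -> set of pod IPs that should currently be in that address group."""
    desired = {group: set() for group in group_selectors}
    for pod in pods:
        if not usable_ip(pod):
            continue
        for group, selector in group_selectors.items():
            if matches(selector, pod.labels):
                desired[group].add(pod.ip)
    return desired


def change_set(previous: dict, desired: dict) -> dict:
    """Group name -> (ips_to_add, ips_to_remove) relative to the last pushed state."""
    return {
        group: (ips - previous.get(group, set()), previous.get(group, set()) - ips)
        for group, ips in desired.items()
    }


def reconcile(previous: dict, pods, group_selectors=GROUP_SELECTORS):
    """One sync pass: returns the full desired state and the delta to push."""
    desired = desired_membership(pods, group_selectors)
    return desired, change_set(previous, desired)


# Constructed snapshots.  At T1, billing-api-1 is gone and its old IP 10.244.1.5
# has been handed to a frontend pod: an unsynchronised IP rule would now let the
# frontend use the billing tier's egress allowance.
SNAPSHOT_T0 = [
    Pod("billing-api-1", "billing", "10.244.1.5", {"app": "billing-api", "dept": "finance"}),
    Pod("billing-api-2", "billing", "10.244.2.9", {"app": "billing-api", "dept": "finance"}),
    Pod("frontend-3", "web", "10.244.3.2", {"tier": "frontend"}),
    Pod("batch-1", "jobs", "", {"app": "batch"}, phase="Pending"),
]
SNAPSHOT_T1 = [
    Pod("billing-api-2", "billing", "10.244.2.9", {"app": "billing-api", "dept": "finance"}),
    Pod("billing-api-4", "billing", "10.244.1.7", {"app": "billing-api", "dept": "finance"}),
    Pod("frontend-3", "web", "10.244.3.2", {"tier": "frontend"}),
    Pod("frontend-7", "web", "10.244.1.5", {"tier": "frontend"}),
]

if __name__ == "__main__":
    state, delta = reconcile({}, SNAPSHOT_T0)
    print("T0 desired:", state)
    state, delta = reconcile(state, SNAPSHOT_T1)
    print("T1 delta (add, remove):", delta)
```

The second pass reports that 10.244.1.5 must be removed from k8s-billing-api and added to k8s-frontend in the same push; if either half is applied late, the firewall briefly grants the wrong workload the billing tier's egress. That ordering concern, and the need to drive the sync from watch events rather than polling, is what a production controller has to get right beyond this sketch.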

FortiGuard Threat Feed integration enriches the Calico Enterprise threat database with global real-time threat intelligence from FortiGuard Labs. Calico Enterprise users gain broader protection from malicious traffic at the source in the Kubernetes cluster. For FortiGuard subscribers, this integration ensures that the most robust protection will cover their Kubernetes environment as well, at no additional cost.

The Calico FortiSIEM plug-in delivers the telemetry (metadata) that Calico Enterprise creates, including DNS logs, flow logs, and audit logs, into FortiSIEM, Fortinet’s security information and event management (SIEM), event correlation, and risk management platform. This helps security operations (SecOps) teams use FortiSIEM to better design and automate their incident response workflows.

Tigera Calico Enterprise for Fortinet solutions leverage Tigera’s Kubernetes expertise and broad installed base to benefit Fortinet Security Fabric customers.

How does this Integration Benefit Fortinet and Tigera Customers?

Fortinet Dynamic Cloud Security solutions integrated with Tigera Calico Enterprise bring Kubernetes deployments into the fold of the Fortinet Security Fabric. Organizations migrating to Kubernetes architectures maintain their security posture and ensure the successful adoption of the Kubernetes platform throughout the enterprise. This results in a collaborative security culture that ensures that security success is jointly owned by Platform, Security, Compliance, Networking and DevOps teams.

On an operational level, integration between Fortinet and Tigera technologies provides the comprehensive insight needed to speed up troubleshooting, reducing mean time to resolution. These integrated technologies also reduce operational complexity, which reduces staff and training costs and minimizes configuration errors that can add significant attack risk to the organization. Security architects can also demonstrate the reduced risk in a timely fashion to comply with internal and external data-protection rules.

Join us for our March 31 event: How to secure Kubernetes networks using Calico Enterprise and Fortinet

To learn more about deploying Tigera Calico Enterprise for Fortinet solutions in your organization, please contact [email protected]

[1] “RightScale 2019 State of the Cloud Report,” Flexera, 2019
[2] “2019 Container Adoption Survey,” Portworx, 2019
