Consider an enterprise hybrid cloud deployment with hundreds of nodes and thousands of pods. These systems run business applications with different levels of security requirements. A first-order security and compliance requirement in such a scenario is to ensure that a pod or host is only allowed to talk to authorized destinations. Now consider the real-life scenario where pods and hosts are added and removed at a churn rate of hundreds of pods per minute. The challenge is to keep enforcing these security controls in near real time despite that churn: a pod that starts without its policy in place, or a removed pod whose rules linger, is a gap.
An efficient mechanism for security controls has a direct impact on productivity. Ideally, you do not want to wait days for an access policy to be granted through a ticketing process, nor do you want to wait precious minutes for a policy change to take effect.
Network security controls fall into two broad categories, East-West (E-W, traffic between workloads inside the environment) and North-South (N-S, traffic entering or leaving it). Egress access control is the N-S case on the way out: deciding which external destinations a pod or host may reach. The following are typical use cases of egress access control:
Network Policy in Calico Enterprise helps you address the use cases above.
Calico Enterprise uses a single policy language across all resources (pods, VMs, bare metal). The egress access control for pods is enforced on the pod-to-host interfaces. The egress access control for hosts is enforced on the host interface. At the heart of the enforcement is the concept of labels.
Consider a simple example as shown below. The policy's selector matches the label key=my-pod-label with value=my-value. That label can be present on a pod or on a host endpoint, and the same policy then applies to both.
The policy's egress rule permits access to any destination carrying key=color and value=red. That destination can be any resource (pod, host, network set, etc.). This is the elegance of having a single policy language across all your hosts and pods: an external CIDR wrapped in a network set labeled color=red is selected by exactly the same rule as a pod with that label. One caveat worth keeping in mind: once an endpoint is selected by a policy with egress rules, egress traffic that no rule allows is dropped, so anything the workload legitimately needs (cluster DNS, for instance) must be allowed explicitly.
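The policy described above, written out as an added example in the Calico projectcalico.org/v3 API (this is illustration added here, not a manifest from the original post or from Tigera). It goes a step beyond the text by showing the three kinds of endpoint the same rule reaches: a pod, a host endpoint, and a network set standing in for an external CIDR. Every name, CIDR, node name, interface and IP address is an assumption chosen for the example.

```yaml
# Added example, not from the original post. Names, CIDRs, node and interface
# values are assumptions for illustration.
---
# The policy from the text: selects anything labelled my-pod-label=my-value and
# allows egress only to endpoints labelled color=red (plus cluster DNS).
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: egress-to-red-only
spec:
  selector: my-pod-label == 'my-value'
  types:
    - Egress            # only egress is governed here; ingress is left to other policies
  egress:
    # Once an endpoint is selected by an Egress-type policy, egress traffic that
    # no Allow rule matches is dropped, so DNS has to be allowed explicitly or
    # name resolution inside selected pods breaks.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    # The rule from the text. In a global policy a selector with no
    # namespaceSelector matches pods in every namespace, host endpoints and
    # network sets alike.
    - action: Allow
      destination:
        selector: color == 'red'
---
# A network set turns external CIDRs into a labelled destination, so the same
# color=red rule covers a partner API outside the cluster. (Assumed CIDR.)
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: partner-api
  labels:
    color: red
spec:
  nets:
    - 203.0.113.0/24
---
# A VM or bare-metal host enrolled with the same label gets the same policy,
# enforced on its host interface. (Assumed node name, interface and IP.)
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: db-host-1-eth0
  labels:
    my-pod-label: my-value
spec:
  node: db-host-1
  interfaceName: eth0
  expectedIPs:
    - 10.0.0.21
---
# A pod is selected by the policy simply by carrying the label; no per-pod
# policy object is needed, which is what keeps enforcement cheap under churn.
apiVersion: v1
kind: Pod
metadata:
  name: worker
  namespace: apps
  labels:
    my-pod-label: my-value
spec:
  containers:
    - name: worker
      image: busybox:1.36
      command: ["sleep", "infinity"]
```

Apply the Calico objects with `calicoctl apply -f` (or with `kubectl` when the Calico API server is installed) and the pod with `kubectl apply -f`. After that, `worker` and `db-host-1` can reach 203.0.113.0/24 and kube-dns, and any other egress from them is dropped; adding a second destination is a matter of labeling it color=red, not of editing the policy. The `kubernetes.io/metadata.name` namespace label used for the DNS rule is set automatically by Kubernetes 1.21 and later; on older clusters substitute a label you manage yourself.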
The backend processing of access policies is equally simple. Calico runs an agent (calico-node) on every Kubernetes node and on every non-Kubernetes host that you protect. Any policy, label or endpoint change is written to the Calico datastore, which is either etcd directly or the Kubernetes API server (which in turn stores it in etcd). Each calico-node holds a watch on that datastore, so it is notified of the change rather than polling for it, and programs the resulting rules into the local dataplane. Because enforcement is computed locally from labels, a new pod is covered the moment its endpoint appears, which is what makes the high-churn scenario above tractable. Calico is proven to scale in large deployments with thousands of nodes.
Egress access control is a core feature of Calico Enterprise. Refer to the sample blueprints.
The important part is to have a solid egress control framework that scales as you expand clusters, teams and applications, one where adding a workload or a destination means adding a label rather than writing a new policy.
To learn more about egress access control…
Policy rules in Calico: https://docs.projectcalico.org/security/policy-rules
Protect Kubernetes nodes in Calico: https://docs.projectcalico.org/security/kubernetes-nodes
Automatic host endpoints: https://docs.tigera.io/security/kubernetes-nodes#host-endpoints
Domain name in policy rules for pods and hosts: https://docs.tigera.io/security/domain-based-policy#trusted-dns-servers