In today’s economy, digital assets (applications, data, and processes) determine business success. Cloud-native applications are designed to iterate rapidly, creating rapid time-to-value for businesses. Organizations that are able to rapidly build and deploy their applications have significant competitive advantage. To this end, more and more developers are creating and leading DevOps teams that not only drive application development, but also take on operational responsibilities formerly owned by platform and security teams.
Cloud-native applications are often designed and deployed as microservices. The development team that owns a microservice understands the behavior of the service and is in the best position to define and manage its network security. A self-service model enables developers to follow a simple workflow and generate network policies with minimal effort. When problems occur with application connectivity, developers should be able to diagnose connectivity issues and resolve them quickly without having to depend on resources outside of the team.
Developers and DevOps teams can also take a leading role in managing security, which is an integral part of cloud-native applications. There are two aspects to security in the context of Kubernetes.
Cloud-native culture – In the cloud-native world, Development, DevOps, and SRE teams must work in unison.
Compliance boundaries – All business applications are subject to specific compliance requirements regarding firewall controls.
Developer-friendly products and processes – As organizations move from siloed operations to cloud-native, products and processes should support granular role-based access control (RBAC) that integrates with the infrastructure tooling.
Calico Enterprise has operationalized the concept of policy tiers, which support delegation of authority by organizational structure and area of responsibility (Platform, Security, DevOps, Default). An example of tiered policy structure is shown below.
With this approach, you can create your own tiers and customize permissions based on your organizational structure. Calico Enterprise ensures that policies in the left-most tiers take precedence over those to the right. Tiers are Kubernetes objects, so you can control who can view or modify policies in specific tiers. Every change of record to tiers and policies is captured, enabling you or auditors to go back in time for review or troubleshooting purposes.
Developers have access to their policies in Calico Enterprise. However, creating policies to lock down an application is not easy. Calico Enterprise simplifies the process for developers and DevOps teams, enabling them to manage the entire policy workflow.
Finally, Calico Enterprise collects a rich set of logs (flow, audit, DNS) and makes them available through a Kibana interface. You can create individual user credentials in Kibana that restrict access to service logs to specific individuals or groups.
Start by defining the access blueprint for policies and logs. This should be part of your overall cloud security blueprint. Next, translate the blueprint into Kubernetes and Calico Enterprise-specific tiers, roles and role bindings. Then you can enforce access controls based on roles and structure. Define your policy management process, which should include an approval workflow. We find the GitOps workflow to be the most widely used among Tigera’s customer base. Here’s a sample workflow.
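The "tiers, roles and role bindings" step above, worked through as an added example (illustrative manifests written for this edit, not taken from the post or from Tigera's own samples): a devops tier, a role that lets one team manage only policies inside that tier, a binding to the team's group, and a policy the team can then create. The tier order value, the storefront namespace, the devops-storefront group and the app labels are assumptions; lower tier order values are evaluated first, which is the left-to-right precedence described above.

```yaml
# Tier for the DevOps team; lower order values are evaluated first.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: devops
spec:
  order: 300
---
# Role scoped to that tier: read the tier, manage only "devops."-prefixed policies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devops-tier-policy-editor
rules:
- apiGroups: ["projectcalico.org"]
  resources: ["tiers"]
  resourceNames: ["devops"]
  verbs: ["get"]
- apiGroups: ["projectcalico.org"]
  resources: ["tier.networkpolicies"]
  resourceNames: ["devops.*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind it to the team's group in their namespace only (names assumed).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-tier-policy-editor
  namespace: storefront
subjects:
- kind: Group
  name: devops-storefront
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devops-tier-policy-editor
  apiGroup: rbac.authorization.k8s.io
---
# Policy the team may now create: tier-prefixed name, spec.tier places it.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: devops.frontend-to-backend
  namespace: storefront
spec:
  tier: devops
  selector: app == 'backend'
  ingress:
  - action: Allow
    source:
      selector: app == 'frontend'
```

Because the role's resourceNames pattern matches only names beginning with "devops.", a member of the group who tries to create or edit a policy in a platform or security tier is rejected by the API server, and that attempt appears in the audit log the post mentions.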