2019 was a big year for Kubernetes adoption, and 2020 is sure to exceed that pace. Already, we have seen a large number of organizations migrating their workloads to Kubernetes (k8s) both in public and private clouds as they embrace a hybrid cloud strategy. With so much at stake, what are you currently using for network security inside your k8s cluster?
Let’s take a step back to a time when you were deploying applications to VMs in AWS, GCP or Azure (in the case of public clouds) or vSphere, etc. in private clouds. One of the most important tasks before provisioning infrastructure and deploying applications was to chalk out firewall considerations. These requirements were fulfilled using security group rules in the case of AWS or firewall rules in GCP. We all understand their importance. But doing the same involving Kubernetes was extremely challenging. Today, we can solve those problems for you with just a few clicks.
Present Scenario – What If?
Most recently, with the increase in k8s adoption, we have seen operations and platform teams hustling to implement a plethora of monitoring tools, logging backends and CI/CD tools. While all of this is happening, in-cluster network security can sometimes be overlooked. Most cluster architectures only take care of traffic flow at the boundary of the VPC and/or subnet in which the cluster nodes are provisioned, but tend to forget about securing the East-West traffic within the cluster.
Sometimes it’s just a matter of priorities. You are rapidly deploying new versions of software to your clusters, monitoring performance and collecting logs, but forget that traffic flows freely around the cluster. Think of a scenario where someone deploys a pod running a Docker image with some vulnerabilities. If that pod is compromised, the attack surface is huge. The attacker can gain access not only to that particular pod, but to everything else running inside the cluster as well. The damage does not stop there. All other resources running in the same VPC are also exposed, along with the hosted services that are accessible using the node security groups.
If configuring firewall rules was the topmost priority in traditional infrastructure running non-containerized workloads, should it not be the same with containerized workloads and k8s? Our customers tell us that the overwhelming answer is “Yes!” And at Tigera, we can help you extend your traditional firewalls to protect k8s workloads. When you are running revenue-driving applications with sensitive data in Kubernetes clusters, network security is no longer an option. It is an absolute must.
A step towards a more secure future
Adopting Kubernetes is really a journey, not an event. Depending on where you are on that journey, we can help you. We are the people who invented Project Calico and are uniquely positioned to advise and guide you throughout each stage of your journey. Project Calico is a free and open source project that allows you to manage simple, highly scalable and secure network policies for your VMs, bare metal or containers. It’s a great way to get started with k8s and has become the industry’s favorite Kubernetes networking and network security solution.
If you’re at a more advanced level and are using k8s in a pre-production environment, you may wish to consider Calico Essentials. We have the expertise to help you build the most scalable design early in your Kubernetes journey, to avoid scalability and performance issues down the road. If you’re even further along and you need help with moving your k8s workloads into production, we can help there, too.
Calico Enterprise supercharges network security for your Kubernetes workloads and helps secure East-West traffic flow. It integrates seamlessly with AWS security groups and GCP firewall rules, and provides you with fine-grained access to other cloud hosted services such as AWS Redshift or AWS RDS. Why stop there? You also get flow logs for visibility and troubleshooting and security controls to help you meet compliance requirements. We have highly-trained and ever-evolving Machine Learning models in place to detect anomalies in the traffic flow and raise alerts before it is too late.
A big challenge with implementing network policies is the fear of accidentally blocking traffic which could lead to a service outage. With Calico Enterprise, you can create staged network policies and visualize their impact on the flow before deploying. Once you’re confident that the policy is sound, you can go ahead and enforce it. All this with just a few simple clicks on the Calico Enterprise console.
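The following manifest is an added example, not code from the original post or from the Calico Enterprise product itself, showing what staging a policy before enforcing it looks like in practice. It assumes the StagedKubernetesNetworkPolicy resource kind under projectcalico.org/v3 that Calico Enterprise documents, whose spec mirrors a Kubernetes NetworkPolicy; the namespace (shop), the backend label and port are the same assumed values as above.

```yaml
# Added example (not from the original post). The staged resource kind and
# apiVersion are assumed from Calico Enterprise documentation; namespace,
# label and port are illustrative values.
#
# Step 1: stage the policy. Nothing is blocked yet; flow logs record which
# connections this policy WOULD have denied, which you review in the console.
apiVersion: projectcalico.org/v3
kind: StagedKubernetesNetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: shop            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: backend           # assumed label
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080             # assumed service port
---
# Step 2: once the staged flow logs show only expected traffic being denied,
# enforce the identical spec by creating it as a real NetworkPolicy and
# deleting the staged copy. Only apiVersion and kind change.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

The point of keeping the two specs identical is that the flows you reviewed during staging are the flows the enforced policy will affect; if you edit the spec between the two steps, stage the edited version again before enforcing it.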
We understand how operations teams are hesitant to introduce new software into an existing cluster. Therefore, we have created a fully-provisioned k8s cluster environment for you to trial Calico Enterprise. Click here to get started with your trial and someone from our team will be happy to assist you.