K8s Calico - kimschles/schlesinger-knowledge GitHub Wiki

Herding Cats : Network Policies For Security and Auditing Using Calico"

Drew Oetzel of Tigera at the June 2019 Kubernetes Colorado Meetup

Slides

What is Calico?

  • Calico is Networking for containers
  • Open source project
  • Lives at layer 3

Benefits of Calico

  • Calico can hand out IPS to your pods (IPAM)

    • different subnets per namespace
    • you can assign static IP addresses to pods

  • Secure your inner K8s networking with policies

    • secure your east/west traffic
    • prevent malicious behavior from spreading
    • block insider threat/insider error

How Calico Works

  • calico runs as a pod that is a daemonset
  • calico uses etcd, either the master's etcd or it's own instance
  • calico rewrites IP table rules

Ways to Lock Down Communicate Between workloads

  • K8s is designed to let your workloads talk to each other
    • this is by design, but it makes it easy for a malicious actor to access all workloads
  • Options for securing routes:
  1. Remove unnecessary outes in staging and production
  2. Namespace isolation
  3. Custom: a combination of eliminating routes and namespace isolation

K8s Concepts used by Calico

Labels

  • labels are key/value pairs that are attached to objects
  • you can attach policies to labels

Label Selectors

  • A way of finding a set of objects that do or do not have a specific label
  • You can apply policies to these groups

NetworkPolicy Resource

  • simple, built-in policies applied with kubectl
  • you cannot do global policies, only namespace-specific
  • allow-only rules

How Calico Improves on the native K8s Network Policy

  • supports global network policies (not limited by namespaces!)
  • supports service accounts
    • you can setup policies related to service accounts
  • deny rules
    • you cannot setup a zero-trust network (AKA a whitelist network)
  • policy orders
  • network sets (you can apply labels to a set of IP addresses)
  • supports non-kubernetes nodes

calicoctl

  • Calico policies are applied with calicoctl, not kubectl
  • People usually spin up a calico pod and run the commands from that pod, but you can download calicoctl on your machine

The gem from this talk:

vms share hardware, containers share the kernel source: {}: {} is an open set