-
Notifications
You must be signed in to change notification settings - Fork 12
K8s Calico
kimschles edited this page Jun 6, 2019
·
2 revisions
Drew Oetzel of Tigera at the June 2019 Kubernetes Colorado Meetup
- Calico is Networking for containers
- Open source project
- Lives at layer 3
-
Calico can hand out IPS to your pods (IPAM)
- different subnets per namespace
- you can assign static IP addresses to pods
-
Secure your inner K8s networking with policies
- secure your east/west traffic
- prevent malicious behavior from spreading
- block insider threat/insider error
- calico runs as a pod that is a daemonset
- calico uses etcd, either the master's etcd or it's own instance
- calico rewrites IP table rules
- K8s is designed to let your workloads talk to each other
- this is by design, but it makes it easy for a malicious actor to access all workloads
- Options for securing routes:
- Remove unnecessary outes in staging and production
- Namespace isolation
- Custom: a combination of eliminating routes and namespace isolation
- labels are key/value pairs that are attached to objects
- you can attach policies to labels
- A way of finding a set of objects that do or do not have a specific label
- You can apply policies to these groups
- simple, built-in policies applied with
kubectl - you cannot do global policies, only namespace-specific
- allow-only rules
- supports global network policies (not limited by namespaces!)
- supports service accounts
- you can setup policies related to service accounts
- deny rules
- you cannot setup a zero-trust network (AKA a whitelist network)
- policy orders
- network sets (you can apply labels to a set of IP addresses)
- supports non-kubernetes nodes
- Calico policies are applied with
calicoctl, notkubectl - People usually spin up a calico pod and run the commands from that pod, but you can download
calicoctlon your machine
The gem from this talk:
vms share hardware, containers share the kernel
source: {}:{}is an open set