In this EKS-focused workshop, you will work with AWS and Calico Cloud to learn how to implement microsegmentation to achieve workload isolation in a multi-tenant design.
Cloud-native applications require a modern approach based on the zero-trust principles of identity-based access, least privilege access, and proactively detecting threats and reducing the blast radius in case of a breach.
Calico Cloud enables fine-grained, zero-trust workload access controls between your microservices and external databases, cloud services, APIs, and other applications. It also prevents the lateral movement of threats with identity-aware segmentation that works across all of your workload environments, including hosts, VMs, Kubernetes components, and services.
You will come away from this workshop with an understanding of how others in your industry are securing and observing cloud-native applications in AWS, along with best practices that you can implement in your organization.
The estimated time to complete this workshop is 60-90 minutes.
- Cloud Professionals
- DevSecOps Professionals
- Site Reliability Engineers (SRE)
- Solutions Architects
- Anyone interested in Calico Cloud :)
- Learn how to create and deploy policies based on FQDNs, Layer 7 attributes, and NetworkSets.
- Stage, preview and enforce network policies.
- Leverage recommended policies based on workload traffic to enforce access.
- Get started with namespace isolation for default-deny or zero-trust initiatives.
Warning
For this workshop, you are expected to have access to a previously created EKS cluster.
- Please follow the instructions in the repository below if you don't have one ready:
- We will run this workshop from the AWS CloudShell, as described in that repository.
- To start your cluster, we will scale the nodegroup up to 2 nodes using `eksctl`. Reload the environment variables that were created in your AWS CloudShell first, then scale the nodegroup up.
- Ensure the nodegroup variable is populated into the `workshopvars.env` file:

  ```bash
  source ~/workshopvars.env
  export NGNAME=$(eksctl get nodegroups --cluster $CLUSTERNAME --region $REGION | grep $CLUSTERNAME | awk -F ' ' '{print $2}') && \
  echo export NGNAME=$NGNAME >> ~/workshopvars.env
  ```

- Use the following command:

  ```bash
  eksctl scale nodegroup $NGNAME \
    --cluster $CLUSTERNAME \
    --region $REGION \
    --nodes 2 \
    --nodes-max 2 \
    --nodes-min 2
  ```
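As an added check that is not part of the workshop repository, the following shell functions poll the cluster until the scaled nodegroup actually reports two Ready nodes before you move on to Module 1. It assumes `kubectl` in the CloudShell already targets the workshop cluster; the `SAMPLE_NODES` lines are constructed output used only to illustrate the parser.

```bash
#!/usr/bin/env bash
# Added example, not code from the workshop repository. Assumes kubectl in the
# AWS CloudShell already targets the workshop EKS cluster.
set -eu

# count_ready_nodes: reads `kubectl get nodes --no-headers` output on stdin and
# prints how many nodes have STATUS exactly "Ready". NotReady nodes and cordoned
# ones ("Ready,SchedulingDisabled") are deliberately not counted.
count_ready_nodes() {
  awk 'NF >= 2 && $2 == "Ready" { n++ } END { print n + 0 }'
}

# wait_for_ready_nodes EXPECTED [TIMEOUT_SECONDS]: polls the API server every
# 10 seconds until at least EXPECTED nodes are Ready. Returns 1 on timeout so a
# calling script under `set -e` stops instead of continuing with too few nodes.
wait_for_ready_nodes() {
  local expected="$1" timeout="${2:-600}" elapsed=0 ready
  while :; do
    ready="$(kubectl get nodes --no-headers 2>/dev/null | count_ready_nodes)"
    if [ "$ready" -ge "$expected" ]; then
      echo "cluster has $ready Ready node(s), expected $expected"
      return 0
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s with only $ready Ready node(s)" >&2
      return 1
    fi
    sleep 10
    elapsed=$((elapsed + 10))
  done
}

# Constructed sample of `kubectl get nodes --no-headers` output (not captured
# from a real cluster): one node still joining, one cordoned, one usable.
SAMPLE_NODES='ip-10-0-1-10.ec2.internal   NotReady                   <none>   40s   v1.29.0
ip-10-0-2-20.ec2.internal   Ready,SchedulingDisabled   <none>   12m   v1.29.0
ip-10-0-3-30.ec2.internal   Ready                      <none>   12m   v1.29.0'

# sample_ready_count: runs the parser over the constructed sample; prints 1.
sample_ready_count() {
  printf '%s\n' "$SAMPLE_NODES" | count_ready_nodes
}

# After `eksctl scale nodegroup ... --nodes 2`, run: wait_for_ready_nodes 2
```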
This workshop is organized in sequential modules. Each module builds on the previous one, so please follow the order proposed below.
Module 1 - Connect the EKS cluster to Calico Cloud
Module 2 - Implement Workload Access Control with Namespace Isolation Recommendation
Module 3 - Workload Isolation with Microsegmentation
Module 4 - Ingress and Egress access control using NetworkSets
Module 5 - Application Level Observability
Module 6 - Clean up
- Project Calico
- Calico Academy - Get Calico Certified!
- O’REILLY EBOOK: Kubernetes security and observability
- Calico Users - Slack
Important
The examples and sample code provided in this workshop are intended to be consumed as instructional content. These will help you understand how Calico Cloud can be configured to build a functional solution. These examples are not intended for use in production environments.