This document discusses holistic security for Kubernetes with Calico and NeuVector. It begins with an introduction to Calico and how it provides enhanced zero trust security. It describes how Calico is used in RKE2 and Rancher and provides vulnerability management with NeuVector. The rest of the document goes into details about Calico's security policies, identity-aware microsegmentation, compliance and encryption features. It also provides an overview of NeuVector's supply chain security, runtime security, vulnerability scanning and compliance scanning capabilities to provide layered security for containers.

1. “
Holistic security for Kubernetes with
Calico and NeuVector
Jan Bruder - Suse Rancher
Jeremy Guerrand - Tigera

2. © 2021 Tigera, Inc. Proprietary and Confidential
2
● Introduction to Calico
● Enhanced Zero Trust Security with Calico
● Calico in RKE2 and Rancher
● Vulnerability Management with Neuvector
Agenda

3. Calico

4. © 2021 Tigera, Inc. Proprietary and Confidential
4
Calico Open Source - Foundation for Zero Trust Workload Security
50k+
Enterprises
1M+
Clusters
8M+
Nodes
166
Countries
>50%
of Fortune 100
1.4B+
Docker Pulls
Most adopted container networking and security solution

5. © 2021 Tigera, Inc. Proprietary and Confidential
5
Built on Calico Open Source
Choice of Data Plane
› Pluggable Data Plane
› eBPF, Linux, Windows, VPP
Full Kubernetes Network
policy support
› Full implementation
Kubernetes network policies
› Additional support for policies
across namespaces
Kubernetes Native
Security Policy Model
› Declarative security policies
› Unified model from host to
application layers
Best in class
performance
› Blazing fast performance
› Minimal CPU usage & occupancy
› Lower costs
Workload
Interoperability
› Unified policy across hosts,
bare-metal, VMs, and containers
› Mix and match workload types
Scalable Networking with
Encryption
› Exceptional scalability
› Advanced IP Address Management

6. © 2021 Tigera, Inc. Proprietary and Confidential
6
Security Policies
6
Policy as code
● Represent as code that is deployed alongside microservices
● Fully automate the end-to-end deployment process including
security
Policy Tiers
● Define the order in which security policies are evaluated
● Higher policy tiers evaluate first
● Self-service deployments cannot overrider higher policy tiers
Policy Recommendation
● Auto-generate a recommended policy based on ingress and
egress traffic between existing service

7. © 2021 Tigera, Inc. Proprietary and Confidential
7
Zero-Trust Workload Access Controls
7
Egress Gateway to leverage existing firewalls
● Assign a fixed IP to a pod or namespace for use with network
firewalls
● Leverage existing firewall rules to limit access to and from pods
DNS Policies to control access on a per-pod basis
● Allow/Deny access from pods to 3rd party sites identified by
DNS names
● Limit access on a per-pod basis to external resources using
label selectors
Global and Namespaced Networksets
● Use IP subnetworks/CIDRs in security policies to control access from
pods

8. © 2021 Tigera, Inc. Proprietary and Confidential
8
Identity-aware Microsegmentation
8
Unified Identity-Aware Segmentation Model
● Unified segmentation model across hybrid and multi-cloud
environments
● Segment hosts, bare metals, VMs, containers, K8s, & cloud instances
● Correlate security with workload identity
Dynamic Segmentation
● Label based security policies to segment new workloads rapidly
● Deploy new workloads rapidly and at scale without policy updates
Upload Segmentation policies in milliseconds
● > High-performance distributed architecture to update policies
● > Update policies for 10s of thousands of servers in milliseconds

9. © 2021 Tigera, Inc. Proprietary and Confidential
9
Compliance and Encryption
Regulatory and Compliance Frameworks
● Comply with PCI, HIPAA, GDPR, SOC2, FIPs and other custom
frameworks
Data in Transit Encryption
● Leverage highly performant encryption using Wireguard
Evidence and Audit Reports
● Get started with pre-built reports and list of compliance controls

10. Calico and Rancher / RKE2

11. © 2021 Tigera, Inc. Proprietary and Confidential
11
Calico is the default CNI for RKE2 clusters

12. © 2021 Tigera, Inc. Proprietary and Confidential
12
Fully configurable through the Calico Operator

13. Vulnerability Management with Neuvector

14. © 2021 Tigera, Inc. Proprietary and Confidential
14
NeuVector
Limit the capabilities of containers
and prevent the deployment of
insecure images
14

15. © 2021 Tigera, Inc. Proprietary and Confidential
15
Supply Chain
Security
Runtime
Security
Vulnerability Scanning
Compliance Scanning
Admission Control
Runtime Scanning
Threat Based Controls
Zero-Trust Controls
Layered Security: Defense In Depth

16. © 2021 Tigera, Inc. Proprietary and Confidential
16
A typical supply chain
DEVELOPER
Commits
Code
Pass
Build
Admission
Control
CI/CD
PIPELINE
PRIV/PUB
REGISTRY
RUN-TIME

17. © 2021 Tigera, Inc. Proprietary and Confidential
17
Scanning images is
important
17

18. © 2021 Tigera, Inc. Proprietary and Confidential
18
Scanning images is not
enough
18

19. Demo

20. Thank You