Authors: Dhiraj Sehgal, Steve Griffith, and Tommy Falgout
This is a 4-module workshop that walks you through the following to become and remain secure quickly:
Since AKS users are busy running cloud-native applications, this blog post gives a brief overview of what to expect from each module in the workshop so you can get started quickly. You can register for the upcoming hands-on workshop here to cover the material in depth, including advanced topics such as compliance and runtime threat defense.
Module 1: Implementing security controls
This module focuses on zero-trust workload access controls
Zero-trust workload access controls are the most effective way of reducing the attack surface by building access shields around the AKS workloads to ensure that only secure traffic is allowed to and from these workloads.
This module teaches you different techniques to secure the traffic between your cloud-native applications and external resources.
In this module, you will learn how to:
Example: Create a NetworkPolicy with egress rules with `action: Allow` and a `destination.domains` field specifying the domain names to which egress traffic is allowed.
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-egress-to-domains
  namespace: rollout-test
spec:
  order: 1
  selector: my-pod-label == 'my-value'
  types:
    - Egress
  egress:
    - action: Allow
      destination:
        domains:
          - api.alice.com
          - "*.example.com"
```
Detailed step-by-step hands-on module is available here:
https://github.com/tigera-solutions/calicocloud-aks-workshop/blob/main/modules/dns-egress-access-con...
Module 2: Monitoring if the security policies are working as expected
This module focuses on the security and communication view of workloads in an AKS cluster, or in a self-managed Kubernetes cluster running on Microsoft Azure.
Users need to understand the communication between namespaces, services, and deployments from the security, application, and platform perspectives. Is the workload-to-workload communication secure? Are the policies put in place working as expected? Use Calico's Dynamic Service and Threat Graph to get a detailed runtime visualization of your AKS environment and understand microservice behavior and interactions easily.
In this module, you will learn how to:
Example: Select a namespace and highlight one of the services running in the cluster. Identify and resolve security and audit gaps, performance issues, connectivity breakdowns, anomalous behavior, and security policy violations between namespaces, microservices, and pods in real time from the UI.
Detailed step-by-step hands-on module is available here:
Module 3: Addressing a security gap with security policy
By default, Kubernetes allows all pod-to-pod traffic: the NetworkPolicy API exists, but nothing is enforced until you write policies and run a network plugin that implements them. Without proper east-west security controls, an attacker who compromises one pod can move laterally within the cluster in search of sensitive data and other high-value assets. Given the large attack surface within a Kubernetes cluster, isolating endpoints and preventing lateral movement using security policies is essential.
In this module, you will learn how to:
Example: Create your own security policies within assigned tiers and customize permissions based on your organizational structure. Build a policy hierarchy in which the left-most tiers take precedence over those to the right (security, then platform, then application). Control who can view or modify policies in specific tiers, and record every change to tiers and policies for auditing and troubleshooting.
Detailed step-by-step hands-on module is available here:
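The tiered-policy idea above, as an added example that is not taken from the workshop or the post: a "security" tier that is evaluated before the platform and application tiers, containing one policy that blocks traffic to and from a quarantined namespace and explicitly passes everything else down to the next tier. The tier name, the `quarantine == 'true'` namespace label, and the order values are assumptions chosen for illustration; the resource kinds and the `Pass` action are Calico's.

```yaml
# Added example, not from the original post. Assumes a Calico Enterprise /
# Calico Cloud cluster (the Tier kind is not in open-source Calico) and a
# namespace label "quarantine=true" that you apply to a compromised namespace.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100                 # lower order = evaluated earlier (left-most in the UI)
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.block-quarantined   # policies in a tier are named "<tier>.<name>"
spec:
  tier: security
  order: 10
  selector: all()            # applies to every workload endpoint
  types:
    - Ingress
    - Egress
  ingress:
    # Drop anything arriving from a pod in a quarantined namespace.
    - action: Deny
      source:
        namespaceSelector: quarantine == 'true'
    # Everything else is handed to the next tier (platform, then application).
    # Without this Pass, traffic matched by this policy but by no rule would be
    # denied at the end of the tier.
    - action: Pass
  egress:
    - action: Deny
      destination:
        namespaceSelector: quarantine == 'true'
    - action: Pass
```

Because the security tier runs first, an application team that writes an over-permissive `allow all` policy in its own tier cannot undo the quarantine; the Deny has already been applied before their tier is consulted. That ordering is what makes the "left-most tier wins" model useful for a central security team.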
Module 4: Troubleshooting a workload-to-workload communication issue
This module shows how to troubleshoot a performance hot spot in five clicks or fewer, using a simple, customizable packet capture.
Applications are composed of many microservices, and a single request often passes through four or more of them. When you have hundreds of services interacting, pinpointing and troubleshooting a problem becomes difficult.
Calico Dynamic Packet Capture is a self-service, on-demand tool for performing packet capture for a specific pod or collection of pods. It integrates with Kubernetes RBAC to limit and secure users’ access to the endpoints and namespaces assigned to them.
In this module, you will learn how to:
Example: Initiate packet capture from Calico’s Dynamic Service and Threat Graph based on your Kubernetes RBAC permissions. Customize the capture based on port, protocol, and duration. Download and share the captured data to analyze the issue and resolve it.
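The same capture, expressed as a Calico PacketCapture resource instead of through the UI, as an added example that is not taken from the workshop or the post. It captures only TCP port 443 traffic for pods labelled `app == 'frontend'` in a `storefront` namespace during a 15-minute window. The namespace, label, port, and timestamps are assumptions for illustration; the `selector`, `filters`, `startTime`, and `endTime` fields are those of Calico's PacketCapture resource.

```yaml
# Added example, not from the original post. Assumes the "storefront" namespace,
# the app=frontend label, and that the user applying this has RBAC rights on
# packetcaptures in that namespace (Calico enforces capture access via
# Kubernetes RBAC, so a team can only capture from namespaces it is granted).
apiVersion: projectcalico.org/v3
kind: PacketCapture
metadata:
  name: frontend-tls-capture
  namespace: storefront
spec:
  selector: app == 'frontend'        # which pods in the namespace to capture
  filters:
    - protocol: TCP                  # narrow the capture by protocol and port
      ports:
        - 443
  startTime: "2024-01-15T10:00:00Z"  # ISO 8601 UTC; a past/omitted value starts now
  endTime: "2024-01-15T10:15:00Z"    # bounds the capture; omit to run until deleted
```

Keep captures narrow: a port and protocol filter plus an explicit `endTime` limits both the disk used on the node and how much of other teams' traffic ends up in a pcap that is later downloaded and shared.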
Detailed step-by-step hands-on module is available here:
https://github.com/tigera-solutions/calicocloud-aks-workshop/blob/main/modules/packet-capture.md
How to Get Started (Pre-requisites):
The modules use pre-built demo applications to speed up the learning experience, remove knowledge barriers, and show how easy it is to get started with implementing cloud-native security in your environment.
You will need to take the following steps to try these modules:
To join your AKS cluster to Calico Cloud, click on “Managed Clusters”:
Click on "connect cluster":
Choose Azure AKS, then click Next:
Run the provided kubectl apply command to connect the cluster to Calico Cloud.
Microsoft Azure and AKS users can now learn how to implement active security controls for their cloud-native applications with simple easy-to-follow modules and address the most common security use cases for their applications.
If you run into any issues, feel free to reach out to us via our contact page, the Azure Marketplace, or social media.