Beginner's Guide to securing cloud-native applications with Calico in Microsoft Azure
Published Jun 30 2022 08:52 AM 3,072 Views
Microsoft

Authors: Dhiraj Sehgal, Steve Griffith, and Tommy Falgout

 

This is a 4-module workshop that walks you through the following steps so that you become, and remain, secure quickly: 

  • Put simple and straightforward security controls in place 
  • Monitor whether the security policies are working as expected 
  • Address a security gap with a security policy 
  • Troubleshoot a workload-to-workload communication issue  

 

AKS users are busy running cloud-native applications, so this blog post gives you a brief overview of what to expect from each module in the workshop. You can register for the upcoming hands-on workshop here to explore these topics in depth, together with advanced topics such as compliance and runtime threat defense.   

 

Module 1: Implementing security controls 

 

This module focuses on zero-trust workload access controls. 

 

Zero-trust workload access controls are the most effective way of reducing the attack surface by building access shields around the AKS workloads to ensure that only secure traffic is allowed to and from these workloads. 

 

This module teaches you different techniques to secure the traffic between your cloud-native applications and external resources.  

 

In this module, you will learn how to: 

  • Enforce controls using DNS egress policies by creating security policies specifying the domain names to which egress traffic is allowed 
  • Enable network firewalls to identify and secure cloud-native workloads 
  • Leverage NetworkSets for access control by using IPs/CIDRs in security controls 

 

Example: Create a NetworkPolicy with an egress rule that has `action: Allow` and a `destination.domains` field listing the domain names to which egress traffic is allowed. 

 

 

apiVersion: projectcalico.org/v3 
kind: NetworkPolicy 
metadata: 
  name: allow-egress-to-domains 
  namespace: rollout-test 
spec: 
  order: 1 
  selector: my-pod-label == 'my-value' 
  types: 
  - Egress 
  egress: 
  - action: Allow 
    destination: 
      domains: 
      - api.alice.com 
      - "*.example.com" 
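Before applying a DNS egress policy, it is worth checking that the manifest actually uses `destination.domains` the way Calico accepts it: the Calico docs state that the field is only valid in egress rules whose action is Allow, and a misplaced rule silently leaves the workload less restricted than intended. The following linter is an added example, not part of the workshop or of Calico; the manifests are constructed as Python dicts (one mirrors the YAML above, the other is deliberately broken) so no YAML library is needed, and the domain regex is a syntax sanity check rather than Calico's full wildcard grammar.

```python
"""Lint Calico NetworkPolicy manifests that use DNS (domain-based) egress rules.

Added example; not part of the workshop and not Calico's own code. Checks the
constraint stated in the Calico docs: `destination.domains` is only valid in
egress rules with `action: Allow`. Manifests are constructed dicts equivalent
to the YAML, so no YAML library is required.
"""
import re

# Syntax sanity check only: labels of letters, digits, hyphens and the '*'
# wildcard, separated by single dots. See the Calico docs for exact semantics.
_LABEL = r"[A-Za-z0-9*]([A-Za-z0-9*-]*[A-Za-z0-9*])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")

# The manifest from the post, as a dict (constructed copy).
GOOD_POLICY = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-egress-to-domains", "namespace": "rollout-test"},
    "spec": {
        "order": 1,
        "selector": "my-pod-label == 'my-value'",
        "types": ["Egress"],
        "egress": [
            {"action": "Allow",
             "destination": {"domains": ["api.alice.com", "*.example.com"]}},
        ],
    },
}

# Constructed negative case: domains in an ingress rule, in a Deny rule,
# and a malformed domain name.
BAD_POLICY = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "NetworkPolicy",
    "metadata": {"name": "bad-domains", "namespace": "rollout-test"},
    "spec": {
        "order": 1,
        "selector": "my-pod-label == 'my-value'",
        "types": ["Ingress", "Egress"],
        "ingress": [{"action": "Allow", "destination": {"domains": ["api.alice.com"]}}],
        "egress": [{"action": "Deny", "destination": {"domains": ["bad domain.com"]}}],
    },
}


def lint_dns_egress_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.get("apiVersion") != "projectcalico.org/v3":
        findings.append("apiVersion must be projectcalico.org/v3 for domain-based rules")
    if policy.get("kind") not in ("NetworkPolicy", "GlobalNetworkPolicy"):
        findings.append(f"unexpected kind {policy.get('kind')!r}")
    spec = policy.get("spec", {})
    if not spec.get("selector"):
        findings.append("spec.selector is empty: the policy would select every workload")
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction, [])):
            domains = rule.get("destination", {}).get("domains")
            if domains is None:
                continue
            loc = f"{direction}[{i}]"
            if direction != "egress":
                findings.append(f"{loc}: destination.domains is only valid in egress rules")
            if rule.get("action") != "Allow":
                findings.append(
                    f"{loc}: destination.domains requires action: Allow, got {rule.get('action')!r}")
            for d in domains:
                if not _DOMAIN_RE.match(d):
                    findings.append(f"{loc}: {d!r} is not a valid domain pattern")
    # If types is given explicitly it must cover the rule directions present;
    # when omitted, Calico infers the types from the rules.
    types = spec.get("types")
    if types is not None and spec.get("egress") and "Egress" not in types:
        findings.append("spec.types must include Egress for egress rules to be enforced")
    return findings


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_dns_egress_policy(pol) or "OK")
```

Run it as a script to see the findings for both manifests; in a pipeline you would load each manifest with a YAML parser and reject the apply when the list is non-empty.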

 

 

A detailed step-by-step hands-on module is available here:  
https://github.com/tigera-solutions/calicocloud-aks-workshop/blob/main/modules/dns-egress-access-con... 

 

Module 2: Monitoring if the security policies are working as expected 

 

This module focuses on the security and communication view of workloads in an AKS cluster or a self-managed Kubernetes cluster running on Microsoft Azure. 

 

Users need to understand communication between namespaces, services, and deployments from the security, application, and platform perspectives. Is workload-to-workload communication secure, and are the containers secure? Are the policies put in place working as expected? Use Calico’s Dynamic Service and Threat Graph to get a detailed runtime visualization of your AKS environment and understand microservice behavior and interaction easily. 

 

In this module, you will learn how to: 

 

  • Create custom views to simplify observability and troubleshooting of workload-to-workload communication. 
  • Use the “Layers” capability to manage the scale of the graph and focus on the area of interest. 
  • Analyze detailed networking, DNS, and HTTP activity, while automatically filtering the raw flow log data. 
  • View alerts that are annotated directly on the graph to quickly point out security gaps. 

 

Example: Select a namespace and highlight one of the services running in the cluster. Identify and resolve security and audit gaps, performance issues, connectivity breakdowns, anomalous behavior, and security policy violations between namespaces, microservices, and pods in real time from the UI. 

 


 

A detailed step-by-step hands-on module is available here: 

https://github.com/tigera-solutions/calicocloud-aks-workshop/blob/main/modules/using-observability-t... 

 

Module 3: Addressing a security gap with security policy 

 

By default, Kubernetes is an open system with no built-in security controls. For example, without proper east-west security controls, a cyber attacker can gain unauthorized access to move laterally within a cluster in search of sensitive data and other high-value assets. Given the large attack surface within a Kubernetes cluster, isolating endpoints and preventing lateral movement using security policies is essential. 

 

In this module, you will learn how to: 

 

  • Define a clear label schema to enforce zero-trust security across your AKS clusters. 
  • Implement least privilege access controls for east-west traffic inside your AKS cluster. 
  • Use labels and service accounts to identify workloads and then define policies to allow/deny communication between them. 
  • Validate security policies using staging and preview techniques.  
  • Control how different teams can work on the same AKS cluster using policy tiers and Kubernetes RBAC. 

 

Example: Create your own security policies within assigned tiers and customize permissions based on your organizational structure. Build a policy hierarchy in which the left-most tiers take precedence over those to their right (security, platform, application). Control who can view or modify policies in specific tiers, and record every change to tiers and policies for auditing and troubleshooting. 
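The precedence rule above is easiest to reason about by running a flow through the tiers. The simulator below is an added example, not code from the workshop or from Calico; it models the evaluation order the Calico docs describe (tiers left to right; within a tier, selecting policies by order; the first matching rule decides, `Pass` hands the flow to the next tier, and a tier that selected the endpoint but matched no rule denies the flow). Workloads, labels and the three tiers are constructed, selectors are simplified to label-equality dicts, and only ingress rules on the destination are evaluated.

```python
"""Simulate Calico tiered policy evaluation for an east-west flow.

Added example (not the workshop's or Calico's code). Tiers are evaluated
left to right; inside a tier, policies that select the destination are
checked in order; the first matching rule returns Allow or Deny, Pass skips
the rest of the tier, and if a policy selected the destination but no rule
matched, the tier ends in an implicit deny. All data below is constructed.
"""

# Constructed workloads: name -> labels (namespace carried as a label).
WORKLOADS = {
    "frontend": {"app": "frontend", "ns": "shop", "pci": "false"},
    "cart":     {"app": "cart", "ns": "shop", "pci": "false"},
    "payments": {"app": "payments", "ns": "shop", "pci": "true"},
    "debug":    {"app": "debug", "ns": "tools", "pci": "false"},
}


def matches(selector, labels):
    """A selector matches when every key/value it names is present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.items())


# Constructed tiers, left-most first. Policies inside a tier are listed in
# `order`. The security tier isolates PCI workloads and cannot be overridden
# by the application tier; the application tier ends with a default-deny.
TIERS = [
    ("security", [
        {"name": "pci-isolation", "selector": {"pci": "true"}, "ingress": [
            {"action": "Deny", "source": {"pci": "false"}},
            {"action": "Pass", "source": {}},
        ]},
    ]),
    ("platform", [
        {"name": "block-tools-ns", "selector": {}, "ingress": [
            {"action": "Deny", "source": {"ns": "tools"}},
            {"action": "Pass", "source": {}},
        ]},
    ]),
    ("application", [
        {"name": "cart-allow-frontend", "selector": {"app": "cart"}, "ingress": [
            {"action": "Allow", "source": {"app": "frontend"}},
        ]},
        {"name": "payments-allow-cart", "selector": {"app": "payments"}, "ingress": [
            {"action": "Allow", "source": {"app": "cart"}},
        ]},
        {"name": "default-deny", "selector": {}, "ingress": []},
    ]),
]


def evaluate(src, dst, tiers=TIERS):
    """Return (verdict, reason) for traffic from workload src to workload dst."""
    src_labels, dst_labels = WORKLOADS[src], WORKLOADS[dst]
    for tier_name, policies in tiers:
        selected = False
        for policy in policies:
            if not matches(policy["selector"], dst_labels):
                continue
            selected = True
            for rule in policy["ingress"]:
                if matches(rule["source"], src_labels):
                    if rule["action"] == "Pass":
                        break  # Pass: leave this tier, continue with the next one
                    return rule["action"], f"{tier_name}/{policy['name']}"
            else:
                continue  # no rule in this policy matched; try the next policy
            break  # reached only via Pass
        else:
            if selected:
                return "Deny", f"{tier_name}: end-of-tier implicit deny"
    return "Allow", "no policy selected the destination (profile default)"


if __name__ == "__main__":
    for s, d in [("frontend", "cart"), ("cart", "payments"),
                 ("debug", "cart"), ("cart", "frontend")]:
        print(f"{s} -> {d}: {evaluate(s, d)}")
```

Note that `cart -> payments` is denied by the security tier even though the application tier contains an explicit Allow for it: a rule in a later tier never gets a chance to run once an earlier tier has decided, which is exactly what lets a security team hand the application tier to developers without losing control.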

 


 

A detailed step-by-step hands-on module is available here: 

https://github.com/tigera-solutions/calicocloud-aks-workshop/blob/main/modules/pod-access-controls.m... 

 

Module 4: Troubleshooting a workload-to-workload communication issue  

 

This module focuses on troubleshooting a performance hot spot in five clicks or fewer, using a simple and customizable workflow. 

 

Applications are composed of many microservices, and a single request often passes through four or more services. When you have hundreds of services interacting, pinpointing and troubleshooting a problem becomes difficult. 

 

Calico Dynamic Packet Capture is a self-service, on-demand tool for performing packet capture for a specific pod or collection of pods. It integrates with Kubernetes RBAC to limit and secure users’ access to the endpoints and namespaces assigned to them. 

 

In this module, you will learn how to: 

  • Initiate Dynamic Packet Capture from the Dynamic Service and Threat Graph.  
  • Configure port, protocol, schedule time, and duration.  
  • Get fast, simplified troubleshooting for microservices using Kibana dashboards. 

 

Example: Initiate packet capture from Calico’s Dynamic Service and Threat Graph based on your Kubernetes RBAC permissions. Customize the capture based on port, protocol, and duration. Download and share the captured data to analyze the issue and resolve it. 

 


 


 

A detailed step-by-step hands-on module is available here: 

https://github.com/tigera-solutions/calicocloud-aks-workshop/blob/main/modules/packet-capture.md 

 

How to Get Started (Prerequisites): 

 

The modules use pre-built demo applications to speed up the learning experience, remove knowledge barriers, and show how easy it is to get started with implementing cloud-native security in your environment.   

 

You will need to take the following steps to try these modules:  

  • Sign up for an AKS cluster. If you already have an AKS cluster, use it for the lab. There are no restrictions on the type of AKS cluster. If you don’t have an AKS cluster, the Calico Cloud trial comes with a demo cluster and sample application Hipster Shop. 
  • Sign up for a Calico Cloud trial. This is a 14-day free trial without any feature usage restrictions. Go to https://www.calicocloud.io and click on Start Free Trial (no credit card required). Returning users can log in; new users can create an account. 

 


 

To join your AKS cluster to Calico Cloud: 

  • Click on “Managed Clusters”. 
  • Click on “connect cluster”. 
  • Choose Azure AKS, then click Next. 
  • Run the kubectl apply command that Calico Cloud displays to connect the cluster to Calico Cloud. 

 

Microsoft Azure and AKS users can now learn how to implement active security controls for their cloud-native applications with simple, easy-to-follow modules, and address the most common security use cases for their applications.  

 

If you run into any issues, feel free to reach out to us via our contact-us page, the Azure Marketplace, or social media. 
