SlideShare ist ein Scribd-Unternehmen logo

Protecting host with calico

Als PPT, PDF herunterladen
Anirban Sen Chowdhary
Anirban Sen Chowdhary

Protecting host with calico

Technologie
1 von 12
Anirban Sen Chowdhary
Project Calico, a Tigera open-source project that provides a  layer 3 network implementation, aimed at scalable datacenter  deployments. Compared to traditional network overlays, Calico  provides a more efficient implementation with minimal packet  encapsulation. This allows better usage of node resources and a  simple yet powerful network stack for your infrastructure. 
Calico is able to secure the network interfaces of the host itself with the security policy model. RHEL (7.1, 7.2, 7.3, 7.4) Ubuntu (16.04, 17.04) SLES (12, 12 SP1, 12 SP2) It supports the same rich security policy model for host endpoints that it supports for workload endpoints. It does not support setting IPs or policing MAC addresses for host interfaces, it assumes that the interfaces are configured by the underlying network fabric.
Build Calico components: Calico components include calicoctl and calico/node . There are two ways to build calicoctl: natively, and dockerized calico/node can be regarded as a helper container that bundles together the various components required for networking containers with Calico.
Project Calico defines endpoints as network interfaces. Endpoints are generally two types: Host and Workload. Host endpoints defines network interfaces that are static with respect to Calico’s perspective. Workload endpoints involves lifecycles that are managed by an orchestrator and are typically created and destroyed in conjunction with scheduling and destroying workloads. Also, Calico distinguishes workload endpoints from host endpoints by a configurable prefix. As we know, within the Calico policy data model, both types of endpoints can be associated with a set of labels, where the orchestrator supports the concept of labels, such as Kubernetes, then these come from the orchestrator. Or else they can be applied to the endpoint via Calico’s APIs.
Run Calico to Secure Host Interfaces: After building calictoctl and calico-felix, it is ready to run as follows: 1) Creating basic connectivity and Calico policy 2) Creating host endpoint objects 3) Creating more security policy All these 3 steps are defined in next slides.
1) Creating basic connectivity and Calico policy: At the beginning when a host endpoint is added, if there is no security policy for that endpoint, so Calico will default to denying traffic to/from that endpoint. Need to create a failsafe Calico security policy Need to create a single policy resource, which can be applied to all known endpoints, allows inbound ssh access from a defined “management” subnet, allows outbound connectivity to etcd on a particular IP. cat << EOF | calicoctl create -f - - apiVersion: v1 kind: policy metadata: name: failsafe spec: selector: "all()" order: 0 ingress: - action: allow protocol: tcp source: nets: - "<your management CIDR>" destination: ports: [22] - action: allow protocol: icmp egress: - action: allow protocol: tcp destination: nets: - "<your etcd IP>/32" ports: [<your etcd ports>] - action: allow protocol: udp destination: ports: [67] EOF
2) Creating host endpoint objects: For each host endpoint that we want Calico to secure, we’ll need to create a host endpoint object in etcd. We can use the calicoctl create command to create a host endpoint resource (hostEndpoint). Generally, there will be 2 ways to specify the interface that a host endpoint should refer to. Specify 1) Name of the interface 2) Expected IP address. In both the cases, we’ll also need to know the name given to the Calico node running on the host that owns the interface; which in most cases this will be the same as the hostname of the host.
If we take an example to secure the interface named eth2 with IP 10.0.0.3 on host my- host, run the command below: We need to remember while running this command to replace the bracket with appropriate values for our deployment. cat << EOF | calicoctl create -f - - apiVersion: v1 kind: hostEndpoint metadata: name: <name of endpoint> node: <node name or hostname> labels: role: webserver environment: production spec: interfaceName: eth2 profiles: [<list of profile IDs>] expectedIPs: ["10.0.0.3"] EOF
3) Creating more security policy: selector-based security policy with bare-metal workloads should be used that allows ordered policy to be applied to endpoints that match particular label selectors. example, we could add a second policy for webserver access: cat << EOF | dist/calicoctl create -f - - apiVersion: v1 kind: policy metadata: name: webserver spec: selector: "role=="webserver"" order: 100 ingress: - action: allow protocol: tcp destination: ports: [80] egress: - action: allow EOF
For more information visit https://www.projectcalico.org/ https://docs.projectcalico.org/v2.6/introduction/ https://blog.tigera.io/tagged/calico
Protecting host with calico

Empfohlen

Getting started with project calico
Getting started with project calicoGetting started with project calico
Getting started with project calicoAnirban Sen Chowdhary
 
Calico using vagrant and virtual box
Calico using vagrant and virtual boxCalico using vagrant and virtual box
Calico using vagrant and virtual boxAnirban Sen Chowdhary
 
Deploying calico on docker
Deploying calico on dockerDeploying calico on docker
Deploying calico on dockerAnirban Sen Chowdhary
 
Calico using rkt
Calico using rktCalico using rkt
Calico using rktAnirban Sen Chowdhary
 
Calico integration
Calico integrationCalico integration
Calico integrationAnirban Sen Chowdhary
 
Deploying calico on kubernetes
Deploying calico on kubernetesDeploying calico on kubernetes
Deploying calico on kubernetesAnirban Sen Chowdhary
 
Calico in networking mode
Calico in networking modeCalico in networking mode
Calico in networking modeAnirban Sen Chowdhary
 
Calico and BGP
Calico and BGPCalico and BGP
Calico and BGPAnirban Sen Chowdhary
 

Empfohlen

Getting started with project calico
Getting started with project calicoGetting started with project calico
Getting started with project calicoAnirban Sen Chowdhary
 
Calico using vagrant and virtual box
Calico using vagrant and virtual boxCalico using vagrant and virtual box
Calico using vagrant and virtual boxAnirban Sen Chowdhary
 
Deploying calico on docker
Deploying calico on dockerDeploying calico on docker
Deploying calico on dockerAnirban Sen Chowdhary
 
Calico using rkt
Calico using rktCalico using rkt
Calico using rktAnirban Sen Chowdhary
 
Calico integration
Calico integrationCalico integration
Calico integrationAnirban Sen Chowdhary
 
Deploying calico on kubernetes
Deploying calico on kubernetesDeploying calico on kubernetes
Deploying calico on kubernetesAnirban Sen Chowdhary
 
Calico in networking mode
Calico in networking modeCalico in networking mode
Calico in networking modeAnirban Sen Chowdhary
 
Calico and BGP
Calico and BGPCalico and BGP
Calico and BGPAnirban Sen Chowdhary
 
Calico to secure host interfaces
Calico to secure host interfacesCalico to secure host interfaces
Calico to secure host interfacesD.Rajesh Kumar
 
Calico 3
Calico 3Calico 3
Calico 3Anirban Sen Chowdhary
 
Calico and mesos
Calico and mesosCalico and mesos
Calico and mesosAnirban Sen Chowdhary
 
Calico and ubuntu
Calico and ubuntuCalico and ubuntu
Calico and ubuntuAnirban Sen Chowdhary
 
Calico and open shift
Calico and open shiftCalico and open shift
Calico and open shiftAnirban Sen Chowdhary
 
Calico and simple policy
Calico and simple policyCalico and simple policy
Calico and simple policyAnirban Sen Chowdhary
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoAndrew Randall
 
Calico architecture
Calico architectureCalico architecture
Calico architectureD.Rajesh Kumar
 
Kubernetes networking & Security
Kubernetes networking & SecurityKubernetes networking & Security
Kubernetes networking & SecurityVietnam Open Infrastructure User Group
 
20170705 kubernetes with calico
20170705 kubernetes with calico20170705 kubernetes with calico
20170705 kubernetes with calicoIsaac Tseng
 
Kubernetes networking: Introduction to overlay networks, communication models...
Kubernetes networking: Introduction to overlay networks, communication models...Kubernetes networking: Introduction to overlay networks, communication models...
Kubernetes networking: Introduction to overlay networks, communication models...Murat Mukhtarov
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Cloud Native Day Tel Aviv
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Andrew Randall
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with KubernetesMatt Baldwin
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Karthik Prabhakar
 
Deploying vn fs with kubernetes pods and vms
Deploying vn fs with kubernetes pods and vmsDeploying vn fs with kubernetes pods and vms
Deploying vn fs with kubernetes pods and vmsLibbySchulze1
 
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingIntro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingPacket
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Overview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationOverview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationMichelle Holley
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingGiragadurai Vallirajan
 
Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpnRohit Pardasani
 
Drive into calico architecture part 2
Drive into calico architecture part 2Drive into calico architecture part 2
Drive into calico architecture part 2Anirban Sen Chowdhary
 

Weitere ähnliche Inhalte

Was ist angesagt?

Calico to secure host interfaces
Calico to secure host interfacesCalico to secure host interfaces
Calico to secure host interfacesD.Rajesh Kumar
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoAndrew Randall
 
20170705 kubernetes with calico
20170705 kubernetes with calico20170705 kubernetes with calico
20170705 kubernetes with calicoIsaac Tseng
 
Kubernetes networking: Introduction to overlay networks, communication models...
Kubernetes networking: Introduction to overlay networks, communication models...Kubernetes networking: Introduction to overlay networks, communication models...
Kubernetes networking: Introduction to overlay networks, communication models...Murat Mukhtarov
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Cloud Native Day Tel Aviv
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Andrew Randall
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with KubernetesMatt Baldwin
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Karthik Prabhakar
 
Deploying vn fs with kubernetes pods and vms
Deploying vn fs with kubernetes pods and vmsDeploying vn fs with kubernetes pods and vms
Deploying vn fs with kubernetes pods and vmsLibbySchulze1
 
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingIntro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingPacket
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Overview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationOverview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationMichelle Holley
 

Was ist angesagt? (20)

Calico to secure host interfaces
Calico to secure host interfacesCalico to secure host interfaces
Calico to secure host interfaces
 
Calico 3
Calico 3Calico 3
Calico 3
 
Calico and mesos
Calico and mesosCalico and mesos
Calico and mesos
 
Calico and ubuntu
Calico and ubuntuCalico and ubuntu
Calico and ubuntu
 
Calico and open shift
Calico and open shiftCalico and open shift
Calico and open shift
 
Calico and simple policy
Calico and simple policyCalico and simple policy
Calico and simple policy
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
 
Calico architecture
Calico architectureCalico architecture
Calico architecture
 
Kubernetes networking & Security
Kubernetes networking & SecurityKubernetes networking & Security
Kubernetes networking & Security
 
20170705 kubernetes with calico
20170705 kubernetes with calico20170705 kubernetes with calico
20170705 kubernetes with calico
 
Kubernetes networking: Introduction to overlay networks, communication models...
Kubernetes networking: Introduction to overlay networks, communication models...Kubernetes networking: Introduction to overlay networks, communication models...
Kubernetes networking: Introduction to overlay networks, communication models...
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with Kubernetes
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
 
Deploying vn fs with kubernetes pods and vms
Deploying vn fs with kubernetes pods and vmsDeploying vn fs with kubernetes pods and vms
Deploying vn fs with kubernetes pods and vms
 
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingIntro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networking
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Overview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationOverview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine Integration
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 

Ähnlich wie Protecting host with calico

Drive into calico architecture part 2
Drive into calico architecture part 2Drive into calico architecture part 2
Drive into calico architecture part 2Anirban Sen Chowdhary
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2Alfonso Martino
 
Calico with open stack
Calico with open stackCalico with open stack
Calico with open stackD.Rajesh Kumar
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)n|u - The Open Security Community
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!Affan Syed
 
Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Shyamsundar Das
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsManuel Santander
 
Performance analysis of container-based networking Solutions for high-perform...
Performance analysis of container-based networking Solutions for high-perform...Performance analysis of container-based networking Solutions for high-perform...
Performance analysis of container-based networking Solutions for high-perform...IJECEIAES
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System zShawn Wells
 
Integrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud managementIntegrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud managementJoel W. King
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDNOpenStack Korea Community
 
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDNSungman Jang
 

Ähnlich wie Protecting host with calico (20)

Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpn
 
Drive into calico architecture part 2
Drive into calico architecture part 2Drive into calico architecture part 2
Drive into calico architecture part 2
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
 
Calico with open stack
Calico with open stackCalico with open stack
Calico with open stack
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Module 06 (1).pdf
Module 06 (1).pdfModule 06 (1).pdf
Module 06 (1).pdf
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
 
Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.Generating Signatures for cyberattacks.
Generating Signatures for cyberattacks.
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
 
Performance analysis of container-based networking Solutions for high-perform...
Performance analysis of container-based networking Solutions for high-perform...Performance analysis of container-based networking Solutions for high-perform...
Performance analysis of container-based networking Solutions for high-perform...
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 
Integrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud managementIntegrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud management
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
 
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
 

Mehr von Anirban Sen Chowdhary

Overview in ringcentral digital line
Overview in ringcentral digital lineOverview in ringcentral digital line
Overview in ringcentral digital lineAnirban Sen Chowdhary
 
RingCentral application development overview
RingCentral application development overviewRingCentral application development overview
RingCentral application development overviewAnirban Sen Chowdhary
 
Overview on ring central errors part 4
Overview on ring central errors part 4Overview on ring central errors part 4
Overview on ring central errors part 4Anirban Sen Chowdhary
 
Setting up your ring central sandbox in steps
Setting up your ring central sandbox in stepsSetting up your ring central sandbox in steps
Setting up your ring central sandbox in stepsAnirban Sen Chowdhary
 
Overview on ring central errors: part 2
Overview on ring central errors: part 2Overview on ring central errors: part 2
Overview on ring central errors: part 2Anirban Sen Chowdhary
 
Call recording overview ring central
Call recording overview ring centralCall recording overview ring central
Call recording overview ring centralAnirban Sen Chowdhary
 
Ring central engaging with amazon alexa
Ring central engaging with amazon alexaRing central engaging with amazon alexa
Ring central engaging with amazon alexaAnirban Sen Chowdhary
 
How ring central sdk changing the game
How ring central sdk changing the gameHow ring central sdk changing the game
How ring central sdk changing the gameAnirban Sen Chowdhary
 
When ring central connect salesforce
When ring central connect salesforceWhen ring central connect salesforce
When ring central connect salesforceAnirban Sen Chowdhary
 
Ring central connecting salesforce overview
Ring central connecting salesforce overviewRing central connecting salesforce overview
Ring central connecting salesforce overviewAnirban Sen Chowdhary
 
Ring central call logs overview (part 2)
Ring central call logs overview (part 2)Ring central call logs overview (part 2)
Ring central call logs overview (part 2)Anirban Sen Chowdhary
 

Mehr von Anirban Sen Chowdhary (20)

Change the game with Game changer
Change the game with Game changerChange the game with Game changer
Change the game with Game changer
 
Ring central desktop app overview
Ring central desktop app overviewRing central desktop app overview
Ring central desktop app overview
 
Overview in ringcentral digital line
Overview in ringcentral digital lineOverview in ringcentral digital line
Overview in ringcentral digital line
 
Some basics with ring central
Some basics with ring centralSome basics with ring central
Some basics with ring central
 
Ring central and python
Ring central and pythonRing central and python
Ring central and python
 
RingCentral application development overview
RingCentral application development overviewRingCentral application development overview
RingCentral application development overview
 
Cloze connect ringcentral
Cloze connect ringcentralCloze connect ringcentral
Cloze connect ringcentral
 
Overview on ring central errors part 4
Overview on ring central errors part 4Overview on ring central errors part 4
Overview on ring central errors part 4
 
Setting up your ring central sandbox in steps
Setting up your ring central sandbox in stepsSetting up your ring central sandbox in steps
Setting up your ring central sandbox in steps
 
Overview on ring central errors: part 2
Overview on ring central errors: part 2Overview on ring central errors: part 2
Overview on ring central errors: part 2
 
Overview on ring central errors
Overview on ring central errorsOverview on ring central errors
Overview on ring central errors
 
Call recording overview ring central
Call recording overview ring centralCall recording overview ring central
Call recording overview ring central
 
Ring central engaging with amazon alexa
Ring central engaging with amazon alexaRing central engaging with amazon alexa
Ring central engaging with amazon alexa
 
How ring central sdk changing the game
How ring central sdk changing the gameHow ring central sdk changing the game
How ring central sdk changing the game
 
When ring central connect salesforce
When ring central connect salesforceWhen ring central connect salesforce
When ring central connect salesforce
 
Mule 4 connecting ring central
Mule 4 connecting ring centralMule 4 connecting ring central
Mule 4 connecting ring central
 
Ring central sdk
Ring central sdkRing central sdk
Ring central sdk
 
Ring central with okta
Ring central with oktaRing central with okta
Ring central with okta
 
Ring central connecting salesforce overview
Ring central connecting salesforce overviewRing central connecting salesforce overview
Ring central connecting salesforce overview
 
Ring central call logs overview (part 2)
Ring central call logs overview (part 2)Ring central call logs overview (part 2)
Ring central call logs overview (part 2)
 

Kürzlich hochgeladen

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Kürzlich hochgeladen (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Protecting host with calico

  • 3. Calico is able to secure the network interfaces of the host itself with the security policy model. RHEL (7.1, 7.2, 7.3, 7.4) Ubuntu (16.04, 17.04) SLES (12, 12 SP1, 12 SP2) It supports the same rich security policy model for host endpoints that it supports for workload endpoints. It does not support setting IPs or policing MAC addresses for host interfaces, it assumes that the interfaces are configured by the underlying network fabric.
  • 4. Build Calico components: Calico components include calicoctl and calico/node . There are two ways to build calicoctl: natively, and dockerized calico/node can be regarded as a helper container that bundles together the various components required for networking containers with Calico.
  • 5. Project Calico defines endpoints as network interfaces. Endpoints are generally two types: Host and Workload. Host endpoints defines network interfaces that are static with respect to Calico’s perspective. Workload endpoints involves lifecycles that are managed by an orchestrator and are typically created and destroyed in conjunction with scheduling and destroying workloads. Also, Calico distinguishes workload endpoints from host endpoints by a configurable prefix. As we know, within the Calico policy data model, both types of endpoints can be associated with a set of labels, where the orchestrator supports the concept of labels, such as Kubernetes, then these come from the orchestrator. Or else they can be applied to the endpoint via Calico’s APIs.
  • 6. Run Calico to Secure Host Interfaces: After building calictoctl and calico-felix, it is ready to run as follows: 1) Creating basic connectivity and Calico policy 2) Creating host endpoint objects 3) Creating more security policy All these 3 steps are defined in next slides.
  • 7. 1) Creating basic connectivity and Calico policy: At the beginning when a host endpoint is added, if there is no security policy for that endpoint, so Calico will default to denying traffic to/from that endpoint. Need to create a failsafe Calico security policy Need to create a single policy resource, which can be applied to all known endpoints, allows inbound ssh access from a defined “management” subnet, allows outbound connectivity to etcd on a particular IP. cat << EOF | calicoctl create -f - - apiVersion: v1 kind: policy metadata: name: failsafe spec: selector: "all()" order: 0 ingress: - action: allow protocol: tcp source: nets: - "<your management CIDR>" destination: ports: [22] - action: allow protocol: icmp egress: - action: allow protocol: tcp destination: nets: - "<your etcd IP>/32" ports: [<your etcd ports>] - action: allow protocol: udp destination: ports: [67] EOF
  • 8. 2) Creating host endpoint objects: For each host endpoint that we want Calico to secure, we’ll need to create a host endpoint object in etcd. We can use the calicoctl create command to create a host endpoint resource (hostEndpoint). Generally, there will be 2 ways to specify the interface that a host endpoint should refer to. Specify 1) Name of the interface 2) Expected IP address. In both the cases, we’ll also need to know the name given to the Calico node running on the host that owns the interface; which in most cases this will be the same as the hostname of the host.
  • 9. If we take an example to secure the interface named eth2 with IP 10.0.0.3 on host my- host, run the command below: We need to remember while running this command to replace the bracket with appropriate values for our deployment. cat << EOF | calicoctl create -f - - apiVersion: v1 kind: hostEndpoint metadata: name: <name of endpoint> node: <node name or hostname> labels: role: webserver environment: production spec: interfaceName: eth2 profiles: [<list of profile IDs>] expectedIPs: ["10.0.0.3"] EOF
  • 10. 3) Creating more security policy: selector-based security policy with bare-metal workloads should be used that allows ordered policy to be applied to endpoints that match particular label selectors. example, we could add a second policy for webserver access: cat << EOF | dist/calicoctl create -f - - apiVersion: v1 kind: policy metadata: name: webserver spec: selector: "role=="webserver"" order: 100 ingress: - action: allow protocol: tcp destination: ports: [80] egress: - action: allow EOF
  • 11. For more information visit https://www.projectcalico.org/ https://docs.projectcalico.org/v2.6/introduction/ https://blog.tigera.io/tagged/calico