Calico to secure host interfaces
Download as PPT, PDF0 likes266 views
The document discusses how to use Calico to secure the network interfaces of a host, called "host endpoints", in addition to workload endpoints like containers and VMs. Calico supports the same security policy model for host endpoints as it does for workloads. It distinguishes host and workload interfaces by configurable prefix. The steps to enable host endpoint security include installing Calico's Felix daemon, initializing the etcd database, adding basic connectivity policy, and creating host endpoint objects for each interface in etcd.
Calico to secure host interfaces
- 1. Calico to Secure Host Interfaces Rajesh Kumar
- 2. 2 Calico to Secure Host Interfaces Will discuss how to use Calico to secure the network interfaces of the host itself (as opposed to those of any container/VM workloads that are present on the host). We call such interfaces “host endpoints”, to distinguish them from “workload endpoints” (such as containers or VMs). Calico supports the same rich security policy model for host endpoints that it supports for workload endpoints. Host endpoints can have labels, and their labels are in the same “namespace” as those of workload endpoints. This allows security rules for either type of endpoint to refer to the other type (or a
- 3. 3 Calico to Secure Host Interfaces Calico does not support setting IPs or policing MAC addresses for host interfaces, it assumes that the interfaces are configured by the underlying network fabric. Calico distinguishes workload endpoints from host endpoints by a configurable prefix. Unless you happen to have host interfaces whose name matches the default for that prefix (cali), you won’t need to change it. In case you do, see the InterfacePrefix configuration value at Configuring Felix. Interfaces that start with a value listed in InterfacePrefix are assumed to be workload interfaces. Others are
- 4. 4 Calico to Secure Host Interfaces As of Calico v2.1.0, Calico applies host endpoint security policy both to traffic that is terminated locally, and to traffic that is forwarded between host endpoints. Previously, policy was only applied to traffic that was terminated locally. The change allows Calico to be used to secure a NAT gateway or router. Calico supports selector-based policy as normal when running on a gateway or router allowing for rich, dynamic security policy based on the labels attached to your workloads.
- 5. 5 Calico to Secure Host Interfaces Note: If you have a host with workloads on it then traffic that is forwarded to workloads bypasses the policy applied to host endpoints. If that weren’t the case, the host endpoint policy would need to be very broad to allow all traffic destined for any possible workload. Since version 2.1.0, Calico applies host endpoint policy to traffic that is being forwarded between host interfaces.
- 6. 6 Installation overview To make use of Calico’s host endpoint support, you will need to follow these steps, described in more detail below: •download the calicoctl binary •create an etcd cluster, if you haven’t already •install Calico’s Felix daemon on each host •initialize the etcd database •add policy to allow basic connectivity and Calico function •create host endpoint objects in etcd for each interface you want Calico to police (in a later release, we plan to support interface templates to remove the
- 7. 7 Creating an etcd cluster If you haven’t already created an etcd cluster for your Calico deployment, you’ll need to create one. To create a single-node etcd cluster for testing, download an etcd v3.x release from the etcd releases archive; we recommend using the most recent bugfix release. Then follow the instructions on that page to unpack and run the etcd binary. To create a production cluster, you should follow the guidance in the etcd manual. In particular, the clustering guide.
- 8. 8 Creating an etcd cluster If you haven’t already created an etcd cluster for your Calico deployment, you’ll need to create one. To create a single-node etcd cluster for testing, download an etcd v3.x release from the etcd releases archive; we recommend using the most recent bugfix release. Then follow the instructions on that page to unpack and run the etcd binary. To create a production cluster, you should follow the guidance in the etcd manual. In particular, the clustering guide.
- 9. Thank You
- 10. Thank You