Tigera Advances Calico: Enhanced Observability and Security for Ingress

Tigera unveiled several updates to Calico designed to help organizations securely scale Kubernetes workloads on a single, unified platform. Key enhancements include a built-in web application firewall (WAF) for the Calico Ingress Gateway and policy guidance for Calico Cloud Free Tier.

Fragmented solutions for managing and securing Kubernetes cause operational friction and expand an organization’s attack surface. The latest enhancements to Calico enable organizations to implement consistent and adaptable security controls across distributed, multi-cluster Kubernetes environments without compromising operational speed.

Calico Ingress Gateway with Integrated WAF Functionality at Runtime

Kubernetes ingress traffic is a common entry point for attacks, making the ability to analyze application-layer protocols such as HTTP and gRPC for threats fundamental.

Calico Ingress Gateway now includes built-in WAF capabilities that enable organizations to inspect, authorize, and secure ingress traffic at runtime. The integrated WAF engine streamlines operations and reduces complexity by delivering consistent threat detection across both ingress points and internal services. It enables organizations to define and enforce security policies directly at the ingress gateway, allowing deep inspection of HTTP and gRPC traffic and proactively blocking known threats before they reach workloads.

Policy Recommendations for Calico Cloud Free Tier

Platform teams often lack visibility into service-to-service communication and workload interactions. This creates challenges when defining policies and introduces risks such as overly permissive or restrictive policies.

The latest updates to Calico address this challenge. Calico Cloud Free Tier can generate network policy recommendations for Kubernetes clusters. Calico analyzes the flow logs generated by workloads and automatically recommends staged policies for each namespace that can be used for isolation. These new capabilities enable platform and security teams to implement effective network segmentation without extensive experience in authoring network policies or in workload communication.

Centralized Log Forwarding for Virtual Machines and Bare Metal Hosts

Organizations encounter operational challenges with the distributed nature of log forwarding on bare metal hosts and virtual machines (VMs) outside of Kubernetes. Without centralized log forwarding, configuring log forwarding to third-party data stores requires individual setup and authorization on each host or VM, hindering operational efficiency and adding costs.

Calico now supports centralized log forwarding for VM and bare metal hosts running outside of Kubernetes. With Calico, logs are collected at a central point, either at the management cluster or a standalone cluster that manages VM and bare metal hosts. From these centralized points, logs can be seamlessly forwarded to an organization’s preferred external log store. This centralized approach to log forwarding significantly improves scalability and simplifies operations for large environments.

Improved Visualization in Calico Service Graph

Newly improved iconography in Calico Service Graph also allows users to easily differentiate between Kubernetes cluster nodes and standalone VM and bare metal hosts that are running Calico outside of Kubernetes. This enhanced iconography groups and displays the two types of nodes separately and allows teams to automatically filter and view flow logs associated with these connections.

“As organizations scale their Kubernetes environments, many struggle to ensure security due to the siloed, disparate solutions used for Kubernetes security,” said Phil DiCorpo, Senior Director of Product Management at Tigera. “Calico’s new capabilities are a testament to our ongoing commitment to delivering a single, comprehensive platform that enables security across every aspect of the customer’s Kubernetes journey.”

To learn more about the latest innovations to Calico, visit the website here.

About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.