The surge of cloud-native applications has propelled Kubernetes into the forefront, revolutionizing how we manage and deploy workloads. However, this exponential growth has also increased the security challenges, and attack surface, DevOps and Security teams must address. As we discussed in a previous blog post, traditional network security measures fall short when presented with Kubernetes’ dynamic nature, demanding a paradigm shift towards more adaptable solutions.

In my previous blog post, What you can’t do with Kubernetes network policies (unless you use Calico): Policies to all namespaces or pods, I talked about this use case from the list of nine things you cannot implement using basic Kubernetes network policy — policies to all namespaces or pods. In this blog post, we’ll be focusing on the next use case — advanced policy querying and reachability tooling.

One recurrent point in our first interaction with Kubernetes users is the difficulty of implementing security controls on their Kubernetes clusters where tenant or workload isolation is required during rollout or runtime. This happens due to one of the following reasons: Calico provides several features and capabilities to cover each one of the above points with Policy Recommendation, Policy Board, and Dynamic Service and Threat Graph.

Enterprises that deploy Kubernetes in corporate data centers or cloud environments often use Cisco Secure Firewall to protect their networks and cloud resources. These firewalls are crucial for examining traffic coming from Kubernetes clusters. However, accurately determining the origin of this traffic as it passes through Cisco Secure Firewall can be challenging.

We’re happy to announce that Tigera recently achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes the security capabilities of Tigera’s Calico Cloud platform in helping customers secure their AWS workloads and achieve their cloud security goals. To receive the designation, AWS Partners must possess deep AWS expertise and deliver solutions seamlessly on AWS.

Kubernetes offers excellent scalability and flexibility to your infrastructure. Yet, in the midst of this transformation, we’ve all grappled with the difficulties of local IPv4 addressing which usually leads to the implementation of Network Address Translation (NAT) and unfolds complexities that we’d instead like to avoid. As if that weren’t enough, the scarcity of public IPv4 addresses and their expensive rental costs loom over our digital ambitions.

Over the past year, we’ve been building something new for Calico Cloud that’s aimed at helping anyone who is charged with improving the security of their Kubernetes clusters. I’m excited to announce that Calico Cloud is releasing new capabilities for security posture management called Security Scoring and Recommended Actions.

In my previous blog post, I touched upon some challenges with how NGFW container firewalls are built and how it takes a team of firewall specialists to deploy, configure and maintain the firewall platform. In this blog I will illustrate the challenges in detail and demonstrate the simplicity of the Calico container firewall platform.

Considering the vast attack surface and flat network architecture, Kubernetes workloads are particularly susceptible to network-based threats. While following best practices like workload access controls, workload-centric IDS/IPS, and WAF can help prevent and block attacks, anomaly detection has become crucial in today’s IT landscape to proactively anticipate security threats.

Many AWS customers have security requirements that are well beyond what AWS Security Groups or AWS Network Access Control Lists can offer in terms of scalability and security. That’s why many of them turn to AWS Network Firewall as a common solution.