Encryption of transmitted data in Calico Enterprise

We are pleased to announce that Calico Enterprise, the leading solution for Kubernetes networking, security and visibility in hybrid and multi-cloud environments, now includes encryption of data in transit.

Calico Enterprise is known for its rich set of network security tools that protect containerized workloads by limiting traffic to and from trusted sources. They include, but are not limited to, implementing existing security control practices in Kubernetes, egress control using DNS policies, extending the firewall to Kubernetes, and intrusion detection and threat protection. However, as Kubernetes evolves, we see the need for an even deeper approach to protecting sensitive data that falls within the scope of compliance requirements.

Not all threats come from outside the company. According to Gartner, nearly 75% of breaches are caused by people inside the company: employees, former employees, contractors or business partners who have access to inside information about the company's security, data and computer systems. This level of data exposure is unacceptable for organizations with stringent security and compliance requirements. Regardless of where the threat comes from, only the legitimate holder of the encryption key can read encrypted data, so the data stays protected even if someone gains unauthorized access to the network path.

Several regulatory standards establish data protection and compliance requirements for organizations and mandate the use of encryption, including SOX, HIPAA, GDPR and PCI. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that handle branded credit cards and was created to strengthen controls over cardholder data in order to reduce fraud. PCI DSS requires organizations to encrypt credit card account numbers stored in their databases and to keep data in transit secure. Compliance is checked annually or quarterly.

Calico Enterprise addresses this by using WireGuard to encrypt data in transit between nodes. WireGuard aligns with Tigera's "batteries-included" approach to Kubernetes networking, security and observability. WireGuard runs as a Linux kernel module and provides better performance and lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Independent Kubernetes CNI benchmarks have shown that Calico with encryption enabled performs 6 times faster than any other solution on the market.
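
As an added example (not code from the original post or from the Calico project), the following script shows how WireGuard encryption is switched on cluster-wide and how to audit which nodes actually take part in it. It assumes the FelixConfiguration field `wireguardEnabled` and the node annotation `projectcalico.org/WireguardPublicKey` as documented for Calico; the node list is a constructed sample.

```python
import json
import subprocess

# Node annotation Calico writes once the node has generated its WireGuard key
# (from Calico's documentation, not from this post; confirm for your version).
WG_KEY_ANNOTATION = "projectcalico.org/WireguardPublicKey"

# Merge patch for the cluster-wide FelixConfiguration that enables WireGuard.
ENABLE_PATCH = json.dumps({"spec": {"wireguardEnabled": True}})


def enable_cmd():
    """kubectl command that enables WireGuard cluster-wide (returned, not run)."""
    return ["kubectl", "patch", "felixconfiguration", "default",
            "--type=merge", "-p", ENABLE_PATCH]


def nodes_without_wireguard(node_list):
    """Names of nodes that have published no WireGuard public key; traffic to
    and from such a node is not WireGuard-encrypted, so a compliance check
    must flag them instead of trusting the global switch alone."""
    missing = []
    for item in node_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if not annotations.get(WG_KEY_ANNOTATION, "").strip():
            missing.append(meta["name"])
    return sorted(missing)


def audit(node_list=None):
    """Audit live cluster nodes via kubectl, or an already-parsed node list."""
    if node_list is None:
        raw = subprocess.run(["kubectl", "get", "nodes", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        node_list = json.loads(raw)
    return nodes_without_wireguard(node_list)


# Constructed sample in the shape of `kubectl get nodes -o json`; the keys are
# placeholders. worker-2 has no key, e.g. its kernel lacks the WireGuard module.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "control-1",
                  "annotations": {WG_KEY_ANNOTATION: "CONSTRUCTED_KEY_1="}}},
    {"metadata": {"name": "worker-1",
                  "annotations": {WG_KEY_ANNOTATION: "CONSTRUCTED_KEY_2="}}},
    {"metadata": {"name": "worker-2", "annotations": {}}},
]}

if __name__ == "__main__":
    print(" ".join(enable_cmd()))
    print("nodes without WireGuard key:", audit(SAMPLE_NODES))
```

Run `audit()` with no argument against a real cluster to list nodes whose traffic would still leave the host unencrypted.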

CNI performance tests

The industry standard for Kubernetes networking and network security, Calico powers over a million Kubernetes nodes every day. Calico is the only CNI capable of supporting three data planes from one unified control plane. Regardless of which data plane you use (eBPF, Linux or Windows), Calico delivers outstanding performance and exceptional scalability, as proven in the latest benchmarks.

The latest benchmark of Kubernetes network plugins (CNIs) over a 10 Gbit/s network was published by Alexis Ducastel, Kubernetes CKA/CKAD and founder of InfraBuilder. The test was based on CNI versions that were current and updated as of August 2020. Only CNIs that can be configured with a single YAML file were tested and compared, including:

  • Antrea v0.9.1
  • Calico v3.16
  • Canal v3.16 (Flannel + Calico network policies)
  • Cilium 1.8.2
  • Flannel 0.12.0
  • Kube-router – latest version (2020-08-25)
  • WeaveNet 2.7.0

Among all the CNIs tested, Calico was the clear winner, showing superiority in almost all categories and achieving excellent results, which are shown in the table below. In fact, in the summary of the report the author names Calico as the preferred CNI for the primary use cases presented.

Check out the complete results of the latest Kubernetes CNI benchmark tests. You can also run the benchmark on your own cluster using the Kubernetes Network Benchmark Tool from InfraBuilder.

