Introducing: Application Layer Policy

Security is a moving target. Each year we see more sophisticated attacks and ever larger scale breaches. At the same time, enterprises are calling for more deployment flexibility—across availability zones and cloud providers—to meet worldwide customer demand and exacting uptime requirements.

These two forces have led to the development and popularization of the Zero Trust Network Security Model. The core idea behind this model is that we abandon the assumption that network locality is sufficient to establish trust. Instead, we authenticate and authorize each network flow using multiple attributes. Crucially, each workload is issued the means to cryptographically prove its identity as part of the authentication process.

In this way, trust is removed from the network. While this might seem scary at first, it is actually quite liberating since it frees us from complex configuration for securing traffic from zone-to-zone or cloud-to-cloud. However, Zero Trust Networks have been a challenge to realize, requiring custom glue code to integrate authentication, authorization, encryption and policy enforcement at multiple points in the application stack.

Since, at Tigera, we are trying to bring secure application connectivity to all adopters of cloud native technologies, we thought long and hard about how to enable the Zero Trust approach in a way that would be easily consumable by everyone.

Today we are announcing Application Layer Policy for Calico, which, when combined with the open source Istio project, will make it simple for anyone to build their own Zero Trust Networks. Application Layer Policy builds on Calico’s proven policy model, extending Calico to support policy from the Network Layer all the way up to the Application Layer.

Application Layer Policy for Calico has the following benefits:

• Operational simplicity and ease of adoption
  • Unified L3-7 policy following well established Kubernetes idioms
  • Label-based flexibility puts organizations in control
  • Fully compatible with existing Calico Policy
• Cloud native & legacy
  • Works with containers, VMs and standalone hosts
  • Allows incremental adoption of Istio
  • Single policy management API for across diverse deployments

Istio places a high-performance application layer proxy (Envoy, originally built by the Lyft team, and now a project within the Cloud Native Computing Foundation) in front of each workload to which all application connectivity functions are delegated. In this way the workloads form a “service mesh.” The proxy provides consistent and centrally managed functions without application code changes, and the distributed data plane allows horizontal scale-out. These functions enhance reliability (e.g. retries and circuit breaking), visibility (e.g. metrics and tracing), and security—the focus of this announcement. The Istio control plane issues key and certificate pairs to each workload which can be used for mutually authenticated TLS for all workload-to-workload connections.

“It’s great to see Tigera playing an active role in the Istio community and extending Kubernetes network policy support to application level enforcement using Istio. In fact, Google Kubernetes Engine already offers Calico for enforcing Kubernetes network policy controls and we look forward to customers using this capability with both GKE and Istio. The work they are doing with Calico integration is a nice addition to the Istio security options available to users.”

– Varun Talwar, Product Manager at Google for Istio.

Application Layer Policy builds on this authentication layer to enact fine-grained access control. When an operator enables access to a service via Application Layer Policy, Calico performs multiple checks including against the workload ID in the certificate, and network layer information like expected IP provided by the cluster manager (e.g. Kubernetes). Multi-layer checks are performed automatically—there is no need to write multiple policies for the different layers. Application Layer Policy can be substantially more fine grained than existing policy, down to the API method or resource.

In addition to multiple authorization checks, Application Layer Policy is also enforced at multiple locations: the existing iptables enforcement and a new enforcement point built into the Istio proxy. Multiple layers of defenses impede attackers, yet are now easy to configure thanks to the unified Application Layer Policy in Calico which provides a single point of control for developers and operators.

“I’m excited to see the Istio and Envoy contributions from the team at Tigera. Properly securing microservices is one of the hardest things to get right, and I think a lot of folks are going to be interested in the capabilities they are building.”

– Matt Klein, Software Engineer at Lyft and maintainer of Envoy

Like Calico, Istio is designed to support multiple environments including containers, VMs and bare metal to bridge the gap from existing systems and deployments to newer cloud native workloads. Application Layer Policy can be gradually adopted and built into existing deployments. Cryptographic verification of identity is enforced as soon as Istio is enabled for a workload; policy changes are not required.

Calico is available in hosted Kubernetes offerings from Google and IBM (Amazon EKS and Microsoft AKS both coming soon!), and works in every other major cloud via a manifest install.

“We selected Calico as our Kubernetes network provider due to the simplicity of its IP management for containers and specifically for its ability to support Kubernetes network policies. We are excited about Calico’s introduction of Application Layer Policy and we are looking forward to exposing this new feature into the IBM Cloud Container Service.”

– Dan Berg, Distinguished Engineer for Container Service at IBM

Application Layer Policy for Calico is available today as an early-access preview. Check out the code on GitHub and work through some example policies that demonstrate its power. In the coming weeks we will be working hard to move it from preview to production readiness in an upcoming version of Calico. We will also be building enterprise grade configurability and visibility options for Application Layer Policy in upcoming Tigera offerings (stay tuned for some exciting news on that front!).

Find us this week at CloudNativeCon / KubeCon in Austin, where we will be at booth D5, and I will be highlighting Calico Application Layer Policy in my keynote “Progress Toward Zero Trust Kubernetes Networks” at 10:15am on Thursday Dec 7th.