Encryption of transmitted data in Calico Enterprise





We are pleased to announce that Calico Enterprise, the leading solution for Kubernetes networking, security and visibility in hybrid and multi-cloud environments, now includes encryption of data in transit.



Calico Enterprise is known for its rich set of tools for protecting the network security of container workloads by limiting traffic to and from trusted sources. These include, but are not limited to, implementing existing Kubernetes security practices, egress monitoring with DNS policies, extending the Kubernetes firewall, and intrusion detection and threat protection. However, as Kubernetes evolves, we see a need for an even deeper approach to protecting sensitive data that falls within the scope of compliance requirements.



Not all threats come from outside the company. According to Gartner, almost 75% of breaches are due to the actions of insiders: employees, ex-employees, contractors or business partners who have access to inside information about the company's security, data and computer systems. This level of data vulnerability is unacceptable for organizations with stringent security and compliance requirements. Regardless of where the threat comes from, only the legitimate holder of the encryption key can read encrypted data, which protects the data in the event of an unauthorized access attempt.



Several regulatory standards establish data protection and compliance requirements for organizations and specify the use of encryption tools, including SOX, HIPAA, GDPR and PCI. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that handle branded credit cards and was created to strengthen controls over cardholder data in order to reduce fraud. PCI DSS requires organizations to encrypt credit card account numbers stored in their databases and to keep data in transit secure. Compliance is checked annually or quarterly.







Calico Enterprise solves this problem by using WireGuard to encrypt transmitted data. WireGuard aligns with Tigera's "batteries-included" approach to Kubernetes networking, security and observability. WireGuard runs as a Linux kernel module and provides better performance and lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Independent Kubernetes CNI benchmarks have shown that Calico with encryption enabled is 6x faster than any other solution on the market.



Enabling data encryption in Calico Enterprise is straightforward: all you need is a Kubernetes cluster whose host operating system has WireGuard installed. For a complete list of supported operating systems and installation instructions, visit the WireGuard website.
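The enablement procedure described above, as an added example that is not code from the original post or from Tigera: it checks that the host kernel has the WireGuard module loaded, then turns on encryption cluster-wide through Calico's FelixConfiguration resource. The `calicoctl patch felixconfiguration default` command and the `wireguardEnabled` field are Calico's documented enablement interface; the helper function names, the sysfs-based module check, and the optional sysfs root argument (used so the check can be exercised without a real node) are this example's own assumptions. It assumes `calicoctl` is installed and has access to the cluster.

```shell
#!/bin/sh
# Added example (not Calico's or Tigera's own code): verify WireGuard host
# support and enable Calico's WireGuard encryption via FelixConfiguration.

# Returns 0 if the wireguard kernel module is loaded, judged by the presence
# of its sysfs directory. $1 optionally points at an alternative sysfs
# module root (assumption of this example; lets the check be tested offline).
wireguard_module_loaded() {
    sysroot="${1:-/sys/module}"
    [ -d "$sysroot/wireguard" ]
}

# Build the JSON merge patch that switches encryption on (true) or off (false).
# wireguardEnabled is the documented FelixConfiguration spec field.
felix_wireguard_patch() {
    printf '{"spec":{"wireguardEnabled":%s}}' "$1"
}

# Enable encryption cluster-wide. Refuses to proceed when this host lacks the
# module: Calico skips nodes without WireGuard support rather than failing,
# so traffic to and from such a node would stay unencrypted.
enable_wireguard() {
    if ! wireguard_module_loaded; then
        echo "wireguard kernel module not loaded; install WireGuard first" >&2
        return 1
    fi
    calicoctl patch felixconfiguration default --type=merge \
        -p "$(felix_wireguard_patch true)"
}

# After enablement each node publishes its WireGuard public key on its Node
# resource; listing them is a quick way to confirm every node joined.
show_wireguard_keys() {
    calicoctl get nodes -o yaml | grep -E 'name:|wireguardPublicKey:'
}

# Only act when explicitly asked, so sourcing this file runs nothing.
case "${1:-}" in
    enable) enable_wireguard ;;
    keys)   show_wireguard_keys ;;
esac
```

Run it as `sh enable-wireguard.sh enable` on a node with `calicoctl` access, then `sh enable-wireguard.sh keys`; a node that is missing from the key listing is one whose traffic is still in the clear. Once encryption is on, each node also gets a `wireguard.cali` interface, and `wg show wireguard.cali` (from wireguard-tools, as root) lists the peers it has established tunnels with.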



CNI performance tests



The industry standard for Kubernetes networking and network security, Calico powers over a million Kubernetes nodes every day. Calico is the only CNI capable of supporting three data planes from one unified control plane. Regardless of which data plane you are using (eBPF, Linux or Windows), Calico delivers incredible performance and exceptional scalability, as proven in the latest benchmarks.



The latest benchmark of Kubernetes network plugins (CNIs) over a 10 Gbps network was published by Alexis Ducastel, CKA/CKAD and founder of InfraBuilder. The test was based on CNI versions that were current and up to date as of August 2020. Only CNIs that can be configured with a single YAML file were tested and compared, including:



  • Antrea v0.9.1
  • Calico v3.16
  • Canal v3.16 (Flannel + Calico network policies)
  • Cilium 1.8.2
  • Flannel 0.12.0
  • Kube-router, latest version as of 2020-08-25
  • WeaveNet 2.7.0


Among all the CNIs tested, Calico was the clear winner, excelling in almost all categories and achieving excellent results, which are summarized in the table below. In fact, Calico is the author's recommended CNI for the primary use cases presented in the summary of the report.







Check out the full results of the latest Kubernetes CNI benchmarks. You can also run the benchmark on your own cluster using InfraBuilder's Kubernetes Network Benchmark Tool.


