tigera-solutions/cc-core-eks-workshop

EKS and Calico Cloud: Hands-on workshop

Welcome

In this EKS-focused workshop, you will work with AWS and Calico Cloud to learn how to utilize:

  • The Observability plane of Calico to visualize traffic and help with tracing and troubleshooting:

    • Pod to pod traffic within the cluster
    • Egress traffic from cluster workloads to external IPs/FQDNs
    • Ingress traffic to cluster workloads from external IPs
    • The effect of the network policy chain on a workload once policies are applied, so you can understand how the path of a packet was decided and why it was Allowed or Denied
  • Calico Cloud offers 3 observability tools, Service Graph, FlowViz and Kibana, which we will look at in more detail in this workshop

  • The Network Security features of Calico to secure the workload traffic by utilizing:

    • Workload isolation by Kubernetes Namespaces
    • Global threatfeeds to deny traffic to and from malicious IPs external to the cluster
    • A Zero-trust/Default-deny network policy posture for cluster workloads, so that only explicitly required traffic is allowed and compliance standard control criteria (such as PCI or SOC2) are satisfied
    • Using Calico Policy tiers to segregate the network policy hierarchy, allowing different teams different levels of control over the cluster security posture according to their responsibility, and preventing misconfigurations
    • Using NetworkSets to establish scalable workload egress access controls, with FQDN/DNS policy to create an allow-list for specific 3rd-party services

Time Requirements

A timeslot of 4 hours has been allocated to complete this workshop, leaving room for questions and any debugging.

Workshop Environment Preparation

Warning

For this workshop, you are expected to have access to a previously created EKS cluster.

  • Please follow the instructions on the repository below if you don't have it ready:

    Calico Cloud on EKS - Workshop Environment Preparation

  • We will run this workshop from the AWS CloudShell, as described in that repository.

  • To start your cluster, scale the nodegroup up to 2 nodes using eksctl. First reload the environment variables that were created in your AWS CloudShell, then scale the nodegroup up.

  • Ensure the nodegroup name variable is written to the workshopvars.env file:

    # The second column of `eksctl get nodegroups` is the NODEGROUP name;
    # persist it alongside the other workshop variables.
    export NGNAME=$(eksctl get nodegroups --cluster "$CLUSTERNAME" --region "$REGION" | grep "$CLUSTERNAME" | awk '{print $2}') && \
    echo export NGNAME=$NGNAME >> ~/workshopvars.env
  • Then reload the variables and scale the nodegroup:

    source ~/workshopvars.env
    eksctl scale nodegroup $NGNAME \
    --cluster $CLUSTERNAME \
    --region $REGION \
    --nodes 2 \
    --nodes-max 2 \
    --nodes-min 2
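The grep/awk pipeline above silently produces a multi-line NGNAME (and a failing eksctl scale command) if the cluster has more than one nodegroup. The following is an added example, not part of the workshop repository: a small POSIX shell function that reads `eksctl get nodegroups` output from stdin, matches the cluster name exactly, and only prints a nodegroup name when exactly one is found. The sample outputs are constructed to mimic the table format of eksctl.

```shell
# Added example (not from the workshop repo). Reads `eksctl get nodegroups`
# output on stdin so it can be checked offline against constructed text.
# Prints the single nodegroup name for the cluster; errors out on no match
# or on an ambiguous (multi-nodegroup) match instead of emitting several lines.
select_nodegroup() {
  cluster="$1"
  # Skip the header row (NR > 1); keep rows whose CLUSTER column equals the
  # name exactly, and print the NODEGROUP column (the second one).
  names=$(awk -v c="$cluster" 'NR > 1 && $1 == c { print $2 }')
  count=$(printf '%s\n' "$names" | sed '/^$/d' | wc -l | tr -d ' ')
  case "$count" in
    0) echo "no nodegroup found for cluster $cluster" >&2; return 1 ;;
    1) printf '%s\n' "$names"; return 0 ;;
    *) echo "expected one nodegroup for $cluster, found $count:" >&2
       printf '%s\n' "$names" >&2; return 2 ;;
  esac
}

# Constructed sample: one nodegroup, the expected workshop situation.
SAMPLE_SINGLE='CLUSTER NODEGROUP STATUS CREATED MIN_SIZE MAX_SIZE DESIRED_CAPACITY INSTANCE_TYPE
workshop-cluster ng-workshop ACTIVE 2024-01-01T00:00:00Z 0 2 0 t3.medium'

# Constructed sample: two nodegroups, which the grep/awk one-liner would not detect.
SAMPLE_DOUBLE='CLUSTER NODEGROUP STATUS CREATED MIN_SIZE MAX_SIZE DESIRED_CAPACITY INSTANCE_TYPE
workshop-cluster ng-workshop ACTIVE 2024-01-01T00:00:00Z 0 2 0 t3.medium
workshop-cluster ng-extra ACTIVE 2024-01-02T00:00:00Z 0 2 0 t3.large'

# Live usage (assumes CLUSTERNAME and REGION come from ~/workshopvars.env):
#   NGNAME=$(eksctl get nodegroups --cluster "$CLUSTERNAME" --region "$REGION" \
#            | select_nodegroup "$CLUSTERNAME") || exit 1
```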

Modules

This workshop is organized in sequential modules. Each module builds on the previous one, so please follow the order proposed below.

Module 1 - Connect your EKS cluster to Calico Cloud
Module 2 - Observe traffic flows in Calico Cloud
Module 3 - Zero-Trust Workload Access Control with Namespace Isolation Recommendation
Module 4 - Workload Isolation with Microsegmentation
Module 5 - Ingress and Egress access control using NetworkSets
Module 6 - Enabling Encryption in Transit with WireGuard
Module 7 - Clean up


Useful links

Follow us on social media

Note: The examples and sample code provided in this workshop are intended to be consumed as instructional content. These will help you understand how Calico Cloud can be configured to build a functional solution. These examples are not intended for use in production environments.

About

Exploring core Calico Cloud use-cases in an EKS workshop