Container use continues to grow, and Kubernetes is the most widely adopted container orchestration system, managing nearly half of all container deployments. Nearly every enterprise on the planet is at some stage in their Kubernetes journey. Kubernetes’ greatest value in the enterprise is achieved when it becomes an integrated component within the existing IT environment. Successful integration of Kubernetes and container services within the enterprise depends heavily on access to external resources such as databases, cloud services, third-party application programming interfaces (APIs), and other applications. All this egress activity must be controlled for security and compliance reasons.
The Challenge: Kubernetes Requires a Different Approach to Access Control
Traditional IP-based access control doesn’t work in Kubernetes, where workloads are ephemeral, typically stateless, and use short-lived IP addresses. Kubernetes workloads make heavy use of the network and generate a lot of east/west traffic. Firewalls lack the context required to understand Kubernetes traffic (namespace, pod, labels, container ID, etc.). If you deploy a conventional firewall within your Kubernetes architecture, you lose all visibility into this traffic, which makes it impossible to troubleshoot networking issues, perform forensic analysis, or report on security controls for compliance.
While the Tigera Calico Enterprise security management interface provides customized control within the Kubernetes environment, using Calico Enterprise security in isolation from existing enterprise network security leaves organizations with disparate policy-enforcement approaches that introduce unwanted complexity. Maintaining two separate network security systems also hinders visibility into routing and connectivity within and between Kubernetes clusters. This complicates the process of troubleshooting issues that span Kubernetes and external environments.
Visibility into Kubernetes Infrastructure is Essential
Lack of visibility also has compliance implications. Like any other on-premises or cloud-based networked service, Kubernetes production containers must satisfy both organizational and regulatory security requirements. If compliance teams can’t trace the history of incidents across the entire infrastructure, they can’t adequately satisfy their audit requirements.
To enable the successful transition of Kubernetes pilot projects to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. In response, Fortinet and Tigera jointly developed a suite of Calico Enterprise solutions for the Fortinet Security Fabric that deliver both north-south and east-west visibility, as well as compliance enablement and advanced threat-intelligence capabilities for Kubernetes clusters. Fortinet customers can extend their network security architecture to their Kubernetes environments to protect their Kubernetes-based infrastructure.
The Tigera and Fortinet joint solution supports all cloud-based and on-premises Kubernetes environments. With this architecture, Calico Enterprise will map security policies from FortiManager into each Kubernetes cluster in the cloud or on-premises. The joint solution enables Fortinet customers to enforce network security policies for traffic into and out of the Kubernetes cluster (North/South traffic) as well as traffic between pods within the cluster (East/West traffic).
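The kind of context-aware rule the text contrasts with IP-based firewalling, written as a standard Kubernetes NetworkPolicy (networking.k8s.io/v1). This is an added illustration, not output of the FortiManager/Calico Enterprise controller; the namespace, labels, CIDR and ports are constructed, and the kube-dns pod label is assumed to match the cluster's resolver.

```yaml
# Added example: label- and namespace-scoped egress control for one workload.
# Selecting pods by label means the rule survives pod IP churn; only the
# destination outside the cluster still has to be expressed as an address range.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-egress
  namespace: payments            # constructed; the rule is scoped to a namespace, not a subnet
spec:
  podSelector:
    matchLabels:
      app: payments-api          # constructed label; selects pods regardless of their IPs
  policyTypes:
    - Egress                     # listing Egress makes all egress not matched below denied
  egress:
    # East/west: only the in-cluster cache pods tagged tier=cache, on their service port
    - to:
        - podSelector:
            matchLabels:
              tier: cache
      ports:
        - protocol: TCP
          port: 6379
    # North/south: the external database sits outside the cluster, so an
    # ipBlock is the only available handle (constructed RFC 1918 range)
    - to:
        - ipBlock:
            cidr: 10.50.0.0/24
      ports:
        - protocol: TCP
          port: 5432
    # DNS to the cluster resolver; without this, name lookups fail and the pod
    # reaches neither destination. kube-dns label is an assumption about the cluster.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Whether any of these rules is enforced depends on the CNI plugin (Calico enforces NetworkPolicy; some CNIs silently ignore it), so a policy should be verified with a connection test from a selected pod rather than assumed from its presence.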
Learn more in the Fortinet and Tigera webinar on June 17: Extending Your FortiGate Next-Gen Firewall to Kubernetes.
Key Fortinet and Tigera Integrations
Fortinet and Tigera have jointly developed four integrations that help ensure consistent visibility, control, security, and compliance:
- FortiManager Calico Kubernetes Controller enables Kubernetes cluster management from the FortiManager centralized management platform in the Fabric Management Center. This Fabric Controller translates FortiManager policies into granular Kubernetes network policies and pushes them out to the individual clusters in all Kubernetes environments. The Kubernetes environment becomes an integral part of the Fortinet Security Fabric and can be seen and controlled from the FortiManager console.