Network and security management comes to Kubernetes

Does the future of AppDynamics, Cisco’s application performance monitoring solution, run through Kubernetes? In any case, this is what the announcement of Calisti and Panoptica suggests. Developed within the supplier’s R&D cell, Emerging Tech & Incubation, these tools serve respectively to simplify the routing between containers and to detect their defects.

“At Cisco, we provide connectivity, security and observation at the infrastructure level. One of the projects of Emerging Tech & Incubation is to do the same, but at the application level and more precisely at the cloud-native application level,” said Guillaume de Saint Marc, the chief engineer leading this cell, during an interview granted to LeMagIT on the occasion of the Cisco Live event.

“Our goal is to establish Cisco in new areas. That of microservices applications on Kubernetes seems to give us enough diffused possibilities to bring something to the market,” he adds, specifying that Calisti and Panoptica are built on components that Cisco has released as open source under the supervision of the CNCF, the foundation responsible for Kubernetes-related projects.

Calisti, to regain control of the Service Mesh

Calisti is a graphical console that aims to become the control tower of the Service Mesh. In the Kubernetes world, a Service Mesh is the logical network between all the instances of all the services of an application.

Each instance (a container, or a pod of several complementary containers such as a LAMP stack) has a proxy on the physical or virtual machine it runs on, called a “sidecar”, which applies functions to the network traffic: authorization of inbound and outbound requests, traffic telemetry, and even on-the-fly encryption and decryption of data. At the center of this logical network, a control plane directs communication: it defines the access rules between services and distributes the load between the instances of the same service.

The control plane and the sidecars are typically the open source software Istio and Envoy. But unlike a data center infrastructure, where routers and gateways are installed and configured once with standard commands, the Istio and Envoy containers are supplied by the developers when they deploy their applications. In addition, they communicate with each other through APIs that the developers also program. Worse, the more an application’s load increases, the more instances Kubernetes creates, and the more complex the Service Mesh becomes.

“The problem with a Kubernetes application is that developers have to worry about connectivity and security for any service, including when they release a new version of a service. And sometimes even for each pod. It can quickly turn into hell and in this case you won’t even try to track the activity of a pod because you won’t even know where to look,” explains Guillaume de Saint Marc.

“Calisti wants to take complexity into account. This allows you to easily control who speaks to whom, how the pods are segmented, or even visualize telemetry information from an aerial perspective.”

Thus, in the demonstration that LeMagIT was able to attend, Calisti identified a connectivity problem on certain pods. It showed that, in this case, it was due to traffic congestion on the Ethernet links to which the physical machines running these pods were connected, a situation that is particularly difficult to identify from Kubernetes. With Calisti, it becomes trivial to prioritize flows to pods running on another machine that does not suffer the same drop in bandwidth.

Calisti also makes it possible to create some very complex configurations by hand. “You can assign connectivity percentages to containers. That is, for example, you could have the new version 2 of a service in production coexist with version 1 and assign it, say, 10% or 20% of the load distributions, just to test it in real-world situations, without too much risk of penalizing your application for a bug. And in the course of the success of your tests, you increase its share of support, until you completely decommission version 1,” explains our interlocutor.
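Since the article describes Calisti as a turnkey Istio and Envoy installation, the weighted split described above corresponds to what Istio itself expresses with a DestinationRule (which names the two versions as subsets by pod label) and a VirtualService (which assigns each subset a share of the traffic). The following manifest is an added illustration, not Calisti’s or Cisco’s own configuration; the service name `catalog`, the namespace `shop` and the `version` labels are constructed for the example, and the 80/20 split matches the “say, 10% or 20%” figure from the interview.

```yaml
# Constructed example: route 80% of in-mesh traffic for the "catalog" service
# to pods labelled version=v1 and 20% to pods labelled version=v2.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog
  namespace: shop
spec:
  host: catalog.shop.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1        # selects the current production pods
  - name: v2
    labels:
      version: v2        # selects the candidate release being tested
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog
  namespace: shop
spec:
  hosts:
  - catalog.shop.svc.cluster.local
  http:
  - route:
    - destination:
        host: catalog.shop.svc.cluster.local
        subset: v1
      weight: 80         # weights must sum to 100
    - destination:
        host: catalog.shop.svc.cluster.local
        subset: v2
      weight: 20
```

Raising the share of version 2 is then a matter of editing the two `weight` values (for example 50/50, then 0/100) and re-applying the VirtualService; the sidecars pick up the new routing from the control plane without the pods being restarted, which is the kind of manual change a console such as Calisti is meant to make visible and reversible.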

Panoptica, to make up for developers’ carelessness

Unlike Calisti, which is installed on premises, Panoptica is a SaaS application. Its goal is to test for all possible vulnerabilities in a Kubernetes cluster. It does not use an agent, but it does require the cluster’s administrator to assign it an administrator account to do its job.

Panoptica works in three phases. The first consists of querying the infrastructure’s configuration for ports that should not be left open, user accounts that should not exist, or risky routing rules. Rather than reinventing the wheel, the Emerging Tech & Incubation team decided to let the user plug in the vulnerability scanner of their choice: Kube-Bench, Kube-Hunter, KubeAudit, etc.

The second phase, the most important, consists of auditing the APIs against the OWASP Top Ten, the developer’s bible in the field of security by design. But not only that. “Panoptica mainly starts by identifying which APIs are being used. In this case, the software interrogates the Service Mesh control plane, because it sees them all pass by. And believe me, at this stage you are in for the biggest surprises,” says Guillaume de Saint Marc.

“You usually have three types of APIs. There are those that expose your application so that third-party services can communicate with them. In general, these are the only ones that have had safety work done. There are internal ones that developers use to send requests to their services. Below that, you’ll always come across tons of completely unprotected APIs, which everyone thought had been removed from the code, but in fact continue to work.”

“And then you have calls to external APIs. You can’t imagine how many calls to third-party SaaS services we find developers make without telling anyone, just because it makes it easier for them. The problem is, nobody checks that these aren’t online services sucking your data at the expense of the regulations the company is trying to follow!”
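The two failure modes described in the last two quotes, internal APIs that nobody thought were still reachable and outbound calls to SaaS services that nobody approved, are both things the Service Mesh can close off once they have been inventoried, because the same sidecars that let the control plane “see them all pass by” also enforce its policy. The manifest below is an added illustration of how that is expressed in Istio; it is not Panoptica’s or Cisco’s own configuration, and the namespace `shop`, the `catalog` and `frontend` workloads, the `/api/v1/` path and the hostname `api.payments.example.com` are constructed placeholders.

```yaml
# Constructed example: (1) lock down outbound traffic mesh-wide so a sidecar can
# only reach destinations registered with Istio, (2) register the one approved
# third-party endpoint, (3) require mTLS so caller identities are trustworthy,
# (4) default-deny in-mesh calls and (5) allow only the intended caller and paths.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY          # unregistered external hosts are blocked
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: approved-payments-api
  namespace: istio-system
spec:
  hosts:
  - api.payments.example.com       # placeholder: the one SaaS service that was reviewed
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: TLS
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT                   # plaintext pod-to-pod calls are refused
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}                           # empty spec = deny every request in the namespace
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: catalog
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]   # the frontend's service account
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/*"]       # the documented API surface; forgotten endpoints stay denied
```

With `REGISTRY_ONLY` in place, an undeclared call to a SaaS service fails in the sidecar and shows up in Envoy’s access log, which turns the “nobody checks” problem into a visible event; the empty `AuthorizationPolicy` does the same for the internal APIs everyone believed had been removed, since a route that is not explicitly allowed is denied rather than silently served.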

Cisco has already released the engines of the first two phases, KubeClarity and APIClarity, as open source. The third is still under development. It will consist of testing the vulnerabilities of the Serverless services used by an application (online functions billed on the amount of data they process, rather than on the compute time consumed by their VMs or containers).

“In fact, Serverless services are basically identical to third-party SaaS services: they are still calls to APIs, except that their good security practices are known and we can rely on a series of specifically customized tests,” said Guillaume de Saint Marc.

Towards an administration suite

Ultimately, Cisco wants to make Panoptica a complete security suite, whose open source version should be called OpenClarity. The difference between the open source and commercial versions is that the latter will have the full graphical environment. Likewise, Calisti can be considered a turnkey installation of Istio and Envoy, with a graphical console added.

“Our idea is to provide companies with complete tools that will help developers anticipate how their applications need to be elastic, allowing operations personnel to ensure that security solutions are compatible with the application,” said Guillaume de Saint Marc.

Calisti and Panoptica, which should hit the market by the end of the summer, both come with a “freemium” version, that is, free of charge up to a certain number of monitored entities.

Officially, they are not currently associated with any family of Cisco products. The provider is even muddying the waters by suggesting it could integrate them into Intersight, its private cloud management platform based on its UCS servers and Nexus routers. A rumor that is not necessarily meaningless, given that Cisco, like all infrastructure providers that have thrived on virtualization, is under pressure from the market to move its infrastructure into the Kubernetes era.

However, all of Cisco’s application optimization products to date have been sold under the AppDynamics brand name. LeMagIT was also able to establish that the Emerging Tech & Incubation cell reports to Liz Centoni, now General Manager of AppDynamics.
