{"id":38553,"date":"2018-11-08T22:40:06","date_gmt":"2018-11-08T19:40:06","guid":{"rendered":"https:\/\/www.altoros.com\/blog\/?p=38553"},"modified":"2018-11-09T21:21:54","modified_gmt":"2018-11-09T18:21:54","slug":"integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes","status":"publish","type":"post","link":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/","title":{"rendered":"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes"},"content":{"rendered":"<h3><span class=\"ez-toc-section\" id=\"Networks_without_trust\"><\/span>Networks without trust<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The concept of <a href=\"http:\/\/www.virtualstarmedia.com\/downloads\/Forrester_zero_trust_DNA.pdf\" rel=\"noopener\" target=\"_blank\">zero-trust networking<\/a> (ZTN) was introduced in 2010. At its core, the ZTN model means not allowing access to anyone unless they are authenticated and their request to a specific network resource has been authorized. ZTN builds on the following principles:<\/p>\n<ul>\n<li>Networks should always be assumed to be hostile.<\/li>\n<li>External and internal threats exist on the network at all times.<\/li>\n<li>Network locality is not sufficient for gaining trust.<\/li>\n<li>Every device, user, and workflow should be authenticated and authorized.<\/li>\n<li>Network policies must be dynamic and calculated from as many sources of data as possible.<\/li>\n<\/ul>\n<p>While ZTN can offer better security\u2014as all traffic needs to be verified\u2014it can also be a challenge to adopt. 
At a recent <a href=\"https:\/\/www.meetup.com\/Silicon-Valley-Cloud-Native-and-Kubernetes-Meetup\/events\/254991654\/\" rel=\"noopener\" target=\"_blank\">Kubernetes meetup<\/a> held in San Francisco, <a href=\"https:\/\/www.linkedin.com\/in\/andrewrandall\/\" rel=\"noopener\" target=\"_blank\">Andrew Randall<\/a> of Tigera illustrated how Istio and Calico can work together to secure zero-trust networking on Kubernetes.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Andrew-Randall-Tigera.jpg\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Andrew-Randall-Tigera-1024x576.jpg\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38544\" \/><\/a><small>Andrew Randall at the Kubernetes meetup<\/small><\/center><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_can_Calico_and_Istio_help\"><\/span>How can Calico and Istio help?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><a href=\"https:\/\/www.tigera.io\/project-calico\/\" rel=\"noopener\" target=\"_blank\">Calico<\/a> is an open-source project designed to remove the complexities surrounding traditional software-defined networks and to secure them through a simple policy language written in YAML. 
Calico is compatible with major cloud platforms, such as Kubernetes, OpenStack, Amazon Web Services, and Google Compute Engine.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-label-based-policy-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-label-based-policy-v2-1024x576.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38549\" \/><\/a><small>An exemplary policy using label-based expressions (<a href=\"https:\/\/www.slideshare.net\/secret\/G9oUyHoePVNXWQ\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<p>Calico&#8217;s implementation of the Kubernetes <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/network-policies\/\" rel=\"noopener\" target=\"_blank\">Network Policy API<\/a> enables granular selection and grouping. Policies are configured based on Kubernetes <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/overview\/working-with-objects\/labels\/\" rel=\"noopener\" target=\"_blank\">labels<\/a>.<\/p>\n<blockquote><p><em>&#8220;If you&#8217;re trying to establish trust, just the fact that someone else is on the same network as you is not sufficient to say you trust them.&#8221; \u2014Andrew Randall, Tigera<\/em><\/p><\/blockquote>\n<p>These policies allow users to restrict access to specific services and separate development from production workloads. 
Policies are also dynamically updated through a distributed algorithm that determines what rules are required on each node in a cluster.<\/p>\n<blockquote><p><em>&#8220;Calico&#8217;s network policy API allows you to define at a granular level\u2014based on fundamental Kubernetes concepts like labels\u2014how you&#8217;re going to allow connections between workloads in your cluster.&#8221; \u2014Andrew Randall, Tigera<\/em><\/p><\/blockquote>\n<p>On the other hand, <a href=\"https:\/\/istio.io\/\" rel=\"noopener\" target=\"_blank\">Istio<\/a>, another open-source project, builds on the concept of a service mesh by installing an Envoy sidecar proxy as close as possible to an application. This enables management of both the proxy and the application. Recently, we&#8217;ve <a href=\"https:\/\/www.altoros.com\/blog\/using-istio-to-unify-microservices-with-a-service-mesh-on-kubernetes\/\">written<\/a> about using Istio and a service mesh to achieve uniformity across microservices deployed to Kubernetes.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-service-mesh-mtls-sample-application.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-service-mesh-mtls-sample-application-1024x576.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38556\" \/><\/a><small>Example application of Istio (<a href=\"https:\/\/www.slideshare.net\/secret\/G9oUyHoePVNXWQ\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<p>In the context of security, Istio provides authentication and encryption through mutual TLS\u2014where both client and server 
use certificates to verify identity\u2014and cryptographic certificates issued to each <code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">serviceAccount<\/code>. More importantly, Istio ensures that security is implemented in a consistent way across an application.<\/p>\n<blockquote><p><em>&#8220;Rather than implementing mutual TLS in the application, with Istio you drop in a sidecar into every pod and that takes care of encrypting the connections using mutual TLS.&#8221; \u2014Andrew Randall, Tigera<\/em><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Integrating_Calico_and_Istio\"><\/span>Integrating Calico and Istio<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>On August 18, 2018, <a href=\"https:\/\/www.tigera.io\/blog\/announcing-calico-v3-2\" rel=\"noopener\" target=\"_blank\">Calico v3.2<\/a> was released. This combined Calico&#8217;s application layer policy with Istio to enable authentication and authorization of network traffic using varying parameters.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-architecture.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-architecture-1024x576.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38564\" \/><\/a><small>A sample architecture of Istio and Calico (<a href=\"https:\/\/www.slideshare.net\/secret\/G9oUyHoePVNXWQ\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<blockquote><p><em>&#8220;We take the network policy and apply that to the Istio proxy layer, as well. There&#8217;s an authorization API within Envoy, and it allows us to read the policies right there in the proxy as it&#8217;s managing the traffic going through. 
The key value here for the user is there isn&#8217;t a separate place they have to go to find Istio connectivity rules from the network policy connectivity rules.&#8221; \u2014Andrew Randall, Tigera<\/em><\/p><\/blockquote>\n<p>By integrating both Calico and Istio, the network policy language can be extended to include <code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">serviceAccounts<\/code>. This way, validation is done through both network identity and cryptographic certificate.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-tls-policy-service-account-names.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-tls-policy-service-account-names-1024x576.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38566\" \/><\/a><small>Network policy for <code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">serviceAccounts<\/code> (<a href=\"https:\/\/www.slideshare.net\/secret\/G9oUyHoePVNXWQ\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<blockquote><p><em>&#8220;I&#8217;m validating on both the network identity and the identity based on this certificate. Another endpoint can exfiltrate that certificate and try to connect, but if it doesn&#8217;t have the same network identity, it&#8217;s not going to get through. 
Equally, another endpoint can spoof the IP address of a valid client, but if it doesn&#8217;t have a certificate, it&#8217;s not going through.&#8221;<br \/>\n\u2014Andrew Randall, Tigera<\/em><\/p><\/blockquote>\n<p>Kubernetes labels can also be used in the network policy language.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-tls-policy-service-account-labels.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-tls-policy-service-account-labels-1024x576.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38567\" \/><\/a><small>A sample network policy for service account labels (<a href=\"https:\/\/www.slideshare.net\/secret\/G9oUyHoePVNXWQ\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<p>The network policy can also be configured to include a combination of attributes. For very strict policy controls, even connection methods can be defined.<\/p>\n<blockquote><p><em>&#8220;You&#8217;ve got super fine-grained rules, which are all about locking down connectivity to just what should be allowed.&#8221; \u2014Andrew Randall, Tigera<\/em><\/p><\/blockquote>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Andrew-Randall-Tigera-v2.jpg\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Andrew-Randall-Tigera-v2-1024x576.jpg\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38578\" \/><\/a><small>Andrew Randall talking about ZTN<\/small><\/center><\/p>\n<p><a href=\"https:\/\/projectcalico.docs.tigera.io\/releases\/\" rel=\"noopener\" target=\"_blank\">Calico v3.3<\/a> was released on October 22, 2018. 
The project\u2019s progress can be tracked in <a href=\"https:\/\/github.com\/projectcalico\" rel=\"noopener\" target=\"_blank\">its GitHub repo<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Tigeras_enterprise_solution\"><\/span>Tigera&#8217;s enterprise solution<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>At the end of the presentation, Andrew showed a snippet of the <a href=\"https:\/\/www.tigera.io\/tigera-products\/compare-products\/\" rel=\"noopener\" target=\"_blank\">Tigera Secure Enterprise Edition<\/a>\u2014a platform that uses Calico and Istio under the hood to enable a ZTN model for enterprises. The solution removes the need to manually code network policies by using GUIs and other visual aids for traffic and security management.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-Secure-Enterprise-Edition.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-Secure-Enterprise-Edition-1024x633.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38597\" \/><\/a><small>Policies in the Tigera Secure Enterprise Edition dashboard (<a href=\"https:\/\/www.tigera.io\/tigera-products\/compare-products\/\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<p>The Tigera Secure Enterprise Edition also provides visibility and traceability by logging all network traffic between microservices and applications. 
Furthermore, it can be configured to automatically quarantine workloads that are behaving irregularly and to send alerts for inspection.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-Secure-Enterprise-Edition-overall-stats.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-Secure-Enterprise-Edition-overall-stats-1024x586.png\" alt=\"\" width=\"640\" class=\"aligncenter size-large wp-image-38598\" \/><\/a><small>Tigera Secure Enterprise Edition tracks overall network statistics (<a href=\"https:\/\/www.tigera.io\/tigera-products\/compare-products\/\" rel=\"noopener\" target=\"_blank\">Image credit<\/a>)<\/small><\/center><\/p>\n<p>Organizations with strict compliance and regulatory requirements can benefit from Tigera&#8217;s audit logs. These contain a detailed history of security controls and also include changes to security policies.<\/p>\n<p>As can be seen, though Istio and Calico each secure a different layer of the network, combining the two technologies can be handy for Kubernetes deployments.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Want_details_Watch_the_video\"><\/span>Want details? Watch the video!<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td>\n<div style=\"float: right; width: 45%; padding-left: 15px; font-size: 14px;\">\n<p><strong>Table of contents<\/strong><\/p>\n<ol>\n<li style=\"margin-bottom: 12px;\">What is zero-trust networking? (<a href=\"#wistia_ajx68vd6m1?time=120\">2&#8217;00&#8221;<\/a>)<\/li>\n<li style=\"margin-bottom: 12px;\">How does Calico help to achieve zero-trust security? (<a href=\"#wistia_ajx68vd6m1?time=290\">4&#8217;50&#8221;<\/a>)<\/li>\n<li style=\"margin-bottom: 12px;\">How does Istio comply with the ZTN model? 
(<a href=\"#wistia_ajx68vd6m1?time=478\">7&#8217;58&#8221;<\/a>)<\/li>\n<li style=\"margin-bottom: 12px;\">What new features are available in Calico v3.2? (<a href=\"#wistia_ajx68vd6m1?time=780\">13&#8217;00&#8221;<\/a>)<\/li>\n<li style=\"margin-bottom: 12px;\">How does Tigera Secure Enterprise Edition incorporate the combination of Calico and Istio? (<a href=\"#wistia_ajx68vd6m1?time=1015\">16&#8217;55&#8221;<\/a>)<\/li>\n<li style=\"margin-bottom: 12px;\">Questions and answers (<a href=\"#wistia_ajx68vd6m1?time=1262\">21&#8217;02&#8221;<\/a>)<\/li>\n<\/ol>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><small>These are the slides by Andrew.<\/small><\/p>\n<p><center><iframe loading=\"lazy\" src=\"https:\/\/www.slideshare.net\/slideshow\/embed_code\/key\/G9oUyHoePVNXWQ\" width=\"595\" height=\"485\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" style=\"border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;\" allowfullscreen> <\/iframe><\/center><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Related_video\"><\/span>Related video<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><small>At the meetup, <a href=\"https:\/\/www.linkedin.com\/in\/morellato\/\" rel=\"noopener\" target=\"_blank\">Simone Morellato<\/a> of VMware delivered a demo of the company&#8217;s container solutions for Kubernetes.<\/small><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Further_reading\"><\/span>Further reading<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/using-istio-to-unify-microservices-with-a-service-mesh-on-kubernetes\/\">Using Istio to Unify Microservices with a Service Mesh on Kubernetes<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/improving-security-for-kubernetes-deployments-at-scale\/\">Improving Security for Kubernetes Deployments at Scale<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-advisory-board-meeting-aug-2018-istio-and-eirini\/\">Cloud Foundry Advisory Board Meeting, Aug 2018: Istio and Eirini<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"About_the_expert\"><\/span>About the expert<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div>\n<div style=\"float: right;\"><a href=\"https:\/\/www.linkedin.com\/in\/andrewrandall\/\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Andrew-Randall-tigera-bio.png\" alt=\"\" width=\"120\" class=\"aligncenter size-full wp-image-38575\" \/><\/a><\/div>\n<div style=\"width: 600px;\"><small><a href=\"https:\/\/www.linkedin.com\/in\/andrewrandall\/\" rel=\"noopener\" target=\"_blank\">Andrew Randall<\/a> is Co-founder and VP of Business Development at Tigera. 
He drives relationships with the company&#8217;s ecosystem partners, including the major public cloud providers and Kubernetes vendors, by ensuring they maintain a leadership position in the community, deliver integrated solutions, partner effectively in the field to drive joint deals, and collaborate effectively to provide joined-up support to joint customers. Andrew is passionate about technology and believes successful businesses deliver solutions and services that delight customers, the open-source community, and ecosystem partners. <\/small><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Networks without trust<\/p>\n<p>The concept of zero-trust networking (ZTN) was introduced in 2010. At the core, the ZTN model means not allowing access to anyone unless they are authenticated and their request to a specific network resource has been authorized. ZTN builds on the following principles:<\/p>\n<p>Networks should always be assumed to [&#8230;]<\/p>\n","protected":false},"author":32,"featured_media":38600,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[7],"tags":[873,912],"class_list":["post-38553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-opinion","tag-cloud-native","tag-kubernetes"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes | Altoros<\/title>\n<meta name=\"description\" content=\"While Calico removes network complexities and provides simple policy language, Istio ensures consistence and encrypts connections with mutual TLS.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link 
rel=\"canonical\" href=\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes | Altoros\" \/>\n<meta property=\"og:description\" content=\"Networks without trust The concept of zero-trust networking (ZTN) was introduced in 2010. At the core, the ZTN model means not allowing access to anyone unless they are authenticated and their request to a specific network resource has been authorized. ZTN builds on the following principles: Networks should always be assumed to [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/\" \/>\n<meta property=\"og:site_name\" content=\"Altoros\" \/>\n<meta property=\"article:published_time\" content=\"2018-11-08T19:40:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-11-09T18:21:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"360\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/gif\" \/>\n<meta name=\"author\" content=\"Carlo Gutierrez\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Carlo Gutierrez\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/\",\"name\":\"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes | Altoros\",\"isPartOf\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif\",\"datePublished\":\"2018-11-08T19:40:06+00:00\",\"dateModified\":\"2018-11-09T18:21:54+00:00\",\"author\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/833e109f77de753b2b472dca0236b442\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#primaryimage\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif\",\"contentUrl\":\"https:\/\/www.altoros.com\/blog\/wp-conte
nt\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif\",\"width\":640,\"height\":360},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.altoros.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\",\"url\":\"https:\/\/www.altoros.com\/blog\/\",\"name\":\"Altoros\",\"description\":\"Insight\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.altoros.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/833e109f77de753b2b472dca0236b442\",\"name\":\"Carlo Gutierrez\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2021\/02\/CG_portrait-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2021\/02\/CG_portrait-2-96x96.jpg\",\"caption\":\"Carlo Gutierrez\"},\"description\":\"Carlo Gutierrez is a Technical Writer at Altoros. As part of the editorial team, his focus has been on emerging technologies such as Cloud Foundry, Kubernetes, blockchain, and the Internet of Things. Prior to Altoros, he primarily wrote about enterprise and consumer technology. Carlo has over 12 years of experience in the publishing industry. 
Previously, he served as an Editor for PC World Philippines and Questex Asia, as well as a Designer for Tropa Entertainment.\",\"url\":\"https:\/\/www.altoros.com\/blog\/author\/carlo\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes | Altoros","description":"While Calico removes network complexities and provides simple policy language, Istio ensures consistence and encrypts connections with mutual TLS.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/","og_locale":"en_US","og_type":"article","og_title":"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes | Altoros","og_description":"Networks without trust The concept of zero-trust networking (ZTN) was introduced in 2010. At the core, the ZTN model means not allowing access to anyone unless they are authenticated and their request to a specific network resource has been authorized. ZTN builds on the following principles: Networks should always be assumed to [...]","og_url":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/","og_site_name":"Altoros","article_published_time":"2018-11-08T19:40:06+00:00","article_modified_time":"2018-11-09T18:21:54+00:00","og_image":[{"width":640,"height":360,"url":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif","type":"image\/gif"}],"author":"Carlo Gutierrez","twitter_misc":{"Written by":"Carlo Gutierrez","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/","url":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/","name":"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes | Altoros","isPartOf":{"@id":"https:\/\/www.altoros.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#primaryimage"},"image":{"@id":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#primaryimage"},"thumbnailUrl":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif","datePublished":"2018-11-08T19:40:06+00:00","dateModified":"2018-11-09T18:21:54+00:00","author":{"@id":"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/833e109f77de753b2b472dca0236b442"},"breadcrumb":{"@id":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-secure-zero-trust-networks-on-kubernetes\/#primaryimage","url":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif","contentUrl":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/11\/Kubernetes-Zero-Trust-Security-Istio-Calico-Tigera-v2.gif","width":640,"height":360},{"@type":"BreadcrumbList","@id":"https:\/\/www.altoros.com\/blog\/integrating-calico-and-istio-to-
secure-zero-trust-networks-on-kubernetes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.altoros.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Integrating Calico and Istio to Secure Zero-Trust Networks on Kubernetes"}]},{"@type":"WebSite","@id":"https:\/\/www.altoros.com\/blog\/#website","url":"https:\/\/www.altoros.com\/blog\/","name":"Altoros","description":"Insight","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.altoros.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/833e109f77de753b2b472dca0236b442","name":"Carlo Gutierrez","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2021\/02\/CG_portrait-2-96x96.jpg","contentUrl":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2021\/02\/CG_portrait-2-96x96.jpg","caption":"Carlo Gutierrez"},"description":"Carlo Gutierrez is a Technical Writer at Altoros. As part of the editorial team, his focus has been on emerging technologies such as Cloud Foundry, Kubernetes, blockchain, and the Internet of Things. Prior to Altoros, he primarily wrote about enterprise and consumer technology. Carlo has over 12 years of experience in the publishing industry. 
Previously, he served as an Editor for PC World Philippines and Questex Asia, as well as a Designer for Tropa Entertainment.","url":"https:\/\/www.altoros.com\/blog\/author\/carlo\/"}]}},"_links":{"self":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/38553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/comments?post=38553"}],"version-history":[{"count":55,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/38553\/revisions"}],"predecessor-version":[{"id":38635,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/38553\/revisions\/38635"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/media\/38600"}],"wp:attachment":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/media?parent=38553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/categories?post=38553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/tags?post=38553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}