To present this topic today, let's look at the agenda. We'll start with application level security: what the application layer is, what layer 7 is, and a little bit of information about Istio and service mesh. Like Raj pointed out, what's the deal with service mesh and sidecars and all that with containers, and do you really need a service mesh to help with security and observability for containers?

There is a demo at the end, but it's not going to be the full-fledged demo with everything that is spoken about, because it might take a very long time, and I'm probably not the right person to do it. Currently I'm not hands-on with technical stuff, but I'll try to do my best at it, showing how Calico can be installed and what the nuts and bolts of the solution are.
So we'll start with application level security and get to the basics of what the application layer is, the OSI model and so on. But before that, since we are dealing with containers and Kubernetes today, I just want to give a very brief introduction to containers. I'm not sure how many people are familiar with it, but let's just look at a very high level at what containers are. I'm sure that most of you are familiar with VMs, virtual machines, and so on.

But what's the deal with containers? People talk about Docker, containers, Kubernetes. So what do these things mean?

So when you look at the simple architecture of a virtual machine, you see that it has the infrastructure, the physical components, the hypervisor, the ESXi servers and so on. It has a host operating system, and on top of that runs the hypervisor to enable virtualization, and you have different VMs.
So if you look at the red pillars, app one, app two and app three: imagine app one with the binaries and the libraries and the guest OS. That forms the typical virtual machine. So you have three shown here. It's a very high level logical diagram, but that's what VMs are. They share the host operating system and the hypervisor piece, but there is a guest OS on every machine, so it actually requires a lot of resources.

When you look at the virtual machine itself and how each VM has to run a guest OS, and then quickly look at the right side of the diagram where you see containers, you notice there is a small difference: the containers don't have any guest operating system. So that makes them much more efficient in terms of resources. To put it in a very simple definition:

Imagine containers to be lightweight forms of virtual machines, where they just share the OS kernel with other containers but don't have any kind of guest operating system of their own. Of course they do come with all the binaries and libraries that are needed for running a container, and that's basically it. They also run as isolated processes in the user space on the host operating system, and there is also another logo right in front of the container logical diagram here.
If you're familiar with that, then you'll probably be interested in the slides that are going to come up. So that's basically Kubernetes. Docker started the whole process of orchestrating containers using Docker Swarm, and before that it was up to the end user to use any type of inbuilt or in-house solution for orchestrating containers, because of the way containers are built. It's a very complex system.

There have to be hundreds and thousands of containers running for an application, and it was very hard to manage these containers. So Docker came up with a solution; initially they came up with the solution to prepare containers for runtime and so on. But just the orchestration part was kind of difficult, and then back around 2014, Google already had their own version of Kubernetes running in their data center.

It wasn't out in the open yet; they were just using it as an in-house project, and then, looking at how useful it was, they launched it in the open and it became an open source project, and they donated it to the CNCF, which is the Cloud Native Computing Foundation. People started using Kubernetes and right now it's probably the most adopted container orchestration tool there is. So I mean, even though Kubernetes is open source,
what people did was, companies like Red Hat, AWS and Azure, these folks took Kubernetes and put some kind of a wrapper around it. Even if you've not heard of Rancher, they're another managed Kubernetes service, I'm sorry, self-managed Kubernetes service, which is more like private cloud, and what they did was make it easier for people to use Kubernetes. Kubernetes made it easy to maintain containers and secure and control the container behavior.

But then all these services like Rancher and OpenShift, they made it easy for people to use Kubernetes. All right, so let's look at application layer security and observability. So by default Kubernetes doesn't offer any type of security for the application. I mean, there is definitely some kind of security that is part of the Kubernetes platform itself, with respect to all the control plane components of Kubernetes. But when you are building an application, it doesn't know anything about the workloads or the containers running within your application.

Yeah, so for this talk we'll just focus on how application layer security and observability matters for Kubernetes and containers. There's a lot of stuff to talk about, but why we focus on the application layer is because any type of service that's running in microservices is actually handled on this layer, and there is no default
method or component of Kubernetes that can handle this. So, some of you might not be familiar with the OSI model. This is like the basics of networking; going back to what the OSI model is, if you're interested you could do a Google search and read more about this, but the OSI model basically talks about the different

seven layers of networking. If you're curious what happens when you type in a domain address on your browser, you could actually go through each and every layer on this model and explain to someone how the internet works. Basically, that's the concept of the OSI model, and what you see on the topmost layer is the application layer, and this is the layer where, I'm sure everyone here knows about HTTP, and that's the protocol that's part of layer 7,

and that's what we are interested in. When we say application layer or application level, we are talking about layer 7 and HTTP in this case, because in microservices that's the most common type of communication that happens within our services. I mean, there could also be a situation where these services use HTTPS, which is secure, but most likely it's still HTTP, and these services, what they actually do

is they invoke a web API request, and it's based on the HTTP protocol, and like I said, the problem is, when you look at the service level communication, it's all about monitoring and understanding what's going on between these different services within your application. And I mean folks, if you're interested in knowing more about microservices and containers and all these, it's not an abstract concept anymore.
People are already using it in production. Most websites, most apps these days, think about a banking app, a financial app, think about your insurance application. All these are probably running containers and probably managed by Kubernetes. I don't want to give a very specific example, because you might not know these businesses, but just think about Visa, the credit card service. They're probably running Kubernetes and they've been using microservices for a long time.

So what, oh sorry, so what kind of observability challenges does Kubernetes pose? One is data collection and correlation. The problem with microservices is you have a huge amount of data compared to a monolith application. If you look at a containerized application, just the amount of log data is humongous, and the other problem with a large amount of data is also correlation.

So how do you understand which flow log belongs to which node, which HTTP response code corresponds to which container? Because these containers are running in the hundreds and thousands and they also restart; I'll get to that later. But the whole thing about Kubernetes
is that it's designed in a way that if something goes wrong with your container, or let's say pod, so pod is actually, I'm bringing in too many terminologies, but stay with me, and if you have any questions, please post them in the Q&A. I'll pause my recording and look at it, sorry, pause my presentation and look at the questions. So a pod is actually a Kubernetes component which is the smallest unit, I would say the smallest unit within a Kubernetes

environment, and typically a pod will have one or two containers, or a couple of containers running within a pod, and you can use pods or workloads interchangeably; it all means the same. And correlation between all these data is really difficult, and also aggregation of these data. I mean you cannot just randomly present the user with a ton of alerts and then ask them to go figure it out.

So that is a challenge, and also, when I said Kubernetes context: Kubernetes adds a layer of abstraction on top of the host or the VMs. So while collecting and aggregating data from individual containers, the data needs to be coordinated and aggregated at different levels of abstraction.
There's one more challenge: how do you map Kubernetes policies to traffic flow in real time? Because when you look at security, it has gone to a point where the operations team are looking at a ton of alerts; probably a big enterprise like Visa is looking at almost 10,000 alerts per day or even per hour. So you need a mechanism to map these policies that they put in place to traffic flow, and by default you don't get that with Kubernetes.

I mean, when you look at the teams involved with handling Kubernetes and containers, the challenge really is actually looking at service to service visibility. So one is, it's a distributed architecture, and Kubernetes can run applications across multiple nodes, and it's very difficult to monitor and track them.

You also need a granular level of visibility, and you cannot just say that a packet is going from this node to that node without any context of the timestamp or the other details of the particular flow. You need a much more granular level of context within the Kubernetes workflows itself, and of course, I said it's a dynamic environment. When I say dynamic, imagine a pod is involved in the application, it's sending out traffic,

something goes wrong and then the pod is restarting. You need to have the historical log data from a pod that has been restarted and also the new pod. So all this, combined with the other things that I've been talking about, makes it really difficult for a user to understand
what's going on. And also, I mean, when I said Kubernetes by default does not have any features: just using the native form of Kubernetes will not give you any built-in tools for monitoring or troubleshooting. You won't have packet capture, you will not have any dashboards, you're just presented with a blank screen with a couple of kubectl commands at your disposal, and it's up to the user to find their own method of troubleshooting all these problems.

There are some built-in metrics and logs, but I mean for a real world scenario I don't think those are useful.

I'll quickly pause here: if you have any questions so far, please feel free. I'm not an expert in this field, so if I'm not able to answer any of the questions, I'll definitely take it to my team and come back with answers if it's really something that you're interested in, but feel free to ask questions.
So you looked at the challenges; we will look at the solution, but then what prompted people to come up with solutions? What do you actually need for solving these problems with security and observability? So one, you would need flow logs, basic. You have to have information about layer 7 traffic, which could be any type of layer 7 data.

It can be the start time and end time of the packet and flow, it could be the number of bytes in and bytes out, and when we talk about Kubernetes and containers, it's also important to know the source and destination namespace of a particular flow. And I've just introduced another term for you, which is namespace. So namespace is a Kubernetes specific term that they use, and think of a namespace as a logical group of resources that perform some kind of work within an application.

So just imagine an online retail store, like Amazon or something, and they have a checkout service, they have a product catalog service. So imagine the product catalog and checkout as namespaces. Also, what the typical suggestion with Kubernetes is: if you're starting out with just a couple of users, don't use more than one namespace, start with the default.
Based on the complexity and scale of your application, you can start creating namespaces. I mean, namespaces typically are used when you have multiple users managing the application, developing the application. So that's the fundamental reason for the concept of namespaces. So the second thing that you need for security and observability is policies. Without policies, without some kind of security policy, you cannot block or allow or deny or drop packets at layer 7. So you need some kind of policies, and Kubernetes policies

offer fine-grained access control. And when you look at security itself, you have to have protection against the application layer threats. I'm sure I introduced the concept of HTTP and all that, but if you've heard of things like SQL injection or cross-site scripting and cookie poisoning, all these happen at the application layer, and someone who has even no other tools

at their disposal, but just has access to your internet facing application, just your web page, they can probably create things and kind of infiltrate your applications with all these things that I spoke about, the SQL injection and cross-site scripting and so on. Just a couple of forms or some kind of a page where you have, let's say, a username and password field.
If your application developer is not being careful enough to look at all the security and threat modeling while creating the applications, for sure you're going to get breached. So you need something at the application layer. These happen at layer 7, and you need some kind of protection against these attacks, and OWASP Top 10 is actually, OWASP is a non-profit community which actually has a list of the

top 10 threats when looking at the application layer, and I would encourage you to go to that website and understand what these threats mean. They keep refreshing their top 10 every year. I think I have a couple of questions. Let me look at them.

I don't want to bore everyone with just talking non-stop, so I think I'll just take a break and look at the questions. So one person is asking: to what extent is AI implemented to provide a solution for proactive issues? I'm sure this is coming from all the news about ChatGPT and all the machine learning and AI that's happening right now. So a lot of security solutions are actually doing machine learning. I don't know if AI can be relevant here.

It's probably a long way to go in that aspect. So there are a lot of solutions which use machine learning. It's not something that hasn't started yet, but AI, I'm not sure about that. I don't think we are at a stage where there is any concept of AI with security and observability, or even anything to do with containers, any type of enterprise applications.
One more question or comment is: application to application communication is mostly API, HTTPS driven; can't these be monitored? I mean, when you just talk about, I mentioned this thing about monolith. So monolith is again, I'm just assuming that some folks in the meeting are not familiar with it, so monolith is the traditional way of building applications. It's the exact opposite of containerization, and in a monolith application, I think doing monitoring for HTTP communication is probably easy, or I can say it has been figured out.

You have solutions to do that, but my point was specifically about containers and Kubernetes. The problem is not because you can't build a solution or people don't know how HTTP works within containers and Kubernetes. It's just getting all the information, putting it in a system where it's going to give you a clean output and context based output of what you exactly have to look at, and that's the reason why it's not easy.

If my application is protected behind a WAF, do I need to take any additional measures? So yeah, that's an excellent question. I'm glad you asked about that. I was just talking about application layer threats and OWASP Top 10, so WAF is web application firewall, and you can actually protect your application with a WAF, but
the whole landscape of containers and Kubernetes is so different, and people are still understanding the service to service communications, that I'll just provide some answers with respect to WAFs. So typically, when you deploy a WAF, a web application firewall, you put it at the perimeter.

So imagine you're developing a cloud native application and you're putting this WAF at the perimeter, and when I say perimeter, I have to give you some context about what perimeter is with respect to Kubernetes, so I'm just going to quickly, I think I can show you a visual representation of what a Kubernetes cluster means.

So if you go to the Kubernetes web page, it has something called Kubernetes components. This is a very good starting point to understand what Kubernetes is all about. So you see this whole gray box. That's a Kubernetes cluster, so the things that I spoke about, pods and nodes, all these are
within the cluster, and to set context for a cluster, let's say you're building a new application. Let's say you're building the next Instagram. I would say for a company like that, you would probably need just one cluster to start with, and based on scale

you might want to add one more cluster. So cluster is actually a very high level concept in Kubernetes; everything within a cluster is part of the microservice architecture. So where was I? I was talking about web application firewall and perimeter. So when you think of a WAF, a traditional WAF, let's say Imperva or any other WAF, you're putting it at the perimeter where it has information about traffic leaving the cluster and entering the cluster. But what happens within the cluster, that is, communication between microservices?

It is oblivious to it. It has no idea what is going on, and if you're familiar with how threats propagate within an application, if you've heard of lateral movement, your WAF is not going to catch that.

So let's say a malicious actor has entered your application and they're doing some kind of activity where there is a part of it at the application layer, and they're sending a packet with an HTTP header that is not meant to be part of the application. That is when a web application firewall that is built just for containers and Kubernetes will help, and that is why you cannot use a regular WAF. Of course, it's a good question.
How do you manage customer data protection while implementing flow logs in multi-tenant loads? So, oh, another good question. I'll probably cover that in the next few slides, with Calico's implementation. Also, Calico is the solution that I'm going to talk about today. That's the solution that we offer from Tigera.

It's an open source solution which started as a networking and security solution, and we built multiple things on top of that. But with Calico, when you're talking about application layer things, one way, what we've done is we've used an efficient model of implementing Envoy as a DaemonSet. I know I'm getting ahead of my topic, but you can actually encrypt traffic at layer 7 using Envoy.

So that's what I was going to talk about. So there is an open source project called WireGuard, and we've integrated WireGuard in Calico, and it's actually much easier than other types of encryption, where you don't need to deal with certificates and keychains and all that. It's just a simple way of enabling and disabling encryption at layer 7. So I don't know if I have answered your question correctly, but if you're talking about data encryption, that's one way to do it.
What policies are required at the application layer? So that's what we're going to cover. I know you're super excited to look at policies, but we'll cover that in the next couple of slides. I'll get to that. All right.

Yeah, that's about it. Thanks for the questions. It was actually very useful for me to understand the different types of questions that you guys came up with, so appreciate it, and please feel free to post more. So we spoke about application layer threats and OWASP Top 10. The other type of threat that is common with any type of application is DDoS, which is distributed denial of service, so to put it in again:

if you're not familiar with the DDoS attack, I don't know how many of you grew up in 2007, when email was hot and people spoke about email bombs, where if you hated someone, you could just send them an email bomb which has about 10,000 or 20,000 emails, and their server will crash and they'll probably not get an email. So I know it's a bad example, but that's something that's very similar to DDoS attacks.

Someone who does not like your company or organization is trying to bring it down; they can send a ton of HTTP requests to your application and bring the app down. So that's basically a very high level explanation for what DDoS is, and this also happens at, at least I'm going to say, HTTP requests.

Obviously it happens at layer 7, and you need some kind of protection to at least detect if a DDoS attack is going to happen. And interestingly, I'm just not sticking to the slide itself,
but I was reading an article about how Google's security team actually prevented a DDoS attack last year, which set a record for the amount of requests that came in. So they actually had a Google Cloud customer who looked at some weird communication within the network, and Google immediately alerted them, and they actually saw the spike of requests that went above 40 million requests.

So it's a very interesting topic in itself, and it's interesting how these security solutions, like some providers, actually combine WAFs with DDoS, and it's pretty common to see both offered by the same company. So yeah, with Calico, what happens is you can actually look at a particular layer 7 field, I guess it's called the HTTP request spike, let me collect the data about that, and any time this graph goes high, the request spike is above a particular level.

So that's another security challenge, or things that you need, and finally, just visibility into service to service communication. When I say visibility, it could mean a couple of things, different things for different people, but one great aspect is actually looking at how your nodes and clusters and namespaces are. I mean all these are, I showed you the diagram on the Kubernetes website. But then, when you actually start building application containers, there is no UI. There's no visualization of how these things look.
I mean you probably don't have an idea about the mapping between different services. So that is a problem when it comes to visibility, and also looking at actual visibility itself in terms of traffic communication, we resolve all the challenges that are present in Kubernetes. So yeah, that's about all the things that are needed, and another byproduct of having a good visibility solution or observability solution is looking at performance. We spoke about security and observability, but again you can use this for observability,

you can use this for performance issues where you can look at latency, DNS latency, and any type of HTTP errors, or a lot of data that you can look at to see how your application is performing. This is, I think, very useful for DevOps and SRE teams where they are required to see or make sure that the application performs well.

I think I might have another question: you said within Kubernetes it's difficult to monitor threats; can SIEMs or SOAR help in identifying or aggregating those data? So a SIEM or a SOAR cannot identify any, I mean sometimes I think it can, but some definitely, even though they might not require context about the container itself. What solutions typically do is, like even Calico, we actually export data from ours.
A SIEM can have its own style of identifying data or looking at logs or any type of issues. So it's a good question again, and it is

a level of identification that you can use, so you can use a SIEM and so on, but it is not sufficient. If you just plug in a SIEM solution within your Kubernetes environment, it will not be able to, since it doesn't sit in the same level as the infrastructure, it doesn't sit in the infrastructure level, it doesn't understand Kubernetes concepts, so it's difficult to correlate data, which is something that a solution like Calico can do and then export logs to a SIEM.

So we basically partner with a lot of SIEM and SOAR companies to help with getting data.

Can you please share any links which describe more about how GCP prevented DDoS? Let me find out, maybe towards the end of the presentation, but if you just Google for DDoS Google Cloud, you will probably get that result, but yeah, I'll try to get that towards the end of the session.
We talked about operational aspects. Okay, sorry, I need to repeat the question out loud because others cannot hear it. So the first question was about, when you said within Kubernetes it's difficult to monitor threats, can SIEM or SOAR help in identifying or aggregating those data? So that was answered, and then a link about the GCP example that I gave about the DDoS attack; that is the second one. The third one is: you have talked about the operational aspects of managing Kubernetes security.

That's a very good question. So if you're talking about compliance, I'm assuming that's what the question is about, compliance is actually very hard with these solutions, because if you ever work with auditing and policies, auditing and compliance, what some of them would require is historical data, and if you go tell them that hey, my pod has restarted so I cannot give you that information, we are going to, they're

not going to give you compliance, or you will not be allowed to run your business. So Calico by default doesn't offer that. But if you look at our enterprise solutions, they do offer some kind of compliance

solution, so it is actually very difficult to do it if you don't have the right tools, and you're absolutely right, I mean to get the contextual data about which pod has restarted, what data it was carrying and all that, you can actually. So there are a couple of things: one is compliance like GDPR, HIPAA and PCI.
So what you would need is a regular reporting facility that will give you detailed reports, either by the hour or the day, week, months and so on, and you need to have some kind of customization within the reports itself. You cannot just rely on basic reports, and you need to probably fiddle around with some of the customizations like the time range, or even the type of data that you want. And the other type of security posture auditors ask about is

I spoke about the Kubernetes control plane, and if this control plane is not hardened, security hardened, you'll obviously have threat actors attacking your infrastructure or your platform. So there is a concept called KSPM, which is Kubernetes security posture management, very similar to CSPM, cloud security posture management.

So KSPM, as you know, you can again get reports telling you how secure your Kubernetes infrastructure is, and one example would be something called CIS benchmarks. I'm not sure if this person is familiar, but CIS benchmarks is actually a set of standards where it will tell you, let's say in your Kubernetes platform there's something called etcd or API server, how these different components are configured.

If someone setting up Kubernetes for the first time is not familiar with these things, and if it is given privileged access, you're giving sudo root access to everyone in the organization, things can just go haywire, and you need some kind of a method to make sure that these things are secure. And yeah,
A
The
Hope
answers
that,
thanks
for
those
questions-
and
let
me
continue
so
moving
on-
we
were
talking
about
the
challenges
so
solution
is
I
mean
how
do
you
solve
for
these
challenges
or
problems?
A
We
know
that
most
of
the
service
to
Service
traffickers
and
the
application
Level
and
what
Calico
does
is
I'm
here
to
talk
about
calico,
which
is
you
know,
the
open
source
solution
that
came
out,
maybe
around
2016.
Just
when
kubernetes
adoption
was
increasing.
This
came
out
of
you
know
calicos.
Basically,
it
started
as
a
software
defined
networking
solution
for
open,
trying
to
remember
I
think
it
was
open,
not
open
shift.
It
was
another.
A
You know, SDN solution that was in the market, and these folks at Metaswitch were trying to come up with a more elegant solution for that, and that's how Calico started. And what happened from there is they also designed a CNI, which is Container Network Interface. So CNI is basically, you know, a way to provide networking for containers.
A
So you know that Kubernetes is orchestrating these containers. It has, you know, information on what the state of the application is. But how do you, you know, how do you make sure that these different pods and workloads communicate with each other? You need some kind of a networking tool. Imagine, you know, a switch or a router. You cannot obviously put some kind of a hardware switch or a router in between. So SDN is, you know, the answer, and you need...
A
There are two primary use cases for a CNI. One is providing the networking, providing layer 3 networking for containers, and the other one is also handling the IP addresses, which is in the form of IPAM, an IP address management system. So Calico started as a CNI and, you know, started building out things like policies, where it became the default policies for a lot of Kubernetes deployments. So Kubernetes by itself has policies by default, which is actually based on Calico.
A
So when you install Kubernetes and if you look at Kubernetes network policies, that is nothing but Calico that is running. So that is the open source version, and what we do for application level observability is, I mentioned sidecar and, you know, service mesh and things like that. So let's get into that piece now. So we provide microservices observability using Envoy. So Envoy is, it's like a proxy that sits between your workload and, you know, the other services.
A
So imagine that, you know, it's called a sidecar because it sits right next to the workload, and any type of service level communication that needs to happen with other workloads goes through the sidecar proxy. And that's basically, you know, it brings in another control plane to the equation, and it just gets, you know, more complex, but, you know, that's the only way to do it.
A
So let's see what is happening here. So Envoy can be integrated with Calico to provide, you know, service level communication, but when I say integrated, it's actually, we've used Envoy to be installed in a very easy manner, and when I say it gets complicated, I'm talking about using Envoy without Calico in the picture at all.
A
So if you don't have Calico, and if you want to look at service-to-service communication, the only way is to install, you know, Envoy or Istio on your own, and some kind of a service mesh, and look at all these things. But the complexity and the problem comes when managing Istio or Envoy itself. So we have taken that, you know, challenge or problem out of the equation and made it very simple. If you're using Calico, it's just, you know, a couple of commands and you're good to go.
A
You'll get all these benefits that are, you know, that we're going to see. So what it does is, so when you install Envoy as a sidecar, what it provides is it will provide flow logs for application level traffic, so all the HTTP, you know, metrics and things that you are interested in. I don't know if this screenshot is...
A
Can see? Okay, okay, so it has, you know, HTTP request duration, requests over time, you know, all the different types of metrics, and also the best part about this is it'll give you information with context, that is, which namespace this is coming from. So if you look at the...
A
So if you look at L7 all services, it talks about frontend, cart service, currency service, so you can actually drill down and see which particular service is performing, how it's performing, and so on. So yeah, and the other thing is it also provides valuable metadata about these flows. So metadata is, you know, the data that is enriched on top of the regular...
A
You know, L7 data that you see, so that will be, you know, things like which pod is it coming from, which node the pod is part of, and so on. And I think I mentioned this before, it also allows people, when you use Calico, it allows people to use WireGuard as an encryption technique, where for data-in-transit encryption you can just enable WireGuard without the need to do anything. So it's automatically encrypted; all L7 traffic is encrypted when you enable WireGuard.
A
So that's another benefit, and that's how Calico is, you know, providing a solution for all the challenges that we looked at.
A
So I think this slide is just talking about all the different types of flow log data that you see, you know, source and destination namespace, I think I mentioned this, the URLs, the response code. So many, you know, fields that can be useful while troubleshooting.
A
Yeah, so when I spoke about service mesh, it actually really brings in a lot of complexity, because, as I mentioned, it adds in another new control plane to your equation. So you need to know how service mesh works. You need to understand, you know, how to maintain, install that, upgrade it, and so on, and that is almost like having another solution on top of Kubernetes. So with Calico, what you get is the same benefits of a service mesh and an easier way to use some of the benefits.
A
So, you know, the most popular use cases for the service mesh will be observability and security, you know, things like encryption, which I spoke about. You don't need to use a service mesh for encryption because you already have WireGuard enabled. You need to look at service-to-service communication; you get that with, you know, Envoy's sidecar model. You've already installed that with Calico, so you don't need to install a service mesh like Istio separately.
A
So we've integrated everything within Calico.
A
Again, so I think someone asked about security posture, and, you know, that's also another benefit. You meet the organizational or regulatory compliance, so some of the compliance requirements will be specifically around application level protection. So someone asked about WAF, and I shared some information on WAF. There are, I think, some compliance-related standards which actually require you to specifically, there is a line item where you have to say: I have a web application firewall installed, to be...
A
You know, to pass your compliance exam, so that's another use case. Let me take a pause and look at some Q&A.
A
Oh.
A
So the first question is: how to analyze flow logs, will it not be humongous? It will be humongous, yes, it is true, but again, I'm not sure what role you play, but for folks who are familiar in the security, you know, business, and if you've used solutions like an NDR or an EDR, you know, managed detection and response solutions, or even SIEMs.
A
It is a lot of data, but then the task for these solution providers, like, you know, let's say Splunk or some solution provider or a SOAR solution, or even, you know, Calico, for example, the task is to make it easier for the user to analyze things quickly. You know, it's not if you use Calico; I'm just, you know, talking about all the other solutions available for different reasons.
A
Instead of taking hours, and, you know, not hours, maybe days or weeks, the idea is to bring it down to a couple of minutes or even hours. So you do have, you know, various features to analyze flow logs in a much easier way, and that's the whole concept of coming up with solutions which can do that. And when I say it's the task of these solution providers, what we do with Calico is you can actually look at flow logs.
A
You can actually drill down with something called service graph. We have something called Dynamic Service and Threat Graph, and what it will show is, visually, it will show you the namespaces. Start with the cluster, it'll show the namespaces and different workloads, and you can actually drill down to each level up to a pod level and actually see the flow log. So it doesn't have to be, you know, flow logs at the cluster level, where it will be like, you know, maybe millions of entries.
A
So that's the whole concept of Calico, or any, I'm sure there are other providers which do the same thing, so yeah. The second question is: can a WAF (CDN providers plus internal) plus some sort of process and security log analysis and open vulnerability analysis using Splunk and Optics maybe address this issue? Yeah, it can definitely address the issue for application level security.
A
So it's what I've covered so far, and when you say internal WAF, I'm hoping you mean the WAF that I was talking about, where there is something that is installed within the cluster. So, you know, one of our products actually has a solution called workload-centric WAF.
A
It's actually part of our offering, and I think I've looked at a lot of solutions like Palo Alto and, you know, other big players, and it's actually very hard to find something that is at the workload level, and we've actually leveraged an open source WAF solution.
A
Let me recollect what the name of that solution is. I'll think about it; if it crosses my mind, I'll let you know. But you're right, I mean, to address this issue you can use all the combinations and multiple solutions that you've spoken about, but, you know, the idea is who can provide that internal WAF that we've spoken about, and this is just one aspect of security within containers and Kubernetes. It's not just application layer, or it's not...
A
You know, an attacker can come into your container where there is no concept of any network; there is some vulnerability in your container image and the attacker, he or she, is getting into the container at runtime, doing something within the kernel. All this is not going to, you know, be detected through a WAF or a SIEM or a SOAR.
A
So I understand the question, but then there are just so many things to container security that just one solution is not going to protect you, and the idea is, you know, people are trying to build one single solution which can actually do multiple things, just like a UTM. There's another question: how does the onboarding process work to integrate Calico? If you're asking about the onboarding process to install Calico or integrate Istio with Calico?
A
Okay, yeah, so I'm... the documentation link. So the onboarding process, if you're talking about how to install Calico or how to install Istio or Envoy with Calico, everything is in that page. You could definitely go to that and, you know, look at how things are done. There's another question: can Calico data be taken into tools like Prometheus or Grafana? Not with the open source, but yeah, we do have a way to...
A
We have our own Kibana dashboards, but there is, you know, a facility to export it to Prometheus and Grafana, and I think the documentation should probably cover that. The last question, or actually one more question, is: do cloud providers like AWS or Azure support Calico from their own Kubernetes management capabilities? Okay, yeah, they do, and they do it in a very different way. You know, AWS EKS, or Elastic Kubernetes Service, for people who are not familiar.
A
So that's a Kubernetes managed service that is provided by AWS, so they do offer Calico as a choice of CNI or even policy. So when I say they do it differently, EKS does it in a different way. You can actually use just Calico for CNI, or use Calico without a CNI and use it for security policies. With Azure...
A
You can actually, there's a new concept called bring your own CNI, where previously Azure had no option of any other CNI except their own, which is, I think, which was called Azure VPC CNI and kubenet. And, I mean, the interesting thing is Azure VPC CNI itself was actually Calico underneath, but I don't know why we never promoted that.
A
But right now they have a concept of bring your own CNI, where you can actually bring Calico as a CNI, and on top of that, either without the CNI or with the CNI, you can have Calico integrated with AKS on Azure for security policies. So yeah, we do support all major public cloud providers. We're also available on Red Hat OpenShift, Rancher.
A
What else, Google Cloud, yeah, everything. One more question: when you use the term workloads, it refers to what elemental level of granularity? A few examples will help create questions. It's actually, yeah, I think I mentioned I interchangeably use workload or pods. I mean, when you say workloads, it's actually any unit of compute which is programmed to do a particular work.
A
So in this case, okay, typically when you talk about Kubernetes and containers, a workload is actually a pod. So, and when I say pod, it's actually, you know, a pod is running one or two containers within that, so you could even remove that abstraction and say a container can be a workload. So it's kind of a generic term. But when I say workloads in this case, so imagine your application is doing multiple things.
A
You have different services for different parts of your application, and when a particular, let's say in your retail application you have a checkout service. Checkout service will have, I think again, smaller chunks of software, and each piece of software can be part of, as a workload, and that will ultimately be a pod.
A
So moving on, I think we've looked at all the challenges and solutions, how Calico solves for this problem. I did mention, you know, Istio, sidecars, service mesh, and so on. Let me add a little more color on what these things mean. So when you typically have an application, you build an application, you would need, and here I'm talking about a containerized application...
A
You would need a way to interact with the application, right, to, you know, understand the security, understand performance and observability and so on, and you don't want to disrupt by sending in multiple requests when, you know, when it is in production. So you need to use some kind of a debugger, or you need to smoke traffic, you see no packet, you need to sniff out packets to look at traffic, and for this scenario, what people did was come up with a sidecar model.
A
I think I mentioned this, but yeah, the sidecar model is basically it puts a proxy in front of your worker node. Again, bringing another term here, a worker node is a Kubernetes-specific term where it's nothing but, you know, nodes that participate in the application. So that's all a worker node is. So you have...
A
You know, a kind of, you have a proxy in front of these nodes so that any communication that goes outside goes through this proxy, and, you know, all these features and functionality around observability and security that you need is taken out of this proxy and used. So it kind of becomes a gateway for your application. And Calico, like I said, we integrate seamlessly with Istio, well, enforce layer 7 network policy within the Istio mesh. So I think someone asked about policy implementation, so that's where it goes.
A
So we provide, Calico is known for its network policy implementation at a much more granular level than basic Kubernetes policies, and what you can do is add, so these policies usually work at layer 3 or 4, and with the Istio integration you can actually add application layer attributes like HTTP methods, PUT or GET, those things, or even you can include actual URL paths in your policies, and that's basically how you do it. And what it means by pod injection is...
A
These two annotations that are shown here now, istio-injection=enabled and sidecar.istio.io/inject=true. We use these two annotations, and you can let the Istio pod injector know which workloads require the Envoy proxy. You basically use this during, you know, implementation of the application layer, you know, implementing, integrating Istio with Calico. So to do this, we need to install Istio and configure Envoy, but once you do that, it's simple, you know, a couple of commands after this.
A
When I say service mesh, you know, anything that is used to describe the network of microservices that make up applications and any type of interaction that goes on within them. So that is basically a service mesh. Service mesh like the open source plug, Istio, is also open source, and it's, you know, think about service mesh as a way to control how different parts of an application share data with one another.
A
Trying to come up with an example, but anyway, so it's a dedicated infrastructure layer built right into the application and, like I said, it's usually implemented as a sidecar proxy, and traffic flows through this sidecar proxy, and you can, you know, have all types of controls with traffic management and security. And since it controls, you know, any ingress and egress traffic to the services, you can extract information using this mesh.
A
If there is an HTTP call, you can figure it out and you can send it for monitoring. You can find out who's using SSL, who's sharing SSL certificates, or use an SSL certificate to see inside the traffic.
A
Picture guys, okay, so this is another, you know, representation of what a service mesh architecture typically looks like. So I mentioned it introduces a new control plane, and when you, you know, look at this diagram, what you can see is the service mesh will let proxies discover applications. So you see service B and service D, and there is a proxy sitting right in front of it, and this is where you apply the application layer policies to control. Sorry.
A
So, for instance, if, you know, let's say there is a website, you have mysite.com and you have a URL specifically within that saying mysite.com, do not enter, you don't want anyone to enter. There's no way for you to deny access to this URL unless you change some, you know, server config or disable the network. But with service mesh, what you can do is tap into layer 7 and write a policy for that particular URL, so that you either block ingress or egress traffic to this URL.
A
And yeah, as I mentioned, we have a seamless integration with any service mesh, and especially for Istio. It lets you enforce application layer attributes like HTTP methods and path.
A
Excuse me, and some of the benefits of doing this, you know, integration with Istio is you can control traffic at the pod level, restricting this traffic inside and outside pods, and, you know, mitigate common threats to Istio-enabled apps. You can adopt a zero trust network model for security, including traffic encryption, which is, you know, probably another requirement for compliance.
A
It'll give you multiple enforcement points and also multiple identity criteria for authentication, and the last benefit is, you know, it's a familiar policy language. Once you install Calico and you're using Calico for network policies, you don't have to learn a new type of policy language to control application layer, you know, traffic, okay, or you don't even need to know how Istio works.
A
All right, so when you look at Calico integration, there are two types: one is Calico network policy and the second is Calico global network policy, and the difference, I remember I mentioned about namespaces, so Calico network policy is actually namespace level, so you can enforce restrictions or exceptions within a namespace, and what global network policy does is for the entire cluster.
A
Next slide is actually, I don't know if I want to get into details, but this, you know, the high level architecture diagram of how Calico is designed, to understand. Yeah, I mean Calico, not just Calico as a whole, but Calico with Envoy as a sidecar model, this is how it's designed. So you see something called Felix. So Felix is the brain of Calico, and it's the control plane portion that lets the underlying infrastructure know that, you know, this particular traffic is allowed or not allowed.
A
So let's say when you create a Calico policy, what happens is it goes to Felix, and depending on how many nodes, Felix is inside the calico-node DaemonSet, so depending on the data plane, if it's eBPF or, you know, standard Linux, it'll create either iptables or eBPF programs to, you know, limit or permit whatever you're trying to write. And there is no mention of eBPF here on this slide, but if you're interested, if you want to know more about eBPF, I would encourage you to, again...
A
Get to the kernel level of any system, any application, and without disturbing, you know, the application itself, we can actually get a lot of things done. You can actually create a sandbox environment, you can write your own programs to get internal level details, and, you know, the adoption and usage has just exploded. People are going crazy about eBPF adoption in the container space, so I would suggest doing a little more, you know, reading on your own about eBPF. So yeah, so it's...
A
Actually a data plane concept, so you either have eBPF or standard Linux, and what Felix will do is tell Dikastes to inform the proxy. So you see Envoy that is sitting right next to the workload; it'll inform the proxy on the decision, you know, either let the traffic go through or drop it or block them.
A
So yeah, that's about, you know, the architecture of how a Calico policy works with Envoy for the application layer. So this is how internally the policy flow happens.
A
I think I don't have anything else to share with respect to the topic, but I'll just, you know, briefly talk about what Project Calico is. So I mentioned already, it's an open source project, and we've, you know, had a huge adoption rate with a lot of companies using it.
A
It's a very active community, so you could, if you're on Slack, you can join the channel; if you're on Twitter or LinkedIn, you can follow Project Calico. I mean, this community talks about cloud networking and security, and if you're having any, you know, issues or problems with using Calico, you can ask people in the community. So we have about 8,000 Slack members, you know, the channel members, and about, I think roughly, so this one says 320, it's not updated, I think, right now.
A
Currently we have about 500 active contributors to the project, so I'm sure we all know how open source projects work. I mean, just the fact that Calico is actually currently running on two million nodes is, you know, testament to the fact that it's one of the most widely used security and networking solutions, other things.
A
So it's a community behind a pure L3 approach to virtual networking and security. It's used in highly scalable data centers. You can also use Calico for, you know, VMs and native host-based workloads. It's not just for containers. Like I said, it's an SDN, and it also supports multiple architectures and platforms, and I already mentioned the different public cloud vendors and priority, sorry, private cloud vendors.
A
That can support Calico, and it's also, you know, the best part about this is it's designed to be modular, so we have something called a pluggable data plane, and I just mentioned or spoke about eBPF and Linux. So we support any type of data plane. It doesn't matter if you're running eBPF workloads or Linux or even Windows; there's something called HNS or Host Network Service for Windows environments. So Calico will work on any type of data plane, and in the future...
A
I don't know if you're able to indicate, yeah, okay, I think I mentioned about, yeah, the eBPF data planes and, of course, and, you know, just looking at this slide, Calico... So some of the benefits, you know, choice of data plane you get, it's a pluggable data plane model, and also for performance there's been, you know, a lot of studies and articles written by some community members who've tested Calico with other solutions and found out that, you know, for different benchmark studies...
A
Calico's come out with flying colors with respect to, you know, CPU usage and cost, and of course I mentioned about the different types of workloads, and it's also exceptionally scalable. Did I mention we do layer 3 networking? So basically the protocol behind it is BGP, and, you know, BGP powers the entire internet, so if BGP can handle the internet, Calico can handle the internet too. So when it comes to Kubernetes itself, it's a Kubernetes-native security policy model, so it's declarative in nature.
A
You don't need to understand a totally different solution. If you are familiar with how Kubernetes, you know, declaration, all these, you know, the different YAML and deployments work, it's a unified model. You can easily understand Calico.
A
So the whole concept of service mesh itself is to actually implement security controls, and the problem also with that is how you configure and use a service mesh. So there is implementation at the service level itself.
A
So CNAPP is, if people are not familiar with that term, it's a Gartner term which stands for cloud native application protection platform, so I mean it's just another way of talking about one solution which can do multiple things. So when you say CNAPP, when you say cloud native, there are so many, so most cloud native applications are built with containers, and with container security, as I mentioned before, you don't...
A
You cannot say that, you know, you're taking care of security with just installing Calico open source or just installing, you know, a CNAPP. So it's a whole range of problems that you can look at from a security standpoint, all the way from build time to runtime. There are so many, you know, threats that can occur during build time and runtime. So let's say you're, you know, tasked with deploying a container, I mean deploying an application with containers. So you take this...
A
You know, base image, put different layers on top, and extensions and libraries, and use a container runtime to make it a container. So a CNAPP's task is to make sure that all these stages, like build, deploy and runtime, you have some kind of a solution, a security solution that takes care of the entire CI/CD lifecycle. So Calico open source itself cannot be a CNAPP because it doesn't offer all the capabilities, but our, you know, commercial offerings...
A
Do, you know, much more than what Calico open source can do, so that is a CNAPP.
A
So with Calico open source, what you get is security policies, and the CNAPP is much more than just security policies. Can Calico log any changes to containers/nodes if I make any changes in its production environment? How is that, is that...
A
I'm not sure if I understand this question, but so I think, if you're talking about the changes that you're making within Calico itself, if you can track these, yes, you can. But let me read the question again: can Calico log any changes to containers/nodes if I make any changes in its production environment?
A
So, okay, if you're changing any parameters within containers, I don't think it can track everything and anything, anything to do with, yeah. So you're talking about the data plane; if you're talking about traffic, network and security policies, yes, but depending on what you're asking, I mean if it's something to do with the application itself, I don't think you can interact with anything; I don't think any solution, what's happening.
A
I'm sorry, everyone, 100 share on one third question means.
B
A
Yeah, I mean, again, a brand slide to show how popular we are. Calico is running on two million nodes, and we have about 1 billion Docker pulls, and it's running on about 50,000 enterprises.
B
Can you, can you run the poll and, okay.