The intent of this workshop is to educate anyone working with EKS clusters in one way or another about Calico features and how to use them. While Calico provides many capabilities, this workshop focuses on the subset that different types of technical users rely on most often.
In this workshop we are going to focus on these main use cases:
- East-West security, leveraging zero-trust security approach.
- Namespace isolation, leveraging Policy Recommendation engine to auto-generate policies to protect applications at namespace level.
- Egress access controls, using DNS policy to access external resources by their fully qualified domain names (FQDN).
- Host micro-segmentation, leveraging Calico policies to protect host ports and host based services.
- Observability, exploring various logs and application level metrics collected by Calico.
- Compliance, providing proof of security compliance.
- Security alerts, configuring alerts to notify security and operations teams of any security incidents or anomalous behaviors.
- Dynamic packet capture, capturing full packet payload on demand for further forensic analysis.
Calico User Group Slack is a great resource to ask any questions about Calico. If you are not part of this Slack group yet, we highly recommend joining it to participate in discussions or ask questions. For example, you can ask questions specific to EKS and other managed Kubernetes services in the #eks-aks-gke-iks channel.
It is recommended to use your personal AWS account, which would have full access to AWS resources. If you are using a corporate AWS account for the workshop, check with your account administrator to make sure you have sufficient permissions to create and manage EKS clusters and Load Balancer resources.
- Calico Cloud trial account
  - for an instructor-led workshop, use the instructions in the email you receive to request a Calico Trial account
  - for a self-paced workshop, follow the link to register for a Calico Trial account
- AWS account and credentials to manage AWS resources
- Terminal or Command Line console to work with AWS resources and the EKS cluster
  - the most common environments are Cloud9, Mac OS, Linux, Windows WSL2
- Git
- netcat
This workshop has been designed to use an AWS Cloud9 instance as the workspace environment. If you are familiar with the tools listed in the prerequisites section, feel free to use whichever workspace environment you are most comfortable with.
- Module 1: Setting up workspace environment
- Module 2: Creating EKS cluster
- Module 3: Joining EKS cluster to Calico Cloud
- Module 4: Configuring demo applications
- Module 5: Enable application layer monitoring (L7 logs)
- Module 6: Namespace isolation
- Module 7: Using security controls
- Module 8: Using egress access controls
- Module 9: Securing EKS hosts
- Module 10: Using observability tools
- Module 11: Using compliance reports
- Module 12: Using alerts
- Module 13: Dynamic packet capture
- Module 14: Deep packet inspection
- Module 15: Vulnerability management
- Delete the application stack to clean up any load balancer services.

  ```bash
  kubectl delete -f demo/dev/app.manifests.yaml
  kubectl delete -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
  ```

- Delete the EKS cluster.

  ```bash
  eksctl delete cluster --name tigera-workshop
  ```

- Delete the EC2 Key Pair. If you created an EC2 KeyPair for the EKS cluster, you can remove it if it is no longer needed.

  ```bash
  export KEYPAIR_NAME='<set_keypair_name>'
  aws ec2 delete-key-pair --key-name $KEYPAIR_NAME
  ```

- Delete the Cloud9 instance. Navigate to AWS Console > Services > Cloud9 and remove your workspace environment, e.g. tigera-workspace.

- Delete the IAM role created for this workshop.

  ```bash
  # use your local shell to set AWS credentials if needed
  # otherwise skip these two lines and execute the commands below
  export AWS_ACCESS_KEY_ID="<your_accesskey_id>"
  export AWS_SECRET_ACCESS_KEY="<your_secretkey>"

  # delete IAM role
  IAM_ROLE='tigera-workshop-admin'
  ADMIN_POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`AdministratorAccess`].Arn' --output text)
  aws iam detach-role-policy --role-name $IAM_ROLE --policy-arn $ADMIN_POLICY_ARN
  aws iam remove-role-from-instance-profile --instance-profile-name $IAM_ROLE --role-name $IAM_ROLE
  # if this command fails, you can remove the role via AWS Console once you delete the Cloud9 instance
  aws iam delete-instance-profile --instance-profile-name $IAM_ROLE
  aws iam delete-role --role-name $IAM_ROLE
  ```
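The IAM role step above detaches only the AdministratorAccess policy and assumes the instance profile has the same name as the role; if either assumption is wrong, `delete-role` fails and a role with administrator rights is left behind. The script below is an added example, not part of the workshop material: it enumerates every attached managed policy and every instance profile the role belongs to, removes them, deletes the role, and then verifies the role is really gone. It assumes the `tigera-workshop-admin` role name from the step above and a configured `aws` CLI; the `RUN_CLEANUP` guard variable is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the workshop): idempotent teardown of the workshop IAM role.
# Assumes the aws CLI is installed and configured. IAM_ROLE defaults to the
# role name used in the workshop; override it with IAM_ROLE=<name>.
set -eu

IAM_ROLE="${IAM_ROLE:-tigera-workshop-admin}"

# Exit 0 if the role exists, non-zero otherwise (stderr is suppressed so a
# missing role does not print an error during the final verification).
role_exists() {
  aws iam get-role --role-name "$1" >/dev/null 2>&1
}

# Detach every managed policy attached to the role, not just AdministratorAccess,
# so an extra attachment can neither block deletion nor outlive the workshop.
detach_all_policies() {
  role="$1"
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
      --query 'AttachedPolicies[].PolicyArn' --output text); do
    [ "$arn" = "None" ] && continue
    aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
  done
}

# Remove the role from each instance profile it belongs to and delete the profile;
# the profile name is discovered rather than assumed to equal the role name.
remove_instance_profiles() {
  role="$1"
  for profile in $(aws iam list-instance-profiles-for-role --role-name "$role" \
      --query 'InstanceProfiles[].InstanceProfileName' --output text); do
    [ "$profile" = "None" ] && continue
    aws iam remove-role-from-instance-profile --instance-profile-name "$profile" --role-name "$role"
    aws iam delete-instance-profile --instance-profile-name "$profile"
  done
}

# Full teardown: returns 0 only when the role no longer exists afterwards.
cleanup_iam_role() {
  role="$1"
  if ! role_exists "$role"; then
    echo "role $role not found; nothing to do"
    return 0
  fi
  detach_all_policies "$role"
  remove_instance_profiles "$role"
  aws iam delete-role --role-name "$role"
  if role_exists "$role"; then
    echo "role $role still exists after deletion attempt" >&2
    return 1
  fi
  echo "role $role deleted"
}

# Only act when explicitly asked, so the file can also be sourced for its functions:
#   RUN_CLEANUP=1 sh teardown-role.sh
if [ "${RUN_CLEANUP:-0}" = "1" ]; then
  cleanup_iam_role "$IAM_ROLE"
fi
```

Run it as `RUN_CLEANUP=1 sh teardown-role.sh`; a non-zero exit means the role survived and should be inspected in the IAM console before you consider the workshop environment torn down.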