Microsegmentation #1396
❌ Deploy Preview for tigera failed. Why did it fail? →Built without sensitive environment variables
use-cases/microsegmentation.mdx
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur mattis odio lacus. Cras at pulvinar ipsum. Fusce euismod quam in tincidunt ornare. Maecenas a augue in mauris mattis feugiat mattis id nulla. Sed molestie ex lobortis fermentum faucibus. Curabitur venenatis dignissim ante non dapibus. Nam posuere enim in mauris pretium, a finibus dolor vulputate. Nam porta ex quis eros sagittis ullamcorper. Mauris eget urna et risus sollicitudin varius. Mauris vel elit in est dictum porta. Nunc faucibus felis et ipsum dignissim, sed sodales urna gravida. Nulla id velit eu elit pretium congue. Quisque volutpat odio quis sem posuere, ac facilisis ex consectetur. | ||
This guide will walk Kubernetes users how to approach and implement segmenting their environment with network policies to achieve different levels of security granularity, depending on the requirement to segment at a cluster, tenant, namespace or workload level. |
This guide will walk Kubernetes users how to approach
I think it should be:
Walk ... through
use-cases/microsegmentation.mdx
Aliquam et augue in sem rhoncus fermentum. Nam sit amet sapien mollis risus imperdiet tincidunt vel vel augue. Donec sit amet enim at odio sagittis placerat. Integer est libero, luctus quis libero nec, fermentum fermentum purus. Phasellus nec mauris luctus, condimentum magna ut, malesuada ligula. Aliquam tincidunt lacinia ornare. Vivamus elit elit, tincidunt non purus ac, eleifend suscipit velit. In interdum aliquam magna, efficitur fringilla lacus. | ||
Traditional firewalls, some of which Calico can integrate with, are well suited to securing system perimeters, but were not designed with dynamic, containerized environments in mind. Instead, this is implemented using purpose-built network policies that allow for different levels of granularity to secure workloads, applications, namespaces, or clusters. Network policies are the tool of choice for achieving network security over traditional firewalls due to their ability to apply to Kubernetes objects based on label selectors and not IP addresses, which are often dynamic and ephemeral. |
Instead, this is implemented using
How about
Instead, Calico is implemented using
For me at first read it was unclear what "this" referred to.
use-cases/microsegmentation.mdx
- advanced policy organization, management and visualization, | ||
- observability features, | ||
- automatic policy recomendations, | ||
- policy staging, and more. |
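Review bot: "recomendations" in the third bullet is misspelled; it should read "automatic policy recommendations".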
Perhaps DNS policy would be worth mentioning?
use-cases/microsegmentation.mdx
Before implementing a segmentation strategy in a cluster there are a few key high-level concepts that must be understood. | ||
These are: | ||
Security Domains |
Should these have bullets and header references?
@mapgirll Thanks, these changes do a great job of incorporating the suggestions we discussed last week. I'm happy enough with the overall copy to move on to line edits.
Some more comments, this time addressing section-level questions. Most are looking at the overall flow, making sure that sections do what they say they're doing and that they flow logically from one to the next.
Pellentesque mollis sodales ullamcorper. Aliquam ac magna felis. Suspendisse sed nibh ultricies, congue nibh in, convallis turpis. Sed rutrum luctus massa, ut volutpat lectus auctor at. In ut justo in augue aliquet dictum. Donec sed ligula et metus condimentum aliquam. Maecenas viverra quis velit vitae congue. Vivamus eget felis sodales, suscipit arcu sed, tincidunt lectus. | ||
### What is microsegmentation? |
I think the brief paragraph in this section doesn't quite answer the question. Instead it goes right into how Calico can get the job done, which is more the subject of the next section.
I suggest you limit this section to microsegmentation as a broad concept, and then get into Calico-specific information in the next section.
Since you mostly use the terms 'segment' and 'segmentation' throughout, a good approach to this section might be to explain microsegmentation as a subset of segmentation.
I have tried this in lines 15-20.
use-cases/microsegmentation.mdx
* DNS policy, | ||
* policy staging, and more. | ||
### Types of segmentation |
This title doesn't quite seem right. I think something more along the lines of "Things that you can isolate/segment" would be stronger.
Segmentation targets/objects for Kubernetes clusters?
What about Microsegmentation at different levels?
I've modified line 37 with this suggestion.
When organizations need to segment and isolate their Kubernetes environments this is typically done at three different levels: [Workload Isolation](https://www.tigera.io/blog/enabling-microsegmentation-with-calico-enterprise-2/), [Namespace Isolation](https://www.tigera.io/blog/automated-namespace-isolation-with-calico/) and [Tenant Isolation](https://www.tigera.io/blog/deep-dive/implementing-tenant-isolation-in-multi-tenant-kubernetes-clusters/). | ||
#### Workload isolation |
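Review bot: the opening sentence of this region needs a comma after the introductory clause: "When organizations need to segment and isolate their Kubernetes environments, this is typically done at three different levels: ...". As written the clause runs into the main sentence.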
These three headings might be better like this:
Isolating workloads
Isolating namespaces
Isolating tenants
Incidentally, what's the difference between 'segment' and 'isolate'? Segment is an awkward word to use. Can we just use one or the other primarily?
I think there is overlap, and I think the references to isolation are more conceptual (or a verb?) where you're isolating something. The security domains are that something that you're isolating.
Anyway, this terminology didn't come from me so I'd be in favour of keeping it as it's in line with all our other content from SA and CS. Or if based on my terrible description/distinction you can think of a simple way to explain it within this doc, I'm open to suggestions.
This protects each tenant from lateral movement at an infrastructure level where a malicious or opportunistic actor may seek to obtain or steal high value assets, damage or misuse applications. | ||
If one tenant is compromised, the risk to other tenants on the same infrastructure is significantly reduced. | ||
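Review bot: the first sentence of this hunk loses its parallel structure in "seek to obtain or steal high value assets, damage or misuse applications"; suggest "seek to steal high-value assets or to damage or misuse applications" (and hyphenate "high-value" as a compound modifier).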
## Foundational concepts for microsegmentation |
BTW, this title was just a suggestion, there may be better.
I liked the title so kept it.
If you are a Calico Enterprise or Calico Cloud user there are more features available that enable a faster and easier microsegmentation experience. | ||
### Security domains |
Can you explain the difference between what you identify above as "Types of segmentation" and "Security domains"?
I could well just not be understanding something basic. But there appears to be a lot of overlap between the two ideas.
I touched on this in my previous comment reply.
I also modified line 78 to:
Anyone implementing microsegmentation and zero-trust should first identify all of the security domains that need to be secured**, which is what you need to secure.**
use-cases/microsegmentation.mdx
### Identification of security domains | ||
When identifying security domains or applications to secure, you may also want to consider application criticality and compliance requirements. |
You've started out with a 'you may also'. What about the main part? How do I get started with identifying my security domains?
I feel like there's some more basic information missing here, or some sort of theory. For example, should I just find every microsegmentable element in my infrastructure and lock it down? Do I need to balance security and ease of use?
The checklist at the end of this section suggests a path towards something, but I don't really know what to do with it.
I understand that this is difficult, given that this needs to apply to everyone. But are there general steps or concepts that we can flesh out?
I have tried to add more information through L217-L223.
I imagine if someone's got this far through the doc they're reading it because they have an idea of what needs securing in their organization. When I listened to customer call recordings about microsegmentation the customer already knew roughly what they needed to secure, they just needed help with how. My assumption for the target audience is that this is sufficient.
use-cases/microsegmentation.mdx
* Organizational security posture (zero-trust will require more stringent segmentation) | ||
* Criticality of applications or security domains | ||
### Developing policy framework |
A few lines to introduce what we're doing here would be good.
I think I've done this: L233-L244
Main content included in #1423