How Capital One used eBPF and Cilium to build a secure, maintainable PaaS
“We are a bank. Everything is security first. We had to have a way to audit the network traffic down to the specific application that initiated the connection.”
Building out for multiple teams
But: Dragon was not initially built as a multi-tenant platform! Scaling it up meant that the platform needed to meet these requirements:
- Secure network isolation
- Network visibility and auditing
- Maintenance and performance overhead reduction
- Scale past iptables limits
eBPF and Cilium to the rescue
- IPsec between nodes
- Cluster Mesh, including cluster level Network Policies
- Flexible Network Policies
- Reduced iptables complexity, leading to reduced operational complexity
- Layer 7 filtering and outbound DNS-name (FQDN) egress policies
- Easier network policy troubleshooting with the Cilium CLI
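The kind of policy those last two bullets describe, as an added illustration rather than any policy from Capital One's Dragon platform: a single CiliumNetworkPolicy that lets one workload resolve names through kube-dns, reach an external API only by DNS name on 443, and call an in-cluster service only with specific HTTP methods and paths. The namespace, labels, host name and paths are assumed placeholders.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-egress          # assumed name
  namespace: team-a              # assumed tenant namespace
spec:
  endpointSelector:
    matchLabels:
      app: payments              # assumed workload label
  egress:
  # 1. DNS: allow lookups to kube-dns and route them through Cilium's DNS proxy.
  #    Without this rule the toFQDNs rule below cannot learn which IPs
  #    the allowed name resolves to, so all FQDN-based egress would be dropped.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"      # observe every query; tighten to known suffixes later
  # 2. Outbound by DNS name: only this host, only TCP/443.
  #    Any other external destination (and any other port on this host) is denied.
  - toFQDNs:
    - matchName: "api.example.com"   # assumed external dependency
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # 3. Layer 7 filter on plaintext in-cluster HTTP: the payments workload may
  #    read balances and create transfers, but cannot hit any other endpoint
  #    (for example an admin or debug route) on the ledger service.
  - toEndpoints:
    - matchLabels:
        app: ledger              # assumed in-cluster service label
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/balances.*"
        - method: "POST"
          path: "/v1/transfers"
```

Because the policy has an egress section, every egress flow from the selected pods that matches none of these rules is dropped, and with Hubble those drops show up as DROPPED verdicts for the tenant namespace (for example via hubble observe --namespace team-a --verdict DROPPED), which is how a team verifies the policy before relying on it.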
Enhanced observability with Hubble
Hubble is Cilium’s distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF, which gives it deep visibility into the communication and behavior of services, and of the networking infrastructure, without changes to the applications.
Capital One quickly identified the enhanced observability Hubble could provide for their case:
- Durable audit log storage and integration of flow data into the enterprise SIEM and security workflows
- Attribution of network traffic down to the specific binary that opened the connection, crucial for threat hunting
- The hubble observe command, which helps with day-to-day troubleshooting
- The Hubble UI service map, which makes network traffic flows visible to teams
- Export of network flow logs to existing logging stacks
With these added capabilities, teams were able to do more from day one.
Multi-tenant capabilities for a multi-team future
As a result, Capital One chose Isovalent Cilium Enterprise as the solution for its multi-tenant clusters. It met the list of requirements, added many useful features and provided extensive insight, while adding very little maintenance and performance overhead. Because it delivered security and networking observability out of the box, the teams at Capital One did not have to write custom code.
By introducing Cilium into Dragon, Capital One was able to transform the PaaS to a multi-tenant platform, making it available to multiple teams, keeping it secure and providing team-specific observability.