Manager UI tutorial

What you will learn

• Manager UI features and controls
• How to gain visibility into clusters

Let's go through each item in the Manager UI left navbar from top to bottom. You can follow along using any cluster.

Dashboard

From the left navbar, click Dashboards.

The Dashboard provides a birds-eye view of cluster activity. Note the following:

• The filter panel at the top lets you change dashboard views and the time range.
• The Customize Layout menu lets you choose what components are displayed on the dashboard. To get WireGuard metrics for pod-to-pod and host-to-host encryption, you must enable WireGuard.
• For application-related dashboard cards to show data, like HTTP Response Codes or Url Requests, you need to configure L7 logs.

Service Graph

From the left navbar, select Service Graph, Default

Service Graph provides a point-to-point, topographical representation of network traffic within your cluster. It is the primary tool for visibility and troubleshooting.

Namespaces

Namespaces are the default view in Service Graph.

When you expand the top right panel <<, you see a detailed view of the service-to-service communications for the namespace.

Nodes and edges

Lines going to/from nodes are called edges. When you click on a node or edge, the right panel shows details, and the associated flow logs are automatically filtered in the bottom panel.

Layers

Layers allow you to create meaningful groupings of resources so you can easily hide and show them on the graph. For example, you can group resources for different platform infrastructure types in your cluster like networking, storage, and logging.

Click the panel on the left (>>) by the Namespaces breadcrumb, and then expand the Tigera components layer.

The Tigera components layer contains namespaces for Calico Cloud networking components, and a view of interest to Dev/Ops.

Click the vertical ellipses and select, Hide layer. Notice that only the business application namespaces remain visible in the graph.

To make this layer less visible, select Restore layerand click De-emphasize layer.

Logs, alerts, and capture jobs

The panel at the bottom below the graph provides tools for troubleshooting connectivity and performance issues. Logs (Flows, DNS, and HTTP) are the foundation of security and observability in Calico Cloud. When you select a node or edge in the graph, logs are filtered for the node or service. For example, here is a flow log with details including how the policies were processed in tiers.

Alerts

For convenience, the Alerts tab duplicates the alerts you have enabled in the Alerts tab in the left navbar. By default, alerts are not enabled.

Capture jobs

Service Graph integrates a packet feature for capturing traffic for a specific namespace, service, replica set, daemonset, statefulset, or pod. You can then download capture files to your favorite visualization tool like WireShark.

Right-click on any endpoint to start or schedule a capture.

Flow Visualizations

From the left navbar, select Service Graph, Flow Visualizations.

Flow Visualizer (also called, "FlowViz") is a Calico Cloud tool for drilling down into network traffic within the cluster to troubleshoot issues. The most common use of Flow Visualizer is to drill down and pinpoint which policies are allowing and denying traffic between services.

Policies

From the left navbar, click Policies.

Network policy is the primary tool for securing a Kubernetes network. Policy is used to restrict network traffic (egress and ingress) in your cluster so only the traffic that you want to flow is allowed. Calico Cloud supports these policies:

• Calico Cloud network policy
• Calico Cloud global network policy
• Kubernetes policy

Calico Cloud uses tiers (also called, hierarchical tiers) to provide guardrails for managing network policy across teams. Policy tiers allow users with more authority (for example, Dev/ops user) to enforce network policies that take precedence over teams (for example, service owners and developers).

Policies Board is the default view for managing tiered policies.

Users typically use a mix of Policy Board and YAML files. Note that you can export one or all policies in a tier to YAML.

The Policy Board filter lets you filter by policy types and label selectors.

The following features provide more security and guardrails for teams.

Recommended a policy

In Policies Board, click Recommend a policy.

One of the first things you'll want to do after installation is to secure unprotected pods/workloads with network policy. (For example, Kubernetes pods allow traffic from any source by default.) The Recommend a policy feature generates policies that protect specific endpoints in the cluster. Users with minimal experience with network policy can easily get started.

Policy stage

When you create a policy, it is a best practice to stage it to evaluate the effects before enforcing it. After you verify that a staged network policy is allowing traffic as expected, you can enforce it.

Preview

When you edit a policy, you can select Preview to see how changes may affect existing traffic.

Endpoints

From the left navbar, click Endpoints.

Endpoint Details

This page is a list of all pods in the cluster (also known as workload endpoints).

Node List

This page lists all nodes associated with your cluster.

Network Sets

Network sets and global network sets are Calico Cloud resources for defining IP subnetworks/CIDRs, which can be matched by standard label selectors in policy (Kubernetes or Calico Cloud). They are a powerful feature for use/reuse and scaling policy.

A simple use case is to limit traffic to/from external networks. For example, you can create a global network set with "deny-list CIDR ranges 192.0.2.55/32 and 203.0.113.0/24", and then reference the network set in a global network policy. This also allows you to see this traffic in Service Graph.

Managed clusters

From the left navbar, click Managed clusters.

This page is where you switch views between clusters in Manager UI. When you connect to a different cluster, the entire Manager view changes to reflect the selected cluster.

Compliance Reports

From the left navbar, click Compliance.

Compliance tools that rely on periodic snapshots, do not provide accurate assessments of Kubernetes workloads against your compliance standards. Calico Cloud compliance dashboard and reports provide a complete inventory of regulated workloads, along with evidence of enforcement of network controls for these workloads. Additionally, audit reports are available to see changes to any network security controls.

Compliance reports are based on archived flow logs and audit logs for all Calico Cloud resources, and audit logs for Kubernetes resources in the Kubernetes API server.

Using the filter, you can select report types.

Activity

From the left navbar, select Activity, Timeline.

Timeline

What changed, who did it, and when? This information is critical for security. Native Kubernetes doesn’t provide an easy way to capture audit logs for pods, namespaces, service accounts, network policies, and endpoints. The Calico Cloud timeline provides audit logs for all changes to network policy and other resources associated with your Calico Cloud deployment.

From the left navbar, selection Activity, Alerts.

Alerts

How do you know if you have an infected workload? A possible threat? Calico Cloud detects and alerts on unexpected network behavior that may indicate a security breach. You can create alerts for:

• Known attacks and exploits (for example, exploits found at Shopify, Tesla, Atlassian)
• DOS attempts
• Attempted connections to botnets and command and control servers

Logs

Calico Cloud includes a fully-integrated deployment of Elastic to collect flow log data that drives key features like the Flow Visualizer, metrics in the Dashboard and Policy Board, policy automation, and testing features and security. Calico Cloud also embeds Kibana so you can view raw log data for the traffic within your cluster.

From the left navbar, click Logs.

Dashboards

Calico Cloud comes with built-in dashboards.

Log data

Kibana provides its own set of filtering capabilities to drill down into log data. For example, use filters to drill into flow log data for specific namespaces and pods. Or view details and metadata for a single flow log entry.

Threat feeds

You can add threat intelligence feeds to Calico Cloud to trace network flows of suspicious IP addresses and domains. Then, you can use network policy to block pods from contacting IPs or domains.

Now that you understand the basics, we recommend the following:

• Service Graph tutorial
• Understanding policy tiers
• Understanding network sets