Manager UI tutorial
What you will learn
- Manager UI features and controls
- How to gain visibility into clusters
Let's go through each item in the Manager UI left navbar from top to bottom. You can follow along using any cluster.
From the left navbar, click Dashboards.
The Dashboard provides a birds-eye view of cluster activity. Note the following:
- The filter panel at the top lets you change dashboard views and the time range.
- Layout Settings shows the default metric cards. WireGuard metrics for pod-to-pod and host-to-host encryption appear only if you have enabled WireGuard.
- For application-related dashboard cards to show data, like HTTP Response Codes or Url Requests, you need to configure L7 logs.
From the left navbar, select Service Graph, Default.
Service Graph provides a point-to-point, topological representation of network traffic within your cluster. It is the primary tool for visibility and troubleshooting.
Namespaces are the default view in Service Graph.
When you expand the top right panel (<<), you see a detailed view of the service-to-service communications for the namespace.
Nodes and edges
Lines going to/from nodes are called edges. When you click on a node or edge, the right panel shows details, and the associated flow logs are automatically filtered in the bottom panel.
Layers allow you to create meaningful groupings of resources so you can easily hide and show them on the graph. For example, you can group resources for different platform infrastructure types in your cluster like networking, storage, and logging.
Click the panel on the left (>>) by the Namespaces breadcrumb, and then expand the Tigera components layer.
The Tigera components layer contains namespaces for Calico Enterprise networking components, and is a view of interest to Dev/Ops.
Click the vertical ellipsis and select Hide layer. Notice that only the business application namespaces remain visible in the graph.
To bring the layer back but keep it in the background, select Restore layer and then click De-emphasize layer.
Logs, alerts, and capture jobs
The panel at the bottom below the graph provides tools for troubleshooting connectivity and performance issues. Logs (Flows, DNS, and HTTP) are the foundation of security and observability in Calico Enterprise. When you select a node or edge in the graph, logs are filtered for that node or service. A flow log entry, for example, includes details of how the policies in each tier processed the flow, so you can see which policy allowed or denied it.
For convenience, the Alerts tab in the bottom panel mirrors the alerts you have enabled under Activity, Alerts in the left navbar. By default, no alerts are enabled.
Service Graph integrates a packet capture feature for capturing traffic for a specific namespace, service, replica set, daemonset, statefulset, or pod. You can then download the capture files to your favorite visualization tool, such as Wireshark.
Right-click on any endpoint to start or schedule a capture.
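The capture you start from the Service Graph context menu is backed by a PacketCapture resource, which you can also create directly. The following manifest is an added example and is not from the original page; the namespace shop, the label app == "backend", the port, and the time window are assumptions for illustration.

```yaml
# Added example, not from the original page. Namespace, selector, port
# and time window are assumptions for illustration.
apiVersion: projectcalico.org/v3
kind: PacketCapture
metadata:
  name: backend-http-capture
  namespace: shop
spec:
  # Capture on every workload endpoint in the namespace that matches the selector.
  selector: app == "backend"
  # Keep only TCP traffic on port 8080 so the pcap stays small and focused.
  filters:
  - protocol: TCP
    ports:
    - 8080
  # Optional schedule (RFC 3339). A startTime in the past starts immediately;
  # omit both fields to capture until the resource is deleted.
  startTime: "2024-05-01T09:00:00Z"
  endTime: "2024-05-01T09:15:00Z"
```

Apply it with kubectl or calicoctl, then download the resulting files from the capture's entry in Service Graph. Keep captures short and filtered: a capture with no filters on a busy pod records every packet, including application payloads, so treat the files as sensitive and delete the resource when you are done.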
From the left navbar, select Service Graph, Flow Visualizations.
Flow Visualizer (also called, "FlowViz") is a Calico Enterprise tool for drilling down into network traffic within the cluster to troubleshoot issues. The most common use of Flow Visualizer is to drill down and pinpoint which policies are allowing and denying traffic between services.
From the left navbar, click Policies.
Network policy is the primary tool for securing a Kubernetes network. Policy is used to restrict network traffic (egress and ingress) in your cluster so only the traffic that you want to flow is allowed. Calico Enterprise supports these policies:
- Calico Enterprise network policy
- Calico Enterprise global network policy
- Kubernetes network policy
Calico Enterprise uses tiers (also called hierarchical tiers) to provide guardrails for managing network policy across teams. Policy tiers allow users with more authority (for example, Dev/Ops users) to enforce network policies that take precedence over policies written by other teams (for example, service owners and developers).
Policies Board is the default view for managing tiered policies.
Users typically use a mix of Policies Board and YAML files. Note that you can export one or all policies in a tier to YAML.
The Policies Board filter lets you filter by policy types and label selectors.
The following features provide more security and guardrails for teams.
Recommend a policy
In Policies Board, click Recommend a policy.
One of the first things you'll want to do after installation is to secure unprotected pods/workloads with network policy. (For example, Kubernetes pods allow traffic from any source by default.) The Recommend a policy feature generates policies that protect specific endpoints in the cluster. Users with minimal experience with network policy can easily get started.
When you create a policy, it is a best practice to stage it to evaluate the effects before enforcing it. After you verify that a staged network policy is allowing traffic as expected, you can enforce it.
When you edit a policy, you can select Preview to see how changes may affect existing traffic.
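The tier precedence described above and the stage-then-enforce workflow both come down to a few resource fields. The manifest below is an added example, not from the original page or the Calico project: the tier names platform and app, the namespace shop, the labels, and the port are assumptions chosen for illustration.

```yaml
# Added example, not from the original page. Tier names, namespace,
# labels and ports are assumptions for illustration.

# Higher-precedence tier owned by Dev/Ops. Lower order is evaluated first.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform
spec:
  order: 100
---
# Lower-precedence tier for service owners and developers.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: app
spec:
  order: 500
---
# Dev/Ops guardrail: every workload is denied egress to the cloud metadata
# service, then the flow is passed to the next tier. Without the final Pass,
# traffic not matched by any rule would hit the implicit deny at the end of
# this tier and the app tier would never be consulted.
# Policy names inside a tier must be prefixed with "<tier>.".
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: platform.block-metadata-service
spec:
  tier: platform
  order: 10
  selector: all()
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      nets:
      - 169.254.169.254/32
  - action: Pass
---
# Staged policy in the app tier: evaluated and reported in flow logs, but
# not enforced. Once the flow logs show the expected verdicts, change the
# kind to NetworkPolicy (or use Enforce in Policies Board) to enforce it.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: app.allow-frontend-to-backend
  namespace: shop
spec:
  tier: app
  order: 100
  selector: app == "backend"
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "frontend"
    destination:
      ports:
      - 8080
```

After applying the manifest, select the backend node in Service Graph and check the flow logs: the staged policy's verdict is recorded alongside the enforced ones, so a staged policy that would have denied legitimate frontend traffic shows up before it can cause an outage. Because the platform tier has a lower order than the app tier, a developer cannot override the metadata-service block by editing policies in their own tier.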
From the left navbar, click Endpoints.
This page is a list of all pods in the cluster (also known as workload endpoints).
From the left navbar, click Nodes.
This page lists all nodes associated with your cluster.
From the left navbar, click Network Sets.
Network sets and global network sets are Calico Enterprise resources for defining IP subnetworks/CIDRs, which can be matched by standard label selectors in policy (Kubernetes or Calico Enterprise). They are a powerful feature for reuse and scaling of policy.
A simple use case is to limit traffic to/from external networks. For example, you can create a global network set containing the deny-list CIDR ranges 192.0.2.55/32 and 203.0.113.0/24, and then reference the network set by label in a global network policy. Because the network set is a named resource, traffic to and from those ranges also appears as its own node in Service Graph.
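Here is that use case as resources you can apply, added as an example and not taken from the original page. The CIDRs are the ones named above; the set name, its label, and the choice of the default tier are assumptions for illustration.

```yaml
# Added example, not from the original page. Set name, label and tier
# placement are assumptions for illustration.

# The network set carries a label; policies match it with a selector, so
# adding or removing CIDRs never requires a policy change.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: external-deny-list
  labels:
    threat-feed: external-deny-list
spec:
  nets:
  - 192.0.2.55/32
  - 203.0.113.0/24
---
# Global policy that blocks traffic to and from any endpoint matching the
# set's label. The trailing Pass rules hand unmatched traffic to the next
# policy instead of hitting this tier's implicit end-of-tier deny.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-external-deny-list
spec:
  tier: default
  order: 0
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    source:
      selector: threat-feed == "external-deny-list"
  - action: Pass
  egress:
  - action: Deny
    destination:
      selector: threat-feed == "external-deny-list"
  - action: Pass
```

Note that selector-based rules match the addresses in a GlobalNetworkSet the same way they match workload labels, so one set can be referenced from many policies and from Kubernetes-style selectors in Calico policy. Verify the result in Service Graph: once the set exists, flows to 203.0.113.0/24 are attributed to the external-deny-list node, and a denied flow against it shows the policy name in the flow log.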
If you have configured Calico Enterprise for multi-cluster management, you will see the Managed clusters option in the left navbar.
From the left navbar, click Managed clusters.
This page is where you switch views between clusters in Manager UI. When you connect to a different cluster, the entire Manager UI view changes to reflect the selected cluster.
From the left navbar, click Compliance.
Compliance tools that rely on periodic snapshots do not provide accurate assessments of Kubernetes workloads against your compliance standards. The Calico Enterprise compliance dashboard and reports provide a complete inventory of regulated workloads, along with evidence of enforcement of network controls for these workloads. Additionally, audit reports are available to see changes to any network security controls.
Compliance reports are based on archived flow logs and audit logs for all Calico Enterprise resources, and audit logs for Kubernetes resources in the Kubernetes API server.
Using the filter, you can select report types.
From the left navbar, select Activity, Timeline.
What changed, who did it, and when? This information is critical for security. Native Kubernetes doesn’t provide an easy way to capture audit logs for pods, namespaces, service accounts, network policies, and endpoints. The Calico Enterprise timeline provides audit logs for all changes to network policy and other resources associated with your Calico Enterprise deployment.
From the left navbar, select Activity, Alerts.
How do you know if you have an infected workload? A possible threat? Calico Enterprise detects and alerts on unexpected network behavior that may indicate a security breach. You can create alerts for:
- Known attacks and exploits (for example, exploits found at Shopify, Tesla, Atlassian)
- DoS attempts
- Attempted connections to botnets and command and control servers
- Abnormal flow volumes or flow patterns based on machine learning
As shown, there are many types of alerts you can enable. None are enabled by default.
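Beyond the preconfigured alerts, you can define your own as a GlobalAlert resource that runs a query over the logs on a schedule. The following is an added example, not from the original page: it flags any source that has more than 100 flows denied in a 10-minute window, which is a cheap indicator of a workload probing the cluster. The field names follow the GlobalAlert schema; the threshold, period, and severity are assumptions you would tune for your cluster.

```yaml
# Added example, not from the original page. Threshold, period and
# severity are assumptions for illustration.
apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
  name: denied-egress-spike
spec:
  summary: "Denied flows spike from ${source_namespace}/${source_name_aggr}"
  description: "More than 100 flows were denied from a single source aggregate within 10 minutes"
  severity: 80
  # Evaluate every 10 minutes over the last 10 minutes of flow logs.
  period: 10m
  lookback: 10m
  dataSet: flows
  # Only denied flows as reported by the source side of the connection.
  query: action = deny AND reporter = src
  # One alert per source workload aggregate, not one per flow.
  aggregateBy:
  - source_namespace
  - source_name_aggr
  field: num_flows
  metric: sum
  condition: gt
  threshold: 100
```

Start with a high threshold and lower it once you know the baseline from the Dashboard, otherwise a noisy but harmless workload (a health checker hitting a closed port, for instance) generates constant alerts and the real ones get ignored. Alerts created this way appear under Activity, Alerts and in the Alerts tab of the Service Graph bottom panel.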
The anomaly detection page lets you enable or disable anomaly detectors that are preconfigured by Calico Enterprise. Anomaly detection uses Calico Enterprise Elasticsearch logs (flow logs, L7 logs, and DNS logs) to learn the behavior of cluster nodes, pods, services, and other entities that send log records (applications, load balancers, databases, and so on).
Calico Enterprise includes a fully integrated deployment of Elastic to collect flow log data that drives key features like the Flow Visualizer, metrics in the Dashboard and Policies Board, policy automation, testing features, and security. Calico Enterprise also embeds Kibana so you can view raw log data for the traffic within your cluster.
From the left navbar, click Logs.
Calico Enterprise comes with built-in Kibana dashboards.
Kibana provides its own set of filtering capabilities to drill down into log data. For example, use filters to drill into flow log data for specific namespaces and pods. Or view details and metadata for a single flow log entry.
You can add threat intelligence feeds to Calico Enterprise to trace network flows of suspicious IP addresses and domains. Then, you can use network policy to block pods from contacting IPs or domains.
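A threat feed is a GlobalThreatFeed resource: Calico Enterprise pulls the list on a schedule and maintains a GlobalNetworkSet from it, labelled as you specify, so policy can select it like any other network set. The manifest below is an added example, not from the original page; the feed URL is a placeholder and the name, label, and pull period are assumptions for illustration.

```yaml
# Added example, not from the original page. The URL is a placeholder;
# name, label and period are assumptions for illustration.
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
  name: example-ip-blocklist
spec:
  # IPSet feeds are one IP or CIDR per line; DomainNameSet is the other option.
  content: IPSet
  # The label is what a policy selector matches on, e.g.
  # selector: threat-feed == "example-ip-blocklist"
  globalNetworkSet:
    labels:
      threat-feed: example-ip-blocklist
  pull:
    period: 24h
    http:
      url: https://threat-feeds.example.com/ipv4-blocklist.txt
```

Once the feed has been pulled, flows to any listed address are attributed to the feed's network set in Service Graph and in the flow logs, which is the tracing step described above. Blocking is a separate decision: a Deny rule whose destination selector matches the label turns the feed into enforcement, so review a new feed's hits in the logs before wiring it into a policy, since a bad entry in a third-party list becomes an outage the moment it is enforced.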
Now that you understand the basics, we recommend the following: