Networking & Security for Mesos - Meetup
Transcript of files.meetup.com/14353592/mesos-meetup-nyc-2016-02b.pdf
Page 1
@projectcalico Project Calico is sponsored by
Sponsored by
Networking & Security for Mesos
An IP for every container… and more!
Christopher Liljenstolpe, February 24, 2016
Page 2
The #1 Challenge for Cloud?
Recent data breaches due to hacking or poor security: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cloud-native app architectures are driving 100-1000x growth in workloads in an era of heightened security threats
Page 3
Enterprise security is still in the middle ages
Page 4
Medieval security architecture
Page 5
“Oh, hey! I just love these things! … Crunchy on the outside and a chewy center!”
Page 6
Fast forward to the present
Page 7
Increased complexity
Page 8
Resource Fungibility
Page 9
Tear down the walls?
Page 10
The opportunity?
Page 11
The opportunity?
Page 12
The Dynamic, Distributed Firewall

[diagram: a routed Network Fabric connecting two hosts, 10.0.0.1 and 10.0.0.2; each host routes to the workloads behind it, and each workload attaches through its own eth0 with its own address, 192.168.1.2 through 192.168.1.7]
Page 13
The Dynamic, Distributed Firewall: Worked Example

[diagram: three workloads, each with a Felix instance on its host that renders the label-based policy into local rules]

Workloads and labels:
- Workload A, 2001:db8::1: loadBal, QA
- Workload B, 2001:db8::2: webApp
- Workload C, 2001:db8::3: webApp

Policy, written against labels:
- loadBal: allow 80 to webApp
- webApp: allow 80 from loadBal
- QA: allow 443 from <qaRobots>
- Pub: allow 443 from any

Rules rendered for Workload A:
1. to 2001:db8::2 port 80 allow
2. to 2001:db8::3 port 80 allow
3. from <qaRobots> port 443 allow
4. default deny

Rules rendered for Workload B and for Workload C:
1. from 2001:db8::1 port 80 allow
2. default deny
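The label-to-rule compilation shown on this slide, as an added example that is not part of the deck or of Calico's own code: it takes the three workloads, their labels and the four policies above, renders the ordered rule list each workload's Felix would program, and evaluates flows against the rules at both ends. The slide's <qaRobots> set is assumed to be the prefix 2001:db8:1::/64, so the rendered rule for A names that prefix where the slide writes <qaRobots>; the Pub policy is defined but, as on the slide, attached to none of the three workloads.

```python
"""Compile the label-based policy of the worked example into the per-workload
rule lists that Felix programs, then check flows against them.
Added example for this transcript, not Calico or Felix code."""
import ipaddress

# Constructed inventory from the slide. Label order is kept, because the
# rendered rule order follows it (loadBal rules before QA rules on A).
WORKLOADS = {
    "A": {"ip": "2001:db8::1", "labels": ["loadBal", "QA"]},
    "B": {"ip": "2001:db8::2", "labels": ["webApp"]},
    "C": {"ip": "2001:db8::3", "labels": ["webApp"]},
}

# Named external sets. Assumption: the slide's <qaRobots> is this one prefix.
NAMED_SETS = {"qaRobots": ["2001:db8:1::/64"]}

# Policy as written on the slide: label -> (direction, port, peer).
# A peer is a label, a named set "<name>", or "any". Pub is defined but, as
# on the slide, attached to none of the three workloads.
POLICY = {
    "loadBal": [("to", 80, "webApp")],
    "webApp": [("from", 80, "loadBal")],
    "QA": [("from", 443, "<qaRobots>")],
    "Pub": [("from", 443, "any")],
}


def expand_peer(peer):
    """Resolve a policy peer to concrete prefixes (host routes for workloads)."""
    if peer == "any":
        return ["::/0"]
    if peer.startswith("<") and peer.endswith(">"):
        return NAMED_SETS[peer[1:-1]]
    return [w["ip"] for _, w in sorted(WORKLOADS.items()) if peer in w["labels"]]


def compile_rules(name):
    """Ordered rule list for one workload as (direction, peer, port, action),
    closed by the default deny that every workload gets."""
    rules = []
    for label in WORKLOADS[name]["labels"]:
        for direction, port, peer in POLICY.get(label, []):
            for prefix in expand_peer(peer):
                rules.append((direction, prefix, port, "allow"))
    rules.append(("default", "::/0", 0, "deny"))
    return rules


def render(name):
    """The rule list in the form the slide prints it."""
    lines = []
    for i, (direction, peer, port, action) in enumerate(compile_rules(name), 1):
        if direction == "default":
            lines.append(f"{i}. default {action}")
        else:
            lines.append(f"{i}. {direction} {peer} port {port} {action}")
    return lines


def _verdict(rules, direction, peer_ip, port):
    """First-match evaluation of one direction of a workload's rules."""
    for rule_dir, prefix, rule_port, action in rules:
        if rule_dir == "default":
            return action
        if (rule_dir == direction and rule_port == port
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(prefix)):
            return action
    return "deny"


def allowed(src_ip, dst_ip, port):
    """A flow passes only if the sender's egress ('to') rules and the
    receiver's ingress ('from') rules both allow it. Peers that are not
    workloads (the QA robots, the internet) have no rules of their own."""
    by_ip = {w["ip"]: n for n, w in WORKLOADS.items()}
    if src_ip in by_ip and _verdict(compile_rules(by_ip[src_ip]), "to", dst_ip, port) != "allow":
        return False
    if dst_ip in by_ip and _verdict(compile_rules(by_ip[dst_ip]), "from", src_ip, port) != "allow":
        return False
    return True


if __name__ == "__main__":
    for name in WORKLOADS:
        print(f"Workload {name} ({WORKLOADS[name]['ip']}):")
        print("\n".join("  " + line for line in render(name)))
    print("A -> B:80", allowed("2001:db8::1", "2001:db8::2", 80))          # True
    print("B -> C:80", allowed("2001:db8::2", "2001:db8::3", 80))          # False
    print("robot -> A:443", allowed("2001:db8:1::7", "2001:db8::1", 443))  # True
    print("other -> A:443", allowed("2001:db8:2::9", "2001:db8::1", 443))  # False
```

The point the slide is making falls out of the evaluation: B and C carry only ingress rules, so B cannot reach C even though both are web servers, and a source outside the qaRobots prefix cannot reach A on 443 because Pub was never attached to A. Adding a label to a workload, or a workload to a label, changes the rendered lists on every affected host without anyone editing per-host rules.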
Page 14
Mesos / HAProxy introduce another problem…

[diagram: Host 10.0.0.1 running three containers, each reachable only through a host IP and port]
- Application, 172.17.0.2, exposed as 10.0.0.1:80
- A service, 172.17.0.3, exposed as 10.0.0.1:80
- … another, 172.17.0.4, exposed as 10.0.0.1:8080

Every service is reachable only through the host's address and a host port, so two services that both want :80 collide on the same host, and anything outside the host sees 10.0.0.1 rather than the container that actually sent or received the traffic.
Page 15
The Solution…
Page 16
Project Calico & Mesos – Logical Architecture

[diagram]
- Mesos Agent (one of many): a Host Kernel doing Efficient Packet Forwarding (IP per workload, direct integration with cloud fabric), with Policy Enforcement applied per Workload (container or VM)
- Cluster-wide: Mesos Master; Security Policy; Routes & Addresses
Page 17
Net-modules Work Flow – Actual Architecture

[sequence diagram across Framework, Master, Agent and the Plug-in (Calico)]
1. Framework → Master: Launch task (NetworkInfo)
2. Master → Agent: Launch task (NetworkInfo)
3. Agent, Isolator module → Network plug-in (IPAM): Get IP
4. Agent, Isolator module → Network plug-in (Network virtualizer): Isolate (IP, policy)
5. Agent → Master: Task update (NetworkInfo); update task state
6. Master → Framework: Task update (NetworkInfo)

The Mesos module side consists of the Isolator module and the Cleanup module; the Network plug-in side consists of the IPAM and the Network virtualizer.
Page 18
Demonstration of basic network isolation

- Mesos cluster with 2 agents
- Launching 4 probe tasks
- Each probe listens on port 9000
- Each probe tries to reach all other probes
- We want all 4 to launch successfully (no port conflicts)
- We want to isolate them into two groups of 2 probes
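The launch path on page 17 and the demo plan on this slide, modelled as an added example that is not net-modules or Calico code (the class names, the 192.0.2.0/24 pool and the group names are assumptions): the plug-in IPAM hands each task its own address, the isolator records the task's group, and the NetworkInfo that flows back to the master carries the address. Because listeners are keyed by address and port, all four probes bind 9000; the host_port_mapping function shows, for contrast, which of them would fail under the page 14 model where every task is exposed through the host address.

```python
"""Simulate the net-modules launch path and the four-probe isolation demo.
Added example, not net-modules or Calico code: the class names, the
192.0.2.0/24 pool and the group names are assumptions."""
import ipaddress

# Constructed launch plan for the demo: four probes, two agents, two groups.
PLAN = [
    ("probe-1", "agent-1", "group-a"),
    ("probe-2", "agent-2", "group-a"),
    ("probe-3", "agent-1", "group-b"),
    ("probe-4", "agent-2", "group-b"),
]
PROBE_PORT = 9000


class Ipam:
    """Plug-in IPAM ('Get IP'): one address per task, never reusing a live one."""
    def __init__(self, cidr):
        self._free = list(ipaddress.ip_network(cidr).hosts())
        self.leases = {}

    def get_ip(self, task_id):
        ip = str(self._free.pop(0))
        self.leases[task_id] = ip
        return ip

    def release(self, task_id):
        self._free.append(ipaddress.ip_address(self.leases.pop(task_id)))


class Isolator:
    """Isolator and cleanup modules ('Isolate (IP, policy)'). The policy used
    here is the demo's: same group may talk, everything else is denied."""
    def __init__(self):
        self.group_of = {}

    def isolate(self, ip, group):
        self.group_of[ip] = group

    def cleanup(self, ip):
        self.group_of.pop(ip, None)

    def allowed(self, src_ip, dst_ip):
        src = self.group_of.get(src_ip)
        return src is not None and src == self.group_of.get(dst_ip)


class Agent:
    """A Mesos agent with IP per container: listeners are keyed by (ip, port),
    so two probes on the same agent can both bind port 9000."""
    def __init__(self, name, ipam, isolator):
        self.name, self.ipam, self.isolator = name, ipam, isolator
        self.listeners = {}

    def launch(self, task_id, group, port):
        ip = self.ipam.get_ip(task_id)
        self.isolator.isolate(ip, group)
        if (ip, port) in self.listeners:
            raise RuntimeError(f"{ip}:{port} already bound on {self.name}")
        self.listeners[(ip, port)] = task_id
        # What flows back to the master and the framework as NetworkInfo.
        return {"task": task_id, "agent": self.name, "ip": ip, "port": port, "group": group}


def host_port_mapping(tasks, port=PROBE_PORT):
    """The page 14 problem, for comparison: with port mapping through the host
    address only one task per agent can own host port 9000. Returns the task
    ids that would fail to launch."""
    used, failed = set(), []
    for task_id, agent in tasks:
        if (agent, port) in used:
            failed.append(task_id)
        else:
            used.add((agent, port))
    return failed


def run_demo(plan=PLAN):
    """Launch the plan and return the NetworkInfo list plus the reachability
    matrix each probe observes when it tries to reach every other probe."""
    ipam, isolator = Ipam("192.0.2.0/24"), Isolator()
    agents = {name: Agent(name, ipam, isolator) for name in {a for _, a, _ in plan}}
    infos = [agents[agent].launch(task, group, PROBE_PORT) for task, agent, group in plan]
    matrix = {(s["task"], d["task"]): isolator.allowed(s["ip"], d["ip"])
              for s in infos for d in infos if s is not d}
    return infos, matrix


if __name__ == "__main__":
    infos, matrix = run_demo()
    for info in infos:
        print(info)
    for (src, dst), ok in sorted(matrix.items()):
        print(f"{src} -> {dst}: {'reachable' if ok else 'blocked'}")
    print("would fail with host port mapping:", host_port_mapping([(t, a) for t, a, _ in PLAN]))
```

The reachability matrix has exactly four reachable ordered pairs, probe-1 with probe-2 and probe-3 with probe-4 in both directions, and no probe can reach the other group even when it shares an agent with it. Under host port mapping the same plan loses probe-3 and probe-4, one per agent, before isolation is even considered.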
Page 19
Demonstration (video)
Page 20
Where are we at today?

- Net-modules supported with the Mesos containerizer since Mesos 0.26
- IP per container
- IP Address Management (IPAM)
- DNS-based service discovery (Mesos-DNS)
- Network isolation
- Try it out – https://github.com/mesosphere/net-modules
  - Includes step-by-step instructions to repeat the demo
Page 21
Restrictions / Wish List

- Other frameworks (only Marathon supported today)
  - Community work ongoing to integrate Spark, Chronos, ...
- Docker daemon support via the same net-modules mechanism
  - The Docker daemon includes a different networking model, via the libnetwork API, but it is not well integrated with Mesos
- Tighter integration of fine-grained policy control
  - Today, fine-grained policy is "side loaded" via calicoctl
- One-step install via DCOS
- Support for the Container Network Interface (CNI) model (as used by Kubernetes)
Page 22
Summary