Secure Networking with Kubernetes, OpenStack, and Bare Metal
Transcript of the slide deck.

Page 1
Secure Networking with Kubernetes, OpenStack, and Bare Metal
Gregory Elkinbard, ONS Amsterdam, September 2018
Page 2
Agenda
● Brief Overview of Tungsten Fabric and Community
● New Security Model for TF 5.x
● TF OpenStack Integration
● TF Kube Integration
● Bare Metal Support
Page 3
Tungsten Fabric Overview
Page 4
MISSION
Build the world’s most ubiquitous, easy-to-use, scalable, secure, and cloud-grade SDN stack, providing a secure network fabric connecting all environments, all clouds, all people.
https://tungsten.io/
Page 5
CODE
• 2013-Today: >300 years of work
• 200-300 developer contributions
• ~100 active developers
• Languages: C++, Python, Node, Go
• Apache 2.0 license
• Part of the Linux Foundation Networking
• GitHub repositories
• Gerrit review processes
• Launchpad bug tracking and blueprints
• Other OSS used: Cassandra, Kafka, HAProxy, Docker, Keystone
Page 6
COMMUNITY
Page 7
Features
Page 8
Architecture Overview
Page 9
Tungsten Fabric as SDN Controller
RULE THEM ALL WITH ONE: automated, secure, open SDN Controller
CaaS & PaaS, VMs or Metal, Public & Private, IaaS
Page 10
Tungsten Fabric Single SDN for VMs & PODs
Figure: one Neutron/CNI SDN Controller, attached to Kubernetes through a CNI plugin and to OpenStack through a Neutron Plugin or ML2 Driver, serving multiple sites.
Basic Networking: L2/L3 network, IPAM/DHCP, DNS, Multi-Tenancy
Advanced Networking: VLAN-ID, VRRP, VIP, LB, Route Advertisement, GW Function, Service Chaining, Traffic Steering, Flow awareness, QoS, SR-IOV/DPDK, BGP-VPN, Inter-Site Federation, Health Checks, FW, IPsec/TLS Support
Page 11
Uniform Network and Security Policy
Tungsten Fabric network and security policies provide fine-grained traffic control, while abstracting away the underlay topology.
Consistent security and network functionality across VMs, containers and bare metal.
Figure: (1) an L4 Policy and (2) a Service Chain Policy applied between a Web Tier, an App Tier and a DB Tier built from VMs, containers and BMS, with FW and LB inserted by service chaining; the workloads run as VMs, nested containers and NFV functions on Tungsten Fabric compute nodes.
Page 12
Tungsten Fabric Deployment Model
Contrail 5.X (Containers): microservices (SDN Controller)
DaemonSet, Ingress Services with Host Networking, with a choice of running single or multiple containers per Pod
27-30 container images
● Delivered as microservices
○ Docker Containers
○ Host dependencies in privileged installer containers
● Common Installers
○ Helm
○ Ansible
○ Kolla
○ OpenStack Platform Director/TripleO
○ Mirantis MCP
○ Juju/Charms
○ OpenShift
● Latest Release on DockerHub
○ https://hub.docker.com/u/tungstenfabric/
Page 13
Tungsten Fabric Security
Page 14
Intent Based Security Policy
Objects at different levels can be tagged (Tags / Labels).
Tags can be defined at different levels:
▪ Global
▪ Project
▪ Network
▪ VM / Container / BMS
▪ Interface
Policies will finally be enforced at the interface level (Policy Enforcement).
Policy Example (policy tags combined through tag expressions):
allow web-traffic-group tier=web > tier=app match deployment && site
Page 15
CONSISTENT POLICY ENFORCEMENT
Tungsten Fabric provides a rich, consistent set of security policy capabilities across multiple platforms.
Figure: the same Web / App / db policy for App1 applied to Deployment = Dev, Staging and Prod, and likewise to Deployment = Dev-K8s, Dev-Mesos and Staging-BMS; enforced as vRouter Security Groups on virtualized hosts and as Network Policy (Device Manager) for Bare Metal Servers.
1. Simplified Manageability (change control, etc. is much easier)
2. Improved Scalability
3. Define / Review / Approve Once → Use Everywhere
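The two slides above describe the policy model in words: tags set at several levels, a rule written as a tag expression with a match clause, and the same rule enforced identically on a container, a VM and a bare-metal server. The following is an added example, not Tungsten Fabric code: a small evaluator for the rule shown on the slide (allow web-traffic-group tier=web > tier=app match deployment && site). Everything beyond the rule text itself is an assumption made for the illustration: the data model (one endpoint with a tag dictionary per level), the precedence that a more specific level overrides a less specific one, reading ">" as one-directional, and default-deny when no rule matches. The inventory is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Tag levels from least to most specific. Assumption for this model: when the
# same tag type is set at several levels, the most specific one wins, and the
# interface is where the resulting policy is enforced (as the slide states).
LEVELS = ("global", "project", "network", "workload", "interface")


@dataclass
class Endpoint:
    """A VM, container or bare-metal server interface with tags per level."""
    name: str
    kind: str                                   # "vm", "container" or "bms"
    tags: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def effective_tags(self) -> Dict[str, str]:
        merged: Dict[str, str] = {}
        for level in LEVELS:                    # later (more specific) levels override
            merged.update(self.tags.get(level, {}))
        return merged


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    name: str
    src: Dict[str, str]         # tag expression the source must satisfy
    dst: Dict[str, str]         # tag expression the destination must satisfy
    match: List[str]            # tag types that must be equal on both sides


def _parse_tag_expr(expr: str) -> Dict[str, str]:
    return dict(tok.split("=", 1) for tok in expr.split())


def parse_rule(text: str) -> Rule:
    """Parse the slide's rule syntax, e.g.
    'allow web-traffic-group tier=web > tier=app match deployment && site'.
    '>' is read as one-directional (source > destination), an assumption."""
    head, _, match_part = text.partition(" match ")
    action, name, expr = head.split(maxsplit=2)
    src_expr, dst_expr = (s.strip() for s in expr.split(">", 1))
    match = [m.strip() for m in match_part.split("&&") if m.strip()]
    return Rule(action, name, _parse_tag_expr(src_expr), _parse_tag_expr(dst_expr), match)


def rule_applies(rule: Rule, src: Endpoint, dst: Endpoint) -> bool:
    st, dt = src.effective_tags(), dst.effective_tags()
    if any(st.get(k) != v for k, v in rule.src.items()):
        return False
    if any(dt.get(k) != v for k, v in rule.dst.items()):
        return False
    # 'match' keeps deployments and sites apart: both sides must carry the
    # tag and the values must be identical (dev web may not reach prod app)
    return all(t in st and t in dt and st[t] == dt[t] for t in rule.match)


def decide(rules: List[Rule], src: Endpoint, dst: Endpoint) -> str:
    """First matching rule wins; no match means deny (assumed default)."""
    for rule in rules:
        if rule_applies(rule, src, dst):
            return rule.action
    return "deny"


def sample_inventory() -> Dict[str, Endpoint]:
    """Constructed inventory: deployment/site tagged at project level, tier at
    workload level, the same way on a container, a VM and a BMS."""
    def ep(name, kind, deployment, tier, site="ams", **extra_levels):
        tags = {"project": {"deployment": deployment, "site": site},
                "workload": {"tier": tier}}
        tags.update(extra_levels)
        return Endpoint(name, kind, tags)
    return {
        "web-dev":  ep("web-dev", "container", "dev", "web"),
        "app-dev":  ep("app-dev", "vm", "dev", "app"),
        "db-dev":   ep("db-dev", "vm", "dev", "db"),
        "app-bms":  ep("app-bms", "bms", "dev", "app"),
        "app-prod": ep("app-prod", "vm", "prod", "app"),
        # interface-level tag overrides the project-level deployment tag
        "web-odd":  ep("web-odd", "vm", "dev", "web", interface={"deployment": "prod"}),
    }


RULES = [parse_rule("allow web-traffic-group tier=web > tier=app match deployment && site")]

if __name__ == "__main__":
    inv = sample_inventory()
    for s, d in [("web-dev", "app-dev"), ("web-dev", "app-bms"), ("web-dev", "app-prod"),
                 ("app-dev", "web-dev"), ("web-dev", "db-dev"), ("web-odd", "app-dev")]:
        print(f"{s} -> {d}: {decide(RULES, inv[s], inv[d])}")
```

The point the evaluator makes visible: the workload kind never enters the decision, so the dev container reaching the dev BMS and the dev VM is one and the same rule; the match clause is what stops dev web from reaching prod app; and an interface-level tag that contradicts the project-level tag silently changes the outcome, which is why tag assignments at the more specific levels deserve the same review as the rules themselves.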
Page 16
Tungsten Fabric Bare Metal Support
Page 17
Bare Metal Integration
Page 18
Tungsten Fabric and OpenStack
Page 19
TF and OpenStack Integration
Page 20
Integration Details
● Neutron Plugin
○ Production Stable
○ New for TF 5.0: Direct Connect non-overlay mode
● ML2 Driver
○ Supports multi-SDN in OpenStack
○ Code is stable but not production tested
○ Lacks feature parity
Page 21
Tungsten Fabric Kubernetes Support
Page 22
Tungsten Fabric Integration with k8s
Figure: Compute Node-01 and Compute Node-02 each run Kubelet with the CNI Plugin, their Pods (POD 1/POD 2 and POD 3/POD 4) and a vRouter (replaces kube-proxy). The control plane, in namespace kube-system, consists of the API Server, Scheduler, Controller/Replication Manager and etcd, driven by kubectl (user commands), alongside Contrail-kube-mgr, the Contrail Controller, Discovery, Dashboard and Contrail Analytics.
* Contrail-kube-manager listens to the K8s API Server and conveys the API requests to the Contrail Controller.
Page 23
DIFFERENT LEVELS OF ISOLATION
Figure: Namespaces A through F, each with its services (S1/S2 through S11/S12) and Pods (POD 1 through POD 45).
DEFAULT CLUSTER MODE
▪ This is how Kubernetes networking works today
▪ Flat subnet where any workload can talk to any other workload
NAMESPACE ISOLATION
▪ In addition to the default cluster, the operator can add isolation to individual namespaces, transparent to the developer
POD / SERVICE ISOLATION
▪ In this mode, each Pod is isolated from the others
▪ Note that all three modes can co-exist
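The slide above lists the three isolation modes and the preceding one says that kube-manager watches the Kubernetes API and conveys what it sees to the controller. The following is an added example, not Tungsten Fabric or contrail-kube-manager code: a toy kube-manager that consumes a constructed stream of watch-style events and derives (a) which virtual networks the controller would have to create and (b) which pods can reach which under the three modes co-existing in one cluster. Assumptions: the namespace annotation key (taken from the Contrail Kubernetes documentation as the author recalls it; verify against your release), the network names, and that pod/service isolation is expressed as NetworkPolicy-style ingress rules that the SDN controller turns into vRouter policy. The events are constructed dicts, not real API objects.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Annotation that marks a namespace as isolated. Assumption: this is the key
# the Contrail Kubernetes documentation uses; check it against your release.
ISOLATION_ANNOTATION = "opencontrail.org/isolation"
CLUSTER_NETWORK = "cluster-network"      # assumed name of the flat default network


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class AllowRule:
    """Pod/service isolation written as a NetworkPolicy-style ingress rule
    (assumption: pod isolation is expressed through Kubernetes NetworkPolicy,
    which the SDN controller turns into vRouter policy). A rule selects the
    pods it protects; from_selector None means 'selected pods accept nothing'."""
    namespace: str
    pod_selector: Dict[str, str]
    from_selector: Optional[Dict[str, str]]


@dataclass
class ClusterState:
    isolated_ns: Set[str] = field(default_factory=set)
    pods: Dict[str, Pod] = field(default_factory=dict)
    rules: List[AllowRule] = field(default_factory=list)
    virtual_networks: List[str] = field(default_factory=lambda: [CLUSTER_NETWORK])

    def network_of(self, pod: Pod) -> str:
        if pod.namespace in self.isolated_ns:
            return f"{pod.namespace}-network"    # per-namespace virtual network
        return CLUSTER_NETWORK


def _selects(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())   # {} selects all


def process_events(events: List[dict]) -> ClusterState:
    """Consume watch-style events (constructed dicts, not real API objects) the
    way a kube-manager would, deriving the networks the controller must create."""
    state = ClusterState()
    for ev in events:
        if ev["type"] != "ADDED":
            continue
        if ev["kind"] == "Namespace":
            if ev.get("annotations", {}).get(ISOLATION_ANNOTATION) == "true":
                state.isolated_ns.add(ev["name"])
                state.virtual_networks.append(f'{ev["name"]}-network')
        elif ev["kind"] == "Pod":
            state.pods[ev["name"]] = Pod(ev["name"], ev["namespace"], ev.get("labels", {}))
        elif ev["kind"] == "NetworkPolicy":
            state.rules.append(AllowRule(ev["namespace"], ev["podSelector"], ev.get("from")))
    return state


def reachable(state: ClusterState, src_name: str, dst_name: str) -> bool:
    src, dst = state.pods[src_name], state.pods[dst_name]
    # 1. namespace isolation: different virtual networks, no route between them
    if state.network_of(src) != state.network_of(dst):
        return False
    # 2. pod/service isolation: a pod selected by any policy is default-deny and
    #    only accepts traffic that an explicit same-namespace rule allows
    selecting = [r for r in state.rules
                 if r.namespace == dst.namespace and _selects(r.pod_selector, dst.labels)]
    if selecting:
        return any(r.from_selector is not None and src.namespace == r.namespace
                   and _selects(r.from_selector, src.labels) for r in selecting)
    # 3. default cluster mode: flat subnet, any workload can talk to any other
    return True


def open_pairs(state: ClusterState) -> int:
    """Count ordered (src, dst) pairs that can talk; a quick exposure metric."""
    names = list(state.pods)
    return sum(reachable(state, s, d) for s in names for d in names if s != d)


# Constructed watch stream: a default namespace 'shop', an isolated namespace
# 'payments', a default namespace 'dev', and one policy guarding shop's db pod.
SAMPLE_EVENTS = [
    {"type": "ADDED", "kind": "Namespace", "name": "shop"},
    {"type": "ADDED", "kind": "Namespace", "name": "payments",
     "annotations": {ISOLATION_ANNOTATION: "true"}},
    {"type": "ADDED", "kind": "Namespace", "name": "dev"},
    {"type": "ADDED", "kind": "Pod", "name": "web", "namespace": "shop", "labels": {"app": "web"}},
    {"type": "ADDED", "kind": "Pod", "name": "app", "namespace": "shop", "labels": {"app": "app"}},
    {"type": "ADDED", "kind": "Pod", "name": "db", "namespace": "shop", "labels": {"app": "db"}},
    {"type": "ADDED", "kind": "Pod", "name": "ledger", "namespace": "payments", "labels": {"app": "ledger"}},
    {"type": "ADDED", "kind": "Pod", "name": "tester", "namespace": "dev", "labels": {"app": "test"}},
    {"type": "ADDED", "kind": "NetworkPolicy", "namespace": "shop",
     "podSelector": {"app": "db"}, "from": {"app": "app"}},
]

if __name__ == "__main__":
    st = process_events(SAMPLE_EVENTS)
    print("virtual networks:", st.virtual_networks)
    for s, d in [("tester", "web"), ("web", "ledger"), ("app", "db"), ("web", "db")]:
        print(f"{s} -> {d}: {reachable(st, s, d)}")
    print("open ordered pairs:", open_pairs(st))
```

Run against the constructed stream, the model shows the three modes side by side: the dev tester pod reaches the shop web pod because both namespaces are in the flat default mode, nothing reaches the ledger pod from outside its isolated namespace, and inside shop only the app pod reaches db while web is refused. The pair count is the number a practitioner should watch: every namespace left in default mode adds its pods to the flat set, and the pod-level rules only shrink it for the pods a policy actually selects.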
Page 24
Getting Started with Tungsten Fabric
Page 25
Getting Started
https://tungsten.io/start/
Carbide SandBox for Amazon AWS
● https://tungstenfabric.github.io/website/Tungsten-Fabric-15-minute-deployment-with-k8s-on-AWS.html
● Quick Kube Testbed for public clouds
On-prem with OpenStack
● https://github.com/Juniper/contrail-ansible-deployer/blob/master/README.md
● Easy TF/OpenStack Deployment and Integration
Page 26
Join the Community
Help Drive the Future