Network Security for Containerized Applications
Veer Muchandi, Chief Architect - Container Solutions, NA Commercial, @VeerMuchandi
Slide deck dated 2019. 6. 20.
TRANSCRIPT
Agenda
- Kubernetes and SDN choices
- OpenShift and OpenShift SDN
- Typical network security questions on an enterprise cluster:
  - Restricting traffic across tiers
  - Handling network zones and isolation
  - Securing egress
  - Securing ingress
  - Securing communications between nodes
  - Application network security
Kubernetes is a clear winner in the world of container orchestration and management.
WHAT DOES IT TAKE TO MAKE K8S ENTERPRISE READY?
How do I support my K8S cluster: version upgrades, fixes and patches, and so on?
You'll need a lot more on your cluster than Kubernetes itself.
K8S REQUIRES A SECURE ENTERPRISE GRADE LINUX CONTAINER HOST
Stack: Red Hat Enterprise Linux or Red Hat CoreOS, with Kubernetes on top.
K8S CLUSTER REQUIRES NETWORKING AND STORAGE SOLUTIONS
Stack: Red Hat Enterprise Linux or Red Hat CoreOS; Kubernetes (CNI, CSI); Software Defined Network, Storage Solution.
#SecuritySymposium
Software Defined Network Choices
For the network solution, K8S uses CNI.
Choices shown on the slide:
- OpenShift SDN (OVS)
- OpenShift SDN (OVN*)
- Kubernetes CNI plugins: Flannel**, Nuage, Tigera Calico & CNX, Juniper Contrail, Cisco Contiv & Contiv-ACI, Big Switch, VMware NSX-T, kuryr-kubernetes, OpenDaylight (CNI & Kuryr), RH-OSP Neutron Plugin
(The * and ** footnotes are given on the OpenShift network plugins slide below.)
K8S CLUSTER REQUIRES LIFECYCLE MGMT FOR DEVELOPERS AND OPERATORS
Stack: Red Hat Enterprise Linux or Red Hat CoreOS; Kubernetes (CNI, CSI); Software Defined Network, Storage; Developer Console, Operations Console, Lifecycle Mgmt, Automated Operations.
YOU'LL NEED CONTAINER REGISTRY, LOGGING, METRICS, CHARGEBACK CAPABILITIES
Adds to the stack: Cluster Services (Registry, Logging, Metrics, Chargeback).
YOU'LL NEED TO STANDARDIZE ON MIDDLEWARE, A SERVICE CATALOG, AND MICROSERVICE MGMT
Adds to the stack: Application Services (Middleware Images, Service Catalog, Service Mesh*, Service Broker). *coming soon
DEVELOPERS NEED IDEs, BUILD MGMT, CI/CD, DEBUGGING FEATURES AND MORE..
Adds to the stack: Developer Services (Developer Tools, CI/CD, IDE Automation).
THIS MAKES A REFERENCE ARCHITECTURE FOR ENTERPRISE KUBERNETES, aka OPENSHIFT
- Red Hat Enterprise Linux or Red Hat CoreOS
- Kubernetes (CNI, CSI)
- OpenShift SDN, Red Hat OCS (add on)
- Developer Console, Operations Console, Lifecycle Mgmt, Automated Operations*
- Cluster Services: Metrics, Registry, Logging, Chargeback
- Application Services: Middleware Images, Service Catalog, Service Mesh*, Service Broker
- Developer Services: Developer Tools, CI/CD, IDE Automation
(* coming soon)
OPENSHIFT NETWORK PLUGINS
- OpenShift SDN (OVS): DEFAULT
- OpenShift SDN (OVN*)
- Kubernetes CNI plugins, marked on the slide as Fully Supported, Validated or In-Progress: Flannel**, Nuage, Tigera Calico & CNX, Juniper Contrail, Cisco Contiv & Contiv-ACI, Big Switch, VMware NSX-T, kuryr-kubernetes, OpenDaylight (CNI & Kuryr), RH-OSP Neutron Plugin
* Coming as default in OCP 4.1
** Flannel is minimally verified and is supported only and exactly as deployed in the OpenShift on OpenStack reference architecture
Typical Network Questions
1. Restricting traffic across tiers
Traffic Restrictions Across Application Tiers
(Diagram: application tiers with the allowed connections and the disallowed connections marked.)
How can we restrict traffic across application tiers?
Network Policy Objects Enable Microsegmentation
- Allow configuring individual policies at the pod level
- Apply to ingress traffic to pods, selected by label; traffic sent to a Service is policed where it lands, at the backing pods
- Allow restricting traffic between the pods within a project/namespace
- Allow traffic to specific pods from other projects/namespaces
Network Policy Objects
(Diagram: PROJECT A and PROJECT B with four pods each; check marks show the allowed flows, with the ports 8080 and 5432 labelled.)
Example policies:
● Allow all traffic inside the project
● Allow traffic from green to gray
● Allow traffic to purple on 8080

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-purple-on-8080
spec:
  podSelector:
    matchLabels:
      color: purple
  ingress:
  - ports:
    - protocol: TCP
      port: 8080

Note that this rule lists ports but no from entry: any source that can reach the pod network, from this project, another project or outside the cluster, may connect to purple on 8080. Add a from block to limit the callers. The protocol value is case-sensitive and must be TCP or UDP.
Example
Video: https://blog.openshift.com/network-policy-objects-action/
Hack

Network Policy Objects to the Rescue
Allow the MySQL DB connection from the Email Service only:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-3306
spec:
  podSelector:
    matchLabels:
      app: mysql
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: emailsvc
    ports:
    - protocol: TCP
      port: 3306

Two points to check when writing this: a podSelector peer without a namespaceSelector only matches pods in the policy's own project, so a pod labelled app=emailsvc in another project is still blocked; and this policy isolates only the pods labelled app=mysql, so every other pod in the project stays open until a default-deny policy is added as well.
Start with Default Deny: a policy whose podSelector is empty selects every pod in the project and lists no ingress rules, so all ingress traffic to any pod is rejected.
Then add Network Policies to allow specific incoming traffic. Policies are additive: each one only opens traffic and none can deny, so the default-deny policy stays in place as the floor.
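How these policies actually evaluate is easy to get wrong, so here is the ingress side of the NetworkPolicy model worked through in Python, covering the default-deny floor from the two slides above, the allow-3306 policy, the allow-to-purple-on-8080 policy, and the cross-namespace case from the microsegmentation slide. This is an added example, not code from the talk or from OpenShift. The policies are the slide manifests rewritten as Python dicts with the same keys as the YAML; the namespace names and labels (shop, monitoring, other), the pods, and the allow-mysql-metrics policy are constructed for the demo. Only ingress is modelled: podSelector and namespaceSelector peers and TCP/UDP ports, no ipBlock or egress rules, and policyTypes is assumed to include Ingress.

```python
# Added example: Kubernetes NetworkPolicy ingress semantics, modelled in Python.
# Not code from the talk or from OpenShift. Policies mirror the slide YAML as
# dicts; the namespaces, pods and allow-mysql-metrics policy are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must match; {} matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def policy_selects(policy, pod):
    """A policy only ever selects pods in its own namespace."""
    return (policy["metadata"]["namespace"] == pod.namespace
            and selector_matches(policy["spec"].get("podSelector"), pod.labels))

def peer_matches(peer, src, policy_namespace, namespace_labels):
    """One 'from' entry: a podSelector alone is scoped to the policy's namespace,
    a namespaceSelector is matched against the source namespace's labels."""
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        if src.namespace != policy_namespace:
            return False
    elif not selector_matches(ns_sel, namespace_labels.get(src.namespace, {})):
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or selector_matches(pod_sel, src.labels)

def port_matches(ports, protocol, port):
    """No 'ports' list means any port; protocol defaults to TCP."""
    return not ports or any(p.get("protocol", "TCP") == protocol
                            and p.get("port") in (None, port) for p in ports)

def ingress_allowed(policies, namespace_labels, src, dst, port, protocol="TCP"):
    """A pod selected by no policy is non-isolated and accepts everything. Once any
    policy selects it, the flow must match an ingress rule of a selecting policy.
    Rules only add allows, so a policy with no rules (default deny) is the floor."""
    selecting = [p for p in policies if policy_selects(p, dst)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            if not port_matches(rule.get("ports"), protocol, port):
                continue
            peers = rule.get("from")
            if not peers:  # no 'from': any source, inside or outside the cluster
                return True
            if any(peer_matches(p, src, dst.namespace, namespace_labels) for p in peers):
                return True
    return False

# Slide manifests as dicts (apiVersion/kind omitted); namespace "shop" is constructed.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "shop"},
                "spec": {"podSelector": {}}}  # selects every pod, allows nothing
ALLOW_3306 = {"metadata": {"name": "allow-3306", "namespace": "shop"},
              "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
                       "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "emailsvc"}}}],
                                    "ports": [{"protocol": "TCP", "port": 3306}]}]}}
ALLOW_PURPLE_8080 = {"metadata": {"name": "allow-to-purple-on-8080", "namespace": "shop"},
                     "spec": {"podSelector": {"matchLabels": {"color": "purple"}},
                              "ingress": [{"ports": [{"protocol": "TCP", "port": 8080}]}]}}
# Constructed: a monitoring namespace may scrape the MySQL exporter port.
ALLOW_MYSQL_METRICS = {"metadata": {"name": "allow-mysql-metrics", "namespace": "shop"},
                       "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
                                "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "monitoring"}}}],
                                             "ports": [{"protocol": "TCP", "port": 9104}]}]}}
POLICIES = [DEFAULT_DENY, ALLOW_3306, ALLOW_PURPLE_8080, ALLOW_MYSQL_METRICS]
NAMESPACE_LABELS = {"shop": {"team": "shop"}, "monitoring": {"team": "monitoring"},
                    "other": {"team": "other"}}  # constructed namespace labels

MYSQL = Pod("mysql-0", "shop", {"app": "mysql"})
EMAIL = Pod("emailsvc-1", "shop", {"app": "emailsvc"})
WEB = Pod("web-1", "shop", {"app": "web"})
PURPLE = Pod("purple-1", "shop", {"color": "purple"})
PROM = Pod("prometheus-0", "monitoring", {"app": "prometheus"})
INTRUDER = Pod("hack-1", "other", {"app": "emailsvc"})  # right label, wrong namespace
LONELY = Pod("lonely-1", "other", {"app": "web"})        # namespace with no policies

def demo():
    """Evaluate the constructed flows; keys read source->destination:port."""
    flows = {
        "email->mysql:3306": (EMAIL, MYSQL, 3306),
        "web->mysql:3306": (WEB, MYSQL, 3306),
        "email->mysql:3307": (EMAIL, MYSQL, 3307),
        "intruder->mysql:3306": (INTRUDER, MYSQL, 3306),
        "prom->mysql:9104": (PROM, MYSQL, 9104),
        "intruder->purple:8080": (INTRUDER, PURPLE, 8080),
        "web->lonely:22": (WEB, LONELY, 22),
    }
    return {k: ingress_allowed(POLICIES, NAMESPACE_LABELS, s, d, p)
            for k, (s, d, p) in flows.items()}
```

Run demo() to see the decisions. Two results are the ones worth remembering: the pod labelled app=emailsvc in another namespace is still denied, because a podSelector peer without a namespaceSelector only matches the policy's own namespace, and the pod in a namespace with no policies at all accepts everything, which is why the default-deny policy has to be created in every project before anything is allowed.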
2. Isolating zones
Traditional zoned network:
- External traffic is allowed to touch the DMZ
- Network zones are separated by firewalls
- Holes are punched in the firewalls to allow specific traffic from the DMZ to the Application Zone, and from the Application Zone to the Data Zone
How do I set up K8S/OpenShift here?
Option 1: OpenShift cluster per Zone
- Useful to demonstrate compliance with security standards and regulations
- Additional actions are needed to protect the master APIs, and other URLs in the DMZ cluster that are not supposed to be exposed to the Internet
- Cost of maintenance is high
Option 2: OpenShift Cluster covering Multiple Zones
- Application pods run on one cluster, microsegmented with network security policies.
- Infra nodes in each zone run the ingress and egress pods for that zone.
- If required, physical isolation of pods to specific nodes is possible with node selectors, but that defeats the purpose of a shared cluster. Microsegmentation with the SDN is the way to go.
Pinning pods to zone nodes does not by itself stop pod-to-pod traffic across zones: the overlay still connects every node, so network policy is needed either way.
3. Securing Egress
Connecting via External Service
An application connecting to an external system talks to a Service with no pod selector, whose Endpoints object is set to the destination IP and port, or to an ExternalName Service carrying the fully qualified domain name (FQDN) of the external system and the port.
But what if we have a firewall in front of the external system that allows only specific source IPs? Pod traffic leaves the node NATed to the node's own address, so the firewall sees whichever node the pod happened to be scheduled on.
Connecting via Egress Router
The egress router pod gets a dedicated, preallocated source IP on its own macvlan interface and forwards the pods' traffic to the external system from that IP, so the external firewall only has to allow that one address.
Static IP for all traffic from a Project
An egress IP assigned to the project (its NetNamespace) and hosted on a node (its HostSubnet) becomes the source address of all traffic leaving the cluster from that project's pods, with no egress router pod to run.
High availability scenario: more than one egress IP, hosted on different nodes, so the project keeps a predictable source IP when a node fails.
Egress Firewall to Limit Access
A cluster admin can limit the external addresses accessed by some or all pods from within the cluster. Examples:
- A pod can talk to hosts outside the OpenShift cluster but cannot connect to the public internet
- A pod can talk to the public internet but cannot connect to hosts outside the OpenShift cluster
- A pod cannot reach specific subnets/hosts
The rules in an egress firewall policy are evaluated in order and the first match decides, so the broad deny (for example 0.0.0.0/0) goes last; traffic that matches no rule is allowed.
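An egress firewall's rules are ordered, which the three examples above leave implicit, so here is the first-match evaluation written out in Python with the slide's scenarios as policies and one misordered policy to show what goes wrong. This is an added example, not code from the talk or from OpenShift. The 192.168.0.0/16 range standing for hosts outside the cluster, the partner DNS name and its address table, and the destination IPs are constructed for the demo; the rule shape (type Allow or Deny, to.cidrSelector or to.dnsName) follows the EgressNetworkPolicy object.

```python
# Added example: OpenShift EgressNetworkPolicy rule evaluation in plain Python.
# Not from the talk or from OpenShift. The policies encode the slide's three
# scenarios; 192.168.0.0/16 as "our hosts outside the cluster", the DNS table
# and the destination addresses are constructed for the demo.
import ipaddress

# Constructed stand-in for the node's DNS resolution that dnsName rules rely on.
DNS_TABLE = {"api.partner.example": ["203.0.113.10", "203.0.113.11"]}

def resolve(name):
    return DNS_TABLE.get(name, [])

def egress_decision(policy, dst_ip, resolver=resolve):
    """Return (allowed, index_of_deciding_rule).

    Rules are evaluated in the order listed under spec.egress and the first rule
    whose 'to' matches decides. If nothing matches the traffic is allowed, so a
    policy meant to block everything else needs a trailing Deny 0.0.0.0/0.
    dnsName rules match the addresses the node resolves the name to; a pod that
    connects to some other address for that name is not covered by them.
    """
    ip = ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(policy["spec"]["egress"]):
        to = rule["to"]
        if "cidrSelector" in to:
            hit = ip in ipaddress.ip_network(to["cidrSelector"], strict=False)
        else:
            hit = any(ip == ipaddress.ip_address(a) for a in resolver(to["dnsName"]))
        if hit:
            return rule["type"] == "Allow", i
    return True, None

def allow(cidr=None, dns=None):
    return {"type": "Allow", "to": {"cidrSelector": cidr} if cidr else {"dnsName": dns}}

def deny(cidr=None, dns=None):
    return {"type": "Deny", "to": {"cidrSelector": cidr} if cidr else {"dnsName": dns}}

CORP = "192.168.0.0/16"  # constructed: hosts outside the cluster that we own

# Slide scenario 1: hosts outside the cluster yes, public internet no
HOSTS_ONLY = {"metadata": {"name": "hosts-only", "namespace": "shop"},
              "spec": {"egress": [allow(CORP), allow(dns="api.partner.example"),
                                  deny("0.0.0.0/0")]}}
# Slide scenario 2: public internet yes, our hosts no
INTERNET_ONLY = {"metadata": {"name": "internet-only", "namespace": "shop"},
                 "spec": {"egress": [deny(CORP), allow("0.0.0.0/0")]}}
# Slide scenario 3: everything except a specific subnet and a specific host
BLOCK_SOME = {"metadata": {"name": "block-some", "namespace": "shop"},
              "spec": {"egress": [deny("192.168.5.0/24"), deny("198.51.100.7/32")]}}
# Misordered: the broad deny comes first and shadows the allow after it
SHADOWED = {"metadata": {"name": "shadowed", "namespace": "shop"},
            "spec": {"egress": [deny("0.0.0.0/0"), allow(CORP)]}}

def demo():
    """Decisions for constructed destinations under each policy."""
    cases = {
        "hosts-only corp": (HOSTS_ONLY, "192.168.7.20"),
        "hosts-only partner-dns": (HOSTS_ONLY, "203.0.113.11"),
        "hosts-only internet": (HOSTS_ONLY, "8.8.8.8"),
        "internet-only corp": (INTERNET_ONLY, "192.168.7.20"),
        "internet-only internet": (INTERNET_ONLY, "8.8.8.8"),
        "block-some blocked-host": (BLOCK_SOME, "198.51.100.7"),
        "block-some other": (BLOCK_SOME, "198.51.100.8"),
        "shadowed corp": (SHADOWED, "192.168.7.20"),
    }
    return {k: egress_decision(p, ip)[0] for k, (p, ip) in cases.items()}
```

The egress firewall governs traffic leaving the cluster network; pod-to-pod and Service traffic inside the cluster is NetworkPolicy's job. A project carries a single EgressNetworkPolicy object, so all of its rules live in one ordered list, and the SHADOWED policy shows why the order of that list is the first thing to review.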
4. Securing Ingress
OpenShift Router as Ingress
Can I restrict access to a route?
Route Specific IP Whitelists
- Restrict access to a route to selected IP address(es)
- Annotate the route with the whitelisted/allowed IP addresses (a space-separated list of IPs and/or CIDRs)
- Connections from any other IPs are blocked by the router (HAProxy)

metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11

The check uses the source address the router sees. If a load balancer in front of the router rewrites the source, the whitelist would match the load balancer rather than the client, so the real client address has to be preserved (for example with the PROXY protocol) for the annotation to mean anything.
What about ingress traffic on ports that are not 80 or 443?
Using NodePort as Ingress to Service
- Binds the service to a unique port on every node in the cluster
- The port is allocated from the range 30000-32767, either automatically or by requesting a specific port in that range
- All nodes act as an ingress point on the assigned port: connect to any node's IP on that port
- Every node in the cluster redirects traffic to the service endpoints, even if a corresponding pod is not running on that node
- Firewall rules must not prevent nodes from listening on these ports
Every exposed service uses up a port on all the nodes in a cluster. Are there alternatives?
Assigning an External IP to a Service as Ingress
- Admin defines an ExternalIP address range and assigns these extra IPs to nodes.
- OpenShift assigns both an internal IP and an external IP to a service, or a specific external IP can be chosen.
- The node to which the ExternalIP is assigned acts as the ingress point to the service.
- The ExternalIP can be a VIP. You can set up ipfailover to reassign the VIP to other nodes; ipfailover runs as a privileged pod and handles the VIP assignment.
5. Securing communications between nodes
Secured Communications between Hosts
Secures cluster communications with IPsec
● Encryption between all master and node hosts (L3), which also covers the VXLAN overlay traffic carrying pod-to-pod packets between nodes
● Uses the OpenShift CA and existing certificates
● Simple setup via policy definition
  ○ Groups (e.g. subnets)
  ○ Individual hosts
6. Security at Application Level
SSL at Ingress (with OpenShift Routes)
- Edge termination: TLS terminates at the router; traffic from the router to the pod travels in plaintext on the cluster network
- Passthrough termination: the router passes the encrypted stream through untouched; the pod terminates TLS with its own certificate
- Reencrypt: the router terminates TLS, then opens a new TLS connection to the pod, validated against a destination CA certificate
Layer 7 Application Security (Partner Solutions)
- Application specific monitoring of East-West container traffic
- Web Application Firewalls
- Granular traffic control, packet inspection
- Denial of service, ransomware and virus detection and mitigation
- Runtime security, forensics, incident capture, audits, alerts
- Container runtime monitoring
7. (Tech Preview) Application network security with Istio
Istio Concepts - Sidecar Proxy
- Intercepts all network communication between microservices
- Encapsulates the service infrastructure code
- Application code (business logic) is unaware of the sidecar proxy
- Examples: Linkerd, Envoy
Istio Concepts - Service Mesh
- A network of microservices
- A service mesh is a dedicated infrastructure layer to handle service-to-service communication
- Typically implemented as an array of lightweight network proxies deployed alongside application code
- The interconnected proxies form a mesh network
Istio Service Mesh on OpenShift
Connect, manage, and secure microservices, transparently
● Intelligent routing
● Load balancing
● Service resilience
● Telemetry and reporting
● Policy enforcement
● Content based filtering (Layer 7)
● mTLS between services
● East-West traffic control
Application Traffic Encryption with Istio Auth (Future)
- Uses the service account as identity, in SPIFFE ID format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>
- Mutual TLS between sidecars
- Istio CA:
  - generates a key and certificate pair carrying the SPIFFE ID for each service account
  - distributes the key and certificate pairs
  - rotates keys and certificates periodically
  - revokes a key and certificate when needed
Questions?
THANK YOU
OpenShift SDN Overview
OpenShift Networking
Software Defined Networking (SDN) for pod-to-pod communication
- Configures an overlay network using Open vSwitch (OVS)
- Three types of plugins:
  - ovs-subnet: flat network, every pod can talk to every other pod
  - ovs-multitenant: project level isolation for pod-to-pod communication; unique VNID per project; you can join projects to give them the same VNID; the 'default' project (VNID 0) is privileged and can communicate with pods in every project, and they with it
  - ovs-networkpolicy: fine-grained isolation using network policy objects
OpenShift Installation Defaults
- Cluster network CIDR: 10.128.0.0/14. That leaves 32-14 = 18 host bits, i.e. the address range 10.128.0.0 - 10.131.255.255.
- Host subnet length: 9 bits, so each node gets a /23 (32-9 = 23) with 512 addresses, a few of which the SDN reserves (network address, tun0 gateway, broadcast).
- That leaves 18-9 = 9 bits for nodes, i.e. 2^9 = 512 subnets that can be assigned to nodes: 10.128.0.0/23, 10.128.2.0/23, ... 10.131.254.0/23.
- Master portal net (services): 172.30.0.0/16
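The arithmetic on this slide decides how many nodes the cluster can ever have and how many pods each node can host, so here it is as a small planner built on Python's ipaddress module, together with the reverse lookup from a pod IP to the node subnet it was allocated from. This is an added example, not code from the talk or from OpenShift; the inputs are the slide's default values and the sample pod addresses are constructed.

```python
# Added example: the address plan behind the OpenShift SDN installation defaults,
# computed with the standard library. Not from the talk or from OpenShift; the
# defaults are the slide's values and the sample pod IPs are constructed.
import ipaddress

def plan_cluster_network(cluster_cidr="10.128.0.0/14", host_subnet_length=9,
                         service_cidr="172.30.0.0/16"):
    """Split the cluster network into per-node subnets the way the SDN master does.

    host_subnet_length is the number of host bits each node keeps, so a node
    gets a /(32 - host_subnet_length); the bits left between the cluster prefix
    and the node prefix count the nodes the cluster can ever hold.
    """
    cluster = ipaddress.ip_network(cluster_cidr)
    services = ipaddress.ip_network(service_cidr)
    node_prefix = cluster.max_prefixlen - host_subnet_length
    if node_prefix <= cluster.prefixlen:
        raise ValueError("host subnet length leaves no bits for node subnets")
    node_subnets = list(cluster.subnets(new_prefix=node_prefix))
    return {
        "node_prefix": node_prefix,
        "max_nodes": len(node_subnets),  # 2 ** (node_prefix - cluster.prefixlen)
        # a few of these (network, tun0 gateway, broadcast) are not usable by pods
        "addresses_per_node": node_subnets[0].num_addresses,
        "first_subnet": str(node_subnets[0]),
        "last_subnet": str(node_subnets[-1]),
        # the service range must not overlap the pod range or the SDN misroutes
        "services_overlap_pods": cluster.overlaps(services),
    }

def node_subnet_for(pod_ip, cluster_cidr="10.128.0.0/14", host_subnet_length=9):
    """Map a pod IP back to the node subnet it came from: the lookup the SDN does
    against its node registry when it programs the vxlan0 flows for that subnet."""
    ip = ipaddress.ip_address(pod_ip)
    cluster = ipaddress.ip_network(cluster_cidr)
    if ip not in cluster:
        return None
    node_prefix = cluster.max_prefixlen - host_subnet_length
    return str(ipaddress.ip_network((str(ip), node_prefix), strict=False))
```

Changing the host subnet length trades nodes for pods per node on the same /14: 8 host bits gives 1024 nodes with a /24 each, 9 gives the slide's 512 nodes with a /23 each. The overlap flag is there because the service range and the cluster range are set independently at install time and a collision between them is only noticed once traffic disappears.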
OpenShift SDN manages a Node Registry
- On node creation, the SDN registers the host with the SDN master
- The master allocates a subnet to the node
- Node creation: the allocated subnet is added to the node registry
- Node deletion: the subnet is removed from the node registry
OpenShift SDN configures network devices on each Node
- br0: pod containers are attached to this OVS bridge device; the non-subnet-specific flow rules live on br0
- tun0: for external network access via NAT; it is assigned the cluster subnet gateway address, and netfilter and routing rules are configured for it
- vxlan0: access to other nodes; the OVS VXLAN device
When an additional node is added, every node:
- watches the subnet updates from the master
- adds OpenFlow rules on br0 so that traffic to the newly added subnet goes to vxlan0
OpenShift SDN Pod Creation
- Assigns an available IP address from the node's cluster subnet to the pod
- Attaches the host side of the pod's veth interface pair to br0
- Adds OpenFlow rules to the OVS DB to route traffic addressed to the new pod to the correct OVS port
- For ovs-multitenant, adds OpenFlow rules to tag the pod's outgoing traffic with its VNID and to allow traffic to the pod only when the VNID matches
Pod to Pod Traffic - Both pods on the same Node
Flow of traffic:
eth0 (in A's netns) - vethA - br0 - vethB - eth0 (in B's netns)
* The host-side peer of container A's veth pair is called vethA here, and container B's vethB
Pod to Pod Traffic - Pods on two different Nodes
Flow of traffic:
eth0 (in A's netns) - vethA - br0 - vxlan0 - network - vxlan0 - br0 - vethB - eth0 (in B's netns)
* The host-side peer of container A's veth pair is called vethA here, and container B's vethB
The VXLAN leg between the nodes is plain UDP encapsulation: the pod traffic inside it is readable on the wire unless host-to-host IPsec (section 5) is enabled or the application uses TLS.
![Page 62: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/62.jpg)
Pod to External Systems outside OpenShift
Flow of traffic
eth0 (in A's netns) - vethA - br0 - tun0 - (NAT) - eth0 (physical device) - Internet
![Page 63: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/63.jpg)
Kubernetes/OpenShift Core Concepts
![Page 64: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/64.jpg)
OpenShift/K8s runs containers in Pods. A Pod is a wrapper around the container(s).
Each pod gets an IP address (10.0.0.1 in the diagram). A container adopts its Pod's IP.
Pods
![Page 65: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/65.jpg)
Some pods may have more than one container.. that's a special case though!!
(diagram: pods at 10.1.0.2 and 10.0.0.1)
All the containers in a pod die along with the pod.
Usually these containers are dependent, like a master and slave or a side-car pattern, and they have a very tight, married relationship.
Containers in Pods
![Page 66: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/66.jpg)
When you scale up your application, you are scaling up pods.
Each Pod has its own IP (diagram: 10.1.0.1, 10.0.0.4, 10.0.0.1).
Pod Scaling
![Page 67: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/67.jpg)
Nodes are the application hosts that make up an OpenShift/K8s cluster. They run docker and OpenShift. The Master controls where the pods are deployed on the nodes, and ensures cluster health.
Nodes
![Page 68: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/68.jpg)
When you scale up, pods are distributed across nodes following scheduler policies defined by the administrator. So even if a node fails, the application is still available.
High Availability
![Page 69: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/69.jpg)
Not just that: if a pod dies for some reason, another pod will come up in its place.
Health Management
![Page 70: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/70.jpg)
Pods can be front-ended by a Service. A Service is a proxy.. every node knows about it, and the Service gets an IP.
A Service knows which pods to front-end based on their labels.
Flexibility of architecture with Openshift/ K8S Services
![Page 71: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/71.jpg)
Clients can talk to the Service. The Service redirects the requests to the pods.
The Service also gets a DNS name.
A client can discover the Service… built-in service discovery!!
Built-in Service Discovery
![Page 72: Applications Network Security for Containerized · 2019. 6. 20. · DEBUGGING FEATURES AND MORE.. Software Defined Network, Storage Developer Console, Operations Console, Lifecycle](https://reader035.vdocuments.site/reader035/viewer/2022071607/6144de7a34130627ed50a030/html5/thumbnails/72.jpg)
Accessing your Application
When you want to expose a Service externally, e.g. for access via a browser using a URL, you create a "Route".
The Route gets added to an HAProxy LB (the OpenShift router).
You can configure your F5 as the LB as well.
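The two slides above (a Service selecting pods by label, a Route exposing it through the HAProxy router) are easiest to see as manifests. The following is an added example written for this page, not code from the slides or from OpenShift itself: shell helpers that render a ClusterIP Service and a TLS Route. The field names are the standard Kubernetes Service and OpenShift `route.openshift.io/v1` Route schema; the `web` application name, the `app` label and port 8080 are made up for illustration. The Route helper refuses to render a plain-HTTP route, since an externally reachable Route without TLS is the setting a reviewer would flag first.

```shell
#!/bin/sh
# Added example (not from the slides): render a Service and a TLS Route for `oc apply`.
# Names, labels and ports are illustrative; the schemas are the standard Kubernetes
# Service and OpenShift route.openshift.io/v1 Route.

# render_service NAME APP_LABEL PORT: ClusterIP Service that front-ends every pod
# carrying the label app=APP_LABEL (this is how the Service "knows which pods to frontend")
render_service() {
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $1
spec:
  selector:
    app: $2
  ports:
  - name: http
    port: $3
    targetPort: $3
EOF
}

# render_route NAME SERVICE TERMINATION: Route that the HAProxy router picks up.
# TERMINATION must be edge, passthrough or reencrypt; an empty or unknown value
# (which would yield a plain-HTTP route) is rejected with a non-zero exit status.
render_route() {
    case "$3" in
        edge|passthrough|reencrypt) ;;
        *) echo "render_route: TLS termination must be edge, passthrough or reencrypt" >&2
           return 1 ;;
    esac
    cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: $1
spec:
  to:
    kind: Service
    name: $2
  port:
    targetPort: http
  tls:
    termination: $3
    insecureEdgeTerminationPolicy: Redirect
EOF
}

# On a cluster (illustrative):
#   render_service web web 8080 | oc apply -f -
#   render_route   web web edge | oc apply -f -
```

`insecureEdgeTerminationPolicy: Redirect` makes the router answer port 80 with a redirect to HTTPS instead of serving the application in clear text; with `passthrough` the router never terminates TLS, so the certificate must live in the pod.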