Simplifying and Securing Your OpenShift Network with Project Calico


Post on 12-Apr-2017


TRANSCRIPT

  • 1 2017 Tigera, Inc. | Proprietary and Confidential

    OpenShift Commons Briefing

    Andy Randall, CEO

    Simplifying and Securing Your OpenShift Network with Project Calico

    March 2, 2017

  • 2

    Isn't virtual networking a solved problem?

    Can we just get on with developing and deploying apps now?

    First, a (not unreasonable) question...

  • 3

    Challenges of Cloud-Native: Scale & Churn

    10x workloads per host

    100+x churn per host

    First-generation, centralized SDN controller

    Traditional security appliance

  • 4

    Challenges of Cloud-Native: Dynamic Security

    Dynamic IP address assignment

    Fungible server resources

    Subnets / VLANs no longer meaningful for security rules

    Orchestrator makes highly dynamic scheduling decisions

    Workload meta-data already captured in orchestrator

    Opportunity to automate security, get rid of firewall cruft

    Micro-services architecture increases network-based attack surface

    Attackers already exploit internal vulnerabilities

    Perimeter security insufficient: need to secure intra-cluster traffic

  • 5

    What's Required?

    SIMPLIFY the network, by removing unnecessary layers of complexity

    SECURE workloads with fine-grained policy rules, leveraging orchestrator

    Both implemented in a scale-out, distributed architecture

  • 6

    Enter Project Calico

    Thousands of clusters deployed globally by users such as...

    Active open source community with 100+ contributors

  • 7

    1. Simplify the Network

    Flat IP network (pods are endpoints too)

    No overlay by default: zero packet overhead

    Routed model: one hop to the kernel, another hop to the destination (remote kernel or local pod)

    Leverages Linux's built-in, efficient network stack

    Maximum performance, simplest to troubleshoot

  • 8

    Calico Architecture: Routing

    (Diagram: Physical fabric (L2 or L3) or public cloud SDN (e.g. Amazon VPC / subnet), with the Cloud OS / Orchestration System above it. Each Compute Node runs the kernel, a Calico-node and the Calico plugin; pods attach via eth0 and are reached through Routes programmed into the kernel.)

    Control plane (etcd / Raft + BGP)

    Data plane (IP)

  • 9

    Calico Architecture: Policy Enforcement

    (Diagram: the same fabric, orchestration system and per-node components as the routing slide, but each Calico-node now programs both Routes and ACLs into the kernel, so policy is enforced on the node next to the pod.)

    Control plane (etcd / Raft + BGP)

    Data plane (IP)

  • 10

    2. Network Policies

    My IT guys installed a firewall at the edge of my data center. Why do I want network policies as well?


  • 14

    Anatomy of a Calico Network Policy

    apiVersion: v1
    kind: policy
    metadata:
      name: allow-tcp-6379
    spec:
      selector: role == 'database'
      ingress:
      - action: allow
        protocol: tcp
        source:
          selector: role == 'frontend'
        destination:
          ports:
          - 6379
      egress:
      - action: allow

    Name of this policy

    Which pods does it apply to?

    Who can talk to those pods (with which protocols?)

    To whom can those pods talk (with which protocols?)

    $ calicoctl apply -f mypolicy.yaml

    API version

    Yes, this looks a lot like a Kubernetes Network Policy. Calico can enforce k8s policy or this extended model.

  • 15

    Calico Architecture: Policy Enforcement Revisited

    (Diagram: the policy-enforcement diagram from slide 9 repeated: on each Compute Node the Calico-node programs Routes and ACLs into the kernel, alongside the Calico plugin and the pods attached via eth0.)

    Policy rendering to ACLs is distributed to calico agents

    Each node efficiently calculates what it needs & programs iptables

    At scale,
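The policy on slide 14 and the per-node rendering on slide 15, as an added example written for this page (it is not code from the deck or from Calico itself): a small Python model that evaluates the allow-tcp-6379 policy against labelled pods and then renders, for one node at a time, only the rules that concern that node's own pods. Assumptions to keep in mind: Calico's selector grammar is richer than the single key == 'value' form handled here; Felix programs real iptables chains and ipsets, whereas the strings emitted below are a hypothetical, simplified iptables-like rendering; the model treats traffic that a selecting policy does not match as denied; the pod and node inventory is constructed sample data.

```python
# Added example (not from the deck or Calico): a model of how the slide's
# policy is evaluated against labelled pods and how each node renders only the
# rules that concern its own pods. Assumptions: Calico's real selector grammar
# is richer than the single  key == 'value'  form handled here; Felix renders
# real iptables chains and ipsets, whereas the strings emitted below are a
# hypothetical, simplified iptables-like rendering; once a policy selects an
# endpoint, traffic matched by none of its rules is treated as denied.
import re

# The slide's policy, as a Python dict with the same structure as the YAML.
POLICY = {
    "apiVersion": "v1",
    "kind": "policy",
    "metadata": {"name": "allow-tcp-6379"},
    "spec": {
        "selector": "role == 'database'",
        "ingress": [{
            "action": "allow",
            "protocol": "tcp",
            "source": {"selector": "role == 'frontend'"},
            "destination": {"ports": [6379]},
        }],
        "egress": [{"action": "allow"}],
    },
}

# Constructed sample inventory: which node each pod runs on, its IP, its labels.
PODS = {
    "db-0":    {"node": "node-a", "ip": "192.168.1.5", "labels": {"role": "database"}},
    "web-0":   {"node": "node-b", "ip": "192.168.2.7", "labels": {"role": "frontend"}},
    "web-1":   {"node": "node-a", "ip": "192.168.1.9", "labels": {"role": "frontend"}},
    "batch-0": {"node": "node-c", "ip": "192.168.3.4", "labels": {"role": "batch"}},
}

_EQ_SELECTOR = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*==\s*'([^']*)'\s*$")


def selector_matches(selector, labels):
    """Evaluate a  key == 'value'  selector; a missing/empty selector matches all."""
    if not selector or not selector.strip():
        return True
    m = _EQ_SELECTOR.match(selector)
    if not m:
        raise ValueError(f"unsupported selector: {selector!r}")
    key, value = m.groups()
    return labels.get(key) == value


def rule_matches(rule, src_labels, protocol, port):
    """A rule matches only if every clause it specifies matches."""
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    if not selector_matches(rule.get("source", {}).get("selector"), src_labels):
        return False
    ports = rule.get("destination", {}).get("ports")
    if ports is not None and port not in ports:
        return False
    return True


def ingress_decision(policy, src_labels, dst_labels, protocol, port):
    """Return None if the policy does not select the destination, otherwise the
    action of the first matching ingress rule, or 'deny' if none matches."""
    spec = policy["spec"]
    if not selector_matches(spec["selector"], dst_labels):
        return None
    for rule in spec.get("ingress", []):
        if rule_matches(rule, src_labels, protocol, port):
            return rule["action"]
    return "deny"


def render_node_rules(policy, pods, node):
    """Rules one node needs: for each local pod the policy selects, one accept
    per (allowed source, port), then a final drop. Selected pods on other nodes
    contribute nothing here; the agent on that node renders them."""
    spec = policy["spec"]
    rules = []
    for _, pod in sorted(pods.items()):
        if pod["node"] != node or not selector_matches(spec["selector"], pod["labels"]):
            continue
        dst = f"-A FORWARD -d {pod['ip']}/32"
        for rule in spec.get("ingress", []):
            src_sel = rule.get("source", {}).get("selector")
            sources = [p["ip"] for _, p in sorted(pods.items())
                       if selector_matches(src_sel, p["labels"])]
            proto = f" -p {rule['protocol']}" if "protocol" in rule else ""
            ports = rule.get("destination", {}).get("ports") or [None]
            target = "ACCEPT" if rule["action"] == "allow" else "DROP"
            for ip in sources:
                for port in ports:
                    dport = f" --dport {port}" if port is not None and proto else ""
                    rules.append(f"{dst} -s {ip}/32{proto}{dport} -j {target}")
        rules.append(f"{dst} -j DROP")
    return rules


if __name__ == "__main__":
    print(ingress_decision(POLICY, {"role": "frontend"}, {"role": "database"}, "tcp", 6379))
    for node in ("node-a", "node-b", "node-c"):
        print(node, render_node_rules(POLICY, PODS, node))
```

Two things worth noticing when running it: node-b hosts a frontend pod but no database pod, so it renders nothing for this policy even though its pod appears as an allowed source on node-a, which is the point of slide 15; and a frontend pod reaching the database on any port other than 6379, or over UDP, falls through to the final drop, so the check a practitioner should run after applying such a policy is a negative test, not only the positive one.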

  • 16

    Architectural Comparison

    OVS-based (e.g. OpenShift SDN) | Project Calico

    One subnet per host | Dynamic allocation of IP address ranges to host as additional containers are scheduled (reduces wasted addresses without imposing an upper limit on # containers)

    Pods connected to OVS bridge (br0) | Pods connected into Linux kernel routing engine (no bridge, single routed hop, same path intra/inter node)

    Access to pods on remote nodes via VXLAN tunnel (tun0) | Tunnel possible but not required: pods have real IPs on underlying network; no double-encapsulation when running on underlying SDN (e.g. public cloud or OpenStack)

    Connectivity outside cluster via NAT | NAT not required by default to outside world, since pods have real IPs

    Network isolation enforced in OVS via tenant separation (separate ovs-multitenant plug-in) or Kubernetes network policy with ovs-subnet | Network isolation (including multi-tenant) enforced via ingress + egress policy rules encoded into iptables rules in Linux kernel

    OVS in control and data path | Calico in control path only (data path = traditional Linux kernel L3 forwarding & filtering)
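The routed model of slides 7 and 8 and the first three rows of the comparison above, as an added example written for this page (it is not Calico's IPAM or BIRD code): a Python model of hosts claiming address blocks from a pool on demand instead of owning a fixed subnet, and of the plain routes each host needs to reach pods elsewhere without any tunnel. The /26 block size is Calico's default; the 192.168.0.0/16 pool, the host addresses, the pod names, the cali-<pod> device names and the scheduling sequence are constructed for the example, and the routing table is simplified (Calico also installs a blackhole route for each local block, which is omitted here).

```python
# Added example (not Calico's IPAM or BIRD code): a model of two claims in the
# comparison, that hosts receive address blocks on demand rather than a fixed
# per-host subnet, and that pods on other hosts are reached by an ordinary route
# to the owning host with no tunnel. The /26 block size is Calico's default;
# the pool, hosts, pod names, the cali-<pod> device names and the scheduling
# sequence are constructed for the example, and the routes are simplified
# (real Calico also installs a blackhole route for each local block).
import ipaddress

POOL = ipaddress.ip_network("192.168.0.0/16")   # constructed pod IP pool
BLOCK_PREFIX = 26                                # 64 addresses per block


class BlockAllocator:
    """Hand out pod addresses host by host, claiming one block at a time."""

    def __init__(self, pool=POOL, block_prefix=BLOCK_PREFIX):
        self._free = list(pool.subnets(new_prefix=block_prefix))
        self.blocks = {}     # host -> [IPv4Network, ...] in claim order
        self._cursor = {}    # IPv4Network -> iterator over its unused addresses

    def assign_address(self, host):
        """Next address for a pod on host; a new block is claimed only when
        every block the host already owns is exhausted."""
        for block in self.blocks.get(host, []):
            try:
                return next(self._cursor[block])
            except StopIteration:
                continue
        if not self._free:
            raise RuntimeError("pool exhausted")
        block = self._free.pop(0)
        self.blocks.setdefault(host, []).append(block)
        self._cursor[block] = iter(block.hosts())   # skips network/broadcast
        return next(self._cursor[block])


def allocated_address_space(alloc):
    """Addresses reserved across all claimed blocks (idle hosts reserve none)."""
    return sum(b.num_addresses for blocks in alloc.blocks.values() for b in blocks)


def routes_for(host, alloc, host_ips, pod_ips):
    """The routing table a host needs: a /32 via a local interface for each of
    its own pods, and one route per remote block pointing at the owning host,
    which is what that host advertises over BGP. Nothing is encapsulated."""
    table = []
    for owner, blocks in sorted(alloc.blocks.items()):
        for block in blocks:
            if owner == host:
                table.extend(f"{ip}/32 dev cali-{pod}"
                             for pod, ip in sorted(pod_ips.items()) if ip in block)
            else:
                table.append(f"{block} via {host_ips[owner]}")
    return table


def simulate():
    """Constructed schedule: 70 pods land on node-a, 3 on node-b, none on node-c."""
    host_ips = {"node-a": "10.0.0.11", "node-b": "10.0.0.12", "node-c": "10.0.0.13"}
    alloc = BlockAllocator()
    pod_ips = {}
    for i in range(70):
        pod_ips[f"web-{i}"] = alloc.assign_address("node-a")
    for i in range(3):
        pod_ips[f"db-{i}"] = alloc.assign_address("node-b")
    return alloc, host_ips, pod_ips


if __name__ == "__main__":
    alloc, host_ips, pod_ips = simulate()
    print({h: [str(b) for b in bs] for h, bs in alloc.blocks.items()})
    print(allocated_address_space(alloc), "addresses reserved for 73 pods")
    for line in routes_for("node-c", alloc, host_ips, pod_ips):
        print("node-c:", line)
```

With this schedule node-a ends up owning two /26 blocks and node-b one, for 192 reserved addresses across 73 pods, while node-c, which runs nothing, reserves none; a fixed /24 per host would have reserved 768. The table node-c computes is three ordinary next-hop routes to the other hosts' addresses, which is also what a practitioner would expect to see in `ip route` on a Calico node: pod traffic leaves with the pod's real IP and no encapsulation header.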

  • 17

    Considerations for other SDN solutions

    (Some) Other Networking Solutions | Project Calico

    Centralized controller calculates rules for each node | All policy calculations / rendering

    Must replace internal service routing: not compatible with Kube-proxy | Fully compatible with standard Kube-proxy

    Must use own external load balancing: not compatible with OpenShift Router | Fully compatible with OpenShift Router and any other regular IP networking mechanisms (it's just IP)

  • 18

    Can I just get the policies?

    I like how Calico does policies but still want to use a VXLAN overlay.

    You probably can't do that, right?

  • 19

    Combining Calico with Flannel Networking

    A collaboration between Tigera and CoreOS to apply Calico policy to flannel overlay networks

    More: http://github.com/projectcalico/canal

  • 20

    Calico & OpenShift

    So how does this all tie together with OpenShift?

  • 21

    Calico on OpenShift

  • 22

    Calico on OpenShift

    (Diagram: pods on each node attach through CNI; Calico-CNI is the CNI plugin and Calico-IPAM handles address assignment.)

  • 23

    Calico on OpenShift

    (Diagram: Calico/Node runs on each host, made up of Felix (local routing & policy calculation) and Bird (BGP).)

  • 24

    Calico on OpenShift

    (Diagram: the Calico Policy Controller added alongside the per-node components.)

  • 25

    Calico-OpenShift Integration

    Lots of recipes for Calico + Kubernetes, e.g. AWS Quick Start, StackPointCloud, kops, ...

    Users have deployed with OpenShift: roll-your-own installation until recently

    Tigera / Red Hat collaborating on supported integration and certification for OpenShift

    Integration was working, but broken by OCP 3.4. Addressing a few minor remaining issues.

    Watch this space: sign up to the Project Calico Slack (http://slack.projectcalico.org), join the #openshift channel, and let us know you're interested!

  • 26

    github.com/projectcalico

    @andrew_randall | @projectcalico

    slack.projectcalico.org #openshift

    Andy Randall, andy@tigera.io