using io visor to secure microservices running on cloudfoundry [openstack summit austin | april...

Securing Microservices in CloudFoundry Brenden Blanco and Deepa Kalani Architects, CTO Office - PLUMgrid

Upload: io-visor-project

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

Securing Microservices in CloudFoundry

Brenden Blanco and Deepa Kalani!Architects, CTO Office - PLUMgrid!

Page 2:

Need for Micro Segmentation

§  Movement towards cloud native applications.
§  Elastic nature of applications requires a more agile way of configuring policies.
§  Operators would like to have an intuitive way of defining policies, based on application roles and not IP addresses.
§  Relying on traditional firewall rules will quickly make it unmanageable as applications move around.
§  Move towards a whitelist model of policy definition, where one defines acceptable information flow and everything else is blocked.

Page 3:

IPTables to define Endpoint Policy - State Explosion

Per-endpoint iptables rules for the ten-endpoint example (one allow rule per source/destination pair, repeated on every node):

IP1 -> IP3, IP5, IP7, IP8
IP3 -> IP1, IP5, IP7, IP8
IP5 -> IP1, IP3, IP7, IP8
IP7 -> IP1, IP5, IP3, IP8
IP8 -> IP3, IP5, IP7, IP1
IP2 -> IP4, IP6, IP9, IP10
IP4 -> IP6, IP2, IP9, IP10
IP9 -> IP4, IP6, IP2, IP10
IP10 -> IP2, IP6, IP4, IP9

(Figure label: IPTable Rules)

Page 4:

Group Based Policy - secure, scalable, intent based

Endpoint Groups (the same ten endpoints as on the previous slide):
IP1, IP3 -> Green; IP2, IP4 -> Red
IP5, IP7 -> Green; IP6 -> Red
IP8 -> Green; IP9, IP10 -> Red

Policies (the same two rules on every node):
Green -> Green
Red -> Red

Page 5:

Policy specification for Cloud Foundry Applications

§  Define Endpoints and EPGs (applications are represented by Groups of Endpoints).
§  Policy definition is in the nature of applications, e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow.
§  Envision policy as a graph of application connectivity.

(Figure: policy graph with nodes A_App, B_APP, C_APP, A_DB, DB_Ext; 23 Groups, 12 Rules)
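The contrast slides 3 to 5 draw, a handful of group rules versus the per-address rule set an endpoint firewall needs, can be made concrete by compiling the group policy down. The following is an added example written for this page; it is not code from the deck, from PLUMgrid or from the IO Visor project. The group names and endpoint names follow the slides; the container addresses used for the A_APP/A_DB/B_APP groups (10.244.18.2 to 10.244.18.5) are constructed for the example, and the `ANY_PORT` sentinel and the iptables rendering are this example's own choices.

```python
"""Compile a group-based (intent) policy down to endpoint rules.

Illustrative code written for this page, not code from the deck, from
PLUMgrid or from the IO Visor project. Group names, member addresses and
rules are constructed to mirror the slides' ten-endpoint Green/Red example
and the A_APP -> A_DB example; the container addresses are assumed.
"""
from itertools import product

ANY_PORT = 0  # constructed sentinel: the rule applies to every destination port


def expand(groups, rules):
    """Flatten group rules into the (src_ip, dst_ip, dport) tuples that an
    endpoint-addressed firewall such as iptables would need, one per pair.
    This is the state explosion of slide 3: |src group| x |dst group| rules
    per group rule, and every one must be rewritten when a member moves."""
    flat = set()
    for src_grp, dst_grp, dport in rules:
        for src, dst in product(groups[src_grp], groups[dst_grp]):
            if src != dst:  # an endpoint needs no rule to reach itself
                flat.add((src, dst, dport))
    return flat


def render_iptables(flat):
    """Render the flattened rules as iptables FORWARD-chain commands.
    Text only; nothing is executed. Whitelist model: explicit ACCEPTs, then
    a final DROP so everything not listed is blocked."""
    lines = []
    for src, dst, dport in sorted(flat):
        match = f"-s {src} -d {dst}"
        if dport != ANY_PORT:
            match += f" -p tcp --dport {dport}"
        lines.append(f"iptables -A FORWARD {match} -j ACCEPT")
    lines.append("iptables -A FORWARD -j DROP")
    return lines


def rule_counts(groups, rules):
    """Return (group_rules, endpoint_rules): the two numbers slides 3 and 4
    contrast for the same intent."""
    return len(rules), len(expand(groups, rules))


# Slides 3 and 4: ten endpoints in two groups (endpoint names as on the slide).
COLOUR_GROUPS = {
    "Green": ["IP1", "IP3", "IP5", "IP7", "IP8"],
    "Red":   ["IP2", "IP4", "IP6", "IP9", "IP10"],
}
COLOUR_RULES = [("Green", "Green", ANY_PORT), ("Red", "Red", ANY_PORT)]

# Slide 5: rules stated on application roles. Membership is constructed;
# 10.244.18.2/.3 are the Garden container addresses from slide 10, the
# other two addresses are assumed for the example.
APP_GROUPS = {
    "A_APP": ["10.244.18.2", "10.244.18.3"],
    "A_DB":  ["10.244.18.4"],
    "B_APP": ["10.244.18.5"],
}
APP_RULES = [("A_APP", "A_DB", 80), ("B_APP", "A_APP", ANY_PORT)]

if __name__ == "__main__":
    g, e = rule_counts(COLOUR_GROUPS, COLOUR_RULES)
    print(f"{g} group rules expand to {e} endpoint rules")
    for line in render_iptables(expand(APP_GROUPS, APP_RULES)):
        print(line)
```

Two group rules expand to forty endpoint rules for the ten-endpoint example, and the count grows with the product of group sizes rather than with the number of intents; moving one container from one host to another changes nothing in the group policy but rewrites every flattened rule that names it. The final unconditional DROP is what makes the flattened form a whitelist: an endpoint outside every group, or a port no rule names, matches nothing and is blocked.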

Page 6:

www.iovisor.org

IO Module, users perspective

An IO Module as the user sees it:

•  Management interface: REST API, CLI / config file
•  Interfaces: Interface Type (Net, Tracing, Storage, ...)
•  Something runs in the kernel; something runs in userspace
•  Controllers live above the module
•  IO Modules Catalog: search for an IO Module, download the IO Module; somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules

Page 7:


IO Module, developers perspective

•  IO Modules Catalog: publish new Modules; somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules
•  Users interact with the Module with: the management interface (REST API, CLI / config file) and the interfaces (Interface Type: Net, Tracing, Storage, ...)
•  An IO Module has two parts: the Control Plane (userspace), a userspace helper IO Module, and the IO Module Data Plane (kernel)
•  The IO Module developer builds both against the IO Visor SDK; the figure labels the Data Plane with Clang/P4 and the Control Plane with Python, C, C++, Go, JS...

Page 8:


IO Module, graph composition

•  IO Visor Manager: exposes APIs to Controllers and holds module Metadata
•  Kernel space: kernel attachment points, with the kernel code of each IO Module extending Linux Kernel capabilities
•  Userspace: open repo of "IO Modules"

Page 9:


Composing IO Modules


Page 10:

Policy Plugin with IO Visor

(Figure: two hosts, Garden/0 - 10.244.18.2 and Garden/1 - 10.244.18.3, each running containers (C C C) behind a Linux Bridge and a VXLAN device (VxlanDev), joined by a VXLAN overlay; subnets 192.168.0.0/16 and 192.168.1.0/16; a Policy boundary is marked on the figure.)
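The policy boundary on this slide is where each frame leaving or entering a container is matched against the group policy. The following is an added example written for this page, not IO Visor, BCC or PLUMgrid code: a userspace model of the per-frame lookup an IO Module at that boundary would perform, using two maps shaped like the BPF hash maps such a module would carry (endpoint address to group id, and (source group, destination group, destination port) to verdict). In a real IO Module the same lookup would be compiled to eBPF and attached at the bridge; here it is plain Python so it can be run on a constructed frame. The Garden container addresses 10.244.18.2 and .3 come from the slide; 10.244.18.4, the group ids, and the `build_frame` test helper are assumptions for the example.

```python
"""Packet-level enforcement at the policy boundary (added example).

Illustrative code written for this page, not IO Visor, BCC or PLUMgrid
code. Models the lookup an IO Module would do on each Ethernet/IPv4 frame
seen on the Linux bridge after VXLAN decapsulation.
"""
import ipaddress
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
PASS, DROP = "PASS", "DROP"

# Endpoint map (constructed): 10.244.18.2/.3 are the Garden container
# addresses on the slide; 10.244.18.4 and the group ids are assumed.
ENDPOINT_GROUP = {
    "10.244.18.2": 1,   # A_APP
    "10.244.18.3": 1,   # A_APP
    "10.244.18.4": 2,   # A_DB (address assumed)
}
# Policy map (constructed): (src_group, dst_group, dport) -> verdict.
# dport 0 means any port. Anything not present is dropped (whitelist).
POLICY = {
    (1, 2, 80): PASS,   # A_APP -> A_DB on port 80
    (1, 1, 0): PASS,    # A_APP instances may talk to each other
}


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, dport), or None if the frame is not a
    well-formed IPv4 TCP/UDP packet. Every read is bounds-checked first, as
    the BPF verifier would demand of the in-kernel version."""
    if len(frame) < ETH_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl, proto = frame[ETH_LEN], frame[ETH_LEN + 9]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(frame) < ETH_LEN + ihl + 4:
        return None
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    src = str(ipaddress.IPv4Address(frame[ETH_LEN + 12:ETH_LEN + 16]))
    dst = str(ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20]))
    dport = struct.unpack_from("!H", frame, ETH_LEN + ihl + 2)[0]
    return src, dst, proto, dport


def verdict(frame, endpoints=ENDPOINT_GROUP, policy=POLICY):
    """Whitelist decision for one frame: PASS only on an explicit match.
    Unparseable frames, unknown endpoints and unlisted ports all DROP."""
    parsed = parse_frame(frame)
    if parsed is None:
        return DROP
    src, dst, _proto, dport = parsed
    sg, dg = endpoints.get(src), endpoints.get(dst)
    if sg is None or dg is None:
        return DROP
    return policy.get((sg, dg, dport), policy.get((sg, dg, 0), DROP))


def build_frame(src, dst, dport, proto=IPPROTO_TCP):
    """Constructed Ethernet/IPv4/TCP frame for exercising the lookup
    (MACs and checksums are zero; only the fields the policy reads matter)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", 40000, dport) + bytes(16)  # sport, dport, rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


if __name__ == "__main__":
    for s, d, p in [("10.244.18.2", "10.244.18.4", 80),
                    ("10.244.18.2", "10.244.18.4", 443),
                    ("10.244.18.4", "10.244.18.2", 80)]:
        print(f"{s} -> {d}:{p} {verdict(build_frame(s, d, p))}")
```

Two properties of the data path matter for the whitelist model. Direction is part of the key, so A_APP reaching A_DB on port 80 passes while A_DB initiating towards A_APP does not; and every failure to classify (short frame, non-IPv4, address in no group) falls through to DROP rather than to an implicit allow. When a container moves between hosts only the endpoint map entry changes; the policy map is the same on every node.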

Page 11:

Thank You! www.iovisor.org

Page 12:


Backup Slides


Page 13:


Introducing IO Visor Project

•  Future of Linux Kernel IO for software defined services
•  Led by initial contributions from PLUMgrid (upstreamed since Kernel 3.16)
•  Evolution of Kernel BPF & eBPF (Berkeley Packet Filter)

"IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collaboration is critically important as virtualization is putting more demands on flexibility, performance and security. Open source software and collaborative development are the ingredients for addressing massive change in any industry. IO Visor will provide the essential framework for this work on Linux virtualization and networking."

Jim Zemlin, Executive Director, The Linux Foundation.

Page 14:


IO Visor Project: What?

1. Open Source & Community
   •  An open source project and a community of developers
   •  Enables a new way to Innovate, Develop and Share IO and Networking functions
2. Programmable Data Plane
   •  A programmable data plane and development tools to simplify the creation of new infrastructure ideas
3. Repository of "IO Modules"
   •  A place to share / standardize new ideas in the form of "IO Modules"

Page 15:


IO Visor Project Use Cases Example: Networking

§  IO Visor is used to build a fully distributed virtual network across multiple compute nodes
§  All data plane components are inserted dynamically in the kernel
§  No usage of virtual/physical appliances needed
§  Example here https://github.com/iovisor/bcc/tree/master/examples/distributed_bridge

(Figure: "Virtual/Physical Appliances" contrasted with "Virtual Network Topology in Kernel Space")