
How not to have a ‘bad time’ securing your micro-services

Or, how to avoid firewall hell

@liljenstolpe | cdl@projectcalico.org

Remember 3-tier architectures?

Getting Medieval

Fast forward to the present

Increased complexity

Resource Fungibility

Tear down the walls?

The opportunity?


PSA: Do not use port mapping

[Figure: port mapping across the network fabric. Services listening on port 80 are reached through mapped ports (80 <-> 5389 on one host, 4397 <-> 80 on another).]

The Distributed Firewall

[Figure: network fabric with routing between hosts 10.0.0.1 and 10.0.0.2, each hosting workloads addressed 192.168.1.1 through 192.168.1.4.]

Project Calico architecture

[Figure: Calico components on a host. Felix programs routes and iptables rules into the kernel; BGP distributes the routes, via a route reflector, between hosts. Host 10.0.0.2 is shown with workloads 192.168.1.3 and 192.168.1.4.]

admin-ui.yaml

    kind: NetworkPolicy
    apiVersion: net.alpha.kubernetes.io/v1alpha1
    metadata:
      namespace: default
      name: allow-ui
    spec:
      podSelector:
      ingress:
        - from:
            - namespaces:
                role: management-ui

Slide callouts:

Metadata (the `metadata` block: the policy lives in the default namespace and is named allow-ui)

Empty selector applies to all pods (the empty `podSelector`)

Allow from management namespace (the `namespaces: role: management-ui` entry under `from`)
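To make the two callouts concrete, here is an added example (not Calico or Kubernetes code) that evaluates the intent of the allow-ui policy above against a handful of constructed pods and namespaces. It models only what the slide states: an empty podSelector selects every pod in the policy's namespace, and an ingress `from: namespaces:` entry admits traffic from any pod whose namespace labels match. It assumes (labelled in the code) that the destination namespace has network isolation switched on, so a pod accepts only the ingress some policy explicitly allows; all pod names, namespace labels and the "scoped" variant of the policy are constructed for the demo.

```python
"""Toy evaluator for the intent expressed by the admin-ui.yaml NetworkPolicy.

Added example, not Calico or Kubernetes code. Rules modelled, as called out on
the slide: an empty podSelector selects every pod in the policy's namespace,
and an ingress "from: namespaces:" entry admits traffic from any pod whose
namespace labels match the selector.

Assumption: the destination namespace has network isolation on, so a pod
accepts a connection only if some policy that selects it allows the source.
Every pod, namespace and label below is constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


@dataclass
class NetworkPolicy:
    name: str
    namespace: str          # a policy only selects pods in its own namespace
    pod_selector: dict      # {} means "all pods in this namespace"
    from_namespaces: list   # label selectors applied to the *source* namespace


def selector_matches(selector: dict, labels: dict) -> bool:
    """Alpha-API style selector: a plain label map, every key must match.
    The empty map matches everything (this is the 'empty selector' rule)."""
    return all(labels.get(k) == v for k, v in selector.items())


def policy_selects(policy: NetworkPolicy, pod: Pod) -> bool:
    """Does this policy apply to (protect) this pod?"""
    return (pod.namespace == policy.namespace
            and selector_matches(policy.pod_selector, pod.labels))


def ingress_allowed(src: Pod, dst: Pod, policies: list, namespace_labels: dict) -> bool:
    """True if traffic from src to dst is admitted.

    With isolation on (assumption), dst accepts the flow only if a policy
    selecting dst has a from-namespaces entry matching src's namespace."""
    src_ns_labels = namespace_labels.get(src.namespace, {})
    for policy in policies:
        if not policy_selects(policy, dst):
            continue
        if any(selector_matches(sel, src_ns_labels) for sel in policy.from_namespaces):
            return True
    return False


# Constructed cluster state for the demo.
NAMESPACE_LABELS = {
    "default": {},
    "mgmt": {"role": "management-ui"},
    "dev": {"role": "developer"},
}
ADMIN_UI = Pod("admin-ui", "default", {"app": "admin-ui"})
DB = Pod("db", "default", {"app": "db"})
CONSOLE = Pod("console", "mgmt")
DEV_BOX = Pod("dev-box", "dev")

# The slide's policy: empty podSelector, allow from namespaces labelled role=management-ui.
ALLOW_UI = NetworkPolicy("allow-ui", "default", {}, [{"role": "management-ui"}])
# A narrower variant (constructed, not on the slide) that selects only the admin-ui pod.
ALLOW_UI_SCOPED = NetworkPolicy("allow-ui-scoped", "default",
                                {"app": "admin-ui"}, [{"role": "management-ui"}])


def evaluate(policies: list) -> dict:
    """Decide a handful of flows under the given policy set."""
    flows = {
        "console->admin-ui": (CONSOLE, ADMIN_UI),
        "dev-box->admin-ui": (DEV_BOX, ADMIN_UI),
        "console->db": (CONSOLE, DB),
        "admin-ui->db": (ADMIN_UI, DB),
    }
    return {name: ingress_allowed(s, d, policies, NAMESPACE_LABELS)
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, pols in (("slide policy", [ALLOW_UI]), ("scoped variant", [ALLOW_UI_SCOPED])):
        print(label)
        for flow, ok in evaluate(pols).items():
            print(f"  {flow:20} {'ALLOW' if ok else 'DENY'}")
```

Two things worth noticing in the output: because the slide's podSelector is empty, the policy protects the db pod as well as admin-ui, so the management console can reach db too; and because the default namespace carries no `role` label, admin-ui itself cannot reach db under isolation. The scoped variant shows the other side of the trade-off: db is then selected by no policy at all, so under the isolation assumption it accepts nothing.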

Network Intent

Thanks for watching

• Main project website: www.projectcalico.org
• https://github.com/Metaswitch/calico
• http://lists.projectcalico.org/listinfo/calico
• Download & try it out
• We welcome your feedback and contributions
• Follow us: @projectcalico
• Follow me: @liljenstolpe
