@projectcalico Project Calico is sponsored by
Networking & Security for Mesos: An IP for Every Container… and More!
Christopher Liljenstolpe, February 24, 2016
The #1 Challenge for Cloud?
Recent data breaches due to hacking or poor security: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cloud-native app architectures are driving 100-1000x growth in workloads in an era of heightened security threats.
Enterprise security is still in the middle ages
Medieval security architecture
“Oh, hey! I just love these things! … Crunchy on the outside and a chewy center!”
Fast forward to the present
Increased complexity
Resource Fungibility
Tear down the walls?
The opportunity?
The Dynamic, Distributed Firewall
[Diagram: a network fabric connecting two hosts, 10.0.0.1 and 10.0.0.2, each routing to its own workloads; every workload has its own eth0 and IP address (192.168.1.2 through 192.168.1.7), so the firewall policy is applied at each workload's interface rather than at a perimeter.]
The Dynamic, Distributed Firewall: Worked Example

Role-level policy:
A: loadBal; QA
B: webApp
C: webApp
loadBal: allow 80 to webApp
webApp: allow 80 fm loadBal
QA: allow 443 fm <qaRobots>
Pub: allow 443 fm any

Rules enforced by Felix at each workload:

Workload A (2001:db8::1)
1. to 2001:db8::2 port 80 allow
2. to 2001:db8::3 port 80 allow
3. from <qaRobots> port 443 allow
4. default deny

Workload B (2001:db8::2)
1. from 2001:db8::1 port 80 allow
2. default deny

Workload C (2001:db8::3)
1. from 2001:db8::1 port 80 allow
2. default deny
Mesos / HAProxy introduce another problem…
[Diagram: one host, 10.0.0.1, running three containers that share the host address: Application [172.17.0.2] exposed as 10.0.0.1:80, A service [172.17.0.3] also exposed as 10.0.0.1:80, and … another [172.17.0.4] exposed as 10.0.0.1:8080. Two services mapped to the same host port collide.]
The Solution…
Project Calico & Mesos – Logical Architecture
[Diagram: the Mesos Master holds the Security Policy and the Routes & Addresses. Each Mesos Agent's Host Kernel runs several Workloads (container or VM), each with its own Policy Enforcement point, and provides Efficient Packet Forwarding (IP per workload, direct integration with cloud fabric).]
Net-modules Work Flow – Actual Architecture
[Sequence diagram with four participants: Framework, Master, Agent (with the Mesos modules: Isolator module and Cleanup module) and the Network plug-in (Calico, providing IPAM and a Network virtualizer).]
1. Framework -> Master: Launch task (NetworkInfo)
2. Master -> Agent: Launch task (NetworkInfo)
3. Agent Isolator module -> Plug-in IPAM: Get IP
4. Agent Isolator module -> Plug-in Network virtualizer: Isolate (IP, policy)
5. Agent -> Master: Task update (NetworkInfo)
6. Master -> Framework: Task update (NetworkInfo)
7. Framework: Update task state
Demonstration of basic network isolation
- Mesos cluster with 2 agents
- Launching 4 probe tasks
- Each probe listens on port 9000
- Each probe tries to reach all other probes
- We want all 4 to launch successfully (no port conflicts)
- We want to isolate them into two groups of 2 probes
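The two slides above (the distributed-firewall worked example and the two-group isolation demo) both come down to the same step: role-level policy is compiled into an ordered, default-deny rule list for each workload, and a flow is permitted only when the sender's egress rules and the receiver's ingress rules both allow it. The following is an added illustration written for this page, not Calico's or net-modules' own code. The workload addresses, roles and policy lines for A, B and C are taken from the slide; the qaRobots source set, the probe addresses 10.1.0.1 to 10.1.0.4 and the rule-evaluation model are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str                 # IP per workload, as on the slide
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Statement:
    """One role-level policy line, e.g. 'webApp: allow 80 fm loadBal'."""
    role: str        # role whose endpoints receive the compiled rule
    direction: str   # 'to' = egress from those endpoints, 'from' = ingress to them
    port: int
    peer: str        # 'any', 'role:<name>' or 'set:<name>'


@dataclass(frozen=True)
class Rule:
    direction: str   # 'to', 'from' or 'default'
    peer: str        # concrete IP, 'any', 'set:<name>', or '' for the default rule
    port: int        # 0 for the default rule
    action: str


DEFAULT_DENY = Rule('default', '', 0, 'deny')


def compile_policy(workloads: List[Workload], statements: List[Statement]) -> Dict[str, List[Rule]]:
    """Expand role selectors to the current members' addresses and emit one ordered,
    default-deny rule list per workload (the lists Felix would enforce on the slide)."""
    by_role: Dict[str, List[Workload]] = {}
    for w in workloads:
        for r in w.roles:
            by_role.setdefault(r, []).append(w)
    compiled: Dict[str, List[Rule]] = {}
    for w in workloads:
        rules: List[Rule] = []
        for s in statements:
            if s.role not in w.roles:
                continue
            if s.peer.startswith('role:'):
                # A role resolves to its members' addresses, never to the endpoint itself.
                for p in by_role.get(s.peer[5:], []):
                    if p.name != w.name:
                        rules.append(Rule(s.direction, p.ip, s.port, 'allow'))
            else:
                rules.append(Rule(s.direction, s.peer, s.port, 'allow'))
        rules.append(DEFAULT_DENY)   # anything not explicitly allowed is dropped
        compiled[w.name] = rules
    return compiled


def render(rules: List[Rule]) -> List[str]:
    """Print a rule list in the slide's notation, e.g. '3. from <qaRobots> port 443 allow'."""
    out = []
    for i, r in enumerate(rules, 1):
        if r.direction == 'default':
            out.append(f'{i}. default {r.action}')
        else:
            peer = f'<{r.peer[4:]}>' if r.peer.startswith('set:') else r.peer
            out.append(f'{i}. {r.direction} {peer} port {r.port} {r.action}')
    return out


def _peer_matches(rule_peer: str, other_ip: str, named_sets: Dict[str, set]) -> bool:
    if rule_peer == 'any':
        return True
    if rule_peer.startswith('set:'):
        return other_ip in named_sets.get(rule_peer[4:], set())
    return rule_peer == other_ip


def _decide(rules: List[Rule], direction: str, other_ip: str, port: int, named_sets: Dict[str, set]) -> bool:
    """First-match evaluation of one endpoint's list in one direction; the default rule ends it."""
    for r in rules:
        if r.direction == 'default':
            return r.action == 'allow'
        if r.direction == direction and r.port == port and _peer_matches(r.peer, other_ip, named_sets):
            return r.action == 'allow'
    return False


def flow_allowed(compiled, workloads, named_sets, src_ip: str, dst_name: str, port: int) -> bool:
    """Both ends enforce: a managed source's egress list and the destination's ingress list must agree."""
    by_ip = {w.ip: w for w in workloads}
    by_name = {w.name: w for w in workloads}
    dst = by_name[dst_name]
    src = by_ip.get(src_ip)           # None for a source outside the cluster (e.g. a QA robot)
    if src is not None and not _decide(compiled[src.name], 'to', dst.ip, port, named_sets):
        return False
    return _decide(compiled[dst.name], 'from', src_ip, port, named_sets)


# Worked example from the slide (roles and addresses as given there; qaRobots address constructed).
SLIDE_WORKLOADS = [
    Workload('A', '2001:db8::1', frozenset({'loadBal', 'QA'})),
    Workload('B', '2001:db8::2', frozenset({'webApp'})),
    Workload('C', '2001:db8::3', frozenset({'webApp'})),
]
SLIDE_POLICY = [
    Statement('loadBal', 'to', 80, 'role:webApp'),
    Statement('webApp', 'from', 80, 'role:loadBal'),
    Statement('QA', 'from', 443, 'set:qaRobots'),
    Statement('Pub', 'from', 443, 'any'),
]
NAMED_SETS = {'qaRobots': {'2001:db8:1::10'}}   # constructed QA robot address

# Demo scenario: 4 probes on port 9000, isolated into two groups of 2 (probe addresses constructed).
DEMO_WORKLOADS = [Workload(f'probe{i}', f'10.1.0.{i}', frozenset({'group1' if i <= 2 else 'group2'}))
                  for i in range(1, 5)]
DEMO_POLICY = [Statement(g, d, 9000, f'role:{g}') for g in ('group1', 'group2') for d in ('to', 'from')]


def reachability(compiled, workloads, named_sets, port: int) -> Dict[tuple, bool]:
    """Every probe tries every other probe, as in the demo; returns the allowed/denied matrix."""
    return {(s.name, d.name): flow_allowed(compiled, workloads, named_sets, s.ip, d.name, port)
            for s in workloads for d in workloads if s.name != d.name}


if __name__ == '__main__':
    rules = compile_policy(SLIDE_WORKLOADS, SLIDE_POLICY)
    for name in ('A', 'B', 'C'):
        print(name, render(rules[name]))
    demo = compile_policy(DEMO_WORKLOADS, DEMO_POLICY)
    for pair, ok in sorted(reachability(demo, DEMO_WORKLOADS, NAMED_SETS, 9000).items()):
        print(pair, 'allow' if ok else 'deny')
```

Running it reproduces the per-workload lists on the slide for A, B and C, and for the demo yields exactly four permitted pairs (each probe reaching its own group mate on 9000) with every cross-group attempt denied. Because each probe has its own address, all four can listen on 9000 at once, which is the "no port conflicts" requirement of the demo. Note that the compiled lists are only as current as the role membership they were expanded from: when a workload joins or leaves a role, the lists of every peer that references that role must be recompiled.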
Demonstration (video)
Where are we at today?
- Net-modules supported with the Mesos containerizer since Mesos 0.26
- IP per container
- IP Address Management (IPAM)
- DNS-based service discovery (Mesos-DNS)
- Network isolation
- Try it out: https://github.com/mesosphere/net-modules
- Includes step-by-step instructions to repeat the demo
Restrictions / Wish List
- Other frameworks (only Marathon supported today)
- Community work ongoing to integrate Spark, Chronos, ...
- Docker daemon support via the same net-modules mechanism
- The Docker daemon includes a different networking model, via the libnetwork API, but it is not well integrated with Mesos
- Tighter integration of fine-grained policy control
- Today, fine-grained policy is "side loaded" via calicoctl
- One-step install via DCOS
- Support for the Container Network Interface (CNI) model (as used by Kubernetes)
Summary