Embed Size (px)
Citation preview
OPENCONTRAIL+ KUBERNETES
Aniket Daptari@_aniket_Sr. Product ManagerCloud Networking
2 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
AGENDA
BACKGROUND & PROBLEM STATEMENT
CONTRAIL PRODUCT OVERVIEW
KUBERNETES SOLUTION DETAILS
CUSTOMER USE-CASES;; Q&A
1
2
3
4
3 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
INFRASTRUCTURE LANDSCAPESERVICE OVERLAY OVER MULTIPLE HETEROGENOUS ENVIRONMENTS
LB
WAN OPT
FIREWALL
Physical Svc AppliancesVirtualized Svc VMs
Legacy Servers & Storage(VLAN, VMware based) Public Clouds
AWS
…
SERVICE
OVERLAY
UNDERLAY
GCE
Legacy Interconnect
Hybrid Cloud
DC or POP 2
Multi-DC Distributed Cloud
Phy + VirtInterconnect
Phy. + Virtual Svc Insertion
MGMT
VMs & Containers
DC or POP 1
Gatewayrouter
Gatewayrouter
Bare-metal Servers & Storage
CPE
Customer Branch
vCPE
4 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
DYNAMIC APPS
CUSTOM APPS
ENTERPRISE APP LANDSCAPE
EXCHANGE(e.g. Equinix, etc.)
…ENTERPRISE PRIVATE CLOUDS (100’s)
TRADITIONAL / STANDARD APPS
CRM
ERP Auth
BI
Expense Database
…
…Helpdesk xxx PUBLIC CLOUDS
…
MULTIPLE SAAS CLOUDS
…
What-If Analysis
Analytics
Provide high speed connectivity enabling Hybrid Clouds
EMERGENCE OF SAAS CLOUDS§ App Vendors are migrating to SaaS Clouds à Almost every traditional app has a SaaS offering
PUBLIC CLOUD MIGRATION§ Custom Apps are migrating to Public and SaaS Clouds
§ Dynamic Apps are migrating to Public Clouds – but some still remain on-prem
PRIVATE CLOUDS (100’s)§ Fewer Private Clouds§ Financials, Healthcare, Hi-Tech, Oil & Gas & Govt. sectors
§ Cost, Compliance & Security àprimary drivers
ENTERPRISE DC (1000’s)Today large number of enterprises run all Ent. Apps on-prem
5 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
SOFTWARE / DEVELOPERS…
6 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
SOFTWARE / DEVELOPERS – RISE OF MICROSERVICES
https://www.sequoiacap.com/article/build-us-microservices/
7 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
VIRTUALIZATION – COMPUTE AND STORAGE DATA CENTER EVOLUTION
TRADITIONAL VIRTUALIZATION
LB Policies
ACLs
FW, IPS Policies
Sec. Device
LB Device
Switches
Physical Servers
Router
End-user
§ Sub-Optimal Device Util.
§ Static & Inflexible
§ TCO (Capex, Opex)
§ Physically Constrained
§ Silo’ed
§ Manual device config
§ Custom Policy Config
§ Deployment knowledge
Admin
Standalone Applications(Dedicated Resources)
Virtual Machines
VLANs
v Security
LB Policies
ACLs
VLAN Config
Security Policies
Router
End-user
Standalone Application(Virtualized Resources)
Admin
v LB
VM Orchestrator
§ Sub-Optimal Device Util.
§ Static & Inflexible
§ TCO (Capex, Opex)
§ Physically Constrained
§ Silo’ed
§ Manual device config
§ Custom Policy Config
§ Deployment knowledge
Main Challenges Some are solved …
8 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
LEGACY NETWORK VIRTUALIZATIONCLOUD ENABLED DATA CENTER
CLOUD
§ Sub-Optimal Device Utilization
§ Static & Inflexible
§ TCO (Capex, Opex)
§ Physically Constrained
§ Silo’ed
§ Large, Manual Device Config
§ Custom / Complex Policy Config
§ Specialized deployment knowledge
Evolving Applications(on Resource Pool)
Compute
Storage
LB
Security
Admin
External Cloud Based Resources
Virtualized Resource Pools
No ACLs
End-user
Orchestrator / Controller
All Policies (incl. ACLs)
Virtual Network
Virtual Network
Resources Across DC’s
All Challenges are solved …
9 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
EVOLUTION TO CLOUD NETWORK AUTOMATION
Element / Device Mgmt System / Services Abstractions
Human Middleware
Proprietary Vendor Lock-in
Intelligent Policy Automation
Open-Source API’s Ecosystem
TRADITIONAL NETWORKS CLOUD NETWORKS
10 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
PRODUCT OVERVIEW
11 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
BGP SIGNALED END-SYSTEM IP/VPNS
12 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL ARCHITECTURE - RECAP
13 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL HETEROGENEOUS NETWORKING SYSTEM
POD
AWS/
GCE…
Public Clouds
14 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
VIRTUAL NETWORK GREEN
Host + Hypervisor Host + Hypervisor
VIRTUAL NETWORKS: LOGICAL VERSUS PHYSICAL
VIRTUAL NETWORK BLUE
VIRTUAL NETWORK YELLOW
Contrail Security Policy (Firewall-like e.g. allow only HTTP traffic)
Contrail Policy with a Firewall Service
IP fabric(switch underlay)
G1 G2 G3
B3
B1B2
G1
G3
G2
Y1 Y2 Y3B1 B2 B3
Y2Y3Y1
VM and virtualized Network function pool
Intra-network traffic
Inter-network traffic traversing a service
… …
LOGICAL
(Policy Definition)
PHYSICAL
(Policy Enforcement)
Non-HTTP traffic
15 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
SOLUTION FOR CONTAINERS
16 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
NETWORKING AND CONTAINERS - DOCKER
17 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
DOCKERMULTI-HYPERVISOR ENVIRONMENT
18 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
SOLUTION FOR KUBERNETES
19 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
NETWORKING AND CONTAINERS - KUBERNETESKubernetes is Google’s Open Source orchestration system for Dockercontainers.
It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users declared intentions.
Using the concepts of ”services" and "pods", it groups the containers which make up an application into logical units for easy management and discovery. Uses “labels” for annotations.
20 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
NETWORKING AND CONTAINERS - KUBERNETES
New daemon - listens to the kubernetes API on the Master.
Creates virtual networks on demand.
Connects them together using the Labels/Annotations present in app deployment template.
A plugin script running on the minion/node then connects the container veth-pair to the OpenContrail vrouter rather than the docker0 bridge.
21 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
NETWORKING AND CONTAINERS - KUBERNETES
Virtual Network – for a collection of PODs.
IP per POD.
Floating IP for Service VIP.
ECMP Load-balancing across Service PODs.
22 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL
Opencontrail VRouter
Opencontrail VRouter Opencontrail ControllerKube-Network-Mgr
*Opencontrail replaces kube-proxy
23 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL KEY COMPONENTS
POD POD Virtual NetworksConnect Virtual Machines
Gateway DevicesConnect the Virtual to the Physical
Network Policy Connect Virtual Networks
24 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL NETWORK POLICY
Virtual Network PoliciesAt a high level of abstraction, applied at the boundaries of virtual networks.
C C C
GreenPOD
C C C
RedPOD
Policy#Protocol:Port
25 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL NETWORK FUNCTION SERVICE POLICY
Service PoliciesPolicy based application of virtual services with scale-out.
Firewall, Intrusion Prevention, Load balancer, Cache, WAN optimizer, proxy, ...
C C C
GreenPOD
C C C
RedPOD
VirtualServiceIDS
VirtualServiceCache
PhysicalServiceFirewall
Policy#Protocol:Port
#ServiceNAT + IDS + Cache + Firewall
26 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL BUILDING BLOCKS
C C C
C C C
POD Virtual Network
Tenant POD Containers
Virtual Firewall
Physical Gateway RouterNon-Virtualized (Bare Metal) Server
Physical Network (Internet, L3VPN, ...)
POD
PhysicalNetwork
Virtual Load Balancer
Service Chain
Virtualized Server hosting Virtual Machines
27 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL KUBERNETES LABELS
Opencontrail Kubernetes (Opencontrail Labels)
Name
Uses:
POD
Virtual Network
Virtual Network Policy
NetworkTag
NetworkAccessTag
POD
POD
PODPOD POD
28 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
OPENCONTRAIL KUBERNETES LABELS
"template":"metadata":"labels":"app":"guestbook","name": "frontend","uses": "redis"
,
Example: Snippet of the POD definition that shows the opencontrail labels name and uses
"template":"metadata":"labels":"app":"redis","name":"redis","role":"slave"
,
POD – redis POD – guestbook
NetworkAccessTagaka: Policy
29 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL – GCE SETUP
Steps:1. export NETWORK_PROVIDER=opencontrail2. kube-up.sh
More details: GETTING STARTED GUIDEhttps://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
OR
https://github.com/Juniper/container-networking-ansible
30 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL – GCE SETUP
31 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL – DEPLOY APPSguestbook-go is an example provided by Kubernetes that shows a simple multi-tier app.
1. Guestbook controller is the front end GUI that connects to one of the redis slave instance
2. Redis slave instance gets the IP and Port of the redis master from SkyDNS
3. Redis slave connects to redis master and writes the data provided by guestbook UIGuestbook
Redis Redis
RedisMaster
SkyDNS
32 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL – DEPLOY APPSguestbook-go can be deployed by following opencontrail.md in the getting-started-guide section
Steps:
1. get the patch for guestbook-controller, guestbook-redis-slave and redis-masterPatch introduces “name” and “uses” labels in the json files.
2. Apply the patch:Ex: git apply –stat patch (* execute this from the kubernetes base directory)
git apply –check patchgit apply patch
PATCH URL: https://github.com/Juniper/contrail-kubernetes/blob/vrouter-manifest/cluster/patch_guest_book
33 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL – DEPLOY APPS3. Deploy guestbook app
Example:
kubectl create -f guestbook-go/redis-master-controller.jsonkubectl create -f guestbook-go/redis-master-service.json
kubectl create -f guestbook-go/redis-slave-controller.jsonkubectl create -f guestbook-go/redis-slave-service.json
kubectl create -f guestbook-go/guestbook-controller.jsonkubectl create -f guestbook-go/guestbook-service.json
34 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
KUBERNETES + OPENCONTRAIL – DEPLOY APPS
35 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
CUSTOMER USE-CASES
36 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
LITHIUM TECHNOLOGIES
https://youtu.be/pZjNFcyC6Uo - https://twitter.com/lachlanevenson
37 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
SYMANTECENTERPRISE PRIVATE CLOUD
Solution DescriptionCustomer Needs
1 Multi-vendor CLOS & Network Virtualization§ CLOS-based L3 Network provides high-performance and redundancy between compute nodes
§ Virtualized (compute) and bare metal (Hadoop) servers
3 Centralized security policy definition, distributed enforcement§ API-based policy definition§ Security policy at virtual network level and VM level§ RBAC for Security Teams and Application Teams
4 Self-provisioned service / app deployment§ Controlled migration of apps from development to production clouds
§ Seamless integration of new features / apps
2 Multi-vendor Hardware Support§ Juniper MX as a gateway router to Interconnect public internet & L3VPN/EVPN for multi-DC connectivity
§ Juniper SRX used as a Perimeter firewall§ F5 & A10 Load Balancers – Hardware and Virtualized
OpenStack Orchestrator, Contrail Network Virtualization, Hadoop & VeritasStorage Services§ Common Private IaaS for Production, Dev-Test across 4 DCs
§ No Manual Provisioning of Services –Compute, Storage, Network§ On-demand & scale-out network services – LB, FW, DNS, NAT§ Line Rate Traffic from Applications to Data-store: massive hadoopdatastore, real-time stream processing, DB-as-a-Service (NoSQL / SQL)
Contrail / Openstack
Workload/AppsInfra RacksOpenstack Racks
MX GW
SRX Dynamically scaled application edge
Hadoop Data-Store
A10 & F5
2
1
43
38 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
WORKDAYENTERPRISE PRIVATE CLOUD (SAAS)
Solution DescriptionCustomer Needs
1 Integration of Private & HP VPC using Openstack§ 12 Private DCs & 2 HP Cloud Service Locations§ Same Security Framework across Hybrid Cloud
3 Strong Security & Governance Framework§ Reduced Security Rules Complexity on Firewall – 10K rules to 44 templates with 10s of rules.
§ All Traffic Flows are Logged and Stored in STRM –Customer & within Application
4 On-Demand Virtualized Network Services§ FW-as-a-Service implemented using Virtual SRX§ LB-as-a-Service implemented using F5 BIG-IP or Contrail
§ Highly Multi-tenanted & High Scale SaaS Workloads§ Security framework for Governance, Audit, and Compliance§ Self Service Environment for Test-Dev & Production§ Hybrid Cloud Support –HP & Private
2 Self-service with Mix of Resource Types across IaaS§ Developer can request services across multiple clouds (AZs)§ Some Applications not Virtualized (KVM) – run on Docker (BM) § Controlled migration from development to production on Shared Cloud
23
1
PRODUCTION
Public CloudsInternet
DEVELOP-MENT
“Open Compute” Platform, OpenstackOrchestrator, KVM & Docker, GlusterFS, Contrail Network Virtualization
SRX
F5
4
39 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
@_aniket_ / @opencontrail
http://www.opencontrail.orghttps://pedrormarques.wordpress.com
contrail-[email protected] YOU!
40 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
