Embed Size (px)
Citation preview
Secure, Cloud-Native NetworkingSimple, scalable, secure networking for KubernetesShaun Crampton, Core Developer, Project Calico @projectcalico
10th March 2016
IP
OperationalSimplicity
IP
Service
Router
Router
Router
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
Router
Router
Router
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
Container Host
Container Host
Container Namespace
Root Namespace
Container Namespace
eth0
eth0
192.
168.
0.45
10.0.0.1
eth010.0.0.2
IP
Linux Kernel Routing(you already have this!)default via 192.168.0.1 dev eth0 192.168.0.0/24 dev eth0 src 10.0.2.15 10.0.0.1/32 dev cali34 scope global10.0.0.2/32 dev cali89 scope global10.0.1.0/26 via 192.168.0.29 dev eth010.0.2.128/26 via 192.168.0.131 dev eth0
veth pair (kernel version 2.6.24+)
Containers on other hosts
Containers on this host
cali34
cali89
IP
OperationalSimplicity
Scalability
IP
OperationalSimplicity
Scalability Security
FBI director James Comey has said he believes Sony’s cyberattackers first breached the studio’s network in September, gaining access through a common tactic called “spear phishing”—duping an employee into clicking on an email attachment or a web link.
…For more than two months Sony’s hackers roamed freely, identifying what they wanted to steal. This was possible because the studio, with few exceptions, didn’t segregate or provide extra security for even its most precious secrets. In effect, once the invaders made it past the network gates they could go anywhere they wanted because Sony hadn’t locked any doors.
Inside the Hack of the Century by Peter Elkind, Fortune.com
© C
hris
van
Dyc
k ht
tps:
//ww
w.fl
ickr
.com
/pho
tos/
chris
vand
yck/
4453
0366
99
Developer intent
Container Host
Container Namespace
Root Namespace
Container Namespace
eth0
eth0
192.
168.
0.4510.0.0.1
eth010.0.0.2
IP
Linux Kernel Filtering (iptables)(you already have this!)
Per-container distributed firewall
cali34
cali89
NetworkPolicy v1alpha1 DEMO:https://vimeo.com/159475864/
d54a4781d5
Client NS Default NS Mgmt NSF
C
B
F
B
F
UI
Client NS Default NS Mgmt NSF
C
B
F
B
F
UI
Turn on isolation…
kubectl annotate ns default \ "net.alpha.kubernetes.io/network-isolation=yes" \ --overwrite=truekubectl annotate ns client \ "net.alpha.kubernetes.io/network-isolation=yes" \ --overwrite=true
Client NS Default NS Mgmt NSF
C
B
F
B
F
UI
admin-ui.yaml
kind: NetworkPolicyapiVersion: net.alpha.kubernetes.io/v1alpha1metadata: namespace: default name: allow-uispec: podSelector: ingress: - from: - namespaces: role: management-ui
Metadata
Empty selector applies to all pods
Allow from management namespace
Client NS Default NS Mgmt NSF
C
B
F
B
F
UI
backend-policy.yamlkind: NetworkPolicyapiVersion: net.alpha.kubernetes.io/v1alpha1metadata: namespace: default name: backend-policyspec: podSelector: tier: backend ingress: - from: - pods: tier: frontend ports: - protocol: TCP port: 637
Allow from frontends on port 637 only
Apply to backends
Client NS Default NS Mgmt NSF
C
B
F
B
F
UI
frontend-policy.yamlkind: NetworkPolicyapiVersion: net.alpha.kubernetes.io/v1alpha1metadata: namespace: default name: frontend-policyspec: podSelector: tier: frontend ingress: - from: - namespaces: role: client ports: - protocol: TCP port: 80
Apply to frontends
Allow from clientsOn port 80
Client NS Default NS Mgmt NSF
C
B
F
B
F
UI
IP
OperationalSimplicity
Scalability Security
Main project website: www.projectcalico.org
Production plugin: https://goo.gl/pyNsIf Try out the demo: https://goo.gl/
BYC97u Ansible playbooks from Kubespray
https://docs.kubespray.io/ Public #slack
https://calicousers-slackin.herokuapp.com/
Download & try it out We welcome your feedback and
contributions Follow me @fasaxc Follow us @projectcalico
