
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico

Why does the network matter and why does it need to be simple (the 3am test)? Why should we build networks that scale to the extremes and how can we do that with proven technologies? Finally, how can we secure microservices, why should we bother, and what does this mean for developers and operators?

Sched Link: http://sched.co/6BUR


  1. Secure, Cloud-Native Networking. Simple, scalable, secure networking for Kubernetes. Shaun Crampton, Core Developer, Project Calico (@projectcalico). 10th March 2016.
  2. IP: Operational Simplicity
  3. (Diagram: IP services connected by three routers.)
  4. (Same diagram as slide 3, with a Container Host added to it.)
  5. Container Host: Linux Kernel Routing (you already have this!)
     Root namespace: eth0 192.168.0.45. Container namespaces: eth0 10.0.0.1 and eth0 10.0.0.2, each joined to the root namespace by a veth pair (kernel version 2.6.24+); host-side ends cali34 and cali89.
     Host routing table:
       default via 192.168.0.1 dev eth0
       192.168.0.0/24 dev eth0 src 10.0.2.15
       10.0.0.1/32 dev cali34 scope global        (containers on this host)
       10.0.0.2/32 dev cali89 scope global
       10.0.1.0/26 via 192.168.0.29 dev eth0      (containers on other hosts)
       10.0.2.128/26 via 192.168.0.131 dev eth0
  6. IP: Operational Simplicity, Scalability
  7. IP: Operational Simplicity, Scalability, Security
  8. “FBI director James Comey has said he believes Sony’s cyberattackers first breached the studio’s network in September, gaining access through a common tactic called “spear phishing”—duping an employee into clicking on an email attachment or a web link. …For more than two months Sony’s hackers roamed freely, identifying what they wanted to steal. This was possible because the studio, with few exceptions, didn’t segregate or provide extra security for even its most precious secrets. In effect, once the invaders made it past the network gates they could go anywhere they wanted because Sony hadn’t locked any doors.” From Inside the Hack of the Century by Peter Elkind, Fortune.com
  9. (Photo © Chris van Dyck, https://www.flickr.com/photos/chrisvandyck/4453036699)
  10. Developer intent
  11. Container Host: Linux Kernel Filtering (iptables) (you already have this!) Per-container distributed firewall. Same topology as slide 5: root namespace eth0 192.168.0.45, container namespaces eth0 10.0.0.1 and eth0 10.0.0.2 attached via cali34 and cali89.
  12. NetworkPolicy v1alpha1. DEMO: https://vimeo.com/159475864/d54a4781d5
  13. (Diagram of the demo topology: Client NS, Default NS and Mgmt NS, with pods labelled F, C, B and UI.)
  15. Turn on isolation…
      kubectl annotate ns default "net.alpha.kubernetes.io/network-isolation=yes" --overwrite=true
      kubectl annotate ns client "net.alpha.kubernetes.io/network-isolation=yes" --overwrite=true
  17. admin-ui.yaml
      kind: NetworkPolicy
      apiVersion: net.alpha.kubernetes.io/v1alpha1
      metadata:                       # Metadata
        namespace: default
        name: allow-ui
      spec:
        podSelector:                  # Empty selector applies to all pods
        ingress:
          - from:
              - namespaces:           # Allow from management namespace
                  role: management-ui
  19. backend-policy.yaml
      kind: NetworkPolicy
      apiVersion: net.alpha.kubernetes.io/v1alpha1
      metadata:
        namespace: default
        name: backend-policy
      spec:
        podSelector:                  # Apply to backends
          tier: backend
        ingress:
          - from:
              - pods:                 # Allow from frontends
                  tier: frontend
            ports:                    # on port 637 only
              - protocol: TCP
                port: 637
  21. frontend-policy.yaml
      kind: NetworkPolicy
      apiVersion: net.alpha.kubernetes.io/v1alpha1
      metadata:
        namespace: default
        name: frontend-policy
      spec:
        podSelector:                  # Apply to frontends
          tier: frontend
        ingress:
          - from:
              - namespaces:           # Allow from clients
                  role: client
            ports:                    # on port 80
              - protocol: TCP
                port: 80
  23. IP: Operational Simplicity, Scalability, Security
  24. Main project website: www.projectcalico.org
      Production plugin: https://goo.gl/pyNsIf
      Try out the demo: https://goo.gl/BYC97u
      Ansible playbooks from Kubespray: https://docs.kubespray.io/
      Public #slack: https://calicousers-slackin.herokuapp.com/
      Download & try it out. We welcome your feedback and contributions.
      Follow me @fasaxc. Follow us @projectcalico
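Slide 5 is the whole of the data plane in the simple case: one /32 route per local container pointing at its veth, one aggregate route per remote host, and the kernel's ordinary longest-prefix match choosing between them. The Python below is an added example, not code from the slides or from the Calico project: it parses the routing table exactly as printed on slide 5 and resolves destinations the way the kernel does. The routes and interface names are the slide's; the destination addresses looked up are made up for the demonstration.

```python
# Added example: resolve destinations against the host routing table printed on
# slide 5 using the kernel's longest-prefix-match rule. Not code from the slides
# or from Calico; the routes and interface names are the slide's, the
# destinations looked up below are made up.
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]  # None: destination is directly attached


def parse_ip_route(text: str) -> list:
    """Parse `ip route` output (the token subset that appears on slide 5)."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        dev, via = None, None
        for i, tok in enumerate(tokens):
            if tok == "dev":
                dev = tokens[i + 1]
            elif tok == "via":
                via = ipaddress.IPv4Address(tokens[i + 1])
        routes.append(Route(ipaddress.IPv4Network(dst), dev, via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: of all routes containing dst, the most specific wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def classify(routes, dst) -> str:
    """Describe where the kernel sends a packet for dst, in slide 5's terms."""
    r = lookup(routes, dst)
    if r.via is None and r.dev.startswith("cali"):
        return f"container on this host, delivered on {r.dev}"
    if r.via is not None and r.prefix.prefixlen > 0:
        return f"container on other host, forwarded via {r.via} on {r.dev}"
    if r.via is not None:
        return f"default route via {r.via} on {r.dev}"
    return f"directly attached on {r.dev}"


# Host routing table, verbatim from slide 5.
SLIDE_5_ROUTES = """
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 10.0.2.15
10.0.0.1/32 dev cali34 scope global
10.0.0.2/32 dev cali89 scope global
10.0.1.0/26 via 192.168.0.29 dev eth0
10.0.2.128/26 via 192.168.0.131 dev eth0
"""

if __name__ == "__main__":
    table = parse_ip_route(SLIDE_5_ROUTES)
    # Constructed destinations: two local containers, two remote containers,
    # another host, and an Internet address.
    for dst in ("10.0.0.1", "10.0.0.2", "10.0.1.5", "10.0.2.130", "192.168.0.29", "8.8.8.8"):
        print(f"{dst:14} -> {classify(table, dst)}")
```

For the forwarded routes to move packets the host needs net.ipv4.ip_forward=1 and the containers need a default route back to the host; neither is shown on the slide.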
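Slides 15 to 21 are one procedure: switch the default and client namespaces to default-deny, then whitelist the three flows the application needs. The Python below is an added example, not from the slides or from Kubernetes or Calico: a minimal evaluator of the v1alpha1 semantics the deck uses (the isolation annotation turns a namespace to default-deny; a policy whitelists ingress to the pods its podSelector picks; `pods:` peers are matched in the policy's own namespace, `namespaces:` peers by namespace labels; missing `ports` means any port), run against the three policies. The management namespace name `mgmt`, the namespace labels `role: client` and `role: management-ui`, and the pod names and labels are constructed for the demonstration; the policies only show which labels they select on.

```python
# Added example: evaluator for the NetworkPolicy v1alpha1 semantics used on
# slides 15-21. Not code from the slides, Kubernetes or Calico.
from dataclasses import dataclass, field

ISOLATION = "net.alpha.kubernetes.io/network-isolation"  # annotation from slide 15


@dataclass
class Namespace:
    name: str
    labels: dict = field(default_factory=dict)
    annotations: dict = field(default_factory=dict)

    @property
    def isolated(self) -> bool:
        # Slide 15: annotating a namespace with ...=yes turns on default-deny.
        return self.annotations.get(ISOLATION) == "yes"


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selects(selector, labels) -> bool:
    """v1alpha1 selectors are plain label maps; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).items())


def rule_matches(policy_ns, rule, src, src_ns, port, proto) -> bool:
    peers = rule.get("from", [])
    from_ok = not peers or any(
        ("pods" in peer and src.namespace == policy_ns and selects(peer["pods"], src.labels))
        or ("namespaces" in peer and selects(peer["namespaces"], src_ns.labels))
        for peer in peers
    )
    ports = rule.get("ports", [])
    port_ok = not ports or any(
        p.get("protocol", "TCP") == proto and p["port"] == port for p in ports
    )
    return from_ok and port_ok


def allowed(src, dst, port, proto, namespaces, policies) -> bool:
    """Ingress to dst is allowed if its namespace is open, or some policy whitelists it."""
    if not namespaces[dst.namespace].isolated:
        return True
    for pol in policies:
        ns, spec = pol["metadata"]["namespace"], pol["spec"]
        if ns != dst.namespace or not selects(spec.get("podSelector"), dst.labels):
            continue
        if any(rule_matches(ns, r, src, namespaces[src.namespace], port, proto)
               for r in spec.get("ingress", [])):
            return True
    return False


# The three policies from slides 17, 19 and 21, as dicts mirroring the YAML.
POLICIES = [
    {"metadata": {"namespace": "default", "name": "allow-ui"},
     "spec": {"podSelector": None,  # empty selector: every pod in default
              "ingress": [{"from": [{"namespaces": {"role": "management-ui"}}]}]}},
    {"metadata": {"namespace": "default", "name": "backend-policy"},
     "spec": {"podSelector": {"tier": "backend"},
              "ingress": [{"from": [{"pods": {"tier": "frontend"}}],
                           "ports": [{"protocol": "TCP", "port": 637}]}]}},
    {"metadata": {"namespace": "default", "name": "frontend-policy"},
     "spec": {"podSelector": {"tier": "frontend"},
              "ingress": [{"from": [{"namespaces": {"role": "client"}}],
                           "ports": [{"protocol": "TCP", "port": 80}]}]}},
]

# Constructed cluster state. The namespace name "mgmt", the namespace labels and
# the pod names/labels are assumptions, not taken from the deck.
NAMESPACES = {
    "default": Namespace("default", annotations={ISOLATION: "yes"}),      # slide 15
    "client": Namespace("client", {"role": "client"}, {ISOLATION: "yes"}),  # slide 15
    "mgmt": Namespace("mgmt", {"role": "management-ui"}),  # never isolated in the deck
}
FRONTEND = Pod("frontend-1", "default", {"tier": "frontend"})
BACKEND = Pod("backend-1", "default", {"tier": "backend"})
CLIENT = Pod("client-1", "client", {"app": "client"})
UI = Pod("ui-1", "mgmt", {"app": "management-ui"})


def verdicts(namespaces=NAMESPACES, policies=POLICIES) -> dict:
    """Allow/deny for the intended flows plus a few that must be blocked."""
    cases = [
        ("client->frontend:80", CLIENT, FRONTEND, 80),     # intended way in
        ("client->backend:637", CLIENT, BACKEND, 637),     # must be blocked
        ("frontend->backend:637", FRONTEND, BACKEND, 637),
        ("frontend->backend:22", FRONTEND, BACKEND, 22),   # wrong port
        ("ui->backend:22", UI, BACKEND, 22),               # allow-ui has no port limit
        ("frontend->client:80", FRONTEND, CLIENT, 80),     # client NS isolated, no policy
        ("client->ui:443", CLIENT, UI, 443),               # mgmt NS not isolated
    ]
    return {name: allowed(s, d, port, "TCP", namespaces, policies)
            for name, s, d, port in cases}


if __name__ == "__main__":
    for flow, ok in verdicts().items():
        print(f"{flow:24} {'ALLOW' if ok else 'DENY'}")
    # Without slide 15's annotation the same three policies block nothing:
    open_ns = {**NAMESPACES, "default": Namespace("default")}
    print("client->backend:637 without isolation:", verdicts(open_ns)["client->backend:637"])
```

The last two lines make the operational point of slide 15: the policies are pure whitelists, so until a namespace is annotated as isolated they change nothing, and a forgotten annotation leaves the namespace exactly as open as Sony's network on slide 8.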
