Sanjeev Rampal
Principal Engineer, Cloud Platforms BU
BRKCLD-2011
A comprehensive look at security within the Cisco Container Platform
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Agenda
• Introduction to Cisco Container Platform
• Security Model, Agile delivery, Sample Topology
• Platform Hardening & Cisco Secure Development
• Kubernetes & Container Security
• Kubernetes Secure Multi-tenancy
• Demo
Questions? Use Cisco Webex Teams to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click “Join the Discussion”, install Webex Teams or go directly to the team space (cs.co/ciscolivebot#BRKCLD-2011) and enter messages/questions there. The space will be moderated by the speaker until June 16, 2019.
Can a look at security ever be “comprehensive”?
Cisco Container Platform Architecture (diagram): a control plane (automation, orchestration, operations, HX Connect, cluster/machine controllers, running in VMs on a control-plane Kubernetes cluster) manages tenant data-plane clusters (Cluster 1 Kubernetes, Cluster 2 Kubernetes), each in its own VMs with its own workload pods and ops pods. Component set: Kubernetes, Fluentd, Prometheus, Kibana, HyperFlex, Contiv, Istio. Underlying stack, bottom to top: compute hardware (UCS), networking (Nexus 9K), storage (HyperFlex / VMware), hypervisor layer (HyperFlex / VMware).
Ops Personas & Logical production layout (diagram): the CCP admin (IT Ops) works through the CCP API with RBAC and owns full cluster & services life-cycle management of an “immutable” infrastructure stack (Ubuntu, K8s, add-ons) plus the CCP app, deployed from a web based installer VM; each tenant cluster (tenant cluster 1, tenant cluster 2) is used by a DevOps admin / developer through the K8s API with RBAC and the K8s data plane.
Security Model, Agile delivery, Sample Topology
Software Layering & CCP Security Scope (diagram): the control cluster and each tenant cluster share the same layering, bottom to top: physical compute, network, storage; hypervisor / virtualization infra (e.g. vSphere); VMs, instances, node OS; Kubernetes, Docker, container infra plugins; then CCP application add-ons on the control cluster, or add-ons plus end-user applications on a tenant cluster. Responsibility split: the physical infra is a separate setup and responsibility; the layers from the hypervisor up through node OS, Kubernetes and CCP add-ons are CCP packaging & security responsibility; end-user applications are the end user's responsibility.
Agile Delivery & Immutable infra based model
• Immutable Infrastructure
  • Integrated provisioning and full lifecycle management of infrastructure (VMs, Node OS etc.) along with Kubernetes and container infra
  • No additional software patching or maintenance needed for Node OS
  • Centralized upgrades + patching of the combined infra => no configuration drift or snowflakes
• Continuous Release and Delivery
  • Bi-weekly internal releases, monthly external releases, patch releases asap when needed
=> Improved overall product security, predictability & quick turnaround of security patches
Sample secure deployment: Private stub network (diagram): the vSphere cluster hosts the CCP control cluster and the tenant K8S cluster on a private stub network with RFC 1918 addressing: K8S pod IPs 192.168.0.0/16, K8S service IPs 10.96.0.0/12, cluster node IPs (IPAM), and the exposed k8s API and application IPs / VIPs. A firewall and IP gateways (inbound proxy, optional outbound proxy, SNAT) connect the stub network to the external routed network and to non-containerized services outside it (an Oracle DB, for example).
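A practitioner reviewing an address plan like the one in this diagram wants two things confirmed: every range is RFC 1918 space (so nothing leaks onto the routed network without going through the gateways), and no two ranges overlap (an overlap between, say, the service CIDR and the node network makes node routes and kube-proxy rules ambiguous). The following is an added example, not CCP code; the pod and service CIDRs are the values on the slide, the node CIDR and the `SLIDE_PLAN` name are constructed for the example.

```python
"""Sanity-check the address plan of a private stub network (added example, not CCP code).

The pod and service CIDRs are the values shown on the slide; the node CIDR is a
constructed sample.
"""
import ipaddress
from itertools import combinations

RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(cidr):
    """True if the (IPv4) range lies entirely inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(plan):
    """Return findings for a {name: cidr} plan; an empty list means it passes.

    Rules: every range must parse as a network (host bits clear), must be RFC 1918
    space, and no two ranges may overlap each other.
    """
    findings, nets = [], {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not is_rfc1918(cidr):
            findings.append(f"{name}: {cidr} is outside RFC 1918 private space")
    # pairwise overlap check across every range that parsed
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"{a} ({na}) overlaps {b} ({nb})")
    return findings


# Constructed plan mirroring the slide: pod and service CIDRs from the diagram,
# node CIDR chosen for the example.
SLIDE_PLAN = {"pod_ips": "192.168.0.0/16", "service_ips": "10.96.0.0/12", "node_ips": "10.1.2.0/24"}

if __name__ == "__main__":
    for finding in check_plan(SLIDE_PLAN) or ["plan OK"]:
        print(finding)
```

Feeding the exposed VIP range into the same check is the usual way to catch the one case the diagram leaves implicit: VIPs that must be reachable from the routed network are the only addresses that may legitimately sit outside the stub network's private space, and the check makes that exception explicit rather than accidental.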
Multi-cloud deployment: Cisco CP + AWS EKS (diagram slide)
Platform Hardening & Cisco Secure Development
CCP Platform Hardening incl CSDL
• Cisco Container Platform is developed using the comprehensive security requirements defined in the Cisco Secure Development Lifecycle (CSDL) process
• Curated Ubuntu OS from Canonical
• Cisco performs additional hardening of containers (internally developed for the CCP application as well as sourced from upstream)
• Frequent internal vulnerability scanning & fixing of every CCP release using a mix of external vendor container security tools as well as internal tooling
Internal DevSecOps: Secure Development Pipeline (diagram): requirements input plus vulnerability alert feeds drive development; developed code and container artifacts (Ubuntu, K8S, and upstream images such as Prometheus, NGINX etc.) go into a BOM that is created, reviewed and approved, pushed to IPC (CCP GitHub) and validated; the release is built into the CCP CI registry and CCP CI file repo, checked by vulnerability scanning tools (static registry scan), deployed on demand for run-time tests, and finally released to CCO.
Additional platform hardening features
• TLS communication for http traffic (encrypted data in motion, internal and external)
• Support for TLS 1.3 on CCP API/Dashboard
• Strong ciphers for internal encrypted data at rest
• ecdsa and ed25519 keys for ssh into cluster nodes
• Continuous monitoring of NVD and industry standard vulnerability intelligence streams and rapid turnaround of patch releases
• Recent industry CVEs fixed & delivered rapidly on CCP
  • Example: critical k8s patch delivered in 2 weeks … CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections
CCP App Security: Role Based Access Control (screenshot slide)
Kubernetes & Container Security
Kubernetes Security is a Journey
From: J Jalava: Kubernetes Security Journey
Tenant Kubernetes & Docker Security in CCP
K8S Security related features on CCP Kubernetes clusters
• K8S dashboard protection
• K8S Authentication
• K8S Authorization
• K8S Cert manager
• K8S Encrypted secrets
• Kubernetes Ingress with TLS/ https
• Istio Ingress gateway + Service mesh
• K8S Network policy
• Secure Multi-tenancy, Admission controllers, Pod Security Policies, AppArmor, Kata (future)
K8S dashboard protection
Kubernetes dashboard locked in CCP
"The hackers had infiltrated Tesla's Kubernetes console
which was not password protected," - ArsTechnica
K8S AuthN, AuthZ, Admission Control flow
K8S AuthN, AuthZ on CCP K8S tenant clusters
• K8S Authentication options:
  • X.509 client certificates (suggested for simple deployments only)
  • If the team has an AWS account, AWS IAM can be used with on-prem CCP K8S
  • Integrate 3rd party identity solutions, e.g. Tremolo
  • Direct Kubernetes OIDC-LDAP integration (future)
• K8S Authorization options:
  • ABAC: disabled on CCP K8S
  • RBAC: Role Based Access Control; enabled by default on CCP K8S
  • Authorization webhooks (tech preview; full support in upcoming release)
  • Open Policy Agent (tech preview; full support in upcoming release)
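RBAC being the default authorizer is the point that matters for multi-tenancy, so it helps to see what the authorizer actually decides. The model below is an added example, not CCP or Kubernetes code; it mirrors the upstream RBAC semantics (purely additive allow rules, a RoleBinding scoped to its namespace even when it references a ClusterRole, a ClusterRoleBinding that may only reference a ClusterRole) on constructed roles, bindings and subjects named `dev-team-a`, `auditor` and `ccp-admins`.

```python
"""Minimal model of Kubernetes RBAC authorization (added example, not CCP code).

Roles, bindings and subject names below are constructed; only the evaluation
rules follow upstream RBAC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # "" is the core API group
    resources: tuple
    verbs: tuple

    def matches(self, api_group, resource, verb):
        def hit(allowed, want):
            return "*" in allowed or want in allowed
        return hit(self.api_groups, api_group) and hit(self.resources, resource) and hit(self.verbs, verb)


@dataclass
class Role:
    name: str
    rules: list
    namespace: str = None        # None means this is a ClusterRole


@dataclass
class Binding:
    role: Role
    subjects: tuple              # (kind, name) pairs: ("User", "alice"), ("Group", "dev-team-a")
    namespace: str = None        # None means this is a ClusterRoleBinding


def allowed(bindings, user, groups, verb, resource, namespace, api_group=""):
    """True if some binding grants the request to the user or one of its groups.

    RBAC has no deny rules, so the first matching rule decides and bindings that do
    not apply are simply skipped.
    """
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in bindings:
        if not subjects.intersection(b.subjects):
            continue
        # A RoleBinding grants only inside its own namespace, even for a ClusterRole.
        if b.namespace is not None and b.namespace != namespace:
            continue
        # A ClusterRoleBinding cannot reference a namespaced Role; the API server rejects such an object.
        if b.namespace is None and b.role.namespace is not None:
            continue
        if any(r.matches(api_group, resource, verb) for r in b.role.rules):
            return True
    return False


def sample_bindings():
    """Constructed sample: one tenant namespace with a dev team, a read-only auditor, and a platform admin group."""
    edit_pods = Role("edit-pods", namespace="tenant-a",
                     rules=[Rule(("",), ("pods", "pods/log"), ("get", "list", "create", "delete"))])
    view = Role("view", rules=[Rule(("", "apps"), ("pods", "deployments", "configmaps"), ("get", "list", "watch"))])
    cluster_admin = Role("cluster-admin", rules=[Rule(("*",), ("*",), ("*",))])
    return [
        Binding(edit_pods, (("Group", "dev-team-a"),), namespace="tenant-a"),
        # ClusterRole 'view' granted through a RoleBinding: read-only, and only inside tenant-a
        Binding(view, (("User", "auditor"),), namespace="tenant-a"),
        Binding(cluster_admin, (("Group", "ccp-admins"),)),
    ]


if __name__ == "__main__":
    b = sample_bindings()
    print("alice create pods in tenant-a:", allowed(b, "alice", ["dev-team-a"], "create", "pods", "tenant-a"))
    print("alice create pods in tenant-b:", allowed(b, "alice", ["dev-team-a"], "create", "pods", "tenant-b"))
```

The checks worth keeping in a tenant onboarding test are the negative ones: a tenant developer must not read secrets in their own namespace unless the role says so, and must not touch another tenant's namespace at all, whatever the role grants.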
AWS IAM Authentication for On-prem CCP K8S
Kubernetes cert-manager & encrypted secrets
• Kubernetes cert-manager:
  • Kubernetes project to automate generation of X.509 certificates
  • Used in CCP to generate certs for internal communication & the external API
• Kubernetes encrypted secrets:
  • Kubernetes state in etcd can be encrypted using the Kubernetes encrypted secrets feature
  • Note: this feature must be enabled via the CCP API; it is not exposed in the GUI yet
  • Set etcd_encrypted=True to enable this capability per tenant k8s cluster
Admission Controllers & Secure Multi-tenancy
• New feature (Tech preview in CCP v3.2)
• Setting secure_multitenancy_enabled to True enables
1. Multiple built-in k8s admission controllers on the new cluster:
• PodSecurityPolicy
• LimitRanger
• ResourceQuota
• ValidatingAdmissionWebhook
• MutatingAdmissionWebhook
2. Privileged & restricted pod security policies and associated
PodSecurity and RBAC policies and bindings (with AppArmor and
Seccomp based tenant and container isolation)
3. Privileged-tenant & restricted-tenant as sample tenants
Kubernetes Network Policies Support
• Supported on CCP tenant clusters for all 3 CNI options
• Network microsegmentation tool within an application + across teams
• L3, L4 CNI network policies (ingress and egress)
• Extra network policy options when using ACI CNI
• L7 policies on K8S Ingress (Nginx) and Istio (Envoy)
• E-W http traffic encryption w/ Istio
(Diagram: sample application pods App-front, App-core1, App-db and App-metrics with network policies between them.)
Kubernetes Network Policies on CCP+ACI CNI
Technical Description
• Network policies of Kubernetes supported using the standard upstream format but enforced through OpFlex / OVS using APIC Host Protection Profiles
• Kubernetes app configurations can be moved without modification to/from ACI and non-ACI environments
• Standard K8S container network policies + (optional) enhanced ACI container network policies
(Diagram: Kubernetes Network Policy objects are translated into ACI policies and enforced on each node by OpFlex and OVS.)
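Whichever CNI enforces them, the policies the two preceding slides describe use the standard upstream format, and its semantics are where microsegmentation mistakes usually happen: a pod is only isolated once some policy selects it, policies are additive, and a `podSelector` on its own is scoped to the policy's namespace. The evaluator below is an added example, not CCP or CNI code; it models the ingress direction only, on a constructed topology (namespaces `app`, `metrics`, `other` and pods named after the App-front / App-core1 / App-db / App-metrics diagram).

```python
"""Evaluate Kubernetes NetworkPolicy ingress semantics on a constructed topology.

Added example, not CCP or CNI code: it follows the upstream policy format for the
ingress direction only. Pods, namespaces and policies below are constructed.
"""


def selects(selector, labels):
    """matchLabels semantics: an empty selector matches every object."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of an ingress 'from' list. A podSelector alone is scoped to the
    policy's own namespace; combined with a namespaceSelector both must match."""
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], namespaces.get(src["namespace"], {})):
            return False
        return selects(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return src["namespace"] == policy_ns and selects(peer["podSelector"], src["labels"])


def port_matches(ports, port, protocol):
    """An absent or empty 'ports' list means every port and protocol."""
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def ingress_allowed(policies, namespaces, src, dst, port, protocol="TCP"):
    """True if traffic from pod src to pod dst on port/protocol is admitted.

    A pod no Ingress policy selects is non-isolated (everything allowed); once any
    policy selects it, only traffic some rule permits gets through. Policies are
    additive, so one permitting rule in any applicable policy is enough.
    """
    applicable = [p for p in policies
                  if p["namespace"] == dst["namespace"]
                  and "Ingress" in p.get("policyTypes", ["Ingress"])
                  and selects(p["podSelector"], dst["labels"])]
    if not applicable:
        return True
    for pol in applicable:
        for rule in pol.get("ingress", []):
            peers = rule.get("from", [])
            source_ok = not peers or any(peer_matches(pe, src, pol["namespace"], namespaces) for pe in peers)
            if source_ok and port_matches(rule.get("ports", []), port, protocol):
                return True
    return False


def sample_topology():
    """Constructed sample: default-deny ingress in namespace 'app', then explicit allows."""
    namespaces = {"app": {"team": "app"}, "metrics": {"team": "observability"}}
    pods = {
        "front":     {"namespace": "app",     "labels": {"app": "front"}},
        "core1":     {"namespace": "app",     "labels": {"app": "core1"}},
        "db":        {"namespace": "app",     "labels": {"app": "db"}},
        "metrics":   {"namespace": "metrics", "labels": {"app": "metrics"}},
        # same labels as 'front' but in another namespace: must not be trusted
        "lookalike": {"namespace": "other",   "labels": {"app": "front"}},
    }
    policies = [
        {"name": "default-deny-ingress", "namespace": "app",
         "podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
        {"name": "front-to-core", "namespace": "app",
         "podSelector": {"matchLabels": {"app": "core1"}},
         "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "front"}}}],
                      "ports": [{"port": 8080, "protocol": "TCP"}]}]},
        {"name": "core-to-db", "namespace": "app",
         "podSelector": {"matchLabels": {"app": "db"}},
         "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "core1"}}}],
                      "ports": [{"port": 5432}]}]},
        {"name": "scrape-from-metrics-ns", "namespace": "app",
         "podSelector": {},
         "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "observability"}}}],
                      "ports": [{"port": 9090}]}]},
    ]
    return policies, namespaces, pods


if __name__ == "__main__":
    P, NS, pods = sample_topology()
    print("front -> core1:8080", ingress_allowed(P, NS, pods["front"], pods["core1"], 8080))
    print("front -> db:5432  ", ingress_allowed(P, NS, pods["front"], pods["db"], 5432))
```

The `lookalike` pod is the case to keep in a regression suite: it carries the same labels as the trusted front end but lives in another namespace, and a policy written with a bare `podSelector` correctly refuses it, while the metrics scrape policy shows the `namespaceSelector` form that deliberately crosses the team boundary on one port only.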
Demo: Secure Multi-tenancy in CCP K8S
More Information
• https://www.cisco.com/c/en/us/products/cloud-systems-management/container-platform/index.html
• https://www.cisco.com/c/en/us/support/cloud-systems-management/container-platform/tsd-products-support-series-home.html
• http://www.cisco.com/go/multicloud
• Webex space for this session: cs.co/ciscolivebot#BRKCLD-2011
• Or contact/ follow: srampal@cisco.com @sr2357
Conclusion: Cisco Container Platform
.. so that you won’t need to be this guy
Backup content
K8S Security: Some key standards & initiatives
• CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker/
• CIS Kubernetes Benchmark https://www.cisecurity.org/benchmark/kubernetes/
• NIST SP 800-190 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
• AppArmor http://wiki.apparmor.net/index.php/Main_Page
• SELinux https://selinuxproject.org/page/Main_Page
• CRI-O https://github.com/cri-o/cri-o
• Kata containers https://katacontainers.io/
• And more …
• These are in addition to common infrastructure security & compliance related standards such as Common Criteria, FIPS, PCI-DSS, GDPR, HIPAA
Preconfigured Pod Security Policy: “restricted”

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
```
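The admission-controller slide earlier says enabling secure multi-tenancy installs this restricted policy together with PodSecurityPolicy admission; the check below shows what that admission step rejects for a given pod spec. It is an added example, not CCP or Kubernetes code: it reproduces the rejection logic for the fields the policy above sets, and it deliberately does not report fields the real controller would silently default (a missing `drop` list, an unset `allowPrivilegeEscalation`, an unset `fsGroup`), only values that would be refused. The two pod specs in `sample_pods()` are constructed.

```python
"""Check a pod spec against the 'restricted' PodSecurityPolicy (added example, not CCP code).

RESTRICTED mirrors the spec fields of the policy shown above; sample_pods() is constructed.
"""

RESTRICTED = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def violations(pod_spec, psp=RESTRICTED):
    """Return the reasons admission would reject pod_spec; empty means admitted.

    Unset fields are not reported because the PSP controller defaults them
    (e.g. it adds the required drop list and picks fsGroup from the first range).
    """
    found = []
    for flag in ("hostNetwork", "hostIPC", "hostPID"):
        if pod_spec.get(flag, False) and not psp[flag]:
            found.append(f"{flag}=true is not allowed")
    for vol in pod_spec.get("volumes", []):
        kind = next((k for k in vol if k != "name"), None)   # the volume type is the non-name key
        if kind not in psp["volumes"]:
            found.append(f"volume {vol.get('name')!r}: type {kind} is not allowed")
    psc = pod_spec.get("securityContext", {})
    if "fsGroup" in psc and not _in_ranges(psc["fsGroup"], psp["fsGroup"]["ranges"]):
        found.append(f"fsGroup {psc['fsGroup']} is outside the allowed ranges")
    for gid in psc.get("supplementalGroups", []):
        if not _in_ranges(gid, psp["supplementalGroups"]["ranges"]):
            found.append(f"supplementalGroup {gid} is outside the allowed ranges")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = {**psc, **c.get("securityContext", {})}   # container settings override pod-level ones
        name = c.get("name", "?")
        if sc.get("privileged") and not psp["privileged"]:
            found.append(f"container {name!r}: privileged is not allowed")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            found.append(f"container {name!r}: allowPrivilegeEscalation is not allowed")
        added = sc.get("capabilities", {}).get("add", [])
        if added:   # the policy has no allowedCapabilities, so every add is rejected
            found.append(f"container {name!r}: adding capabilities {added} is not allowed")
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
            if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
                found.append(f"container {name!r}: must run as non-root")
    return found


def sample_pods():
    """Constructed pod specs: one that satisfies the policy and one that trips several rules."""
    good = {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000, "supplementalGroups": [3000]},
        "volumes": [{"name": "cfg", "configMap": {"name": "web-config"}}, {"name": "scratch", "emptyDir": {}}],
        "containers": [{"name": "web", "image": "example/web:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    }
    bad = {
        "hostNetwork": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {"privileged": True, "runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}}}],
    }
    return good, bad


if __name__ == "__main__":
    good, bad = sample_pods()
    print("good:", violations(good) or "admitted")
    print("bad: ", *violations(bad), sep="\n  ")
```

Running the same function over every manifest a tenant ships, before it reaches the cluster, gives the tenant the admission verdict without a round trip to the API server; the one thing it cannot decide is an image whose `USER` is root with no `runAsUser` set, which the real chain only catches when the kubelet applies `runAsNonRoot`.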
Calico/ Contiv Overlay Container Networking (diagram): K8S master nodes/VMs 1..3 and K8S compute nodes/VMs 1..M are attached to VMware VM port group 100; Contiv VXLAN overlays carry container traffic between nodes, while non-Contiv VLAN traffic goes to the physical L3 gateways.
Secure On-Premises Deployment Topology (diagram): an HX vSphere cluster managed by vCenter hosts the CCP control plane (CCP – CP1) and the tenant clusters K8S-Red and K8S-Blue on separate port groups PG10, PG20, PG30 with subnets 10.1.1.0/28, 10.1.2.0/24, 10.1.3.0/24; a DHCP server (for pre-3.0 releases); an ASR1K or any L3 GW; leaf (e.g. N93xx) and spine (e.g. N95xx, 100.1.x.x) switches.

Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 

Recently uploaded (20)

Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 

Container security within Cisco Container Platform

  • 2. #CLUS Sanjeev Rampal Principal Engineer, Cloud Platforms BU BRKCLD-2011 A comprehensive look at security within the Cisco Container Platform
  • 3. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS Agenda • Introduction to Cisco Container Platform • Security Model, Agile delivery, Sample Topology • Platform Hardening & Cisco Secure Development • Kubernetes & Container Security • Kubernetes Secure Multi-tenancy • Demo BRKCLD-2011 3
  • 4. WEBEX TEAMS DOCUMENTS SPEAKER 2 SPEAKER 1 cs.co/ciscolivebot# Questions? Use Cisco Webex Teams to chat with the speaker after the session Find this session in the Cisco Live Mobile App Click “Join the Discussion” Install Webex Teams or go directly to the team space Enter messages/questions in the team space How Webex Teams will be moderated by the speaker until June 16, 2019. 1 2 3 4 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS Cisco Webex Teams BRKCLD-2011 4
  • 5. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS Can a look at security ever be “comprehensive” ? BRKCLD-2011 5
  • 6. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS Control Plane Data Plane VM VM Control Plane Kubernetes Automation Orchestration Operations HX Connect Cluster/ Machine Controllers VM VM VM Cluster 1 Kubernetes Cluster1 Workloads Cluster1 Ops Pod Pod Pod VM VM VM Cluster 2 Kubernetes Cluster2 Workloads Cluster2 Ops Pod Pod Pod Kubernetes Fluentd Prometheus Kibana Hyperflex Contiv Storage (HyperFlex / VMware) Networking (Nexus 9K) Compute Hardware (UCS) Hypervisor Layer (HyperFlex / VMware) Cisco Container Platform Architecture VM VM Istio BRKCLD-2011 6
  • 7. Ops Personas & Logical production layout
    • Tenant cluster 1: Devops admin / Dev; K8s api, RBAC; K8s data plane
    • Tenant cluster 2: Devops admin / Dev; K8s api, RBAC; K8s data plane
    • CCP Admin (IT Ops): CCP api, RBAC; full cluster & services life-cycle mgmt; "Immutable" infra
    • Diagram labels: Ubuntu, K8s, Add-ons (tenant clusters); Ubuntu, K8s, CCP app (control cluster); CCP admin; Web based Installer VM
  • 9. Software Layering & CCP Security Scope
    • Control cluster layers: Physical Compute, Network, Storage; Hypervisor, Virtualization infra e.g. vSphere; VMs, Instances, Node OS; Kubernetes, Docker, Container infra plugins; CCP Application; Addons
    • Tenant cluster layers: Physical Compute, Network, Storage; Hypervisor, Virtualization infra e.g. vSphere; VMs, Instances, Node OS; Kubernetes, Docker, Container infra plugins; End-user Applications; Addons
    • Responsibility labels: Physical Infra = separate setup + responsibility; CCP packaging & Security responsibility; End-user Application responsibility
  • 10. Agile Delivery & Immutable infra based model
    • Immutable Infrastructure
      • Integrated provisioning and full lifecycle management of infrastructure (VMs, Node OS etc) along with Kubernetes, container infra
      • No additional software patching or maintenance needed for Node OS
      • Centralized upgrades + patching of combined infra => No configuration drift or snowflakes
    • Continuous Release and Delivery
      • Bi-weekly internal releases, Monthly external releases, patch releases asap when needed => Improved overall product security, predictability & quick turnaround of security patches
  • 11. Sample secure deployment: Private stub network. Diagram labels: K8S cluster; K8S Pod IPs 192.168.0.0/16; K8S Service IPs 10.96.0.0/12; Cluster Node IPs; Exposed k8s api and application IPs/VIPs; vSphere cluster; CCP control cluster; IP gateways; External Routed n/w; Inbound Proxy; Outbound Proxy (optional); Non-containerized Oracle DB (for example); Firewall; Private stub network w/ RFC 1918 addressing; SNAT; IPAM
  • 12. Multi-cloud deployment: Cisco CP + AWS EKS
  • 14. CCP Platform Hardening incl. CSDL
    • Cisco Container Platform is developed using the comprehensive security requirements defined in the Cisco Secure Development Lifecycle (CSDL) process
    • Curated Ubuntu OS from Canonical
    • Cisco performs additional hardening of containers (internally developed for CCP application as well as sourced from upstream)
    • Frequent internal vulnerability scanning & fixing of every CCP release using a mix of external vendor container security tools as well as internal tooling
  • 15. Internal DevSecOps: Secure Development Pipeline. Diagram labels: Requirements Input + Vulnerability alert feeds; Developed code; BOM created, reviewed and approved; BOM to IPC (CCP Github); Validate IPC; Release built; Releases into CCP CI file repo; To CCO; On-demand test deployment; Static registry scan; Run-time test; CCO (Ubuntu, K8S …); Container artifacts (ex. Prometheus, NGINX etc); CCP CI registry; Vulnerability Scanning tools
  • 16. Additional platform hardening features
    • TLS communication for http traffic (Encrypted data in motion internal and external)
    • Support for TLS 1.3 on CCP API/Dashboard
    • Strong ciphers for internal encrypted data at rest
    • ecdsa and ed25519 keys for ssh into cluster nodes
    • Continuous monitoring of NVD and industry standard vulnerability intelligence streams and rapid turnaround of patch releases
    • Recent industry CVEs fixed & delivered rapidly on CCP
      • Example: Critical k8s patch delivered in 2 weeks … CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections
  • 17. CCP App Security: Role Based Access Control
  • 19. Kubernetes Security is a Journey (From: J Jalava, Kubernetes Security Journey)
  • 20. Tenant Kubernetes & Docker Security in CCP. K8S Security related features on CCP Kubernetes clusters:
    • K8S dashboard protection
    • K8S Authentication
    • K8S Authorization
    • K8S Cert manager
    • K8S Encrypted secrets
    • Kubernetes Ingress with TLS/ https
    • Istio Ingress gateway + Service mesh
    • K8S Network policy
    • Secure Multi-tenancy, Admission controllers, Pod Security Policies, AppArmor, Kata (future)
  • 21. K8S dashboard protection: Kubernetes dashboard locked in CCP. "The hackers had infiltrated Tesla's Kubernetes console which was not password protected," - ArsTechnica
  • 22. K8S AuthN, AuthZ, Admission Control flow
  • 23. K8S AuthN, AuthZ on CCP K8S tenant clusters
    • K8S Authentication options:
      • X.509 Client certificates <Suggested for simple deployments only>
      • If team has AWS account, can use AWS IAM with on-prem CCP K8S
      • Integrate 3rd party identity solutions e.g. Tremolo
      • Direct Kubernetes OIDC-LDAP integration (future)
    • K8S Authorization options:
      • ABAC: Disabled on CCP K8S
      • RBAC: Role Based Access Control; enabled by default on CCP K8S
      • Authorization webhooks (Tech preview; full support in upcoming release)
      • Open Policy Agent (Tech preview; full support in upcoming release)
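RBAC, the authorization mode the slide says is enabled by default, is deny-by-default: a request succeeds only if some Role or ClusterRole, reached through a binding that names the caller or one of the caller's groups, lists the verb, resource and API group. The Python model below is an added example (not CCP's or Kubernetes' own code) of that decision: it lets a cluster admin reason about the bindings handed to a tenant team before applying them. The role names, users, groups and namespaces are constructed for illustration, and only matchLabels-free rule matching with the "*" wildcard is modelled (aggregated ClusterRoles and non-resource URLs are left out).

```python
"""Evaluate Kubernetes RBAC authorization decisions offline.

Added example, not CCP's or Kubernetes' own code: a small model of how the
RBAC authorizer answers "can subject S do verb V on resource R in namespace
N?". Roles, bindings and subjects below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list                                     # "" is the core group, "*" matches any
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # [] means any object name

    def matches(self, api_group, resource, verb, name) -> bool:
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group) and hit(self.resources, resource)
                and hit(self.verbs, verb)
                and (not self.resource_names or name in self.resource_names))


@dataclass
class Binding:
    role: str             # name of a Role or ClusterRole
    subjects: list        # ("User", name) or ("Group", name) tuples
    namespace: str = None  # None models a ClusterRoleBinding, which grants cluster-wide


# Constructed sample: a namespace-scoped developer role and a cluster admin role
ROLES = {
    "tenant-dev": [Rule([""], ["pods", "services", "configmaps"],
                        ["get", "list", "watch", "create", "update", "delete"]),
                   Rule(["apps"], ["deployments"],
                        ["get", "list", "create", "update", "delete"])],
    "cluster-admin": [Rule(["*"], ["*"], ["*"])],
}
BINDINGS = [
    Binding("tenant-dev", [("Group", "team-a")], namespace="team-a"),  # RoleBinding in team-a
    Binding("cluster-admin", [("User", "ops-admin")]),                 # ClusterRoleBinding
]


def can(user, groups, verb, resource, namespace=None, api_group="", name=None) -> bool:
    """RBAC is deny-by-default: True only if some binding grants the action."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in BINDINGS:
        if not subjects & set(b.subjects):
            continue
        # a RoleBinding only applies to requests inside its own namespace;
        # cluster-scoped requests (namespace=None) never match it
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(api_group, resource, verb, name) for r in ROLES.get(b.role, [])):
            return True
    return False


def demo() -> dict:
    """A few authorization questions for a tenant developer and the platform admin."""
    alice = ("alice", ["team-a", "system:authenticated"])
    return {
        "alice create pods in team-a": can(*alice, "create", "pods", "team-a"),
        "alice create pods in team-b": can(*alice, "create", "pods", "team-b"),
        "alice delete namespaces": can(*alice, "delete", "namespaces"),
        "alice list deployments in team-a": can(*alice, "list", "deployments", "team-a",
                                                api_group="apps"),
        "ops-admin delete namespaces": can("ops-admin", [], "delete", "namespaces"),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question:<34} {'ALLOW' if answer else 'DENY'}")
```

Note that the group membership comes from the authenticator (X.509 organization fields, the IAM mapping, or the identity provider listed above), so a wrong group claim at the AuthN step silently widens what RBAC grants; that is why the two steps are reviewed together.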
  • 24. AWS IAM Authentication for On-prem CCP K8S
  • 25. Kubernetes cert-manager & encrypted secrets
    • Kubernetes Cert-manager:
      • Kubernetes project to automate generation of X.509 certificates
      • Used in CCP to generate certs for internal communication & external API
    • Kubernetes Encrypted secrets:
      • Kubernetes state in etcd can be encrypted using Kubernetes encrypted secrets feature
      • Note, this feature must be enabled via CCP api, not exposed to GUI yet
      • Set etcd_encrypted=True to enable this capability per tenant k8s cluster
  • 26. Admission Controllers & Secure Multi-tenancy
    • New feature (Tech preview in CCP v3.2)
    • Setting secure_multitenancy_enabled to True enables:
      1. Multiple built-in k8s admission controllers on the new cluster: PodSecurityPolicy, LimitRanger, ResourceQuota, ValidatingAdmissionWebhook, MutatingAdmissionWebhook
      2. Privileged & restricted pod security policies and associated PodSecurity and RBAC policies and bindings (with AppArmor and Seccomp based tenant and container isolation)
      3. Privileged-tenant & restricted-tenant as sample tenants
  • 27. Kubernetes Network Policies Support
    • Supported on CCP tenant clusters for all 3 CNI options
    • Network microsegmentation tool within Application + across teams
    • L3, L4 CNI network policies (ingress and egress)
    • Extra network policy options when using ACI CNI
    • L7 policies on K8S Ingress (Nginx) and Istio (Envoy)
    • E-W http traffic encryption w/ Istio
    • Diagram labels: App-front, App-db, App-core1, App-front, App-metrics
  • 28. Kubernetes Network Policies on CCP + ACI CNI: Technical Description
    • Network policies of Kubernetes supported using standard upstream format but enforced through OpFlex / OVS using APIC Host Protection Profiles
    • Kubernetes app configurations can be moved without modification to/from ACI and non-ACI environments
    • Standard K8S Container Network policies + (optional) enhanced ACI container network policies
    • Diagram labels: Kubernetes Network Policy; ACI Policies; Node (OpFlex, OVS), shown twice
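Whatever enforces the policy (Calico, Contiv or OpFlex/OVS on ACI, as the two slides above describe), the semantics of the upstream NetworkPolicy object are the same, and they are the part teams most often get wrong: a pod that no policy selects is not isolated and accepts every connection, a selected pod with an empty ingress list accepts none, and several policies selecting the same pod are unioned. The Python simulator below is an added example, not CCP or CNI code; it evaluates ingress decisions for the four-tier application sketched on slide 27 (pod names, labels, the shop and monitoring namespaces and the policies are all constructed), and models podSelector and namespaceSelector peers with matchLabels only, not ipBlock or egress rules.

```python
"""Simulate the ingress semantics of Kubernetes NetworkPolicy.

Added example, not CCP, Calico, Contiv or ACI code: it models the rules a
CNI enforces so you can see why a pod that no policy selects accepts all
traffic, and why policies selecting one pod are additive. Pods, namespaces
and policies below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict                           # matchLabels; {} selects every pod in the namespace
    ingress: list = field(default_factory=list)  # [] while selecting a pod means: deny all ingress


# Labels on namespaces, consulted by namespaceSelector peers (constructed sample)
NAMESPACE_LABELS = {"shop": {"team": "shop"}, "monitoring": {"team": "platform"}}


def selects(match_labels: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key/value must be present on the object."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """A 'from' peer carries podSelector, namespaceSelector, or both (ANDed)."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                             # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not selects(ns_sel.get("matchLabels", {}), NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False                             # podSelector alone is scoped to the policy's namespace
    if pod_sel is not None and not selects(pod_sel.get("matchLabels", {}), src.labels):
        return False
    return True


def port_matches(ports: list, port: int, proto: str) -> bool:
    """An empty ports list matches every port; otherwise one listed entry must match."""
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto
                            for p in ports)


def ingress_allowed(policies: list, src: Pod, dst: Pod, port: int, proto: str = "TCP") -> bool:
    """True if traffic src -> dst:port is permitted by the ingress policies in dst's namespace."""
    applicable = [p for p in policies
                  if p.namespace == dst.namespace and selects(p.pod_selector, dst.labels)]
    if not applicable:
        return True                              # dst is not isolated: no policy selects it
    for pol in applicable:                       # additive: any matching rule in any policy allows
        for rule in pol.ingress:
            froms = rule.get("from", [])
            src_ok = not froms or any(peer_matches(pe, src, pol.namespace) for pe in froms)
            if src_ok and port_matches(rule.get("ports", []), port, proto):
                return True
    return False


# Constructed sample: the tiers sketched on the slide, plus a monitoring namespace
FRONT = Pod("app-front", "shop", {"app": "front"})
CORE = Pod("app-core1", "shop", {"app": "core"})
DB = Pod("app-db", "shop", {"app": "db"})
METRICS = Pod("app-metrics", "monitoring", {"app": "metrics"})

POLICIES = [
    # only the core tier may reach the database, and only on 5432/TCP
    NetworkPolicy("db-ingress", "shop", {"app": "db"},
                  [{"from": [{"podSelector": {"matchLabels": {"app": "core"}}}],
                    "ports": [{"port": 5432, "protocol": "TCP"}]}]),
    # core accepts anything from the front tier, and 9090 from the monitoring namespace
    NetworkPolicy("core-ingress", "shop", {"app": "core"},
                  [{"from": [{"podSelector": {"matchLabels": {"app": "front"}}}]},
                   {"from": [{"namespaceSelector": {"matchLabels": {"team": "platform"}}}],
                    "ports": [{"port": 9090}]}]),
]


def demo() -> dict:
    """Evaluate a few flows; keys read src->dst:port, values are allow decisions."""
    return {
        "core->db:5432": ingress_allowed(POLICIES, CORE, DB, 5432),
        "front->db:5432": ingress_allowed(POLICIES, FRONT, DB, 5432),
        "core->db:22": ingress_allowed(POLICIES, CORE, DB, 22),
        "front->core:8080": ingress_allowed(POLICIES, FRONT, CORE, 8080),
        "metrics->core:9090": ingress_allowed(POLICIES, METRICS, CORE, 9090),
        "metrics->core:8080": ingress_allowed(POLICIES, METRICS, CORE, 8080),
        "db->front:80": ingress_allowed(POLICIES, DB, FRONT, 80),  # front is unselected: open
    }


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:<20} {'ALLOW' if ok else 'DENY'}")
```

The last flow in demo() is the one to notice: app-front has no policy selecting it, so the database pod can open connections to it even though the database itself is locked down. Microsegmentation only holds once every tier in the namespace is selected by some policy, which is why a namespace-wide default-deny policy (podSelector {} with an empty ingress list) is normally the first object applied.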
  • 30. More Information
    • https://www.cisco.com/c/en/us/products/cloud-systems-management/container-platform/index.html
    • https://www.cisco.com/c/en/us/support/cloud-systems-management/container-platform/tsd-products-support-series-home.html
    • http://www.cisco.com/go/multicloud
    • Webex space for this session cs.co.ciscolivebot#BRKCLD-2011
    • Or contact/ follow: srampal@cisco.com @sr2357
  • 31. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS Conclusion: Cisco Container Platform .. so that you won’t need to be this guy BRKCLD-2011 31
  • 32. Complete your online session evaluation • Please complete your session survey after each session. Your feedback is very important. • Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle. • All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us. Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS BRKCLD-2011 32
  • 33. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS Continue your education Related sessions Walk-in labs Demos in the Cisco campus Meet the engineer 1:1 meetings BRKCLD-2011 33
  • 35. #CLUS
  • 37. K8S Security: Some key standards & initiatives
    • CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker/
    • CIS Kubernetes Benchmark https://www.cisecurity.org/benchmark/kubernetes/
    • NIST SP 800-190 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
    • AppArmor http://wiki.apparmor.net/index.php/Main_Page
    • SELinux https://selinuxproject.org/page/Main_Page
    • CRI-O https://github.com/cri-o/cri-o
    • Kata containers https://katacontainers.io/
    • And more …
    • These are in addition to common infrastructure security & compliance related standards such as Common Criteria, FIPS, PCI-DSS, GDPR, HIPAA
  • 38. Preconfigured Pod Security Policy: "restricted"
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restricted
      annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
        apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
        seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
        apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    spec:
      privileged: false
      allowPrivilegeEscalation: false
      requiredDropCapabilities:
        - ALL
      volumes:
        - 'configMap'
        - 'emptyDir'
        - 'projected'
        - 'secret'
        - 'downwardAPI'
        - 'persistentVolumeClaim'
      hostNetwork: false
      hostIPC: false
      hostPID: false
      runAsUser:
        rule: 'MustRunAsNonRoot'
      seLinux:
        rule: 'RunAsAny'
      supplementalGroups:
        rule: 'MustRunAs'
        ranges:
          - min: 1
            max: 65535
      fsGroup:
        rule: 'MustRunAs'
        ranges:
          - min: 1
            max: 65535
      readOnlyRootFilesystem: false
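To see what the PodSecurityPolicy admission controller from slide 26 actually does with the "restricted" policy above, the following Python checker is an added example (not CCP's or Kubernetes' own code) that replays its validation over a pod spec and lists the reasons a pod would be rejected. It transcribes the policy's fields; rules set to RunAsAny (seLinux) or false (readOnlyRootFilesystem) impose no check, and for the MustRunAs group rules an unset value is accepted because the real controller defaults it to the first range's minimum. MustRunAsNonRoot is judged from the spec only, whereas the real kubelet also rejects at start-up an image whose USER resolves to uid 0. The two pod specs are constructed for illustration.

```python
"""Check a pod spec against the 'restricted' PodSecurityPolicy shown above.

Added example, not CCP's or Kubernetes' own code: it mirrors the validation
the PodSecurityPolicy admission controller applies for that policy, so you
can see which fields a tenant's pod must set to be admitted. Pod specs
below are constructed for illustration.
"""

RESTRICTED = {  # transcribed from the policy on the slide
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def violations(pod: dict, psp: dict = RESTRICTED) -> list:
    """Return the reasons the pod would be rejected (empty list = admitted)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []

    # host namespaces
    for key in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(key, False) and not psp[key]:
            out.append(f"{key} is not allowed")

    # volume types: a volume's type is whichever key is not 'name'
    for vol in spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in psp["volumes"]:
            out.append(f"volume {vol.get('name')!r} uses disallowed type {vtype!r}")

    # MustRunAs group rules: unset values are defaulted by the admission
    # controller to the first range's minimum, so only explicit values are checked
    fsg = pod_sc.get("fsGroup")
    if fsg is not None and not _in_ranges(fsg, psp["fsGroup"]["ranges"]):
        out.append(f"fsGroup {fsg} outside allowed ranges")
    for g in pod_sc.get("supplementalGroups", []):
        if not _in_ranges(g, psp["supplementalGroups"]["ranges"]):
            out.append(f"supplementalGroup {g} outside allowed ranges")

    # per-container checks (initContainers are validated the same way)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged", False) and not psp["privileged"]:
            out.append(f"container {c['name']!r} is privileged")
        if sc.get("allowPrivilegeEscalation", False) and not psp["allowPrivilegeEscalation"]:
            out.append(f"container {c['name']!r} allows privilege escalation")
        added = sc.get("capabilities", {}).get("add", [])
        if added:  # the policy has no allowedCapabilities and requires dropping ALL
            out.append(f"container {c['name']!r} adds capabilities {added}")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot" and (uid == 0 or non_root is False):
            out.append(f"container {c['name']!r} must run as non-root")
    return out


# Constructed sample pods: one that fits the restricted tenant, one that does not
GOOD_POD = {"metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsUser": 10001, "fsGroup": 10001},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "cfg", "configMap": {"name": "app-cfg"}}]}}

BAD_POD = {"metadata": {"name": "debug"}, "spec": {
    "hostPID": True,
    "securityContext": {"runAsUser": 0},
    "containers": [{"name": "shell", "image": "example/tools:1.0",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], violations(pod) or "admitted")
```

Running it prints an empty violation list for the first pod and five reasons for the second (host PID namespace, hostPath volume, privileged container, added capability, uid 0). The same checks are what the restricted-tenant sample namespace on slide 26 applies through its RBAC binding to this policy, so a tenant's CI pipeline can run a check like this before a deployment ever reaches the admission controller.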
  • 39. Calico / Contiv Overlay Container Networking. Diagram labels: K8S master nodes/VMs 1..3; K8S compute nodes/VMs 1..M (shown twice); VMware VM Port group 100; Physical L3 gateways; Contiv VXLAN overlays; Non-contiv VLAN traffic
  • 40. Secure On-Premises Deployment Topology. Diagram labels: HX vSphere Cluster; CCP – CP1; K8S-Red; K8S-Blue; vCenter; PG10, PG20, PG30; 10.1.1.0/28, 10.1.2.0/24, 10.1.3.0/24; ASR1K or any L3 GW; Leaf e.g. N93xx; Spine e.g. N95xx; 100.1.x.x; DHCP server* (for pre-3.0 releases)