1© 2017 Tigera, Inc. | Proprietary and Confidential
OpenShift Commons Briefing
Andy Randall, CEO
Simplifying and Securing Your OpenShift
Network with Project Calico
March 2, 2017
First, a (not unreasonable) question...
Isn’t virtual networking a solved problem? Can we just get on with developing and deploying apps now?
Challenges of Cloud-Native: Scale & Churn
■ <0.1x median lifespan
■ >10x workloads per host
■ 100+x churn per host
First-generation, centralized SDN controller
Traditional security appliance
Challenges of Cloud-Native: Dynamic Security
■ Dynamic IP address assignment; fungible server resources → subnets / VLANs no longer meaningful for security rules
■ Orchestrator makes highly dynamic scheduling decisions; workload meta-data already captured in orchestrator → opportunity to automate security, get rid of “firewall cruft”
■ Micro-services architecture increases network-based attack surface; attackers already exploit internal vulnerabilities → perimeter security insufficient — need to secure intra-cluster traffic
What’s Required?
■ SIMPLIFY the network, by removing unnecessary layers of complexity
■ … implemented in a scale-out, distributed architecture
■ … SECURE workloads with fine-grained policy rules, leveraging orchestrator
Enter Project Calico
Thousands of clusters deployed globally by users such as...
Active open source community with 100+ contributors
1. Simplify the Network
☑ Flat IP network (pods are endpoints too)
☑ No overlay by default ⇒ zero packet overhead
☑ Routed model — one hop to the kernel, another hop to the destination (remote kernel or local pod)
☑ Leverages Linux’s built-in, efficient network stack
☑ Maximum performance, simplest to troubleshoot
Calico Architecture: Routing
[Diagram: a physical fabric (L2 or L3) or public cloud SDN (e.g. Amazon VPC / subnet) connects the compute nodes. On each compute node the kernel holds the routes, a calico-node agent programs them, and pods attach via eth0. The Cloud OS / orchestration system drives a Calico plugin. Control plane: etcd / Raft + BGP. Data plane: IP.]
Calico Architecture: Policy Enforcement
[Diagram: the same layout as the routing diagram (physical fabric or public cloud SDN, compute nodes with kernel, calico-node, pods on eth0, Calico plugin in the Cloud OS / orchestration system), but the kernel on each node now holds both routes and ACLs. Control plane: etcd / Raft + BGP. Data plane: IP.]
2. Network Policies
My IT guys installed a firewall at the edge of my data center. Why do I want network policies as well?
Anatomy of a Calico Network Policy

apiVersion: v1
kind: policy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  ingress:
  - action: allow
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: allow

Callouts on the slide:
■ apiVersion: API version
■ metadata.name: name of this policy
■ spec.selector: which pods does it apply to?
■ ingress: who can talk to those pods (with which protocols)?
■ egress: to whom can those pods talk (with which protocols)?

$ calicoctl apply -f mypolicy.yaml

Yes, this looks a lot like a Kubernetes Network Policy… Calico can enforce k8s policy or this extended model.
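The policy above, as an added example that is not Calico's own code: a small Python model of how the selector, ingress and egress sections decide whether a flow is allowed. Calico itself renders the policy into iptables rules on every node; this script only reproduces the decision logic, and only for the subset of selector syntax the slide uses (`key == 'value'` and `all()`). The pod inventory and the flows are constructed sample data, and the rule that an endpoint selected by no policy is left open is a modelled assumption rather than something the slide states.

```python
"""Decision model for the Calico v1 policy shown on the slide (added example)."""
import re

# The slide's allow-tcp-6379 policy as a Python dict (same content as the YAML,
# expressed this way so the example runs without a YAML library).
POLICY = {
    "apiVersion": "v1",
    "kind": "policy",
    "metadata": {"name": "allow-tcp-6379"},
    "spec": {
        "selector": "role == 'database'",
        "ingress": [{
            "action": "allow",
            "protocol": "tcp",
            "source": {"selector": "role == 'frontend'"},
            "destination": {"ports": [6379]},
        }],
        "egress": [{"action": "allow"}],
    },
}

# Constructed pod inventory (name -> labels); not from the slides.
PODS = {
    "db-0": {"role": "database"},
    "web-0": {"role": "frontend"},
    "batch-0": {"role": "batch"},
}

_EQUALS = re.compile(r"^\s*([\w./-]+)\s*==\s*'([^']*)'\s*$")


def selector_matches(selector, labels):
    """Subset of Calico selector syntax used on the slide: key == 'value'
    and all(). An absent selector is a wildcard; any other syntax is an
    error rather than a silent match (failing closed is the safer default)."""
    if selector is None or selector.strip() == "all()":
        return True
    m = _EQUALS.match(selector)
    if not m:
        raise ValueError(f"unsupported selector: {selector!r}")
    return labels.get(m.group(1)) == m.group(2)


def rule_matches(rule, src_labels, dst_labels, protocol, port):
    """A rule matches when every clause it states holds; clauses it omits
    are wildcards, which is why the slide's bare egress rule allows all."""
    if "protocol" in rule and rule["protocol"].lower() != protocol.lower():
        return False
    src, dst = rule.get("source", {}), rule.get("destination", {})
    if not selector_matches(src.get("selector"), src_labels):
        return False
    if not selector_matches(dst.get("selector"), dst_labels):
        return False
    if "ports" in dst and port not in dst["ports"]:
        return False
    return True


def direction_allowed(policies, endpoint_labels, rules_key,
                      src_labels, dst_labels, protocol, port):
    """Ingress or egress verdict for one endpoint: the first matching rule of
    an applicable policy wins; a selected endpoint with no matching rule is
    denied. Modelled assumption: an endpoint no policy selects is left open."""
    applicable = [p for p in policies
                  if selector_matches(p["spec"]["selector"], endpoint_labels)]
    if not applicable:
        return True
    for policy in applicable:
        for rule in policy["spec"].get(rules_key, []):
            if rule_matches(rule, src_labels, dst_labels, protocol, port):
                return rule["action"] == "allow"
    return False


def is_allowed(policies, pods, src, dst, protocol, port):
    """A flow needs the sender's egress AND the receiver's ingress to allow it."""
    s, d = pods[src], pods[dst]
    return (direction_allowed(policies, s, "egress", s, d, protocol, port)
            and direction_allowed(policies, d, "ingress", s, d, protocol, port))


def demo(policies=(POLICY,), pods=PODS):
    """Verdicts for a few constructed flows against the slide's policy."""
    flows = [("web-0", "db-0", "tcp", 6379),    # frontend -> database, port 6379
             ("batch-0", "db-0", "tcp", 6379),  # wrong source role
             ("web-0", "db-0", "tcp", 22),      # right source, wrong port
             ("web-0", "db-0", "udp", 6379),    # right port, wrong protocol
             ("db-0", "web-0", "tcp", 80)]      # database egress is allow-all
    return {f"{s} -> {d} {proto}/{port}":
            is_allowed(list(policies), pods, s, d, proto, port)
            for s, d, proto, port in flows}


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28} {'ALLOW' if verdict else 'DENY'}")
```

Running the script prints one verdict per flow. The point to take from it is the implicit deny: once `role == 'database'` selects a pod, anything not explicitly matched by an ingress rule (wrong source label, wrong port, wrong protocol) is dropped, while the bare `egress: - action: allow` rule, having no clauses, matches everything.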
Calico Architecture: Policy Enforcement Revisited
[Diagram: compute nodes, each with a kernel holding routes and ACLs, a calico-node agent, pods on eth0, and a Calico plugin in the Cloud OS / orchestration system.]
■ Policy rendering to ACLs is distributed to calico agents
■ Each node efficiently calculates what it needs & programs iptables
■ At scale, <10ms to first ping
Architectural Comparison
OVS-based (e.g. OpenShift SDN) vs. Project Calico:
■ One subnet per host | Dynamic allocation of IP address ranges to a host as additional containers are scheduled (reduces wasted addresses without imposing an upper limit on # containers)
■ Pods connected to OVS bridge (br0) | Pods connected into the Linux kernel routing engine (no bridge, single routed hop, same path intra/inter node)
■ Access to pods on remote nodes via VXLAN tunnel (tun0) | Tunnel possible but not required — pods have real IPs on the underlying network — no double-encapsulation when running on an underlying SDN (e.g. public cloud or OpenStack)
■ Connectivity outside cluster via NAT | NAT not required by default to the outside world, since pods have real IPs
■ Network isolation enforced in OVS via tenant separation (separate ovs-multitenant plug-in) or Kubernetes network policy with ovs-subnet | Network isolation (including multi-tenant) enforced via ingress + egress policy rules encoded into iptables rules in the Linux kernel
■ OVS in control and data path | Calico in control path only (data path = traditional Linux kernel L3 forwarding & filtering)
Considerations for other SDN solutions
(Some) other networking solutions vs. Project Calico:
■ Centralized controller calculates rules for each node | All policy calculations / rendering
■ Must replace internal service routing — not compatible with kube-proxy | Fully compatible with standard kube-proxy
■ Must use own external load balancing — not compatible with OpenShift Router | Fully compatible with OpenShift Router and any other regular IP networking mechanisms (it’s just IP)
Can I just get the policies?
I like how Calico does policies — but still want to use a VXLAN overlay. You probably can’t do that, right?
Combining Calico with Flannel Networking
A collaboration between Tigera and CoreOS to apply Calico policy to flannel overlay networks
More: http://github.com/projectcalico/canal
Calico & OpenShift
So how does this all tie together with OpenShift?
Calico on OpenShift
[Diagrams, built up over three slides: every OpenShift node runs the CNI components (Calico-CNI and Calico-IPAM); every node also runs Calico/Node, containing Felix (local routing & policy calculation) and Bird (BGP); and the cluster runs a Calico Policy Controller.]
Calico-OpenShift Integration
■ Lots of recipes for Calico + Kubernetes
  ■ E.g. AWS Quick Start, Stack Point Cloud, kops, ...
■ Users have deployed with OpenShift
  ■ “Roll-your-own” installation until recently
■ Tigera / Red Hat collaborating on supported integration and certification for OpenShift
  ■ Integration was working, but broken by OCP 3.4. Addressing a few minor remaining issues.
  ■ “Watch this space”: sign up to the Project Calico Slack (http://slack.projectcalico.org), join the #openshift channel, and let us know you’re interested!
github.com/projectcalico
@andrew_randall | @projectcalico
slack.projectcalico.org → #openshift
Andy Randall
andy@tigera.io

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Simplifying and Securing your OpenShift Network with Project Calico

  • 7. Simplify the Network
    ☑ Flat IP network (pods are endpoints too)
    ☑ No overlay by default ⇒ zero packet overhead
    ☑ Routed model: one hop to the kernel, another hop to the destination (remote kernel or local pod)
    ☑ Leverages Linux’s built-in, efficient network stack
    ☑ Maximum performance, simplest to troubleshoot
  • 8. Calico Architecture: Routing (diagram)
    Physical fabric (L2 or L3) or public cloud SDN (e.g. Amazon VPC / subnet), with the Cloud OS / Orchestration System above it.
    Per compute node: the kernel holding routes; a calico-node agent; each pod's eth0 attached via the Calico plugin.
    Control plane: etcd / Raft + BGP. Data plane: plain IP.
  • 9. Calico Architecture: Policy Enforcement (diagram)
    Same layout as slide 8, with each node's kernel now holding ACLs alongside its routes.
  • 10. 2. Network Policies
    My IT guys installed a firewall at the edge of my data center. Why do I want network policies as well?
  • 14. Anatomy of a Calico Network Policy

        apiVersion: v1                      # API version
        kind: policy
        metadata:
          name: allow-tcp-6379              # Name of this policy
        spec:
          selector: role == 'database'      # Which pods does it apply to?
          ingress:                          # Who can talk to those pods (with which protocols)?
          - action: allow
            protocol: tcp
            source:
              selector: role == 'frontend'
            destination:
              ports:
              - 6379
          egress:                           # To whom can those pods talk (with which protocols)?
          - action: allow

        $ calicoctl apply -f mypolicy.yaml

    Yes, this looks a lot like a Kubernetes Network Policy… Calico can enforce k8s policy or this extended model.
  • 15. Calico Architecture: Policy Enforcement Revisited (diagram as on slide 9)
    ■ Policy rendering to ACLs is distributed to the Calico agents
    ■ Each node efficiently calculates what it needs & programs iptables
    ■ At scale, <10ms to first ping
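To make the semantics of slides 14 and 15 concrete, here is an added example (not Calico's own code, and not from the slides): a toy model that evaluates the allow-tcp-6379 policy against a small constructed inventory of pods, resolves a label selector to the set of IPs a node would keep in an ipset, and renders the iptables-style ingress rules that one node needs for the endpoints scheduled on it. It goes slightly beyond the slide by supporting `!=` selectors and rule lists. The pod names and IPs, the `cali-in-*` chain and `set-*` ipset names, and the allow-all fallback for endpoints that no policy selects are assumptions made for illustration.

```python
"""Added example, not Calico's code: a toy model of the v1 policy semantics on
slides 14 and 15.  Endpoint names/IPs, chain and ipset names, and the fallback
for endpoints that no policy selects are assumptions made for illustration."""
import re
from dataclasses import dataclass

# The slide's allow-tcp-6379 policy, as the dict its YAML parses to.
ALLOW_TCP_6379 = {
    "name": "allow-tcp-6379",
    "selector": "role == 'database'",
    "ingress": [{"action": "allow", "protocol": "tcp",
                 "source": {"selector": "role == 'frontend'"},
                 "destination": {"ports": [6379]}}],
    "egress": [{"action": "allow"}],  # note: unrestricted egress for databases
}

@dataclass
class Endpoint:
    name: str
    ip: str
    node: str
    labels: dict

# Constructed inventory: the metadata the orchestrator already holds.
ENDPOINTS = [
    Endpoint("web-0", "10.244.1.5", "node-a", {"role": "frontend"}),
    Endpoint("batch-0", "10.244.1.9", "node-a", {"role": "batch"}),
    Endpoint("db-0", "10.244.2.7", "node-b", {"role": "database"}),
]
_TERM = re.compile(r"^([\w./-]+)\s*(==|!=)\s*'([^']*)'$")

def matches(selector, labels):
    """Subset of the selector syntax: all(), k == 'v', k != 'v', joined by &&."""
    selector = selector.strip()
    if selector in ("", "all()"):
        return True
    for term in (t.strip() for t in selector.split("&&")):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, value = m.groups()
        if (labels.get(key) == value) != (op == "=="):
            return False
    return True

def _rule_matches(rule, local, peer, proto, port, direction):
    # Ingress: peer is the source, local the destination; egress: reversed.
    if rule.get("protocol") and rule["protocol"] != proto:
        return False
    src_ep, dst_ep = (peer, local) if direction == "ingress" else (local, peer)
    src, dst = rule.get("source", {}), rule.get("destination", {})
    if "selector" in src and not matches(src["selector"], src_ep.labels):
        return False
    if "selector" in dst and not matches(dst["selector"], dst_ep.labels):
        return False
    return "ports" not in dst or port in dst["ports"]

def verdict(policies, local, peer, proto, port, direction):
    """First matching rule of an applicable policy wins; policies apply but none
    match -> deny; no policy selects the endpoint -> allow (assumption standing
    in for the profiles Calico consults in that case)."""
    applicable = [p for p in policies if matches(p["selector"], local.labels)]
    if not applicable:
        return "allow"
    for rule in (r for p in applicable for r in p.get(direction, [])):
        if _rule_matches(rule, local, peer, proto, port, direction):
            return rule["action"]
    return "deny"

def flow_allowed(policies, src, dst, proto, port):
    """Pass the source's egress chain AND the destination's ingress chain."""
    return (verdict(policies, src, dst, proto, port, "egress") == "allow"
            and verdict(policies, dst, src, proto, port, "ingress") == "allow")

def ipset_for(selector, endpoints):
    """Selector -> member IPs: a rescheduled pod changes the set, not the rule."""
    return sorted(e.ip for e in endpoints if matches(selector, e.labels))

def render_node_rules(policies, endpoints, node):
    """iptables-style ingress rules for this node's OWN endpoints only (slide 15).
    Chain and ipset names are invented here, not Calico's real naming."""
    lines = []
    for ep in (e for e in endpoints if e.node == node):
        chain = f"cali-in-{ep.name}"
        applicable = [p for p in policies if matches(p["selector"], ep.labels)]
        if not applicable:
            lines.append(f"-A {chain} -j ACCEPT")  # assumed profile fallback
            continue
        for rule in (r for p in applicable for r in p.get("ingress", [])):
            parts = [f"-A {chain}"]
            if rule.get("protocol"):
                parts.append(f"-p {rule['protocol']}")
            if "selector" in rule.get("source", {}):
                name = re.sub(r"\W+", "-", rule["source"]["selector"]).strip("-")
                parts.append(f"-m set --match-set set-{name} src")
            ports = rule.get("destination", {}).get("ports", [])
            if ports:
                parts.append("-m multiport --dports " + ",".join(map(str, ports)))
            parts.append("-j ACCEPT" if rule["action"] == "allow" else "-j DROP")
            lines.append(" ".join(parts))
        lines.append(f"-A {chain} -j DROP")  # policies applied, nothing matched
    return lines
```

Two things worth noticing when running it: node-a renders nothing but fallback rules because no policy selects its pods, while node-b renders only the database chain, which is the "each node calculates what it needs" point of slide 15; and the slide's `egress: - action: allow` means a compromised database pod can open connections anywhere, so in practice the egress list is narrowed in the same way as ingress. Real Calico consults per-namespace profiles rather than the allow-all fallback assumed here.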
  • 16. Architectural Comparison
    OVS-based (e.g. OpenShift SDN) vs. Project Calico:
    Addressing
      OVS-based: one subnet per host
      Calico: dynamic allocation of IP address ranges to a host as additional containers are scheduled (reduces wasted addresses without imposing an upper limit on the number of containers per host)
    Pod attachment
      OVS-based: pods connected to the OVS bridge (br0)
      Calico: pods connected into the Linux kernel routing engine (no bridge, single routed hop, same path intra- and inter-node)
    Reaching pods on remote nodes
      OVS-based: via VXLAN tunnel (the vxlan0 port on br0; tun0 is the bridge's host-side port, used for traffic leaving the cluster)
      Calico: tunnel possible but not required; pods have real IPs on the underlying network, so there is no double encapsulation when running on an underlying SDN (e.g. public cloud or OpenStack)
    Connectivity outside the cluster
      OVS-based: via NAT
      Calico: NAT not required by default, since pods have real IPs
    Network isolation
      OVS-based: enforced in OVS via tenant separation (separate ovs-multitenant plug-in) or Kubernetes network policy with ovs-subnet
      Calico: enforced (including multi-tenant) via ingress + egress policy rules encoded into iptables rules in the Linux kernel
    Control vs. data path
      OVS-based: OVS in both the control and the data path
      Calico: Calico in the control path only (data path = traditional Linux kernel L3 forwarding & filtering)
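The quickest way to confirm which of the two data paths a node actually has is to read its routing table. The following is an added example (not part of the slides or of Calico) that classifies an `ip route` dump into local pod routes, remote IPAM blocks learned over BGP and local-block blackholes, and flags anything that contradicts the routed, bridge-less model of slides 7 and 16. Both dumps are constructed; the conventions assumed are a `cali*` veth per local pod, /26 blocks announced by BIRD (`proto bird`), and `br0`/`tun0`/`vxlan0` style devices for an OVS overlay.

```python
"""Added example, not Calico's code: classify a node's `ip route` output to
check the routed, bridge-less data path.  Route dumps are constructed and the
interface/prefix conventions are assumptions about typical setups."""

# Constructed: what `ip route` typically shows on a Calico node.
CALICO_ROUTES = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.11
10.244.1.5 dev cali3f2a8b1c2d3 scope link
10.244.1.9 dev cali9e7d6c5b4a3 scope link
blackhole 10.244.1.0/26 proto bird
10.244.2.0/26 via 192.168.0.12 dev eth0 proto bird
"""

# Constructed: the same cluster CIDR behind an OVS bridge + VXLAN overlay.
OVERLAY_ROUTES = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.11
10.244.0.0/16 dev tun0 proto kernel scope link src 10.244.1.1
"""

# Device names that indicate a bridge or overlay in the pod data path (assumed).
OVERLAY_DEVICES = ("br0", "tun0", "vxlan0", "flannel.1", "cni0", "docker0")


def _field(fields, key):
    """Value following `key` in an `ip route` line, or None if absent."""
    return fields[fields.index(key) + 1] if key in fields else None


def classify_routes(text):
    """Split an `ip route` dump into local pod routes (/32 on a cali* veth),
    remote pod blocks learned from BIRD, local-block blackholes, and the rest.
    The blackhole for the node's own block is normal: it drops traffic to
    addresses in the block that are not yet allocated to a pod."""
    out = {"local_pod": [], "remote_block": [], "blackhole": [], "other": []}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "blackhole":
            out["blackhole"].append(f[1])
            continue
        dst, dev, via, proto = f[0], _field(f, "dev"), _field(f, "via"), _field(f, "proto")
        if dev and dev.startswith("cali") and "/" not in dst:
            out["local_pod"].append((dst, dev))          # one hop: kernel -> pod veth
        elif proto == "bird" and via:
            out["remote_block"].append((dst, via, dev))  # one hop: kernel -> peer node
        else:
            out["other"].append(line)
    return out


def routed_model_findings(text):
    """Routes that contradict the routed model: a bridge/overlay device in the
    pod path, or a host (/32) route that is not on a cali* veth."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in ("default", "blackhole"):
            continue
        dev = _field(f, "dev") or ""
        if dev in OVERLAY_DEVICES:
            findings.append(f"overlay/bridge device in path: {line}")
        elif "/" not in f[0] and not dev.startswith("cali"):
            findings.append(f"host route not on a cali* veth: {line}")
    return findings


if __name__ == "__main__":
    for name, dump in (("calico", CALICO_ROUTES), ("overlay", OVERLAY_ROUTES)):
        print(name, classify_routes(dump), routed_model_findings(dump))
```

On a real node, feed it `ip route show` (and `ip -6 route show` if dual-stack) and compare against `calicoctl node status`, which lists the BGP peers the remote blocks should be learned from; a remote block with no matching peer, or any pod route on a device in `OVERLAY_DEVICES`, means the node is not running the plain routed model the comparison describes.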
  • 17. Considerations for other SDN solutions
    (Some) other networking solutions vs. Project Calico:
    Policy computation
      Others: centralized controller calculates rules for each node
      Calico: all policy calculation and rendering is done locally on each node by the Calico agent (no central controller in the path)
    Service routing
      Others: must replace internal service routing; not compatible with kube-proxy
      Calico: fully compatible with standard kube-proxy
    External load balancing
      Others: must use their own external load balancing; not compatible with OpenShift Router
      Calico: fully compatible with OpenShift Router and any other regular IP networking mechanism (it’s just IP)
  • 18. Can I just get the policies?
    I like how Calico does policies, but still want to use a VXLAN overlay. You probably can’t do that, right?
  • 19. Combining Calico with Flannel Networking
    A collaboration between Tigera and CoreOS to apply Calico policy to flannel overlay networks.
    More: http://github.com/projectcalico/canal
  • 20. Calico & OpenShift
    So how does this all tie together with OpenShift?
  • 21. Calico on OpenShift (cluster diagram; the components are introduced on the next three slides)
  • 22. Calico on OpenShift: CNI plugin, one per node
    ● Calico-CNI
    ● Calico-IPAM
  • 23. Calico on OpenShift: Calico/Node, one per node
    ● Felix (local routing & policy calculation)
    ● Bird (BGP)
  • 24. Calico on OpenShift: Calico Policy Controller (one per cluster)
  • 25. Calico-OpenShift Integration &
    Lots of recipes for Calico + Kubernetes
    ■ E.g. AWS Quick Start, Stack Point Cloud, kops, ...
    Users have deployed with OpenShift
    ■ “Roll-your-own” installation until recently
    Tigera / Red Hat collaborating on supported integration and certification for OpenShift
    ■ Integration was working, but broken by OCP 3.4. Addressing a few minor remaining issues.
    ■ “Watch this space”: sign up to the Project Calico Slack (http://slack.projectcalico.org), join the #openshift channel, and let us know you’re interested!
  • 26. github.com/projectcalico
    @andrew_randall | @projectcalico
    slack.projectcalico.org → #openshift
    Andy Randall, andy@tigera.io