Securing Microservices in CloudFoundry
Brenden Blanco and Deepa Kalani
Architects, CTO Office - PLUMgrid
Need for Micro Segmentation
•  Movement towards cloud native applications.
•  The elastic nature of applications requires a more agile way of configuring policies.
•  Operators would like an intuitive way of defining policies, based on application roles and not IP addresses.
•  Relying on traditional firewall rules quickly becomes unmanageable as applications move around.
•  Move towards a whitelist model of policy definition, where one defines the acceptable information flows and everything else is blocked.
IPTables to define Endpoint Policy - State Explosion

IP Table Rules (figure: one allow rule per permitted source/destination pair, installed on every host):
  IP1  -> IP3, IP5, IP7, IP8
  IP3  -> IP1, IP5, IP7, IP8
  IP5  -> IP1, IP3, IP7, IP8
  IP7  -> IP1, IP3, IP5, IP8
  IP8  -> IP1, IP3, IP5, IP7
  IP2  -> IP4, IP6, IP9, IP10
  IP4  -> IP2, IP6, IP9, IP10
  IP9  -> IP2, IP4, IP6, IP10
  IP10 -> IP2, IP4, IP6, IP9
Group Based Policy - secure, scalable, intent based

Endpoint Groups (figure):
  IP1, IP3  -> Green
  IP2, IP4  -> Red
  IP5, IP7  -> Green
  IP6       -> Red
  IP8       -> Green
  IP9, IP10 -> Red

Policies (the same two policies, repeated on each host in the figure):
  Green -> Green
  Red   -> Red
Policy specification for Cloud Foundry Applications
•  Define Endpoints and EPGs (applications are represented by groups of endpoints).
•  Policy is defined in terms of applications, not addresses.
•  e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow.
•  Envision policy as a graph of application connectivity.

Figure: application connectivity graph with nodes A_App, B_APP, C_APP, A_DB and DB_Ext.
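The group-based policy of the two preceding slides and the application-level policy on this one, modelled in Python as an added example (not code from the deck, from PLUMgrid or from the IO Visor project; Python because bcc, the IO Visor front end, is driven from Python). It keeps the two tables a data-plane module would hold in maps, endpoint to group and (source group, destination group, port) to allow, and expands them to the per-IP rule list of the iptables slide so the state growth can be counted. The `*` port wildcard, the `ALLOW`/`DROP` verdict names and the Cloud Foundry instance addresses are assumptions made for illustration.

```python
ANY = "*"  # port wildcard: an assumption of this example, not notation from the deck


class GroupPolicy:
    """Intent-based policy: endpoints map to groups, rules are written between groups.

    Two tables, mirroring what a kernel data-plane module would keep in maps:
      endpoint_group : ip -> group name (EPG)
      rules          : set of (src_group, dst_group, dst_port)
    Everything not explicitly allowed is dropped (whitelist model).
    """

    def __init__(self):
        self.endpoint_group = {}
        self.rules = set()

    def add_endpoint(self, ip, group):
        self.endpoint_group[ip] = group

    def move_endpoint(self, ip, group):
        # An instance changing host or role is a single table update;
        # the group rules themselves do not change.
        self.endpoint_group[ip] = group

    def allow(self, src_group, dst_group, port=ANY):
        self.rules.add((src_group, dst_group, port))

    def verdict(self, src_ip, dst_ip, port):
        src = self.endpoint_group.get(src_ip)
        dst = self.endpoint_group.get(dst_ip)
        if src is None or dst is None:
            return "DROP"  # unknown endpoint: never implicitly trusted
        if (src, dst, port) in self.rules or (src, dst, ANY) in self.rules:
            return "ALLOW"
        return "DROP"

    def expand_to_ip_rules(self):
        """The per-IP rule set a traditional firewall needs to express the same intent."""
        members = {}
        for ip, group in self.endpoint_group.items():
            members.setdefault(group, []).append(ip)
        ip_rules = set()
        for src_group, dst_group, port in self.rules:
            for s in members.get(src_group, []):
                for d in members.get(dst_group, []):
                    if s != d:
                        ip_rules.add((s, d, port))
        return ip_rules


def slide_policy():
    """The Green/Red example from the deck: ten endpoints, two groups, two policies."""
    p = GroupPolicy()
    for ip in ("IP1", "IP3", "IP5", "IP7", "IP8"):
        p.add_endpoint(ip, "Green")
    for ip in ("IP2", "IP4", "IP6", "IP9", "IP10"):
        p.add_endpoint(ip, "Red")
    p.allow("Green", "Green")
    p.allow("Red", "Red")
    return p


def cloud_foundry_policy():
    """The slide's intent: A_APP->A_DB 80 allow, B_APP->A_APP allow.
    The instance addresses are made up for this example."""
    p = GroupPolicy()
    p.add_endpoint("192.168.0.10", "A_APP")
    p.add_endpoint("192.168.0.11", "A_APP")
    p.add_endpoint("192.168.1.20", "A_DB")
    p.add_endpoint("192.168.1.30", "B_APP")
    p.add_endpoint("192.168.1.40", "C_APP")
    p.allow("A_APP", "A_DB", 80)
    p.allow("B_APP", "A_APP")
    return p


if __name__ == "__main__":
    p = slide_policy()
    print(len(p.rules), "group rules vs", len(p.expand_to_ip_rules()), "per-IP rules")
    cf = cloud_foundry_policy()
    print(cf.verdict("192.168.0.10", "192.168.1.20", 80))    # ALLOW
    print(cf.verdict("192.168.0.10", "192.168.1.20", 5432))  # DROP: only port 80 is permitted
    print(cf.verdict("192.168.1.40", "192.168.1.20", 80))    # DROP: C_APP has no rule to A_DB
```

Rules here are directional and stateless: `A_APP->A_DB 80` admits the request but not the reply, so a real module needs connection tracking or an explicit return rule. Moving an endpoint between groups is one map update; the per-IP expansion has to be recomputed from the group tables, which is exactly the bookkeeping an iptables-only approach pushes back onto the operator.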
www.iovisor.org	
IO Module, users perspective

Figure: an IO Module as its user sees it.
•  Management interface: REST API; CLI / config file. Controllers live above this interface.
•  Interfaces, each with an interface type (Net, Tracing, Storage, …).
•  Something runs in the kernel, something runs in user space.
•  IO Modules catalog: search for an IO Module and download it. Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules.
IO Module, developers perspective

Figure: an IO Module as its developer sees it.
•  IO Modules catalog: publish new modules. Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules.
•  Users interact with the module through its management interface (REST API; CLI / config file) and its interfaces, each with an interface type (Net, Tracing, Storage, …).
•  The module has a control plane (user space, with a user space helper) and a data plane (kernel).
•  The IO Module developer builds it with the IOVisor SDK: Clang / P4; Python, C, C++, Go, JS …
IO Module, graph composition

Figure: IO Modules composed into a graph.
•  User space: the IOVisor Manager, an open repo of "IO Modules" (kernel code plus metadata), and APIs to controllers.
•  Kernel space: the modules' kernel code at kernel attachment points, extending Linux kernel capabilities.
www.iovisor.org	
Composing IO Modules
Policy Plugin with IO Visor

Figure: Overlay - VXLAN. Two hosts, Garden/0 - 10.244.18.2 and Garden/1 - 10.244.18.3, each running containers (C) attached to a Linux bridge with a VXLAN device; container address ranges 192.168.0.0/16 and 192.168.1.0/16. The policy boundary is drawn at the bridge / VXLAN device of each host.
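At the policy boundary in this figure, traffic leaving the VXLAN device carries the Garden host addresses (10.244.18.x) in its outer headers; the container endpoints are only visible in the encapsulated inner packet. The following Python is an added example of that decapsulation, not code from the deck, PLUMgrid or IO Visor: it parses outer Ethernet/IPv4/UDP/VXLAN down to the inner IPv4 flow that an endpoint-group lookup would key on, and builds a constructed sample frame (not a capture) between the two hosts of the figure. The VNI, MAC addresses, ports and container addresses in the sample are assumptions.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _ipv4(buf, off):
    """Return (proto, src, dst, header_len) for the IPv4 header starting at buf[off]."""
    if len(buf) < off + 20:
        raise ValueError("truncated IPv4 header")
    if buf[off] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[off] & 0x0F) * 4
    proto = buf[off + 9]
    src = str(IPv4Address(buf[off + 12:off + 16]))
    dst = str(IPv4Address(buf[off + 16:off + 20]))
    return proto, src, dst, ihl


def decap_vxlan(frame):
    """Parse outer Ethernet/IPv4/UDP/VXLAN and return the inner flow as a dict.

    Returns None when the frame is not VXLAN at all (other traffic takes its
    normal path) and raises ValueError when it claims to be VXLAN but is
    malformed: a policy hook must fail closed on those, never fall through.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    proto, outer_src, outer_dst, ihl = _ipv4(frame, 14)
    if proto != IPPROTO_UDP:
        return None
    udp = 14 + ihl
    if len(frame) < udp + 8:
        raise ValueError("truncated UDP header")
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != VXLAN_UDP_PORT:
        return None
    vx = udp + 8
    if len(frame) < vx + 8:
        raise ValueError("truncated VXLAN header")
    if not frame[vx] & 0x08:  # I flag: the VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
    inner = vx + 8
    if len(frame) < inner + 14:
        raise ValueError("truncated inner Ethernet header")
    if struct.unpack("!H", frame[inner + 12:inner + 14])[0] != ETH_P_IP:
        raise ValueError("inner frame is not IPv4")
    i_proto, i_src, i_dst, i_ihl = _ipv4(frame, inner + 14)
    l4 = inner + 14 + i_ihl
    dport = None
    if i_proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return {"vni": vni, "outer_src": outer_src, "outer_dst": outer_dst,
            "src": i_src, "dst": i_dst, "proto": i_proto, "dport": dport}


def build_vxlan_frame(vni, outer_src, outer_dst, inner_src, inner_dst, dport):
    """Constructed sample (not a capture): a TCP SYN from one container to
    another, carried between two Garden hosts. Checksums are left at zero."""
    def eth():
        # Locally administered MACs, assumed for the example.
        return bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETH_P_IP)

    def ipv4(proto, src, dst, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                           64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = eth() + ipv4(IPPROTO_TCP, inner_src, inner_dst, len(tcp)) + tcp
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, udp_len, 0) + vxlan + inner
    return eth() + ipv4(IPPROTO_UDP, outer_src, outer_dst, len(udp)) + udp


if __name__ == "__main__":
    frame = build_vxlan_frame(100, "10.244.18.2", "10.244.18.3",
                              "192.168.0.10", "192.168.1.20", 80)
    flow = decap_vxlan(frame)
    # Outer addresses are the Garden hosts; only the inner ones identify endpoints.
    print(flow["outer_src"], "->", flow["outer_dst"], "carries",
          flow["src"], "->", flow["dst"], "port", flow["dport"], "on VNI", flow["vni"])
```

The point for the policy plugin: whichever side of the VXLAN device the hook sits on, the endpoint-group lookup has to be keyed on the inner source and destination (and the VNI, which separates overlays), not on the 10.244.18.x addresses that every container on a host shares. A frame that is VXLAN but truncated or malformed is rejected rather than classified on partial headers.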
Thank You!
www.iovisor.org
Backup Slides
Introducing IO Visor Project
Future of Linux Kernel IO for software defined services
Led by initial contributions from PLUMgrid (upstreamed since Kernel 3.16)
Evolution of Kernel BPF & eBPF (Berkeley Packet Filter)

"IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collaboration is critically important as virtualization is putting more demands on flexibility, performance and security.

Open source software and collaborative development are the ingredients for addressing massive change in any industry. IO Visor will provide the essential framework for this work on Linux virtualization and networking."
Jim Zemlin, Executive Director, The Linux Foundation.
IO Visor Project: What?
1. Programmable Data Plane: a programmable data plane and development tools to simplify the creation of new infrastructure ideas.
2. Open Source & Community: an open source project and a community of developers. Enables a new way to Innovate, Develop and Share IO and Networking functions.
3. Repository of "IO Modules": a place to share / standardize new ideas in the form of "IO Modules".
IO Visor Project Use Cases Example: Networking
•  IO Visor is used to build a fully distributed virtual network across multiple compute nodes.
•  All data plane components are inserted dynamically in the kernel.
•  No virtual/physical appliances needed.
•  Example here: https://github.com/iovisor/bcc/tree/master/examples/distributed_bridge

Figure: "Virtual/Physical Appliances" versus "Virtual Network Topology in Kernel Space".

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
