Networking & Security for Mesos - Meetupfiles.meetup.com/14353592/mesos-meetup-nyc-2016-02b.pdf ·...

@projectcalico Project Calico is sponsored by

Sponsored by

Networking & Security for MesosAN IP FOR EVERY CONTAINER… AND MORE!

Christopher Liljenstolpe February 24, 2016


The #1 Challenge for Cloud?

Recent data breaches due to hacking or poor securityhttp://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cloud-native app

architectures are driving100-1000x growth in workloadsin an era of heightened

security threats


Enterprise security is still in the middle ages


Medieval security architecture


“Oh, hey! I just love these things! … Crunchy on the outside and a chewy center!”


Fast forward to the present


Increased complexity


Resource Fungibility


Tear down the walls?


The opportunity?


The Dynamic, Distributed Firewall

NetworkFabric

eth0eth0

eth0

192.168.1.2Ro

utin

g

Rout

ing

eth0

192.168.1.3

eth0

192.168.1.4

eth0

192.168.1.7

eth0

192.168.1.6

eth0

192.168.1.5

10.0.0.1 10.0.0.2


WorkloadB2001:db8::2

WorkloadA2001:db8::1

The Dynamic, Distributed Firewall: Worked Example

Felix

WorkloadC2001:db8::3

Felix

1. to 2001:db8::2 port 80 allow2. to 2001:db8::3 port 80 allow3. from <qaRobots> port 443 allow4. default deny

A: loadBal; QAB: webAppC: webApploadBal: allow 80 to webAppwebApp: allow 80 fm loadBal

QA: allow 443 fm <qaRobots>

Pub: allow 443 fm any

1. from 2001:db8::1 port 80 allow2. default deny

1. from 2001:db8::1 port 80 allow2. default deny

Pub

any


Mesos / HAProxy introduce another problem…

Host [10.0.0.1]

Application[172.17.0.2]

A service[172.17.0.3]

… another[172.17.0.4]

IP:10.0.0.1:80IP:10.0.0.1:80IP:10.0.0.1:8080


The Solution…


Mesos AgentMesos Agent

Project Calico & Mesos – Logical Architecture

Mesos Agent

Host Kernel

Workload (container

or VM)

Workload (container

or VM)

Workload (container

or VM)…

…

Efficient Packet Forwarding(IP per workload, direct integration with cloud fabric)

Policy Enforcement

Policy Enforcement

Policy Enforcement

Security Policy

Routes &Addresses

Mesos Master


Net-modules Work Flow – Actual Architecture

Update task state

Plug-‐in (Calico)AgentMasterFramework

IPAM

Networkvirtualizer

Get IP

Isolatormodule

Isolate (IP, policy)

Cleanupmodule

Launch task (NetworkInfo)

Launch task (NetworkInfo)

Task update (NetworkInfo)

Task update (NetworkInfo)

Mesos module

Network plug-‐in


§ Mesos cluster with 2 agents§ Launching 4 probe tasks

§ Each probe listens to port 9000§ Each probe tries to reach all other probes

§ We want all 4 to launch successfully (no port conflicts)

§ We want to isolate them into two groups of 2 probes

Demonstration of basic network isolation


Demonstration (video)


§ Net-modules supported with Mesos containerizersince Mesos 0.26§ IP per container§ IP Address Management (IPAM)§ DNS-based service discovery (Mesos-DNS)§ Network isolation

§ Try it out – https://github.com/mesosphere/net-modules§ Includes step-by-step instructions to repeat the demo

Where are we at today?


§ Other frameworks (only Marathon supported today)§ Community work ongoing to integrate Spark, Chronos, ...

§ Docker daemon support via same net-modules mechanism§ Docker daemon includes a different networking model, via

the libnetwork API, but it is not well integrated with Mesos

§ Tighter integration of fine-grained policy control§ Today, fine-grained policy is ”side loaded” via calicoctl

§ One-step install via DCOS§ Support for Container Network Interface (CNI)

model (as used by Kubernetes)

Restrictions / Wish List


Summary

Networking & Security for Mesos - Meetupfiles.meetup.com/14353592/mesos-meetup-nyc-2016-02b.pdf ·...

Documents

Transcript of Networking & Security for Mesos - Meetupfiles.meetup.com/14353592/mesos-meetup-nyc-2016-02b.pdf ·...