Transcript of Networking & Security for Mesos

  • @projectcalico Project Calico is sponsored by

    Networking & Security for Mesos: AN IP FOR EVERY CONTAINER… AND MORE!

    Christopher Liljenstolpe, February 24, 2016

  • The #1 Challenge for Cloud?

    Recent data breaches due to hacking or poor security: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

    Cloud-native app architectures are driving 100-1000x growth in workloads in an era of heightened security threats.

  • Enterprise security is still in the middle ages

  • Medieval security architecture

  • “Oh, hey! I just love these things! … Crunchy on the outside and a chewy center!”

  • Fast forward to the present

  • Increased complexity

  • Resource Fungibility

  • Tear down the walls?

  • The opportunity?

  • The Dynamic, Distributed Firewall

    [Figure: a Network Fabric connecting two hosts, 10.0.0.1 and 10.0.0.2, each running a routing function. Six workloads, each with its own eth0 and its own address (192.168.1.2 through 192.168.1.7), sit behind the hosts and are reached by routing rather than through a perimeter device.]

  • The Dynamic, Distributed Firewall: Worked Example

    Workloads (Felix enforces policy on each host):
      Workload A 2001:db8::1 (profiles: loadBal, QA)
      Workload B 2001:db8::2 (profile: webApp)
      Workload C 2001:db8::3 (profile: webApp)

    Profile definitions:
      loadBal: allow 80 to webApp
      webApp: allow 80 fm loadBal
      QA: allow 443 fm Pub
      Pub: allow 443 fm any

    Rules programmed for Workload A:
      1. to 2001:db8::2 port 80 allow
      2. to 2001:db8::3 port 80 allow
      3. from port 443 allow (source set: the members of Pub)
      4. default deny

    Rules programmed for Workload B and for Workload C:
      1. from 2001:db8::1 port 80 allow
      2. default deny
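    The expansion shown on this slide, as an added example (this is not Calico's or Felix's code): profiles are expanded into the ordered per-workload allow list that ends in default deny, and a flow is then evaluated against those lists. Workloads A, B, C and the four profiles are the slide's; workload D (a member of Pub at 2001:db8::4) is a constructed addition so that the QA rule "allow 443 fm Pub" resolves to a concrete source address. The evaluation rule, that both the source's "to" list and the destination's "from" list must allow a flow, is an assumption of this example.

```python
"""Expand profile (group) policy into per-workload firewall rules with a default deny.

Added example, not Calico's code. Workloads A, B, C and the four profiles are from
the slide; workload D (profile Pub, 2001:db8::4) is a constructed addition.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProfileRule:
    direction: str   # "from": allow inbound from peers; "to": allow outbound to peers
    peer: str        # profile the peer must carry, or "any"
    port: int


PROFILES: Dict[str, List[ProfileRule]] = {
    "loadBal": [ProfileRule("to", "webApp", 80)],
    "webApp":  [ProfileRule("from", "loadBal", 80)],
    "QA":      [ProfileRule("from", "Pub", 443)],
    "Pub":     [ProfileRule("from", "any", 443)],
}

# name -> (address, ordered profiles). D is constructed, not on the slide.
WORKLOADS: Dict[str, Tuple[str, List[str]]] = {
    "A": ("2001:db8::1", ["loadBal", "QA"]),
    "B": ("2001:db8::2", ["webApp"]),
    "C": ("2001:db8::3", ["webApp"]),
    "D": ("2001:db8::4", ["Pub"]),
}

Rule = Tuple[str, str, int]   # (direction, peer address or "any", port); ("default", "any", 0) = deny


def members(profile: str) -> List[str]:
    """Addresses of every workload carrying the given profile."""
    return [ip for ip, profs in WORKLOADS.values() if profile in profs]


def compile_rules(name: str) -> List[Rule]:
    """Ordered allow list for one workload, terminated by default deny."""
    my_ip, my_profiles = WORKLOADS[name]
    rules: List[Rule] = []

    def add(rule: Rule) -> None:
        if rule not in rules:
            rules.append(rule)

    # 1. The workload's own profiles, in the order they are attached.
    for prof in my_profiles:
        for r in PROFILES[prof]:
            peers = ["any"] if r.peer == "any" else members(r.peer)
            for ip in peers:
                if ip != my_ip:
                    add((r.direction, ip, r.port))

    # 2. Mirror rules: a peer profile that names one of my profiles implies the
    #    matching rule on my side, so both ends of a flow agree.
    for other, (ip, profs) in WORKLOADS.items():
        if other == name:
            continue
        for prof in profs:
            for r in PROFILES[prof]:
                if r.peer in my_profiles:
                    add(("from" if r.direction == "to" else "to", ip, r.port))

    rules.append(("default", "any", 0))
    return rules


def allowed(src_ip: str, dst: str, port: int) -> bool:
    """Flow decision (assumed model): the destination's inbound list must allow it, and,
    if the source is a managed workload, so must the source's outbound list."""
    by_ip = {ip: n for n, (ip, _) in WORKLOADS.items()}
    dst_ip = WORKLOADS[dst][0]

    def permits(name: str, direction: str, peer_ip: str) -> bool:
        for d, peer, p in compile_rules(name):
            if d == "default":
                return False                     # fell through: default deny
            if d == direction and p == port and peer in (peer_ip, "any"):
                return True
        return False

    if not permits(dst, "from", src_ip):
        return False
    if src_ip in by_ip and not permits(by_ip[src_ip], "to", dst_ip):
        return False
    return True


if __name__ == "__main__":
    for w in WORKLOADS:
        print(w, compile_rules(w))
    print("A->B:80", allowed("2001:db8::1", "B", 80))    # load balancer to web app
    print("B->C:80", allowed("2001:db8::2", "C", 80))    # web app to web app: denied
```

    Running it prints A's list in the slide's order (to ::2/80, to ::3/80, from ::4/443, default deny) and B's and C's single "from 2001:db8::1 port 80" rule; web-app-to-web-app traffic and an unlisted port both fall through to the default deny.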

  • Mesos / HAProxy introduce another problem…

    [Figure: Host 10.0.0.1 running three containers: Application 172.17.0.2, A service 172.17.0.3, … another 172.17.0.4. All three are published through the host's address, as 10.0.0.1:80, 10.0.0.1:80 and 10.0.0.1:8080: two of them want the same host port, and anything outside the host sees only the host IP and port, not the container.]

  • The Solution…

  • Project Calico & Mesos – Logical Architecture

    [Figure: the Mesos Master holds the Security Policy and the Routes & Addresses. Each Mesos Agent runs its workloads (container or VM) on a Host Kernel that performs Policy Enforcement for every workload and Efficient Packet Forwarding (IP per workload, direct integration with cloud fabric).]

  • Net-modules Work Flow – Actual Architecture

    Participants: Framework, Master, Agent (Mesos module with an Isolator module and a Cleanup module), Plug-in (Calico: Network plug-in with IPAM and a Network virtualizer).

    1. Framework → Master: Launch task (NetworkInfo)
    2. Master → Agent: Launch task (NetworkInfo)
    3. Agent (Isolator module) → Network plug-in: Get IP (answered by IPAM)
    4. Agent (Isolator module) → Network plug-in: Isolate (IP, policy) (applied by the Network virtualizer)
    5. Agent → Master: Task update (NetworkInfo)
    6. Master → Framework: Task update (NetworkInfo); the framework updates task state
    7. The Cleanup module covers the reverse path through the plug-in when the task ends

  • Demonstration of basic network isolation

    § Mesos cluster with 2 agents
    § Launching 4 probe tasks
    § Each probe listens on port 9000
    § Each probe tries to reach all other probes
    § We want all 4 to launch successfully (no port conflicts)
    § We want to isolate them into two groups of 2 probes
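    The two addressing models behind this demo and the earlier Mesos / HAProxy slide, as an added example (not the net-modules demo code): four probe tasks that all want port 9000 are placed on two agents, first with host-port mapping, where the second task on each host fails to bind, and then with an IPAM that hands each task its own address, where all four launch and group membership decides which probes can reach each other. The address pool 192.168.0.0/24, the agent names and the group names are constructed.

```python
"""IP-per-container versus host-port mapping: a small IPAM and a bind table.

Added example, not the net-modules demo code. Models the demo's 2-agent cluster
with 4 probes listening on port 9000 in two isolation groups. The 192.168.0.0/24
pool, agent names and group names are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

AGENTS = [("agent-1", "10.0.0.1"), ("agent-2", "10.0.0.2")]   # (name, host address)
PROBES = ["probe-1", "probe-2", "probe-3", "probe-4"]
PORT = 9000
# Isolation groups in the style of NetworkInfo groups: a probe may only reach probes
# that share a group with it.
GROUPS: Dict[str, Set[str]] = {"probe-1": {"red"}, "probe-2": {"red"},
                               "probe-3": {"blue"}, "probe-4": {"blue"}}


class Ipam:
    """Hands out one address per task from a pool and takes it back on cleanup."""

    def __init__(self, cidr: str) -> None:
        self._free = list(ipaddress.ip_network(cidr).hosts())
        self.owners: Dict[str, str] = {}          # address -> task

    def allocate(self, task: str) -> str:
        if not self._free:
            raise RuntimeError("address pool exhausted")
        ip = str(self._free.pop(0))
        self.owners[ip] = task
        return ip

    def release(self, ip: str) -> None:
        del self.owners[ip]
        self._free.append(ipaddress.ip_address(ip))


def launch(tasks: List[str], port: int, ipam: Optional[Ipam] = None
           ) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Place tasks round-robin over AGENTS and bind each to <address>:<port>.

    Without an IPAM a task binds its agent's host address (host-port mapping);
    with one it binds its own address. A second bind of the same (address, port)
    is what the kernel refuses with EADDRINUSE, so that task fails to launch.
    Returns (bound: task -> (agent, address), list of failed tasks).
    """
    bound: Dict[str, Tuple[str, str]] = {}
    failed: List[str] = []
    in_use: Set[Tuple[str, int]] = set()
    for i, task in enumerate(tasks):
        agent, host_ip = AGENTS[i % len(AGENTS)]
        ip = ipam.allocate(task) if ipam else host_ip
        if (ip, port) in in_use:
            failed.append(task)
            if ipam:
                ipam.release(ip)              # cleanup: return the address to the pool
            continue
        in_use.add((ip, port))
        bound[task] = (agent, ip)
    return bound, failed


def reachable(a: str, b: str) -> bool:
    """Group isolation from the demo: reachable only if the two probes share a group."""
    return a != b and bool(GROUPS[a] & GROUPS[b])


def reachability_matrix(bound: Dict[str, Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Which launched probe can reach which other launched probe."""
    return {(a, b): reachable(a, b) for a in bound for b in bound if a != b}


if __name__ == "__main__":
    host_bound, host_failed = launch(PROBES, PORT)
    print("host-port mapping: launched", sorted(host_bound), "failed", host_failed)
    ip_bound, ip_failed = launch(PROBES, PORT, Ipam("192.168.0.0/24"))
    print("IP per container: launched", sorted(ip_bound), "failed", ip_failed)
    for (a, b), ok in sorted(reachability_matrix(ip_bound).items()):
        print(f"{a} -> {b}: {'reachable' if ok else 'isolated'}")
```

    With host-port mapping only probe-1 and probe-2 launch (one per agent); with an address per container all four bind port 9000 and the reachability matrix shows exactly the two within-group pairs in each direction.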

  • Demonstration (video)

  • Where are we at today?

    § Net-modules supported with Mesos containerizer since Mesos 0.26
    § IP per container
    § IP Address Management (IPAM)
    § DNS-based service discovery (Mesos-DNS)
    § Network isolation
    § Try it out – https://github.com/mesosphere/net-modules
    § Includes step-by-step instructions to repeat the demo

  • Restrictions / Wish List

    § Other frameworks (only Marathon supported today)
      § Community work ongoing to integrate Spark, Chronos, ...
    § Docker daemon support via same net-modules mechanism
      § Docker daemon includes a different networking model, via the libnetwork API, but it is not well integrated with Mesos
    § Tighter integration of fine-grained policy control
      § Today, fine-grained policy is “side loaded” via calicoctl
    § One-step install via DCOS
    § Support for Container Network Interface (CNI) model (as used by Kubernetes)

  • Summary