@projectcalico Project Calico is sponsored by
Networking & Security for Mesos AN IP FOR EVERY CONTAINER… AND MORE!
Christopher Liljenstolpe February 24, 2016
The #1 Challenge for Cloud?
Recent data breaches due to hacking or poor security http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cloud-native app architectures are driving 100-1000x growth in workloads in an era of heightened security threats.
Enterprise security is still in the middle ages
Medieval security architecture
“Oh, hey! I just love these things! … Crunchy on the outside and a chewy center!”
Fast forward to the present
Increased complexity
Resource Fungibility
Tear down the walls?
The opportunity?
The Dynamic, Distributed Firewall
[Figure: network fabric. Hosts 10.0.0.1 and 10.0.0.2 route between each other; every workload has its own eth0 with its own address (192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7) and is reached by routing across the fabric.]
The Dynamic, Distributed Firewall: Worked Example
Workload A 2001:db8::1 (labels: loadBal, QA)
Workload B 2001:db8::2 (label: webApp)
Workload C 2001:db8::3 (label: webApp)
Felix, on each host, programs the per-workload rules below from the policy.
Policy:
§ loadBal: allow 80 to webApp
§ webApp: allow 80 fm loadBal
§ QA: allow 443 fm Pub
§ Pub: allow 443 fm any
Rules for A (2001:db8::1):
1. to 2001:db8::2 port 80 allow
2. to 2001:db8::3 port 80 allow
3. from any port 443 allow
4. default deny
Rules for B (2001:db8::2) and for C (2001:db8::3):
1. from 2001:db8::1 port 80 allow
2. default deny
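To show how label-based policy of this kind compiles into the per-workload rule lists with default deny, here is an added Python example; it is not code from the deck or from Project Calico. The labels, profile rules and addresses are the slide's; the rule data model, the helpers `resolve_peer`, `compile_rules` and `flow_allowed`, and treating the Pub profile as "any source" are assumptions.

```python
# Added example (not code from the deck or from Project Calico): compile the
# slide's label-based policy into per-workload rule lists with default deny.
# Constructed inventory from the slide: workload -> (address, labels/profiles)
WORKLOADS = {
    "A": ("2001:db8::1", ["loadBal", "QA"]),
    "B": ("2001:db8::2", ["webApp"]),
    "C": ("2001:db8::3", ["webApp"]),
}

# Assumed rule model: profile -> list of (direction, port, peer). A peer is
# another profile (expanded to its members' addresses) or "Pub", which the
# slide defines as "allow 443 fm any", i.e. any source address.
PROFILES = {
    "loadBal": [("to", 80, "webApp")],
    "webApp": [("from", 80, "loadBal")],
    "QA": [("from", 443, "Pub")],
}
PUBLIC = "Pub"

def resolve_peer(peer):
    """Expand a peer name to addresses; the public set is the wildcard 'any'."""
    if peer == PUBLIC:
        return ["any"]
    return [addr for addr, labels in WORKLOADS.values() if peer in labels]

def compile_rules(workload):
    """Rules Felix would program for one workload: every allow names explicit
    peer addresses and a port, and the list closes with default deny."""
    _, labels = WORKLOADS[workload]
    rules = []
    for label in labels:
        for direction, port, peer in PROFILES.get(label, []):
            for addr in resolve_peer(peer):
                rules.append(f"{direction} {addr} port {port} allow")
    rules.append("default deny")
    return rules

def flow_allowed(src, dst, port):
    """Distributed-firewall check between two workloads: the sender's egress
    rules and the receiver's ingress rules must both allow the flow."""
    src_addr, dst_addr = WORKLOADS[src][0], WORKLOADS[dst][0]
    egress_ok = f"to {dst_addr} port {port} allow" in compile_rules(src)
    ingress = compile_rules(dst)
    ingress_ok = (f"from {src_addr} port {port} allow" in ingress
                  or f"from any port {port} allow" in ingress)
    return egress_ok and ingress_ok

if __name__ == "__main__":
    for name in WORKLOADS:
        print(name, compile_rules(name))
```

Running it reproduces the slide's three rule lists, and `flow_allowed("B", "C", 80)` is false: two webApp workloads cannot talk to each other because no profile grants it and the default is deny.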
Mesos / HAProxy introduce another problem…
[Figure: one host 10.0.0.1 running three containers, Application (172.17.0.2), A service (172.17.0.3) and another (172.17.0.4), each exposed through the shared host address as IP:10.0.0.1:80, IP:10.0.0.1:80 and IP:10.0.0.1:8080; two of them compete for the same host port.]
The Solution…
Project Calico & Mesos – Logical Architecture
[Figure: the Mesos Master distributes Security Policy and Routes & Addresses to each Mesos Agent. On every agent, the Host Kernel provides Efficient Packet Forwarding (IP per workload, direct integration with cloud fabric) and Policy Enforcement in front of each Workload (container or VM).]
Net-modules Work Flow – Actual Architecture
[Figure: sequence across Framework, Master, Agent, Mesos module and Network plug-in (Calico). The Framework sends Launch task (NetworkInfo) to the Master, which forwards Launch task (NetworkInfo) to the Agent. The Agent's Mesos module (Isolator module, Cleanup module) calls the Network plug-in: IPAM answers Get IP, and the Network virtualizer performs Isolate (IP, policy). The Agent then returns Task update (NetworkInfo) to the Master, which relays Task update (NetworkInfo) to the Framework, and the task state is updated.]
Demonstration of basic network isolation
§ Mesos cluster with 2 agents
§ Launching 4 probe tasks
§ Each probe listens on port 9000
§ Each probe tries to reach all other probes
§ We want all 4 to launch successfully (no port conflicts)
§ We want to isolate them into two groups of 2 probes
Demonstration (video)
Where are we at today?
§ Net-modules supported with Mesos containerizer since Mesos 0.26
§ IP per container
§ IP Address Management (IPAM)
§ DNS-based service discovery (Mesos-DNS)
§ Network isolation
§ Try it out – https://github.com/mesosphere/net-modules
§ Includes step-by-step instructions to repeat the demo
Restrictions / Wish List
§ Other frameworks (only Marathon supported today)
§ Community work ongoing to integrate Spark, Chronos, ...
§ Docker daemon support via same net-modules mechanism
§ Docker daemon includes a different networking model, via the libnetwork API, but it is not well integrated with Mesos
§ Tighter integration of fine-grained policy control
§ Today, fine-grained policy is “side loaded” via calicoctl
§ One-step install via DCOS
§ Support for Container Network Interface (CNI) model (as used by Kubernetes)
Summary