bringing security and multi tenancy to kubernetes
play

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) - PowerPoint PPT Presentation

Sep 12, 2022 •201 likes •609 views

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP Previous: VMware, Baidu Feature Maintainer of Kubernetes HyperCrew: https://hyper.sh/

  1. Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang

  2. About Me • Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP • Previous: VMware, Baidu • • Feature Maintainer of Kubernetes • HyperCrew: https://hyper.sh/ Publication: Docker & Kubernetes Under the Hood • • Phd Candidate #Large-scale cluster scheduling and management

  3. A survey about “boundary” • Are you comfortable with Linux containers as an effective boundary? • Yes , I use containers in my private/safe environment • No , I use containers to serve the public cloud

  4. As long as we care security… • We have to wrap containers inside full-blown virtual machines • But we lose cloud-native deployment reality • Slow startup time • Huge resources wasting dream • Memory tax for every container • …

  5. namespace cgroups Revisit container /bin /dev /etc /home /lib / lib64 /media /mnt /opt /proc / root /run /sbin /sys /tmp / read-write layer usr /var /data /temp.txt • Container Runtime “echo hello” init layer Read-Write Layer & /data • The dynamic view and boundary of your running process /etc/hosts /etc/hostname /etc/resolv.conf json CMD [“echo hello"] json read-only layer • Container Image t x VOLUME /data t . p m e t • The static view of your program, data, / ADD temp.txt / dependencies, files and directories FROM busybox FROM busybox ADD temp.txt / VOLUME /data CMD [“echo hello"] Docker Container

  6. HyperContainer Secure Kubernetes from runtime level

  7. HyperContainer • Container Runtime • RunV https://github.com/hyperhq/runv • A OCI compatible hypervisor based runtime implementation • • Control daemon https://github.com/hyperhq/hyperd • • Container Image • Docker Image Spec

  8. Combine the best parts • Portable and behaves like a Linux container • $ hyperctl run -t busybox echo helloworld • sub-second startup time*, ~12MB memory cost • Fully isolated sandbox with an independent guest kernel • $ hyperctl exec -t busybox uname -r 4.4.12-hyper (or your provided kernel) • • security, backward compatibility, maturity See: http://hypercontainer.io/why-hyper.html

  9. HyperContainer is a Pod • That’s how HyperContainer fits into the Kubernetes philosophy • Wait, why Pod is so important?

  10. Pod: lesson learned from Borg • Should sample.war be packaged with Tomcat ?

  11. Pod: lesson learned from Borg • InitContainers: one or more containers started in sequence before the pod's normal containers are started. • Share volumes, perform network operations, and perform computation prior to the app containers.

  12. So, Pod is • The group of super-affinity containers Pod • The atomic scheduling unit log app • The process group in container cloud • Do right things infra container init container • without modifying your container image • Kubernetes = Spring Framework volume • Pod = IoC

  13. Pod is not easy to simulate • log super affinity app • Requirement: app : 1G, log : 0.5G • • Available: Node_A : 1.25G, Node_B : 2G • • What happens if app scheduled to Node_A ?

  14. HyperContainer is a Pod • Linux container based runtimes • wraps and encapsulates several app containers into a logical group • Hypervisor container based runtime • hypervisor serves as a natural boundary of Pod

  15. HyperContainer is a Pod • Container Runtime Interface • create sandbox Foo --> create container C --> start container C • stop container C --> remove container C --> delete sandbox Foo • Sandbox • Normally: the infra container • HyperContainer: hypervisor with HyperKernel • a HyperStart process as PID 1 • setup mnt namespace, launch apps from the images etc •

  16. Hypernetes Kubernetes with HyperContainer Runtime

  17. Hypernetes • Also: h8s • Kubernetes + HyperContainer runtime • officially supported by using kubernetes / frakti • Multi-tenant network and persistent volumes • battle tested Neutron + Cinder plugin

  18. Multi-tenant Network • Goal: • leveraging tenant-aware neutron network for Kubernetes • following the network plugin workflow • Non-goal: • break k8s network model or hack k8s code

  19. Define the Network • Network • a top class api object • each tenant (created by Keystone) has its own Network • Network mapping to Neutron “net” • a Network Controller is responsible to manage Network lifecycle

  20. Example proxy network pod Call Neutron to replica Desired World kubelet create/delete namespace Real World SyncLoop network service job deployment volume petset controller-manager … ControlLoop proxy etcd api-server kubelet scheduler SyncLoop

  21. Kubernetes Network Model • Container reach container • all containers can communicate with all other containers without NAT • Node reach container • all nodes can communicate with all containers (and vice-versa) without NAT • IP addressing • Pod in cluster can be addressed by its IP

  22. How h8s fits that? • Network can be assigned to one or more Namespaces • Pods belonging to the same Network can reach each other directly through IP • a Pod’s network mapping to Neutron “port” • kubelet network plugin is responsible for Pod network setup

  23. Example proxy kubelet SyncLoop 1 Pod created scheduler proxy etcd api-server kubelet SyncLoop

  24. Example proxy kubelet SyncLoop 2 Pod object added scheduler proxy etcd api-server kubelet SyncLoop

  25. Example proxy kubelet SyncLoop 3.1 New pod object detected 3.2 Bind pod with node scheduler proxy etcd api-server kubelet SyncLoop

  26. Example proxy kubelet SyncLoop scheduler proxy etcd api-server kubelet SyncLoop 4.1 Detected pod bind with me 4.2 Start containers in pod

  27. Design of kubelet Choose Runtime � docker, rkt, hyper/remote � NodeStatus Network Status status Manager PLEG InitNetworkPlugin InitNetworkPlugin volume SyncLoop Manager image Manager Pod Update Worker (e.g.ADD) • generale Pod status • check volume status (talk later) PodUpdate • call runtime to start containers HandlePods • set up Pod network (see next slide) { Add, Update, Remove, Delete, … }

  28. Set Up Pod Network

  29. kubestack A standalone gRPC daemon 1. to “translate” the SetUpPod request to the Neutron network API 2. handling multi-tenant Service proxy

  30. OnServiceUpdate Service $ iptables-save | grep my-service -A KUBE-SERVICES -d 10.0.0.116/32 -p tcp -m comment --comment "default/my-service: cluster IP" -m tcp --dport 8001 -j KUBE-SVC-KEAUNL7HVWWSEZA6 -A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-6XXFWO3KTRMPKCHZ -A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-57KPRZ3JQVENLNBRZ OnEndpointsUpdate -A KUBE-SEP-6XXFWO3KTRMPKCHZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.2:80 -A KUBE-SEP-57KPRZ3JQVENLNBRZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.3:80 portal 10.10.0.116:8001 backend rule_1 172.17.0.2.:80 random mode rules backend rule_2 172.17.0.3.:80

  31. Multi-tenant Service • Default iptables-based kube-proxy is not tenant aware • Endpoint Pods and Nodes with iptables rules are isolated into different networks • Hypernetes uses a built-in HAproxy as the Service portal • to proxy all Service instances within same namespace • the same OnServiceUpdate and OnEndpointsUpdate process • ExternalProvider • a OpenStack LB will be created as Service • e.g. curl 58.215.33.98:8078

  32. Kubernetes Persistent Volume • Get mountedVolume from actualStateOfWorld • Unmount volumes in mountedVolume but not in desiredStateOfWorld Host mount • AttachVolume() if vol in desiredStateOfWorld and not attached • MountVolume() if vol in desiredStateOfWorld and not Pod Pod in mountedVolume mountPath mountPath • Verify devices that should be detached/unmounted are detached/unmounted attach path Volume • Tips: desired Manager World Cinder volume plugin 1. -v host:path 2. attach VS mount 3. Totally independent from container reconcile management

  33. Persistent Volume with HyperContainer Host • Enhanced Cinder volume plugin • Linux container: Pod Pod mountPath mountPath 1. full OpenStack cluster 2. query Nova to find node vol vol attach 3. attach Cinder volume to host path Enhanced 4. bind mount host path to Pod containers Cinder volume plugin • HyperContainer : Volume desired • directly attach block devices to Pod Manager World • thanks to the hypervisor based Pod boundary • eliminates extra time to query Nova reconcile

  34. PV Example • Create a Cinder volume • Claim volume by reference its volumeID

  35. Container Runtime Interface

  36. Future of CRI • Keep Docker as the only one default container runtime • ocid, rktlet, hyperd • Frakti: the Remote Container Runtime Kit • https://github.com/kubernetes/frakti • welcome to tryout, star and fork

  37. “if image becomes non-standard” • e.g. Docker image becomes somehow Docker specific • Don’t worry, kubelet . imageManager is moving to runtime specific • but then k8s will probably choose • NO DEFAULT runtime

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

962 views • 58 slides
Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security Division of EMC John Field, Office of the CTO, EMC Also adapting prior content by Burt Kaliski DIMACS Workshop in Systems and Networking Advances

508 views • 18 slides
Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore? Workloads & API Multi-tenancy & Isolation Lessons Learned What is Edgestore Distributed Metadata Store built on top of MySQL

406 views • 36 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect VINCIT Working for ari-pekka.viitanen@vincit.com @apviitanen CASE BXX STACK DATA PERSISTENCE AND MULTI-TENANCY SINGLE TENANCY MULTI-TENANCY -

522 views • 28 slides
Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing

Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing

Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing Diversity to Computing Monoculture Current computing monoculture leaves our infrastructure vulnerable to massive and rapid attacks. Knowing

1.25k views • 112 slides
Armada Kubernetes multi-cluster batch scheduler 1 / 12 Introduction G-Research - Compute

Armada Kubernetes multi-cluster batch scheduler 1 / 12 Introduction G-Research - Compute

Armada Kubernetes multi-cluster batch scheduler 1 / 12 Introduction G-Research - Compute Platform Engineering Team We build tools around HTCondor clusters and Kubernetes clusters 2 / 12 Agenda 1. Project requirements 2. Current options 3.

732 views • 12 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1 TENLAW - Tenancy Law and Housing Policy in Multi-level Europe State of the field I Comparative dimension: Crisis has increased the number of

442 views • 16 slides
PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum salesforce.com Platform as a Service Multi Tenancy and Open Standards Peter Chittum Developer Evangelist @pchittum Safe Harbor Safe harbor statement

545 views • 39 slides
Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale Willis, Suman Banerjee University of Wisconsin-Madison 2016 IEEE/ACM Symposium on Edge Computing Presented by Allen Leis and Patrick Jennings Agenda

509 views • 40 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and delivery Brenton Scott Witonski <>< , Acxiom Brandon Spruth, Target Lucas von Stockhausen, Fortify #MicroFocusCyberSummit WHY ARE YOU

711 views • 44 slides
A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram {ylchen, jim.tuttle, waingram}@vt.edu Information Technologies and Services Virginia Tech Libraries Agenda Cloud-native concept Virginia

411 views • 20 slides
EIV And What We Look For During MORs North Tampa Housing Development Corporation September

EIV And What We Look For During MORs North Tampa Housing Development Corporation September

EIV And What We Look For During MORs North Tampa Housing Development Corporation September 28, 2010 Owner/Agent Workshop Jacksonville, FL N ORTH T AMPA H OUSING D EVELOPMENT C ORPORATION Session Instructor Joe H. Clements Local Contract

380 views • 35 slides
Crystalline topological phases and crosscap states in conformal field theories Shinsei Ryu

Crystalline topological phases and crosscap states in conformal field theories Shinsei Ryu

Crystalline topological phases and crosscap states in conformal field theories Shinsei Ryu Univ. of Illinois, Urbana-Champaign People and papers Bode Sule (UIUC) Chang-Tse Hsieh (UIUC) Xiao Chen (UIUC) Ching-Kai Chiu (UIUC -> UBC)

781 views • 21 slides
Simple Theories of Dark Matter Clifford Cheung Berkeley Center for Theoretical Physics, UC

Simple Theories of Dark Matter Clifford Cheung Berkeley Center for Theoretical Physics, UC

Simple Theories of Dark Matter Clifford Cheung Berkeley Center for Theoretical Physics, UC Berkeley (Berkeley, CA) Theoretical Physics Group, Lawrence Berkeley National Laboratory (Berkeley, CA) M. Baumgart, C.C., J. Ruderman, L. Wang, I. Yavin

969 views • 37 slides
VISION Cloud: Data-intensive Storage Services on Clouds Dimosthenis Kyriazis National Technical

VISION Cloud: Data-intensive Storage Services on Clouds Dimosthenis Kyriazis National Technical

VISION Cloud: Data-intensive Storage Services on Clouds Dimosthenis Kyriazis National Technical University of Athens We live in a rich digital environment (Mobile) smart devices exponentially penetrate the market Cities go digital

650 views • 15 slides
Maritime Information Sharing & Analysis Center Maritime Risk Symposium Rutgers University

Maritime Information Sharing & Analysis Center Maritime Risk Symposium Rutgers University

L Maritime Security Council Maritime Information Sharing & Analysis Center Maritime Risk Symposium Rutgers University November 7-9, 2011 National Council of ISACs 2 National Council of ISACs Members 3 DHS/ Maritime USCG Information

427 views • 5 slides
Nominations and Elections Jacqueline Wilson NYS PTA Outreach Coordinator Contact information:

Nominations and Elections Jacqueline Wilson NYS PTA Outreach Coordinator Contact information:

Nominations and Elections Jacqueline Wilson NYS PTA Outreach Coordinator Contact information: outreach@nyspta.org Nominations are in Order For all information on nominations and elections, see the NYS Resource Guide, Section 7: Where

356 views • 31 slides
Job Quality Fellowship June 23, 2017 as.pn/jobquality Webinar Technology Using ReadyTalk Web

Job Quality Fellowship June 23, 2017 as.pn/jobquality Webinar Technology Using ReadyTalk Web

Economic Opportunities Program Job Quality Fellowship June 23, 2017 as.pn/jobquality Webinar Technology Using ReadyTalk Web Conferencing A Few Select Slides to View. Connect with Screen View Audio Access through Computer or Dial

481 views • 10 slides
PPP INCREASE ACT OF 2020 Phase 3.5 legislation passed this week to replenish funds for the

PPP INCREASE ACT OF 2020 Phase 3.5 legislation passed this week to replenish funds for the

PPP INCREASE ACT OF 2020 Phase 3.5 legislation passed this week to replenish funds for the Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL) Program It provides an additional $310 billion for the PPP and $60

520 views • 12 slides

More recommend