secure kubernetes container workloads with production
play

Secure Kubernetes Container Workloads with Production-Grade - PowerPoint PPT Presentation

Oct 19, 2022 •140 likes •458 views

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA

  1. Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin

  2. CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA - embrace DevOps Berta is a Dev eager to design - efficiently and deliver excellent apps Antoni Berta

  3. The world before Neutron: can I plug in your cable? 1. New project defined: Developer needs an environment 2. Dev asks SysAdmin for some resources 3. SysAdmin installs Server OS and asks Network people for a VLAN (ewww!) 4. Network people ask Security team to open a port in a firewall rule ∞. Someone plugs into wrong port or wrong requirements: start over!

  4. Antoni & Berta were doing it the hard way The CIA IT takes weeks, even months to deliver isolated resources for the various projects at CIA. Servers and VLANs and firewalls, oh my!

  5. Neutron for higher layer network services ● OpenStack core project since Folsom ● Tenant and Admin solution agnostic API ● Pluggable Framework ● Provides extensible API to build rich topologies (vendor extensions) ● Advanced Services Support, i.e. LBaaS, VPNaaS, FWaaS

  6. OpenStack Networking on the fly at CIA ● OpenStack has reduced the time to deliver compute resources Operator (networking, security, etc) versus App ● Security policies allows the Developer CIA to keep business units separate ● Each department admin can manage its own resources

  7. Can we do better? ● Spawning a VM is slow expensive App App App ● There is a lot of management overhead ● VMs are not portable: run on a specific Libs Libs Libs Hypervisor Guest Guest Guest OS OS OS If only there was a way to virtualize an OS to enable multiple workloads to run on a single Hypervisor OS... OS Hardware

  8. Along came Docker Containers are an alternative to VMs ● Bundle your app & deps, but not the OS container container container Faster and lower overhead than VMs App App App ● O(milliseconds) to spawn Libs Libs Libs Developer-focused ● Enables fast iteration, less non-app concerns OS Ridiculously simple UX Hardware It’s the technology of the decade!

  9. CIA developers demand containers Launch in milliseconds! Dev-Prod parity, on my laptop! MUST HAVE! But it is very chaotic -- they need need help managing it all...

  10. Kubernetes changed everything The Kubernetes API is app-centric ● De-emphasizes infrastructure and operations concerns ● Those can exist, but are not the primary focus ● Integrate with existing infrastructure and ops, but don’t replace it Networking is infrastructure, security is ops We still need to address the concerns of ops!

  11. Kubernetes network model Assumes a single, shared network space ● No noun for Network (yet?) Network plugins decide what technology ● veth, VXLAN, OVS, etc. All connectivity is enabled by default Implicitly single tenant ● Also reflected in services like DNS Compare to Docker model: ● Noun for Network ● App-centric networks

  12. Tension between dev and ops “No, no, no! I can’t have my apps be reachable by Carlos’s team!”

  13. Namespaces: Kubernetes Scopes for named objects within a cluster ● Pods, Services, etc. are all namespaced Logical grouping of related things ● Could be 1 user ● ...or 1 app ● ...or 1 tier of an app No relationship to nodes or networks ● All Namespaces exist on all nodes ● Network is not segmented Seems like an obvious hook for networking

  14. Kubernetes NetworkPolicy API to lock down the network ● Describe the graph of your app ● Specify which connectivity to allow Applies per Namespace ● Exists alongside the apps it decribes ● Default-deny plus explicit allow rules Network infrastructure can enforce it ● Many vendors have implementations Does not cover egress (yet?)

  15. Kubernetes NetworkPolicy apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1 kind: NetworkPolicy kind: NetworkPolicy metadata: metadata: name: front-to-mid name: mid-to-db namespace: cia-spy-app namespace: cia-spy-app spec: spec: podSelector: podSelector: matchLabels: matchLabels: role: middleware role: db ingress: ingress: - ports: - ports: - protocol: TCP - protocol: TCP port: 6379 port: 3306 from: from: - podSelector: - podSelector: matchLabels: matchLabels: role: frontend role: middleware

  16. Kubernetes NetworkPolicy apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1 kind: NetworkPolicy kind: NetworkPolicy metadata: metadata: name: front-to-mid name: mid-to-db namespace: cia-spy-app namespace: cia-spy-app spec: spec: podSelector: podSelector: matchLabels: matchLabels: role: middleware role: db ingress: ingress: - ports: - ports: - protocol: TCP - protocol: TCP port: 6379 port: 3306 from: from: - podSelector: - podSelector: matchLabels: matchLabels: role: frontend role: middleware

  17. Kubernetes NetworkPolicy apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1 kind: NetworkPolicy kind: NetworkPolicy metadata: metadata: name: front-to-mid name: mid-to-db namespace: cia-spy-app namespace: cia-spy-app spec: spec: podSelector: podSelector: matchLabels: matchLabels: role: middleware role: db ingress: ingress: - ports: - ports: - protocol: TCP - protocol: TCP port: 6379 port: 3306 from: from: - podSelector: - podSelector: matchLabels: matchLabels: role: frontend role: middleware

  18. Kubernetes NetworkPolicy apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1 kind: NetworkPolicy kind: NetworkPolicy metadata: metadata: name: front-to-mid name: mid-to-db namespace: cia-spy-app namespace: cia-spy-app spec: spec: podSelector: podSelector: matchLabels: matchLabels: role: middleware role: db ingress: ingress: - ports: - ports: - protocol: TCP - protocol: TCP port: 6379 port: 3306 from: from: - podSelector: - podSelector: matchLabels: matchLabels: role: frontend role: middleware

  19. Where Neutron is ahead of k8s Neutron Kubernetes Multi Tenant environment Single Tenant Rich network topologies with overlapping IPs Flat, shared network with IP per pod Security Groups, Port Security (ARP Spoofing) Network Policy (ingress only) Port Quality of Service - Admin and Tenant facing API Primarily application-centric API

  20. Containers Challenges ● A lot of new products/companies have emerged in the container orchestration and integration ecosystem ● With multi-host, multi orchestration environment, networking becomes critical ● Run containers in VMs for better isolation and security ● Multi-tenancy, host or cluster per tenant ● VMs and Containers share the same network

  21. What is Kuryr? ● Neutron as a production-ready networking abstraction that containers need ● Kuryr translates container orchestration events into Neutron entities, performs API calls and manages the response to the orchestrator

  22. Kuryr as a translator between k8s and Neutron ● Map container networking abstractions to the Neutron API Kubernetes Neutron Namespace Network, Subnet ● Allow Container, BM and VM networking under the same API Pod Port ● Implements all the common code for Service Load Balancer Neutron vendors, allowing them to External IP Floating IP provide advanced container Network Policy Security Groups networking by just having a binding script

  23. Example: CIA Security Antoni can satisfy CIA security requirements with Kubernetes & Kuryr: ● Kubernetes made it easy for the app devs to express the application in terms of required deployment ● With NetworkPolicy devs can specify the intended application connectivity ● With Kuryr mapping of Kubernetes requests to Neutron constructs, and NetworkPolicy realization by Neutron security groups, true isolation and security is achieved via the Kubernetes API

  24. Kubernetes + Kuryr + MidoNet: Scalable Neutron Neutron plugin scaling with ease, and flexible API for fine-grain security policies ● Event-based design (receives events from k8s-api) ● Compatible with Kubernetes >=1.2 ● API watcher + CNI driver ● Asynchronous event-loop based on asyncio python 3.4 library ● No kube-proxy

  25. How is MidoNet a Scalable Neutron Solution?

  26. Example: CIA MidoNet deployment Antoni uses MidoNet for his OpenStack Neutron plugin for production-grade networking ● He knows he can scale compute for the CIA with confidence with an HA solution ● MidoNet Manager provides Antoni with every single network flow and each security policy applied

  27. Example: CIA MidoNet deployment with kuryr-k8s ● Antoni is trying the kuryr-k8s tech preview solution with MidoNet: https://docs.midonet.org/ ● Today, he can launch a script to automatically deploy the k8s-master and k8s-worker to try MidoNet with k8s ● Antoni wants native API calls for pods and VMs while using the same operator tools

  28. MidoNet-enhanced Security Neutron Security Groups ● white-list of allowed traffic ● port-level firewall MidoNet implements SG+: ● low-level constructs called chains and rules ● richer feature set for matching/filtering and actions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes Ceph Storage Operation NVRAMOS 2019 10/28/2019 Cloud Service Model On Premises IaaS CaaS PaaS SaaS Applications Applications

660 views • 36 slides
Optimizing for Production Workloads Dan Walsh Red Hat @rhatdan Samuel Ortiz @sameo PDF PDF

Optimizing for Production Workloads Dan Walsh Red Hat @rhatdan Samuel Ortiz @sameo PDF PDF

Optimizing for Production Workloads Dan Walsh Red Hat @rhatdan Samuel Ortiz @sameo PDF PDF Linux PDF Linux Containers What do you need to run a container Standard Definition of what makes up a container image. OCI Image Bundle

878 views • 73 slides
Build Production Ready Container Platform Based on Magnum and Kubernetes Bo Wang

Build Production Ready Container Platform Based on Magnum and Kubernetes Bo Wang

Build Production Ready Container Platform Based on Magnum and Kubernetes Bo Wang bo.wang@easystack.cn HouMing Wang houming.wang@easystack.cn Magnum weakness Features for production ready container platform Private docker

525 views • 23 slides
OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV ABOUT ME Harry Zhang

OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV ABOUT ME Harry Zhang

OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV ABOUT ME Harry Zhang ID: @resouer Coder, Author, Speaker Member of Hyper Feature Maintainer & Project Manager of Kubernetes sig-scheduling,

3.57k views • 46 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes

Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes

Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes Container Container Runtime Host OS VM From Containers to Kubernetes Container Container Runtime Host OS VM From Containers to Kubernetes

1.72k views • 135 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
Deployment Strategies on Kubernetes By Etienne Tremel Software engineer at Container Solutions

Deployment Strategies on Kubernetes By Etienne Tremel Software engineer at Container Solutions

Deployment Strategies on Kubernetes By Etienne Tremel Software engineer at Container Solutions @etiennetremel February 13th, 2017 Agenda Kubernetes in brief Look at 6 different strategies Recreate Ramped Blue/Green

822 views • 61 slides
OpenAFS as Persistent Storage inside Kubernetes using Container Storage Interface plugin for

OpenAFS as Persistent Storage inside Kubernetes using Container Storage Interface plugin for

OpenAFS as Persistent Storage inside Kubernetes using Container Storage Interface plugin for OpenAFS Yadavendra Yadav T odd DeSantis OpenAFS WorkShop 2019 Pittsburgh, US Application Modernization Evolution of Container Agenda

542 views • 27 slides
CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I? Chief Scientist at Container Solutions Wrote "Using Docker" for O'Reilly 40% discount with code AUTHD Docker Captain @adrianmouat WHAT

1.4k views • 59 slides
Using Container Migration for HPC Workloads Resilience Mohamad Sindi & John R. Williams

Using Container Migration for HPC Workloads Resilience Mohamad Sindi & John R. Williams

Using Container Migration for HPC Workloads Resilience Mohamad Sindi & John R. Williams Massachusetts Institute of Technology Center for Computational Engineering (CCE) HPEC19, Sept 26 2019 Agenda The issue Proposed mitigation

545 views • 22 slides
Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd.

Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd.

Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd. Agenda 1.Introduction 2.Accessing the kubernetes API 3.Kubernetes workloads 4.Accessing applications 5.Volumes and persistent storage 2 (c) 2018

1.17k views • 57 slides
Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

22.05.2018 Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software Engineer on Arm. OpenStack Zun Core Reviewer kevin.zhao@arm.com Agenda What is Serverless Container Cloud Demo Zun and Container

750 views • 35 slides
K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units

566 views • 45 slides
Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung Andreas Falk Novatec Consulting andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security 2

1.1k views • 65 slides
Closed, Sealed & Secure Container Valve Systems Micro Matic - Closed, Sealed & Secure

Closed, Sealed & Secure Container Valve Systems Micro Matic - Closed, Sealed & Secure

Closed, Sealed & Secure Container Valve Systems Micro Matic - Closed, Sealed & Secure Container Valve Systems Delivering DEF Purity, Packaging Integrity & Operational Excellence Overview Points of Discussion How We Can Help You &

598 views • 34 slides
Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr Contents 1. Introduction 1.1 Motivation 1.2 Related Works Analysis 1.2.1 OpenFlow: A Security Analysis 1.2.2 OpenFlow Vulnerability Assessment

345 views • 30 slides
Evaluation of SDN Controller and Its Impact on Information-Centric Networking (ICN) Overview, Use

Evaluation of SDN Controller and Its Impact on Information-Centric Networking (ICN) Overview, Use

Evaluation of SDN Controller and Its Impact on Information-Centric Networking (ICN) Overview, Use Cases and Performance Evaluation Karim Md Monjurul 27-12-2018 School of Computer Science, Beijing Institute of Technology Table of contents 1.

560 views • 45 slides
Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University

Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University

Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University of Tokyo 2012/11/27 1 OpenFlow SDN OpenFlow Controller Fixed Data Plane Fixed Control Plane (OpenFlow API) Flow Pattern Match

626 views • 23 slides
Programming The Network Data Plane Changhoon Kim Beautiful ideas: What if you could

Programming The Network Data Plane Changhoon Kim Beautiful ideas: What if you could

Programming The Network Data Plane Changhoon Kim Beautiful ideas: What if you could Realize a small, but super-fast DNS cache Perform TCP SYN authentication for billions of SYNs per sec Build a replicated key-value store ensuring

455 views • 44 slides
IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos Augusto Suruagy Monteiro Centro de Informtica - UFPE IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko

455 views • 24 slides
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer Sc. & Engg. LOGO Indian Institute of Technology Guwahati Agenda Outline Motivation for IPv6 Brief comparision between IPv6 and IPv4

290 views • 25 slides
In-Zone Power Distribution for the Next Generation Integrated Power System Generation Integrated

In-Zone Power Distribution for the Next Generation Integrated Power System Generation Integrated

In-Zone Power Distribution for the Next Generation Integrated Power System Generation Integrated Power System ASNE Advanced Naval Propulsion Symposium 2008 December 15-16 2008 Arlington, VA CAPT Norbert Doerry Technical Director, Future

487 views • 17 slides
Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

West Virginia University Cybersecurity research and education: Helping meet the high demand for cybersecurity experts Katerina Goseva-Popstojanova Professor Lane Department of Computer Science and Electrical Engineering (LCSEE) West

538 views • 21 slides

More recommend