SlideShare uma empresa Scribd logo

Container network security

Daisuke Nakajima
Daisuke Nakajima

This slides describes Kubernetes typical Network design and Challenges. TungstenFabric resolves those challenges.

Internet
1 de 30
Baixar para ler offline
Container Network Security
Speaker • TungstenFabric Ambassador • Juniper Networks •
SDN ECOSYSTEM in CNCF
Beyond cloud-native… Do you care about: • High-performance forwarding • Proven cloud-grade, carrier-grade scale • Feature rich for Kubernetes and LB, beyond CNI • Feature rich in general for net + sec • Multi-tenancy • Open source / community • Open standards-based federation • Multiple orchestrator support • Solid vendor backing and optional services • Collapsing stacked SDNs: e.g. K8s on OpenStack • Ease of use SDN ECOSYSTEM in CNCF
Kubernetes Network 5
Typical Kubernetes setup ●Kuberenetes Cluster APIServer Controller Scheduler etcd OVS/Bridge Docker network pod pod kube-let kube-proxy Kubernetes system is consist from Kube Master and Worker. Master has API, container scheduler, Database. Worker has kube-let, kube-proxy and pod as Container. kube-let in worker node has Container Network interface called CNI which is plugin of Network function. Use can select network plugin for particular use case.OVS/Bridge Docker network pod pod kube-let kube-proxy
Typical Kubernetes Network ●Typical K8S network behavior pod-network service-network external-network Typically K8S has three type of Network 1) pod-network which is connecting POD. All of POD connect common Network. This network only uses internally. 2) service network which is used by cluster-ip of “Service”. Inter Service communication uses this network. 3) external-network which is used by ”LoadBalancer”. Outside of K8S user uses this network to connect POD. pod pod pod Service ClusterIP pod Service LoadBalancer Internet LAN
Typical Kubernetes Network ●Typical K8S network behavior external-network When POD and Service are created, each IP address is assigned automatically. 1) External User connects “192.168.0.1” as Web loadBalancer. 2) Web LoadBalancer does Destination NAT to selected nginx pod. 3) nginx pod connects ”172.16.0.11” as DB Cluster IP 4) DB Cluster IP does Destination NAT to selected mysql pod. That is pod network is isolated from External network. User cannot reach to POD directly from External. Those such LoadBalancer and ClusterIP behavior is done by kube-proxy. mysq l nginx DB ClusterIP Web LoadBalancer Internet LAN 192.168.0.0/24 172.16.0.0/24 192.168.0.0/24 nginxmysq l .1 .21 .22 .23 .24 .11 .12 pod-network service-network
K8S CNI Typical behavior ●Typical K8S network policy (namespace) Namespace defines POD groups like Openstack Project. It make isolation among different namespace. That means pod inside namespace can communicate each other, but different namespace cannot. Even pods are created in different namespaces, IP address are assigned by common pod-network pool. mysq l nginx nginx mysq l mysq l apatch apatchmysq l apiVersion: v1 kind: Pod metadata: name: mysql namespace: groupA labels: name: db spec: containers: - name: mysql-gA image: mysql namespace: groupA namespace: groupB pod-network apiVersion: v1 kind: Pod metadata: name: mysql namespace: groupB labels: name: sb spec: containers: - name: mysql-gB image: mysql
K8S CNI Typical behavior ●Typical K8S network policy (Label) Label defines each pod as particular role. the Label also be used to defined access control. The pods in same service labels can reach each other. The pods in different labels cannot reach. Why Label is used to filter traffic, IP address of POD may be changed when POD moves. so IP address based filtering is useless. For example, pod which labels are “wordpress” and “db” accepts connection from pod having “wordpress” and “webapi” labels. Connection is denied even If one of labels are match. mysq l nginx nginx mysq l service: wordpress role: webapi service: wordpress role: db mysq l apatch apatchmysq l pod-network service: redmine role: webapi service: redmine role: db apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: service: wordpress role: db policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: service: wordpress role: webapi
K8S CNI Typical behavior ●Typical K8S network policy (Ingress) nginx nginx pod-network external-network Web LoadBalancer 192.168.0.0/24 172.16.0.0/24 service-network 192.168.10.0/24 192.168.20.0/24 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: service: wordpress role: nginx policyTypes: - Ingress ingress: - from: - ipBlock: cidr: 192.168.20.0/24 “Ingress” addressed incoming traffic to pod. User can define particular CIDR and port in Ingress – from – ipBlock section.
K8S CNI Typical behavior ●Typical K8S network policy (Egress) nginx nginx pod-network external-network Web LoadBalancer 192.168.0.0/24 172.16.0.0/24 service-network 192.168.10.0/24 192.168.20.0/24 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: service: wordpress role: nginx policyTypes: - Egress egress: - to: - ipBlock: cidr: 192.168.20.0/24 “Egress” addressed ongoing traffic from pod. User can define particular CIDR and port in Egress – from – ipBlock section.
Typical Kubernetes External Connection ●Kuberenetes setup APIServer Controller Scheduler etcd Physical Network BMS OVS/Bridge Docker network pod pod kube-let kube-proxy Internet If POD needs to connect to other network like Internet or LAN, POD address is translated to IP address of Worker node as SNAT. Pod Network cannot connect external network without SNAT. That means, External system cannot filter by exact IP address of POD and Worker node. Because IP address of POD sometimes be changed and it moves to other worker node. POD IP address is translated to IP address of node
Considering use case ●Dedicated pod-network mysq l nginx nginxmysq l 192.168.10.0/24 Tenant: A mysq l nginx nginxmysq l 192.168.20.0/24 Tenant: B One Kubernetes setup has only one Pod-network. If dedicated pod network is required, it must be separated kubernetes setup must be deployed. Kubernetes can be deployed on Virtual-machine on Openstack or anything. But even multiple kubernetes setup on each VM are deployed, different pod network cannot communicate without NAT as I described so far.
Considering use case ●Openstack Virtual-machine for K8S setup •NovaAPI •Glance •Keystone •Neutron OVS/Bridge APIServer Controller Scheduler APIServer Controller Scheduler OVS/Bridge mysq l nginx nginx mysq l 192.168.10.0/24 mysq l nginx nginx mysq l 192.168.20.0/24 Tenant: BTenant: A mysq l nginx mysq l nginx OVS/BR OVS/BR OVS/Bridge mysq l nginx mysq l nginx OVS/BR OVS/BR
Typical Enterprise use case ●Consider K8S limitation from Typical Enterprise Network Design Web Web API API DB DB 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 172.16.0.0/24 Syslo g Monitor Service Network Develop:A Develop:B Typical Enterprise Network uses dedicated network to isolate different Section, Division purpose. For the isolation, Firewall address ingress/eggres traffic between them. For instance “Service Network” only be allowed to ”Web” server TCP:80. Develop:A allows to connect ”Web” TCP:22,80. Develop:B allows to to connect “API”and“DB”. Develop:A and Develop:B doesn’t connect each other. “Web” allows to connect API, TCP8080 and Syslog and monitoring and so on. if ”Web” and “API” is containerized by K8S, existing Network design might not work well. Challenges: • Dedicated POD network • FW integration • Existing Network connection • Direct POD connection
Kubernetes Network “Extension” TungstenFabric
Physical IP Fabric (no changes) TungstenFabric CONTROLLER ORCHESTRATOR Host O/SvRouter Network / Storage orchestration Gateway … Internet / WAN or Legacy Env. (Config, Control, Analytics, Svr Mgmt) (Windows, Linux ….) on BMS TOR Compute orchestration Virtual Network Blue Virtual Network Red FW Logical View … Centralized PolicyDefinition Distributed PolicyEnforcement BGP BGP XMPPEVPN Tungsten Fabric Overview
Typical Kubernetes setup with Tungsten Fabric ●Kuberenetes Cluster on BMS APIServer TF vRouter pod pod TungstenFabric is one of CNI plugins which provides additional network service to POD. TungstenFabric resolves POD network limitation which I described so far. TungstenFabric has two mode, one is BMS mode and another is Nested mode. BMS mode installs TungstenFabric vRouter on BMS. •KubeManager •Controller •Analytics •Analytics-DB kubelet CNI Agent TF vRouter pod pod kubelet CNI Agent
Typical Kubernetes setup with Tungsten Fabric ●Kuberenetes Cluster on Openstack TF vRouter Nested mode doesn’t install TF vRouter on VM. Also SDN Controller is not installed Kubernetes Cluster. only Kubemanager and CNI are installed. kube- manager calls TF Controller which works Openstack Neutron Plugin and CNI calls TF Agent on Compute node. It is very unique solution to avoid multiple SDN controller runs on VM. Also, Worker node doesn’t need TF vRouter. it uses VLAN to isolate POD network. •Controller •Analytics •Analytics-DB •NovaAPI •Glance •Keystone •Neutron Agent APIServer kube-manager kubelet CNI bridge pod pod vlan vlan
Typical Kubernetes setup with Tungsten Fabric ●Kuberenetes Cluster with Openstack TungstanFabric can work with both Openstack and K8S at same time. It can extend same Virtual- network between VM and POD. Also same security policy such as Security Group or Label based FW is attached to both VM and POD. •Controller •Analytics •Analytics-DB •NovaAPI •Glance •Keystone •Neutron TF vRouter pod pod kubelet CNI Agent APIServer kube-manager TF vRouter Agent VM
What challenges can TF resolve? ●Dedicated POD network mysql nginx nginxmysql 192.168.10.0/24 Tenant: A apiVersion: v1 kind: Pod metadata: name: mysql annotations: { "opencontrail.org/network" : '{"domain":"default-domain", "project": ”user1", "name":”pod-vn1"}' } labels: name: db spec: containers: - name: mysql-gA image: mysql TungstenFabric provides dedicated network to POD using “annotations”. User can attach their own virtual-network to POD without separated K8S setup.
What challenges can TF resolve? mysql nginx nginxmysql 192.168.10.0/24 TungstenFabric allows to connect multiple virtual networks connecting POD. User can define 5 tuple based Filter between virtual network like Security Group as Openstack. It’s easy to define which traffic allows to connect by TungstenFabric. 192.168.20.0/24 ●Inter POD network
What challenges can TF resolve? apiVersion: v1 kind: Pod metadata: name: cirros-vn1-1 annotations: { "opencontrail.org/network" : '{"domain":"default-domain", "project": "juniper-test", "name":"pod-service-1"}' } labels: application: service-app1 label: web spec: replicas: 2 containers: - name: cirros-vn1-1 image: docker.io/cirros imagePullPolicy: IfNotPresent ●Enforce Label Based Filter Traffic filter is defined by YAML which is configured POD owner. Thus, IT supervisor cannot control traffic using Firewall. TungstenFabric enforces traffic by Firewall Rule which is defined IT supervisor. TungstenFabric provides global policy to POD network. If service owner violates its policy, traffic cannot reach to other POD.
What challenges can TF resolve? ●Direct Connect from External Network TungstenFabric provides Floating IP to POD interface as same feature as Openstack one. TungstenFabric does Destination NAT on its vRouter module to exact POD IP address. Left Picture shows “Router” does NAT, but actually TF vRouter on worker node does NAT. There is no Physical Router or dedicated NAT server. It is very useful to connect POD directly from external Network for debugging purpose. This feature is not K8S standard feature, so it requires to use TungsteFabric API. nginx nginx pod-network external-network Web LoadBalancer service-network public-network D:203.0.113.1 10.0.10.1 10.0.10.1
What challenges can TF resolve? ●External Network Connection As described, TungstenFabric connect with Physical Router and HVTEP. So TungstenFabric can associate External Network with POD network keeping network isolation. Because, Virtual-network of TungstenFabric has “VNI” and “Route-Target” for each and its route advertises to Router/HVTEP by L3VPN/EVPN and create Tunnel between Router/HVTEP and TF vRouter. APIServer TF vRouter pod pod •KubeManager •Controller •Analytics •Analytics-DB kubelet CNI Agent TF vRouter pod pod kubelet CNI Agent SV VMSV VM BGP L3VPN/EVPN
What challenges can TF resolve? ●VNF integration TugstanFabric can associate pod network with VNF/PNF. VNF/PVN can stir pod traffic to Service Chaining. Service Chaining can stir traffic to multiple VNFs by TF vRouter instead of actual VNF configuration. Thus, it is possible to add/delete/scale out/scale in without configuration changing in VNF/PNF. TF vRouter pod pod kubelet CNI Agent TF vRouter Agent Internet
What challenges can TF resolve? ●Consider Typical Enterprise Network Design by TungsetenFabric Web Web API API DB DB 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 172.16.0.0/24 Syslo g Monitor Service Network Develop:A Develop:B TunstenFabric resolved many challenges of K8S default feature. Thus, Left picture network design is enabled. Tungsten Fabric Resolves: • Dedicated POD network • FW integration • Existing Network connection • Direct POD connection
COMMUNITY MEMBERS your logo here
Container network security

Recomendados

Interop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloudInterop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloud
Daisuke Nakajima
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and Openstack
Daisuke Nakajima
 
Open contrailmeetup
Open contrailmeetupOpen contrailmeetup
Open contrailmeetup
Daisuke Nakajima
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with Kubernetes
Matt Baldwin
 
MidoNet 101
MidoNet 101MidoNet 101
MidoNet 101
alexbikfalvi
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
Andrew Randall
 
Kubernetes OpenContrail Meetup
Kubernetes OpenContrail MeetupKubernetes OpenContrail Meetup
Kubernetes OpenContrail Meetup
Lachlan Evenson
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Karthik Prabhakar
 

Recomendados

Interop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloudInterop2018 contrail ContrailEnterpriseMulticloud
Interop2018 contrail ContrailEnterpriseMulticloud
Daisuke Nakajima
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and Openstack
Daisuke Nakajima
 
Open contrailmeetup
Open contrailmeetupOpen contrailmeetup
Open contrailmeetup
Daisuke Nakajima
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with Kubernetes
Matt Baldwin
 
MidoNet 101
MidoNet 101MidoNet 101
MidoNet 101
alexbikfalvi
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
Andrew Randall
 
Kubernetes OpenContrail Meetup
Kubernetes OpenContrail MeetupKubernetes OpenContrail Meetup
Kubernetes OpenContrail Meetup
Lachlan Evenson
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Karthik Prabhakar
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Andrew Randall
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Cloud Native Day Tel Aviv
 
VPNaaS in Neutron
VPNaaS in NeutronVPNaaS in Neutron
VPNaaS in Neutron
Kazunori Takeuchi
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Emma Gordon
 
Openstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMs
Sanjeev Rampal
 
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Cloud Native Day Tel Aviv
 
Contrail Deep-dive - Cloud Network Services at Scale
Contrail Deep-dive - Cloud Network Services at ScaleContrail Deep-dive - Cloud Network Services at Scale
Contrail Deep-dive - Cloud Network Services at Scale
MarketingArrowECS_CZ
 
OpenContrail deployment experience
OpenContrail deployment experienceOpenContrail deployment experience
OpenContrail deployment experience
Jakub Pavlik
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
Hazzim Anaya
 
Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015
Arthur Berezin
 
OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...
OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...
OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...
eNovance
 
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
OpenStack Korea Community
 
Deployment of Juniper Contrail in AVG Technologies
Deployment of Juniper Contrail in AVG TechnologiesDeployment of Juniper Contrail in AVG Technologies
Deployment of Juniper Contrail in AVG Technologies
MarketingArrowECS_CZ
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
OpenStack Korea Community
 
Secure Multi Tenant Cloud with OpenContrail
Secure Multi Tenant Cloud with OpenContrailSecure Multi Tenant Cloud with OpenContrail
Secure Multi Tenant Cloud with OpenContrail
Priti Desai
 
NYC Docker Meetup: Contiv networking on Docker
NYC Docker Meetup: Contiv networking on DockerNYC Docker Meetup: Contiv networking on Docker
NYC Docker Meetup: Contiv networking on Docker
Sanjeev Rampal
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
Packet
 
Kubernetes networking & Security
Kubernetes networking & SecurityKubernetes networking & Security
Kubernetes networking & Security
Vietnam Open Infrastructure User Group
 
SDN and NFV
SDN and NFVSDN and NFV
SDN and NFV
Richard Kuo
 
Docker meetupdublin.23.3.2017
Docker meetupdublin.23.3.2017Docker meetupdublin.23.3.2017
Docker meetupdublin.23.3.2017
Patrick Lynchehaun
 
Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Open stackaustinmeetupsept21
Open stackaustinmeetupsept21
Brent Doncaster
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
Juraj Hantak
 

Mais conteúdo relacionado

Mais procurados

Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Cloud Native Day Tel Aviv
 
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Cloud Native Day Tel Aviv
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
Hazzim Anaya
 
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
OpenStack Korea Community
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
OpenStack Korea Community
 

Mais procurados (20)

Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
 
VPNaaS in Neutron
VPNaaS in NeutronVPNaaS in Neutron
VPNaaS in Neutron
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
 
Openstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMs
 
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
Can the Open vSwitch (OVS) bottleneck be resolved? - Erez Cohen - OpenStack D...
 
Contrail Deep-dive - Cloud Network Services at Scale
Contrail Deep-dive - Cloud Network Services at ScaleContrail Deep-dive - Cloud Network Services at Scale
Contrail Deep-dive - Cloud Network Services at Scale
 
OpenContrail deployment experience
OpenContrail deployment experienceOpenContrail deployment experience
OpenContrail deployment experience
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
 
Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015
 
OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...
OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...
OpenStack in Action 4! Emilien Macchi & Sylvain Afchain - What's new in neutr...
 
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
[OpenStack Days 2016] Track4 - OpenNSL으로 브로드콜 기반 네트,워크 스위치 제어하기
 
Deployment of Juniper Contrail in AVG Technologies
Deployment of Juniper Contrail in AVG TechnologiesDeployment of Juniper Contrail in AVG Technologies
Deployment of Juniper Contrail in AVG Technologies
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
 
Secure Multi Tenant Cloud with OpenContrail
Secure Multi Tenant Cloud with OpenContrailSecure Multi Tenant Cloud with OpenContrail
Secure Multi Tenant Cloud with OpenContrail
 
NYC Docker Meetup: Contiv networking on Docker
NYC Docker Meetup: Contiv networking on DockerNYC Docker Meetup: Contiv networking on Docker
NYC Docker Meetup: Contiv networking on Docker
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
 
Kubernetes networking & Security
Kubernetes networking & SecurityKubernetes networking & Security
Kubernetes networking & Security
 
SDN and NFV
SDN and NFVSDN and NFV
SDN and NFV
 
Docker meetupdublin.23.3.2017
Docker meetupdublin.23.3.2017Docker meetupdublin.23.3.2017
Docker meetupdublin.23.3.2017
 

Semelhante a Container network security

4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
Juraj Hantak
 
Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for Containers
LinuxCon ContainerCon CloudOpen China
 
How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
All Things Open
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał DubielOpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
eurobsdcon
 
Accelerated SDN in Azure
Accelerated SDN in AzureAccelerated SDN in Azure
Accelerated SDN in Azure
Open Networking Summit
 

Semelhante a Container network security (20)

Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Open stackaustinmeetupsept21
Open stackaustinmeetupsept21
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetes
 
Building a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in dockerBuilding a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in docker
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
 
Nynog-K8s-networking-101.pptx
Nynog-K8s-networking-101.pptxNynog-K8s-networking-101.pptx
Nynog-K8s-networking-101.pptx
 
Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for Containers
 
Container Networking Deep Dive
Container Networking Deep DiveContainer Networking Deep Dive
Container Networking Deep Dive
 
Demystfying container-networking
Demystfying container-networkingDemystfying container-networking
Demystfying container-networking
 
"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016
 
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
 
OSS Japan 2019 service mesh bridging Kubernetes and legacy
OSS Japan 2019 service mesh bridging Kubernetes and legacyOSS Japan 2019 service mesh bridging Kubernetes and legacy
OSS Japan 2019 service mesh bridging Kubernetes and legacy
 
OpenStack Networking and Automation
OpenStack Networking and AutomationOpenStack Networking and Automation
OpenStack Networking and Automation
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
 
How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric Overview
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał DubielOpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
 
OpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronOpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with Neutron
 
Accelerated SDN in Azure
Accelerated SDN in AzureAccelerated SDN in Azure
Accelerated SDN in Azure
 

Mais de Daisuke Nakajima

Contrail handson 手順書
Contrail handson 手順書Contrail handson 手順書
Contrail handson 手順書
Daisuke Nakajima
 
Openvswitch vps 20120429資料
Openvswitch vps 20120429資料Openvswitch vps 20120429資料
Openvswitch vps 20120429資料
Daisuke Nakajima
 

Mais de Daisuke Nakajima (14)

Cloud Operator Days Tokyo 2020
Cloud Operator Days Tokyo 2020Cloud Operator Days Tokyo 2020
Cloud Operator Days Tokyo 2020
 
Open contrailmeetup 20161207
Open contrailmeetup 20161207Open contrailmeetup 20161207
Open contrailmeetup 20161207
 
Open stackdaystokyo2016
Open stackdaystokyo2016Open stackdaystokyo2016
Open stackdaystokyo2016
 
2016 interop sdi_showcase_contrail
2016 interop sdi_showcase_contrail2016 interop sdi_showcase_contrail
2016 interop sdi_showcase_contrail
 
Open contrailday 20150926
Open contrailday 20150926Open contrailday 20150926
Open contrailday 20150926
 
Open contrail days 2014 fall
Open contrail days 2014 fallOpen contrail days 2014 fall
Open contrail days 2014 fall
 
OpenContrailとnfv
OpenContrailとnfvOpenContrailとnfv
OpenContrailとnfv
 
Opencontrailの基本 for オープンソースカンファレンス2014 Kansai@Kyoto
Opencontrailの基本 for オープンソースカンファレンス2014 Kansai@KyotoOpencontrailの基本 for オープンソースカンファレンス2014 Kansai@Kyoto
Opencontrailの基本 for オープンソースカンファレンス2014 Kansai@Kyoto
 
Contrail handson 手順書
Contrail handson 手順書Contrail handson 手順書
Contrail handson 手順書
 
Open contraildays2014
Open contraildays2014Open contraildays2014
Open contraildays2014
 
OpenContrailの基本 for OSC Tokyo 2014 Spring
OpenContrailの基本 for OSC Tokyo 2014 SpringOpenContrailの基本 for OSC Tokyo 2014 Spring
OpenContrailの基本 for OSC Tokyo 2014 Spring
 
Open contrailのご紹介
Open contrailのご紹介Open contrailのご紹介
Open contrailのご紹介
 
Openvswitch vps 20120429資料
Openvswitch vps 20120429資料Openvswitch vps 20120429資料
Openvswitch vps 20120429資料
 
OpenvswitchでVPS
OpenvswitchでVPSOpenvswitchでVPS
OpenvswitchでVPS
 

Último

Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
nirzagarg
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
Escorts Call Girls
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
SUHANI PANDEY
 
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
nilamkumrai
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Delhi Call girls
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
Escorts Call Girls
 

Último (20)

Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 

Container network security

  • 4. Beyond cloud-native… Do you care about: • High-performance forwarding • Proven cloud-grade, carrier-grade scale • Feature rich for Kubernetes and LB, beyond CNI • Feature rich in general for net + sec • Multi-tenancy • Open source / community • Open standards-based federation • Multiple orchestrator support • Solid vendor backing and optional services • Collapsing stacked SDNs: e.g. K8s on OpenStack • Ease of use SDN ECOSYSTEM in CNCF
  • 6. Typical Kubernetes setup ●Kuberenetes Cluster APIServer Controller Scheduler etcd OVS/Bridge Docker network pod pod kube-let kube-proxy Kubernetes system is consist from Kube Master and Worker. Master has API, container scheduler, Database. Worker has kube-let, kube-proxy and pod as Container. kube-let in worker node has Container Network interface called CNI which is plugin of Network function. Use can select network plugin for particular use case.OVS/Bridge Docker network pod pod kube-let kube-proxy
  • 7. Typical Kubernetes Network ●Typical K8S network behavior pod-network service-network external-network Typically K8S has three type of Network 1) pod-network which is connecting POD. All of POD connect common Network. This network only uses internally. 2) service network which is used by cluster-ip of “Service”. Inter Service communication uses this network. 3) external-network which is used by ”LoadBalancer”. Outside of K8S user uses this network to connect POD. pod pod pod Service ClusterIP pod Service LoadBalancer Internet LAN
  • 8. Typical Kubernetes Network ●Typical K8S network behavior external-network When POD and Service are created, each IP address is assigned automatically. 1) External User connects “192.168.0.1” as Web loadBalancer. 2) Web LoadBalancer does Destination NAT to selected nginx pod. 3) nginx pod connects ”172.16.0.11” as DB Cluster IP 4) DB Cluster IP does Destination NAT to selected mysql pod. That is pod network is isolated from External network. User cannot reach to POD directly from External. Those such LoadBalancer and ClusterIP behavior is done by kube-proxy. mysq l nginx DB ClusterIP Web LoadBalancer Internet LAN 192.168.0.0/24 172.16.0.0/24 192.168.0.0/24 nginxmysq l .1 .21 .22 .23 .24 .11 .12 pod-network service-network
  • 9. K8S CNI Typical behavior ●Typical K8S network policy (namespace) Namespace defines POD groups like Openstack Project. It make isolation among different namespace. That means pod inside namespace can communicate each other, but different namespace cannot. Even pods are created in different namespaces, IP address are assigned by common pod-network pool. mysq l nginx nginx mysq l mysq l apatch apatchmysq l apiVersion: v1 kind: Pod metadata: name: mysql namespace: groupA labels: name: db spec: containers: - name: mysql-gA image: mysql namespace: groupA namespace: groupB pod-network apiVersion: v1 kind: Pod metadata: name: mysql namespace: groupB labels: name: sb spec: containers: - name: mysql-gB image: mysql
  • 10. K8S CNI Typical behavior ●Typical K8S network policy (Label) Label defines each pod as particular role. the Label also be used to defined access control. The pods in same service labels can reach each other. The pods in different labels cannot reach. Why Label is used to filter traffic, IP address of POD may be changed when POD moves. so IP address based filtering is useless. For example, pod which labels are “wordpress” and “db” accepts connection from pod having “wordpress” and “webapi” labels. Connection is denied even If one of labels are match. mysq l nginx nginx mysq l service: wordpress role: webapi service: wordpress role: db mysq l apatch apatchmysq l pod-network service: redmine role: webapi service: redmine role: db apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: service: wordpress role: db policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: service: wordpress role: webapi
  • 11. K8S CNI Typical behavior ●Typical K8S network policy (Ingress) nginx nginx pod-network external-network Web LoadBalancer 192.168.0.0/24 172.16.0.0/24 service-network 192.168.10.0/24 192.168.20.0/24 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: service: wordpress role: nginx policyTypes: - Ingress ingress: - from: - ipBlock: cidr: 192.168.20.0/24 “Ingress” addressed incoming traffic to pod. User can define particular CIDR and port in Ingress – from – ipBlock section.
  • 12. K8S CNI Typical behavior ●Typical K8S network policy (Egress) nginx nginx pod-network external-network Web LoadBalancer 192.168.0.0/24 172.16.0.0/24 service-network 192.168.10.0/24 192.168.20.0/24 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: service: wordpress role: nginx policyTypes: - Egress egress: - to: - ipBlock: cidr: 192.168.20.0/24 “Egress” addressed ongoing traffic from pod. User can define particular CIDR and port in Egress – from – ipBlock section.
  • 13. Typical Kubernetes External Connection ●Kuberenetes setup APIServer Controller Scheduler etcd Physical Network BMS OVS/Bridge Docker network pod pod kube-let kube-proxy Internet If POD needs to connect to other network like Internet or LAN, POD address is translated to IP address of Worker node as SNAT. Pod Network cannot connect external network without SNAT. That means, External system cannot filter by exact IP address of POD and Worker node. Because IP address of POD sometimes be changed and it moves to other worker node. POD IP address is translated to IP address of node
  • 14. Considering use case ●Dedicated pod-network mysq l nginx nginxmysq l 192.168.10.0/24 Tenant: A mysq l nginx nginxmysq l 192.168.20.0/24 Tenant: B One Kubernetes setup has only one Pod-network. If dedicated pod network is required, it must be separated kubernetes setup must be deployed. Kubernetes can be deployed on Virtual-machine on Openstack or anything. But even multiple kubernetes setup on each VM are deployed, different pod network cannot communicate without NAT as I described so far.
  • 15. Considering use case ●Openstack Virtual-machine for K8S setup •NovaAPI •Glance •Keystone •Neutron OVS/Bridge APIServer Controller Scheduler APIServer Controller Scheduler OVS/Bridge mysq l nginx nginx mysq l 192.168.10.0/24 mysq l nginx nginx mysq l 192.168.20.0/24 Tenant: BTenant: A mysq l nginx mysq l nginx OVS/BR OVS/BR OVS/Bridge mysq l nginx mysq l nginx OVS/BR OVS/BR
  • 16. Typical Enterprise use case ●Consider K8S limitation from Typical Enterprise Network Design Web Web API API DB DB 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 172.16.0.0/24 Syslo g Monitor Service Network Develop:A Develop:B Typical Enterprise Network uses dedicated network to isolate different Section, Division purpose. For the isolation, Firewall address ingress/eggres traffic between them. For instance “Service Network” only be allowed to ”Web” server TCP:80. Develop:A allows to connect ”Web” TCP:22,80. Develop:B allows to to connect “API”and“DB”. Develop:A and Develop:B doesn’t connect each other. “Web” allows to connect API, TCP8080 and Syslog and monitoring and so on. if ”Web” and “API” is containerized by K8S, existing Network design might not work well. Challenges: • Dedicated POD network • FW integration • Existing Network connection • Direct POD connection
  • 18. Physical IP Fabric (no changes) TungstenFabric CONTROLLER ORCHESTRATOR Host O/SvRouter Network / Storage orchestration Gateway … Internet / WAN or Legacy Env. (Config, Control, Analytics, Svr Mgmt) (Windows, Linux ….) on BMS TOR Compute orchestration Virtual Network Blue Virtual Network Red FW Logical View … Centralized PolicyDefinition Distributed PolicyEnforcement BGP BGP XMPPEVPN Tungsten Fabric Overview
  • 19. Typical Kubernetes setup with Tungsten Fabric ●Kuberenetes Cluster on BMS APIServer TF vRouter pod pod TungstenFabric is one of CNI plugins which provides additional network service to POD. TungstenFabric resolves POD network limitation which I described so far. TungstenFabric has two mode, one is BMS mode and another is Nested mode. BMS mode installs TungstenFabric vRouter on BMS. •KubeManager •Controller •Analytics •Analytics-DB kubelet CNI Agent TF vRouter pod pod kubelet CNI Agent
  • 20. Typical Kubernetes setup with Tungsten Fabric ●Kuberenetes Cluster on Openstack TF vRouter Nested mode doesn’t install TF vRouter on VM. Also SDN Controller is not installed Kubernetes Cluster. only Kubemanager and CNI are installed. kube- manager calls TF Controller which works Openstack Neutron Plugin and CNI calls TF Agent on Compute node. It is very unique solution to avoid multiple SDN controller runs on VM. Also, Worker node doesn’t need TF vRouter. it uses VLAN to isolate POD network. •Controller •Analytics •Analytics-DB •NovaAPI •Glance •Keystone •Neutron Agent APIServer kube-manager kubelet CNI bridge pod pod vlan vlan
  • 21. Typical Kubernetes setup with Tungsten Fabric ●Kuberenetes Cluster with Openstack TungstanFabric can work with both Openstack and K8S at same time. It can extend same Virtual- network between VM and POD. Also same security policy such as Security Group or Label based FW is attached to both VM and POD. •Controller •Analytics •Analytics-DB •NovaAPI •Glance •Keystone •Neutron TF vRouter pod pod kubelet CNI Agent APIServer kube-manager TF vRouter Agent VM
  • 22. What challenges can TF resolve? ●Dedicated POD network mysql nginx nginxmysql 192.168.10.0/24 Tenant: A apiVersion: v1 kind: Pod metadata: name: mysql annotations: { "opencontrail.org/network" : '{"domain":"default-domain", "project": ”user1", "name":”pod-vn1"}' } labels: name: db spec: containers: - name: mysql-gA image: mysql TungstenFabric provides dedicated network to POD using “annotations”. User can attach their own virtual-network to POD without separated K8S setup.
  • 23. What challenges can TF resolve? mysql nginx nginxmysql 192.168.10.0/24 TungstenFabric allows to connect multiple virtual networks connecting POD. User can define 5 tuple based Filter between virtual network like Security Group as Openstack. It’s easy to define which traffic allows to connect by TungstenFabric. 192.168.20.0/24 ●Inter POD network
  • 24. What challenges can TF resolve? apiVersion: v1 kind: Pod metadata: name: cirros-vn1-1 annotations: { "opencontrail.org/network" : '{"domain":"default-domain", "project": "juniper-test", "name":"pod-service-1"}' } labels: application: service-app1 label: web spec: replicas: 2 containers: - name: cirros-vn1-1 image: docker.io/cirros imagePullPolicy: IfNotPresent ●Enforce Label Based Filter Traffic filter is defined by YAML which is configured POD owner. Thus, IT supervisor cannot control traffic using Firewall. TungstenFabric enforces traffic by Firewall Rule which is defined IT supervisor. TungstenFabric provides global policy to POD network. If service owner violates its policy, traffic cannot reach to other POD.
  • 25. What challenges can TF resolve? ●Direct Connect from External Network TungstenFabric provides Floating IP to POD interface as same feature as Openstack one. TungstenFabric does Destination NAT on its vRouter module to exact POD IP address. Left Picture shows “Router” does NAT, but actually TF vRouter on worker node does NAT. There is no Physical Router or dedicated NAT server. It is very useful to connect POD directly from external Network for debugging purpose. This feature is not K8S standard feature, so it requires to use TungsteFabric API. nginx nginx pod-network external-network Web LoadBalancer service-network public-network D:203.0.113.1 10.0.10.1 10.0.10.1
  • 26. What challenges can TF resolve? ●External Network Connection As described, TungstenFabric connect with Physical Router and HVTEP. So TungstenFabric can associate External Network with POD network keeping network isolation. Because, Virtual-network of TungstenFabric has “VNI” and “Route-Target” for each and its route advertises to Router/HVTEP by L3VPN/EVPN and create Tunnel between Router/HVTEP and TF vRouter. APIServer TF vRouter pod pod •KubeManager •Controller •Analytics •Analytics-DB kubelet CNI Agent TF vRouter pod pod kubelet CNI Agent SV VMSV VM BGP L3VPN/EVPN
  • 27. What challenges can TF resolve? ●VNF integration TugstanFabric can associate pod network with VNF/PNF. VNF/PVN can stir pod traffic to Service Chaining. Service Chaining can stir traffic to multiple VNFs by TF vRouter instead of actual VNF configuration. Thus, it is possible to add/delete/scale out/scale in without configuration changing in VNF/PNF. TF vRouter pod pod kubelet CNI Agent TF vRouter Agent Internet
  • 28. What challenges can TF resolve? ●Consider Typical Enterprise Network Design by TungsetenFabric Web Web API API DB DB 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 172.16.0.0/24 Syslo g Monitor Service Network Develop:A Develop:B TunstenFabric resolved many challenges of K8S default feature. Thus, Left picture network design is enabled. Tungsten Fabric Resolves: • Dedicated POD network • FW integration • Existing Network connection • Direct POD connection