KubeCon London 2016 Simple Scalable Secure


Secure, Cloud-Native Networking
Simple, scalable, secure networking for Kubernetes
Shaun Crampton, Core Developer, Project Calico
@projectcalico
10th March 2016
IP: Operational Simplicity

[Diagram: services, each with its own IP, interconnected through routers; then the same picture with the services running on a container host, still each with its own IP and still reached through ordinary routers.]
Linux Kernel Routing
(you already have this!)

[Diagram: container host 192.168.0.45. The root namespace has eth0 plus one veth pair (kernel version 2.6.24+) per container: cali34 leads to a container namespace whose eth0 is 10.0.0.1, cali89 to one whose eth0 is 10.0.0.2. Containers on this host are reached through the cali* interfaces; containers on other hosts are reached through routes out of eth0.]

Host routing table:

default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 10.0.2.15
10.0.0.1/32 dev cali34 scope global
10.0.0.2/32 dev cali89 scope global
10.0.1.0/26 via 192.168.0.29 dev eth0
10.0.2.128/26 via 192.168.0.131 dev eth0
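To make the routing slide concrete, here is an added example (not code from the talk or from Project Calico) that runs a longest-prefix-match lookup over the slide's routing table. It shows the two paths the kernel takes in this model: a /32 route straight onto a local container's veth (cali34, cali89), or an aggregated per-host /26 route whose next hop is the other host's address on eth0. The route text is a constructed copy of the slide's table, not live `ip route` output, and the "local-container" / "remote-host" labels are names chosen for this example.

```python
import ipaddress

# Constructed copy of the host routing table from the slide (not live output).
ROUTE_TABLE = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 src 10.0.2.15
10.0.0.1/32 dev cali34 scope global
10.0.0.2/32 dev cali89 scope global
10.0.1.0/26 via 192.168.0.29 dev eth0
10.0.2.128/26 via 192.168.0.131 dev eth0
"""


def parse_routes(text):
    """Parse `ip route`-style lines into (network, via, dev) triples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dst = ipaddress.ip_network("0.0.0.0/0")
        else:
            dst = ipaddress.ip_network(fields[0], strict=False)
        via = dev = None
        i = 1
        while i < len(fields):
            if fields[i] == "via":
                via, i = fields[i + 1], i + 2
            elif fields[i] == "dev":
                dev, i = fields[i + 1], i + 2
            elif fields[i] in ("src", "scope"):
                i += 2  # keyword with one argument we do not need here
            else:
                i += 1
        routes.append((dst, via, dev))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific route containing `ip` wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dst, via, dev in routes:
        if addr in dst and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, via, dev)
    if best is None:
        raise LookupError(f"no route to {ip}")
    return best


def classify(routes, ip):
    """Return (kind, dev, next_hop) describing how this host forwards to `ip`.

    kind is 'local-container' (a /32 onto a cali* veth), 'remote-host' (an
    aggregated block via another Calico host), 'on-link' (directly connected)
    or 'default'.  The next hop of a 'via' route is itself looked up so that a
    next hop which is not directly connected is reported instead of being
    silently resolved through a recursive route.
    """
    dst, via, dev = lookup(routes, ip)
    if dev and dev.startswith("cali"):
        return ("local-container", dev, None)
    if via is None:
        return ("on-link", dev, ip)
    _, hop_via, hop_dev = lookup(routes, via)
    if hop_via is not None:
        raise ValueError(f"next hop {via} is not directly connected")
    kind = "default" if dst.prefixlen == 0 else "remote-host"
    return (kind, hop_dev, via)


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for target in ("10.0.0.2", "10.0.1.17", "10.0.2.130", "10.0.2.5"):
        print(target, "->", classify(ROUTES, target))
```

Note the scalability consequence visible in the table: this host carries one /32 per local container but only one aggregated route per remote host, so the table grows with the number of hosts, not the number of containers in the cluster.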
IP: Operational Simplicity, Scalability

IP: Operational Simplicity, Scalability, Security
FBI director James Comey has said he believes Sony’s cyberattackers first breached the studio’s network in September, gaining access through a common tactic called “spear phishing”—duping an employee into clicking on an email attachment or a web link.

…For more than two months Sony’s hackers roamed freely, identifying what they wanted to steal. This was possible because the studio, with few exceptions, didn’t segregate or provide extra security for even its most precious secrets. In effect, once the invaders made it past the network gates they could go anywhere they wanted because Sony hadn’t locked any doors.

Inside the Hack of the Century by Peter Elkind, Fortune.com
© Chris van Dyck
https://www.flickr.com/photos/chrisvandyck/4453036699
Developer intent

Linux Kernel Filtering (iptables)
(you already have this!)

[Diagram: the same container host (192.168.0.45): root namespace with eth0, container namespaces at 10.0.0.1 (via cali34) and 10.0.0.2 (via cali89). iptables rules attached to each cali* interface enforce the developer's intent as a per-container distributed firewall.]
NetworkPolicy v1alpha1 DEMO: https://vimeo.com/159475864/d54a4781d5
[Diagram: three namespaces, Client NS (C), Default NS (frontends F, backends B) and Mgmt NS (UI), before isolation is turned on.]
Turn on isolation…
kubectl annotate ns default \
"net.alpha.kubernetes.io/network-isolation=yes" \
--overwrite=true
kubectl annotate ns client \
"net.alpha.kubernetes.io/network-isolation=yes" \
--overwrite=true
[Diagram: the same namespaces after isolation is turned on for the default and client namespaces.]
admin-ui.yaml

kind: NetworkPolicy
apiVersion: net.alpha.kubernetes.io/v1alpha1
metadata:
  namespace: default
  name: allow-ui
spec:
  podSelector:            # empty selector: applies to all pods
  ingress:
    - from:
        - namespaces:     # allow from the management namespace
            role: management-ui
[Diagram: the same namespaces after applying allow-ui.]
backend-policy.yaml

kind: NetworkPolicy
apiVersion: net.alpha.kubernetes.io/v1alpha1
metadata:
  namespace: default
  name: backend-policy
spec:
  podSelector:            # apply to backends
    tier: backend
  ingress:
    - from:
        - pods:           # allow from frontends
            tier: frontend
      ports:              # on port 637 only
        - protocol: TCP
          port: 637
[Diagram: the same namespaces after applying backend-policy.]
frontend-policy.yaml

kind: NetworkPolicy
apiVersion: net.alpha.kubernetes.io/v1alpha1
metadata:
  namespace: default
  name: frontend-policy
spec:
  podSelector:            # apply to frontends
    tier: frontend
  ingress:
    - from:
        - namespaces:     # allow from clients
            role: client
      ports:              # on port 80
        - protocol: TCP
          port: 80
[Diagram: the same namespaces after applying frontend-policy.]
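The isolation annotation and the three policies above describe intent, but it is easy to mis-read what they allow. The following is an added example (not code from the talk or from Project Calico) that evaluates the v1alpha1 semantics the slides rely on against a constructed set of pods: ingress into a namespace annotated for isolation is denied unless a policy in that namespace selects the destination pod and has a rule matching both the source and the port; `pods:` peers match pods in the policy's own namespace, `namespaces:` peers match pods in namespaces carrying those labels, and a rule with no `ports:` admits any port. The pod names and the namespace labels (role=client on the client namespace, role=management-ui on the management namespace) are assumptions chosen so that the slides' selectors have something to match.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# Constructed cluster for the example.  Namespace labels are assumed; nothing is
# isolated yet, mirroring the state before `kubectl annotate ns ...`.
NAMESPACES = {
    "default":    {"labels": {}, "isolated": False},
    "client":     {"labels": {"role": "client"}, "isolated": False},
    "management": {"labels": {"role": "management-ui"}, "isolated": False},
}

PODS = {
    "frontend": Pod("frontend", "default", {"tier": "frontend"}),
    "backend":  Pod("backend", "default", {"tier": "backend"}),
    "client":   Pod("client", "client"),
    "ui":       Pod("ui", "management"),
}

# The three slide policies, transcribed from their YAML (v1alpha1 flat selectors).
POLICIES = [
    {"namespace": "default", "name": "allow-ui",
     "podSelector": {},
     "ingress": [{"from": [{"namespaces": {"role": "management-ui"}}]}]},
    {"namespace": "default", "name": "backend-policy",
     "podSelector": {"tier": "backend"},
     "ingress": [{"from": [{"pods": {"tier": "frontend"}}],
                  "ports": [{"protocol": "TCP", "port": 637}]}]},
    {"namespace": "default", "name": "frontend-policy",
     "podSelector": {"tier": "frontend"},
     "ingress": [{"from": [{"namespaces": {"role": "client"}}],
                  "ports": [{"protocol": "TCP", "port": 80}]}]},
]


def annotate_isolation(namespaces, ns, value="yes"):
    """Model `kubectl annotate ns <ns> net.alpha.kubernetes.io/network-isolation=<value>`.
    Returns a new namespace map instead of mutating the input."""
    out = copy.deepcopy(namespaces)
    out[ns]["isolated"] = (value == "yes")
    return out


def selector_matches(selector, labels):
    """v1alpha1 selectors are flat label maps; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peers, src, policy_ns, namespaces):
    """Does any `from` peer admit `src`?  An absent `from` admits any source."""
    if not peers:
        return True
    for peer in peers:
        if "pods" in peer and src.namespace == policy_ns \
                and selector_matches(peer["pods"], src.labels):
            return True
        if "namespaces" in peer \
                and selector_matches(peer["namespaces"], namespaces[src.namespace]["labels"]):
            return True
    return False


def port_matches(ports, port, protocol):
    """An absent `ports` list admits any port and protocol."""
    if not ports:
        return True
    return any(p["protocol"] == protocol and p["port"] == port for p in ports)


def ingress_allowed(src, dst, port, protocol="TCP",
                    namespaces=NAMESPACES, policies=POLICIES):
    """Would a connection src -> dst:port be admitted at dst's cali* interface?"""
    if not namespaces[dst.namespace]["isolated"]:
        return True  # no isolation annotation: ingress is open, policies are inert
    for pol in policies:
        if pol["namespace"] != dst.namespace:
            continue
        if not selector_matches(pol["podSelector"], dst.labels):
            continue
        for rule in pol["ingress"]:
            if peer_matches(rule.get("from", []), src, pol["namespace"], namespaces) \
                    and port_matches(rule.get("ports", []), port, protocol):
                return True
    return False  # isolated namespace and no policy admitted it: dropped


if __name__ == "__main__":
    iso = annotate_isolation(annotate_isolation(NAMESPACES, "default"), "client")
    for s, d, p in (("client", "frontend", 80), ("client", "backend", 637),
                    ("frontend", "backend", 637), ("ui", "backend", 637)):
        print(f"{s} -> {d}:{p}", ingress_allowed(PODS[s], PODS[d], p, namespaces=iso))
```

Two checks worth keeping in mind when reading the output: before the annotation is applied the policies change nothing, which is why the demo turns isolation on first; and because the management namespace is never annotated, any pod can still reach the UI, while the UI can reach every pod in the default namespace through allow-ui on any port.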
IP: Operational Simplicity, Scalability, Security
- Main project website: www.projectcalico.org
- Production plugin: https://goo.gl/pyNsIf
- Try out the demo: https://goo.gl/BYC97u
- Ansible playbooks from Kubespray: https://docs.kubespray.io/
- Public #slack: https://calicousers-slackin.herokuapp.com/
- Download & try it out
- We welcome your feedback and contributions
- Follow me: @fasaxc
- Follow us: @projectcalico