container networking - state of the ecosystem [containerconf, mannheim, nov 2016]

Container Networking State of the Ecosystem Karthik Prabhakar [email protected]

Upload: karthik-prabhakar

Post on 20-Feb-2017


Container Networking: State of the Ecosystem

Karthik Prabhakar, [email protected]

@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential

Topics

▪ Network Architecture Redux

▪ State of the Ecosystem

▪ Security and Policy

▪ Looking Forward


Why Should -You- Care?

▪ Network Architecture Redux: lessons learned from decades of Internetwork deployment experience

▪ State of the Ecosystem: abstractions & architectures; understand the tradeoffs

▪ Security and Policy: enable app isolation with labels and policy automation

▪ Looking Forward: facilitate planning for new capabilities

Network Architecture & Design

Simple enterprise network (diagram): servers attached directly to a single physical network.

We should probably have some kind of security... (diagram): servers on two physical network segments, with a physical firewall between them.

Then came virtualization... (diagram): VMs on a Tier 1 overlay and a Tier 2 overlay, both running over the physical / cloud network, with a virtual firewall between the tiers.

Then came containers... (diagram): the same Tier 1 and Tier 2 overlays and virtual firewall over the physical / cloud network, but now each VM carries its own container overlays (Blue, Yellow, Green) stacked on top of the VM overlays.

Scale & Churn

▪ Virtual machines: thousands of instances, low churn

▪ Containers: millions of containers, high churn

(Slide images: https://upload.wikimedia.org/wikipedia/commons/1/1b/MSC_Oscar_(ship,_2014)_002.jpg and http://theunholycow.com/wp-content/uploads/2014/03/delivery-man.jpg)

“In networking, ... there is no substitute for thinking”

Common Considerations

Interconnectivity: Overlay vs. Native

Address Space: Admin-assigned vs. Overlapping/BYOA

Visibility: Private vs. DC-wide vs. Filtered

Network State: Centralized vs. Distributed

Network Abstraction: L2 (Ethernet) vs. L3 (IP)

State of the Ecosystem


Container Networking Model (CNM)

Evolution to Alternative Network Abstractions (diagram): orchestrators at the top, and beneath them the CNM drivers / plugins layer with Bridge, Overlay, macvlan, Kuryr and Calico drivers.

Source: https://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture:_Designing_Scalable,_Portable_Docker_Container_Networks

Container Networking Model (CNM) and Container Networking Interface (CNI)

Alternative Container Networking Abstractions (diagram): orchestrators at the top, drivers / plugins beneath. On the CNM side: Bridge, Overlay, macvlan, Kuryr, Calico. On the CNI side: Kuryr, Calico.

Source: https://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture:_Designing_Scalable,_Portable_Docker_Container_Networks

Mesos Containerizers (diagram): the Mesos-Agent drives two containerizers.

▪ Docker Containerizer → Docker Engine → Libnetwork → CNM Driver (e.g., libnetwork/Calico)

▪ Mesos Containerizer → CNI → CNI Plugin (e.g., Calico-CNI)

Mesos Containerizers - Unified Containerizer (diagram): Mesos-Agent → Unified Containerizer → CNI Isolator → CNI Plugin (e.g., Calico-CNI)

Flannel (diagram): Orchestrator → flannel CNI plugin → backend (VXLAN, UDP, ...) → Network Fabric

Calico (diagram): Orchestrator → Calico CNI plugin → BGP / IPIP / Native, with policy enforcement → Network Fabric

Conceptual View (diagram): each service has its own IP address and is attached to one of several interconnected routers.

Calico Conceptual View (diagram): the same routed topology, with each Container Host acting as the router for the IP-addressed services (containers) it hosts.

Calico

Route
▪ Get packets from A to B
▪ Flat IP or overlay/tunnel

Secure
▪ Stop packets getting from A to B (that shouldn’t, based on developer and operator intent)
▪ Capture suspicious flows

Security and Policy


Open By Default (diagram)

Issue With Default Open (diagram)

Namespaces (diagram: Namespace A, Namespace B)

Namespaces With Default Open (diagram: Namespace A, Namespace B)

Namespaces With Labels and Policy (diagram: Namespace A, Namespace B)

~DEMO~

Demo example: nginx policy

kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: access

Slide callouts: metadata (name and namespace); rich selector for the pods the policy applies to (podSelector); fine-grained rules (ingress, here allowing only pods labelled run=access).
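The demo policy above only restricts the pods it selects (run=nginx); every other pod in the namespace stays "default open", which is exactly the issue the earlier slides raise. The added example below (written for this page, not part of the deck or of the Calico project) shows the defender's pairing: a default-deny ingress policy for the whole policy-demo namespace, followed by the same nginx allow rule ported to the current networking.k8s.io/v1 API. Everything here assumes the deck's policy-demo namespace and run=nginx / run=access labels; the v1 API and the policyTypes field are the present-day form of what the deck shows in extensions/v1beta1.

```yaml
# Added example: deny all ingress to every pod in policy-demo,
# then explicitly allow only the flow the demo needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: policy-demo
spec:
  # Empty podSelector matches every pod in the namespace.
  podSelector: {}
  # Declaring Ingress with no ingress rules means: nothing is allowed in.
  policyTypes:
    - Ingress
---
# The deck's access-nginx policy, ported to networking.k8s.io/v1.
# Policies are additive: this opens a hole in the deny above only for
# pods labelled run=access talking to pods labelled run=nginx.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: policy-demo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              run: access
```

Apply with `kubectl apply -f`, then check from inside the namespace: a pod carrying run=access can still reach nginx, while a pod without that label now times out. Two caveats worth remembering from the rest of the deck: NetworkPolicy objects are only enforced when the CNI plugin implements them (Calico does; plain flannel does not, which is why Canal pairs Calico policy enforcement with flannel networking), and in the extensions/v1beta1 era shown on the slide the default-deny half was expressed as a namespace annotation (`net.beta.kubernetes.io/network-policy` with `{"ingress": {"isolation": "DefaultDeny"}}`) rather than as a policy object.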

Canal: Calico Policy Enforcement with Flannel Networking (diagram)

▪ Calico CNI plugin: BGP / IPIP / Native, policy enforcement

▪ flannel CNI plugin: VXLAN, UDP, ...

Looking Forward


Future Plans & Ongoing Initiatives

- Egress Policy & Filtering
- Tracing & Troubleshooting
- Federation
- Service Routing / Cluster-IP’s
- Policy API’s for Docker & Mesos
- Application Authentication

github.com/projectcalico

@projectcalico

slack.projectcalico.org

We’re Hiring!

http://www.projectcalico.org/