container networking - state of the ecosystem [containerconf, mannheim, nov 2016]
TRANSCRIPT
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Topics
▪ Network Architecture Redux
▪ State of the Ecosystem
▪ Security and Policy
▪ Looking Forward
Why Should -You- Care?
▪ Network Architecture Redux: lessons learned from decades of Internetwork deployment experience
▪ State of the Ecosystem: abstractions & architectures; understand the tradeoffs.
▪ Security and Policy: enable app isolation with labels and policy automation
▪ Looking Forward: facilitate planning for new capabilities
Simple enterprise network
[Figure: four servers attached directly to one physical network]
We should probably have some kind of security...
[Figure: the servers split across two physical networks, with a physical firewall between them]
Then came virtualization...
[Figure: VMs on a Tier 1 overlay and a Tier 2 overlay over the physical / cloud network, with a virtual firewall between the overlays]
Then came containers...
[Figure: the same VMs, Tier 1 / Tier 2 overlays and virtual firewall over the physical / cloud network, now with further container overlays (blue, yellow, green) layered inside the VMs]
Scale & Churn
▪ Thousands of instances, low churn
▪ Millions of containers, high churn
“In networking, … there is no substitute for thinking”
Common Considerations
Interconnectivity: Overlay vs. Native
Address Space: Admin-assigned vs. Overlapping/BYOA
Visibility: Private vs. DC-wide vs. Filtered
Network State: Centralized vs. Distributed
Network Abstraction: L2 (Ethernet) vs. L3 (IP)
Evolution to Alternative Network Abstractions
[Figure: Container Networking Model (CNM): orchestrators on top, drivers / plugins underneath: Bridge, Overlay, macvlan, Kuryr, Calico]
Source: https://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture:_Designing_Scalable,_Portable_Docker_Container_Networks
Alternative Container Networking Abstractions
[Figure: Container Networking Model (CNM) beside Container Networking Interface (CNI): orchestrators on top; CNM drivers / plugins are Bridge, Overlay, macvlan, Kuryr and Calico, CNI plugins shown are Kuryr and Calico]
Source: https://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture:_Designing_Scalable,_Portable_Docker_Container_Networks
Mesos Containerizers
[Figure: a Mesos-Agent with two containerizers: the Docker Containerizer drives Docker Engine, which uses libnetwork and a CNM driver (e.g., libnetwork/Calico); the Mesos Containerizer uses CNI and a CNI plugin (e.g., Calico-CNI)]
Mesos Containerizers - Unified Containerizer
[Figure: a Mesos-Agent with the Unified Containerizer, whose CNI isolator calls a CNI plugin (e.g., Calico-CNI)]
Flannel
[Figure: the orchestrator calls the flannel CNI plugin, which connects containers over the network fabric using a VXLAN, UDP, ... backend]
Calico
[Figure: the orchestrator calls the Calico CNI plugin, which connects containers natively over the network fabric using BGP or IPIP, with policy enforcement]
Conceptual View
[Figure: IP services connected through a mesh of routers]
Calico Conceptual View
[Figure: the same mesh of routers and IP services, with each container host acting as the router for the IP services it hosts]
Calico
Route
▪ Get packets from A to B
▪ Flat IP or overlay/tunnel
Secure
▪ Stop packets getting from A to B (that shouldn’t, based on developer and operator intent)
▪ Capture suspicious flows
Namespaces
[Figure: Namespace A and Namespace B]
Namespaces With Default Open
[Figure: Namespace A and Namespace B, default open]
Namespaces With Labels and Policy
[Figure: Namespace A and Namespace B with labels and policy]
Demo example: nginx policy

    kind: NetworkPolicy
    apiVersion: extensions/v1beta1
    metadata:
      name: access-nginx
      namespace: policy-demo
    spec:
      podSelector:
        matchLabels:
          run: nginx
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  run: access

Callouts on the slide:
▪ Metadata (name, namespace)
▪ Rich selector for pods to apply to (spec.podSelector)
▪ Fine-grained rules (spec.ingress)
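To make the "default open" versus "labels and policy" behaviour of the demo concrete, here is an added example (written for this transcript, not Calico's or Kubernetes' code) that models how the access-nginx policy above is evaluated: pods are constructed records with a namespace and labels, and the isolated_namespaces set stands in for switching a namespace away from default open.

```python
# Hypothetical model (not Calico's or Kubernetes' code) of the NetworkPolicy
# semantics in the access-nginx demo: a namespace is default-open or isolated;
# in an isolated namespace a pod accepts ingress only from sources matching a
# "from" rule of a policy whose podSelector selects that pod.

ACCESS_NGINX = {  # the demo policy from the slide, as a Python dict
    "kind": "NetworkPolicy",
    "apiVersion": "extensions/v1beta1",
    "metadata": {"name": "access-nginx", "namespace": "policy-demo"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
    },
}

def matches(selector, labels):
    """matchLabels semantics: every key/value pair in the selector must be
    present on the pod; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, isolated_namespaces, src, dst):
    """Decide whether pod src may open a connection to pod dst.
    Pods are constructed records: {"namespace": ..., "labels": {...}}."""
    if dst["namespace"] not in isolated_namespaces:
        return True  # default open: nothing is filtered in this namespace
    for policy in policies:
        if policy["metadata"]["namespace"] != dst["namespace"]:
            continue
        if not matches(policy["spec"]["podSelector"], dst["labels"]):
            continue  # this policy does not apply to the destination pod
        for rule in policy["spec"].get("ingress", []):
            for peer in rule.get("from", []):
                sel = peer.get("podSelector")
                # a podSelector peer only matches pods in the policy's own namespace
                if (sel is not None and src["namespace"] == dst["namespace"]
                        and matches(sel, src["labels"])):
                    return True
    return False  # isolated namespace and no policy admits this source

# constructed pods in the demo namespace
NGINX = {"namespace": "policy-demo", "labels": {"run": "nginx"}}
ACCESS = {"namespace": "policy-demo", "labels": {"run": "access"}}
OTHER = {"namespace": "policy-demo", "labels": {"run": "cant-access"}}

if __name__ == "__main__":
    print(ingress_allowed([ACCESS_NGINX], set(), OTHER, NGINX))            # True
    print(ingress_allowed([ACCESS_NGINX], {"policy-demo"}, ACCESS, NGINX))  # True
    print(ingress_allowed([ACCESS_NGINX], {"policy-demo"}, OTHER, NGINX))   # False
```

Once the namespace is isolated, a pod that no policy selects (for example a busybox pod) is unreachable until a policy with a matching podSelector admits a source.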
Canal: Calico Policy Enforcement with Flannel Networking
[Figure: the Calico CNI plugin (BGP, IPIP, native, policy enforcement) combined with the flannel CNI plugin (VXLAN, UDP, ... backends)]
Future Plans & Ongoing Initiatives
- Egress Policy & Filtering
- Tracing & Troubleshooting
- Federation
- Service Routing / Cluster-IPs
- Policy APIs for Docker & Mesos
- Application Authentication