SECURITY SOLUTION FOR KUBERNETES USING CLOUD-NATIVE VIRTUAL NETWORK FUNCTIONS

Similar documents
Singapore. Service Proxy, Container Networking & K8s. Acknowledgement: Pierre Pfister, Jerome John DiGiglio, Ray

Accelerate Cloud Native with FD.io

Dataplane Networking journey in Containers

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Secure web proxy resistant to probing attacks

Cloud-Native Network Functions (CNFs)

A Hierarchical SW Load Balancing Solution for Cloud Deployment

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

FD.io VPP & Ligato Use Cases. Contiv-VPP CNI plugin for Kubernetes IPSEC VPN gateway

Cisco Container Platform

Building NFV Solutions with OpenStack and Cisco ACI

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

TEN LAYERS OF CONTAINER SECURITY

Using Network Virtualization in DevOps environments Yves Fauser, 22. March 2016 (Technical Product Manager VMware NSBU)

Defining Security for an AWS EKS deployment

Virtual Infrastructure: VMs and Containers

REDUCING GRANULARITY OF BROWSER FINGERPRINTING TECHNIQUES

Hashing technique to optimally balance load within switching networks

Kubernetes networking in the telco space

Kubernetes - Networking. Konstantinos Tsakalozos

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Notification Features For Digital Content In A Mobile-Optimized Format

Datacenter Network Solutions Group

Synchronizing Media Content In A Shared Virtual Reality Environment

Project Calico v3.1. Overview. Architecture and Key Components

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

Navigation of blogs related by a tag

How to Leverage Containers to Bolster Security and Performance While Moving to Google Cloud

DevOps CICD PopUp. Software Defined Application Delivery Fabric. Frey Khademi. Systems Engineering DACH. Avi Networks

Virtualizing 5G Infrastructure using Cloud VIM. Sangho Shin SK Telecom

FLEXIBLE SOFTWARIZED NETWORKS: A RAS PERSPECTIVE DIDIER COLLE, WOUTER TAVERNIER, STEVEN VAN ROSSEM PUBLIC

Implementing Container Application Platforms with Cisco ACI

FortiDDoS Deployment Guide for Cloud Signaling with Verisign OpenHybrid

Handwriting recognition for IDEs with Unicode support

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

Cloud Native Networking

High Performance Cloud-native Networking K8s Unleashing FD.io

Nokia AirGile cloud-native core: shaping networks to every demand

Containers for NFV Peter Willis March 2017

Simplify Container Networking With ican. Huawei Cloud Network Lab

Kubernetes Integration Guide

Clover Overview: Gambia release. April 16, 2018

Conversion of a 3D scene into video

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

The Edge Resource Center: Leveraging NFV and SDN for High Availability/High Performance Network Functions

VMWARE PIVOTAL CONTAINER SERVICE

Important DevOps Technologies (3+2+3days) for Deployment

Buenos Aires 31 de Octubre de 2018

Performance Considerations of Network Functions Virtualization using Containers

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

VMWARE ENTERPRISE PKS

Application Provisioning

Overview of Container Management

Architectural overview Turbonomic accesses Cisco Tetration Analytics data through Representational State Transfer (REST) APIs. It uses telemetry data

Red Hat Roadmap for Containers and DevOps

Dan Williams Networking Services, Red Hat

Maximizing Agility at the Network Edge

Robocall and fake caller-id detection

Cisco CloudCenter Use Case Summary

Disabling facial unlocking using facial expression

Automatically Generating and Rendering Native Advertisements

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Onto Petaflops with Kubernetes

Selecting native ad units using gestures

Cisco Application Centric Infrastructure

Securing Microservice Interactions in Openstack and Kubernetes

Prediction and Selection of Sequence of Actions Related to Voice Activated Computing Systems

Setting up Kubernetes with Day 2 in Mind. Angela Chin, Senior Software Engineer, Pivotal Urvashi Reddy, Senior Software Engineer, Pivotal

Casa Systems Axyom Software Platform

Unify DevOps and SecOps: Security Without Friction

Open Security Controller - Security Orchestration for OpenStack

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

ALLOCATING RF SPECTRUM PARTITIONS IN A CBRS NETWORK

Configuring Cisco Nexus 9000 Series Switches in ACI Mode (DCAC9K) v3.0

REMOVABLE COMPUTER DATA STORAGE MEDIUM WITH VISIBLE MUTABLEBULK- PROPERTY INDICATION

and public cloud infrastructure, including Amazon Web Services (AWS) and AWS GovCloud, Microsoft Azure and Azure Government Cloud.

Voice activated spell-check

ebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS

BUFFERING AND INSERTING TEXT INPUTS

Distributed Denial of Service

Behavior-Triggered Answer Reconfirmation for Spam Detection in Online Surveys

Opendaylight: Enabling 5G through Cloud Native Telco Architecture Edgar Lombara Lumina Networks Inc.

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Introduction to Cisco and Intel NFV Quick Start

Automatic event scheduling based on weather conditions

Micro Focus Network Operations Management Suite Supports SDN and Network Virtualization Engineering and Operations

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

F5 Networks in the Software Defined DataCenter Era. Paolo Pambianco System Engineer CSP

Open Source Networking Software Case studies and Roundtable. Arpit Joshipura GM, Networking

Securing the container platform

An Introduction to Kubernetes

Building a Platform Optimized for the Network Edge

Container Orchestration on Amazon Web Services. Arun

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

APPLICATIONS ON TOP OF DNA CENTER: TOPOLOGY EVOLUTION BASED ON CUSTOMER NETWORK DYNAMICS

Competitor Identification Based On Organic Impressions

Intelligent Generation of Physical Products

OPNFV overview and Edge Cloud

DDoS Detection&Mitigation: Radware Solution

Technical Disclosure Commons

Transcription:

Technical Disclosure Commons Defensive Publications Series May 10, 2018 SECURITY SOLUTION FOR KUBERNETES USING CLOUD-NATIVE VIRTUAL NETWORK FUNCTIONS Jan Medved Cisco Systems, Inc. Follow this and additional works at: https://www.tdcommons.org/dpubs_series Recommended Citation Medved, Jan, "SECURITY SOLUTION FOR KUBERNETES USING CLOUD-NATIVE VIRTUAL NETWORK FUNCTIONS", Technical Disclosure Commons, (May 10, 2018) This work is licensed under a Creative Commons Attribution 4.0 License. This Article is brought to you for free and open access by Technical Disclosure Commons. It has been accepted for inclusion in Defensive Publications Series by an authorized administrator of Technical Disclosure Commons.

Medved: SECURITY SOLUTION FOR KUBERNETES USING CLOUD-NATIVE VIRTUAL NETWO SECURITY SOLUTION FOR KUBERNETES USING CLOUD-NATIVE VIRTUAL NETWORK FUNCTIONS AUTHORS: Jan Medved CISCO SYSTEMS, INC. ABSTRACT A cloud security solution is described herein for Kubernetes-orchestrated clusters using a security cloud-native Virtual Network Function (VNF) deployed on the cluster. One advantage to this solution is that it is built into Kubernetes networking, and is therefore easier to manage/orchestrate. Moreover, it is modular (e.g., can be combined with other solutions via Service Function Chaining (SFC)), and is easier to extend/modify than in other security solutions, which may require changes to the kernel. DETAILED DESCRIPTION Existing networking solutions for Kubernetes rely on data path capabilities of the Linux kernel or the Open Virtual Switch (OVS) plugin within the kernel. This limits their functionality to implementations of basic Kubernetes policy with possibly minor extensions. Sophisticated security features, such as Distributed Denial of Service (DDOS) attack detection/mitigation or scrubbing of traffic destined for application pods must be implemented by an external appliance. In particular, there exists no security solution where the capabilities of a sophisticated security device are built into the Kubernetes networking plugin. The techniques described herein use a cloud-native security Virtual Network Function (VNF) to secure application workloads deployed on a Kubernetes cluster. A cloud-native VNF is a VNF designed for cloud environments: it runs on the Kubernetes cluster, its lifecycle is orchestrated by Kubernetes, and its control/management plane is designed according to the twelve-factor application principles (see https://12factor.net). Cloud-native VNFs must support Development Operations (DevOps) based deployment patterns, including canary and blue-green deployments. The security appliance may be Copyright 2018 Cisco Systems, Inc. 1 5597 Published by Technical Disclosure Commons, 2018 2

Defensive Publications Series, Art. 1191 [2018] based on Ligato, which is a framework for implementing cloud-native VNFs (see http://github.com/ligato). The prerequisite for deployment of cloud-native VNFs on Kubernetes is the use of Contiv-VPP as the Kubernetes Container Networking Interface (CNI) networking plugin (see http://github.com/contiv/vpp). The security appliance is deployed on the Kubernetes cluster as yet another pod. The Contiv-VPP plugin is instructed to redirect traffic destined to a target application pod to the security appliance, where security policies are applied. The Contiv-VPP plugin then routes the application traffic from the security appliance to the target application pod. On the reverse path, the outgoing traffic of the application pod can be routed to the appliance, or directly to the network. Figure 1 below illustrates an example present mode of operation. Figure 1 Copyright 2018 Cisco Systems, Inc. 2 5597 3

Medved: SECURITY SOLUTION FOR KUBERNETES USING CLOUD-NATIVE VIRTUAL NETWO Figure 2 below illustrates an example solution described herein. Figure 2 Figure 3 below illustrates an example data path. Figure 3 Copyright 2018 Cisco Systems, Inc. 3 5597 Published by Technical Disclosure Commons, 2018 4

Defensive Publications Series, Art. 1191 [2018] Figure 4 below illustrates an example container application network chain. Figure 4 In summary, a cloud security solution is described herein for Kubernetesorchestrated clusters using a security cloud-native VNF deployed on the cluster. One advantage to this solution is that it is built into Kubernetes networking, and is therefore easier to manage/orchestrate. Moreover, it is modular (e.g., can be combined with other solutions via Service Function Chaining (SFC)), and is easier to extend/modify than in other security solutions, which may require changes to the kernel. Copyright 2018 Cisco Systems, Inc. 4 5597 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback