Networking & Security for Mesos: An IP for Every Container and More!
Christopher Liljenstolpe, February 24, 2016
The #1 Challenge for Cloud?
Recent data breaches due to hacking or poor security: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cloud-native app architectures are driving 100-1000x growth in workloads in an era of heightened security threats.
Enterprise security is still in the middle ages
Medieval security architecture
Oh, hey! I just love these things! Crunchy on the outside and a chewy center!
Fast forward to the present
Increased complexity
Resource Fungibility
Tear down the walls?
The opportunity?
The Dynamic, Distributed Firewall
[Diagram: six workloads (192.168.1.2 through 192.168.1.7), each with its own eth0, attached to two routing hosts (10.0.0.1 and 10.0.0.2) that forward into the network fabric]
The Dynamic, Distributed Firewall: Worked Example

Policy, written against labels rather than addresses:
  loadbal: allow 80 to webapp
  webapp: allow 80 from loadbal
  QA: allow 443 from <qarobots>
  Pub: allow 443 from any

Labels on the workloads: A: loadbal, QA; B: webapp; C: webapp

Rules that Felix (Calico's per-host agent) programs for each workload, ending in a default deny:

Workload A (2001:db8::1):
  1. to 2001:db8::2 port 80 allow
  2. to 2001:db8::3 port 80 allow
  3. from <qarobots> any port 443 allow
  4. default deny

Workload B (2001:db8::2):
  1. from 2001:db8::1 port 80 allow
  2. default deny

Workload C (2001:db8::3):
  1. from 2001:db8::1 port 80 allow
  2. default deny
Mesos / HAProxy introduce another problem
[Diagram: host 10.0.0.1 runs an application (172.17.0.2) and two services (172.17.0.3, 172.17.0.4) on private addresses; they are reached through the host's address, as 10.0.0.1:8080 and 10.0.0.1:80]
With port mapping every container shares the host's address, so an address no longer identifies a workload for policy, and each exposed port must be unique on the host.
The Solution
Project Calico & Mesos Logical Architecture
[Diagram: a Mesos Master and several Mesos Agents. On each Agent, workloads (containers or VMs) sit above the host kernel, which does policy enforcement and efficient packet forwarding (IP per workload, direct integration with the cloud fabric). Security policy and routes & addresses are distributed to every agent.]
Net-modules Work Flow (actual architecture)
Components: Framework, Master, Agent, Mesos module (isolator module, cleanup module), network plug-in (Calico) with IPAM and network virtualizer.
1. Framework -> Master: launch task (NetworkInfo)
2. Master -> Agent: launch task (NetworkInfo)
3. Agent isolator module -> plug-in: get IP (IPAM); isolate (IP, policy) (network virtualizer)
4. Agent -> Master: update task state; Master -> Framework: task update (NetworkInfo)
5. On task termination the cleanup module runs and a task update (NetworkInfo) is sent
Demonstration of basic network isolation
- Mesos cluster with 2 agents
- Launching 4 probe tasks
- Each probe listens on port 9000
- Each probe tries to reach all other probes
- We want all 4 to launch successfully (no port conflicts)
- We want to isolate them into two groups of 2 probes
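As an added worked example that ties the policy slide above to this demo (this is illustrative code written for this page, not Calico's, Felix's or net-modules' code): a small Python model that expands label-based intents into the per-workload, default-deny rule lists of the worked example, decides whether a connection is allowed when policy is enforced at both the source's and the destination's host, and computes the reachability matrix the four probes would observe. The "qarobots" workload at 2001:db8::10, the probe addresses 192.168.0.1-4, the group names g1/g2, the rule tuple format and the assumption that enforcement is connection-tracked (only the initiating direction is evaluated) are all assumptions of this example, not of the slides.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

ANY = "any"   # wildcard peer or port


@dataclass(frozen=True)
class Rule:
    direction: str      # "in": traffic arriving at the workload; "out": leaving it
    peer: str           # tag naming the other end, or ANY
    port: int | str     # destination TCP port, or ANY


@dataclass
class Workload:
    name: str
    ip: str
    profiles: tuple[str, ...] = ()

    def __post_init__(self) -> None:
        # Canonicalise so 2001:0db8::1 and 2001:db8::1 compare equal later.
        self.ip = str(ip_address(self.ip))


@dataclass
class Policy:
    profiles: dict[str, list[Rule]]
    workloads: list[Workload]

    def members(self, tag: str) -> list[Workload]:
        """A profile name doubles as a tag selecting every workload that carries it."""
        return [w for w in self.workloads if tag in w.profiles]

    def by_ip(self, ip: str) -> Workload:
        ip = str(ip_address(ip))
        return next(w for w in self.workloads if w.ip == ip)

    def compile(self, w: Workload) -> dict[str, list[tuple[str, int | str, str]]]:
        """Expand tags to addresses: the ordered rule list programmed for w.
        Each direction ends with a default deny, as on the slide."""
        rules: dict[str, list[tuple[str, int | str, str]]] = {"in": [], "out": []}
        for prof in w.profiles:
            for r in self.profiles[prof]:
                peers = [ANY] if r.peer == ANY else [m.ip for m in self.members(r.peer)]
                rules[r.direction] += [(ip, r.port, "allow") for ip in peers]
        for direction in rules:
            rules[direction].append((ANY, ANY, "deny"))
        return rules

    @staticmethod
    def _match(rules, peer_ip: str, port: int) -> bool:
        for ip, p, action in rules:          # first match wins, as in iptables
            if ip in (ANY, peer_ip) and p in (ANY, port):
                return action == "allow"
        return False

    def allowed(self, src_ip: str, dst_ip: str, port: int) -> bool:
        """Can src open a TCP connection to dst:port?  Assumption: stateful
        enforcement, so only the initiating direction is evaluated, but it is
        evaluated at BOTH endpoints' hosts (a distributed firewall)."""
        src, dst = self.by_ip(src_ip), self.by_ip(dst_ip)
        return (self._match(self.compile(src)["out"], dst.ip, port)
                and self._match(self.compile(dst)["in"], src.ip, port))

    def reachability(self, port: int) -> dict[tuple[str, str], bool]:
        """Which workload pairs can talk on `port` (what the demo's probes measure)."""
        return {(s.name, d.name): self.allowed(s.ip, d.ip, port)
                for s in self.workloads for d in self.workloads if s is not d}


def slide_policy() -> Policy:
    """The slide's worked example.  The 'robot' workload (2001:db8::10) and its
    egress profile are constructed here so the QA rule has a source to expand to."""
    profiles = {
        "loadbal":  [Rule("out", "webapp", 80)],
        "webapp":   [Rule("in", "loadbal", 80)],
        "QA":       [Rule("in", "qarobots", 443)],
        "Pub":      [Rule("in", ANY, 443)],
        "qarobots": [Rule("out", "QA", 443)],     # constructed: the robots' own egress
    }
    workloads = [
        Workload("A", "2001:db8::1", ("loadbal", "QA")),
        Workload("B", "2001:db8::2", ("webapp",)),
        Workload("C", "2001:db8::3", ("webapp",)),
        Workload("robot", "2001:db8::10", ("qarobots",)),
    ]
    return Policy(profiles, workloads)


def demo_policy() -> Policy:
    """The isolation demo: four probes on port 9000, two groups of two.
    Addresses are constructed; in the real demo IPAM assigns them."""
    profiles = {g: [Rule("in", g, 9000), Rule("out", g, 9000)] for g in ("g1", "g2")}
    workloads = [Workload(f"probe{i}", f"192.168.0.{i}", (g,))
                 for i, g in enumerate(("g1", "g1", "g2", "g2"), start=1)]
    return Policy(profiles, workloads)


if __name__ == "__main__":
    p = slide_policy()
    for w in p.workloads:
        print(w.name, p.compile(w))
    print(p.allowed("2001:db8::1", "2001:db8::2", 80))   # loadbal -> webapp
    print(p.allowed("2001:db8::2", "2001:db8::3", 80))   # webapp -> webapp
    print({k: v for k, v in demo_policy().reachability(9000).items() if v})
```

Two things the model makes visible that the slide only implies: the compiled list for A contains exactly the four rules on the slide once the webapp and qarobots tags are expanded, and a webapp cannot reach its sibling webapp on port 80 even though both accept port 80, because the source's own egress list has nothing but the default deny. Adding a workload to a group changes only the tag expansion, which is what "dynamic" means here.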
Demonstration (video)
Where are we at today?
- Net-modules supported with the Mesos containerizer since Mesos 0.26
- IP per container
- IP Address Management (IPAM)
- DNS-based service discovery (Mesos-DNS)
- Network isolation
- Try it out: https://github.com/mesosphere/netmodules (includes step-by-step instructions to repeat the demo)
Restrictions / Wish List
- Other frameworks (only Marathon supported today); community work ongoing to integrate Spark, Chronos, ...
- Docker daemon support via the same net-modules mechanism; the Docker daemon has a different networking model, via the libnetwork API, but it is not well integrated with Mesos
- Tighter integration of fine-grained policy control; today, fine-grained policy is side-loaded via calicoctl
- One-step install via DCOS
- Support for the Container Network Interface (CNI) model (as used by Kubernetes)
Summary