Wolfram Richter, Red Hat. OpenShift Container Networking from the Workload's Perspective

Why this session? "OpenShift is great for web applications, but we want to do X. Will this work?" X in { Analytics, Non-HTTP, High-Performance Computing, Big Data, Object storage, NAS, Replicated Databases, ... } Let's take a look from a networking PoV!

Agenda
What is OpenShift?
How plain Docker networking works and what OpenShift does differently
Container networking across nodes
Kubernetes Services
Ingress: OpenShift Router
Egress Pods and Network Policy

OpenShift: Platform & Container as a Service
Built for both traditional and cloud-native applications
An integrated hybrid cloud application platform for application development and deployment
Develop, build, and manage container-based applications
Easily turn source code into running applications with source-to-image capabilities

OpenShift High-Level Architecture

Container Networking Problem Statements As an X, I want my containerized applications to be able to connect to other services, so that they can perform meaningful work. As an X, I want my containerized applications to be accessible externally, so that a wide range of users can use them.

RFC1918 IP assigned by docker daemon

Host NIC Docker bridge Docker host

So we can use the ip command Container

Indicates which interface the veth device is connected to (Container)

Endpoint of the container's veth device (Docker host)

Source IP appears to be Node IP

Outbound traffic is masqueraded Inbound traffic is forwarded to container Docker host

Container Networking Problem Statement: As an X, I want to use network attached storage from within my container, so I can provide stateful services (*). (*) and storage traffic shouldn't share application network bandwidth

Container Networking Problem Statement: As an X, I want name resolution to work inside the container as it would on a dedicated machine, so that I don't have to care about it.

/etc/hosts /etc/hostname /etc/resolv.conf

Files in the container fs are overwritten Container

OpenShift Networking Problem Statement: As an X, I want container networking to work seamlessly across multiple nodes, so that I don't have to worry about where which containers run (*). (*) while still maintaining compatibility with plain Docker containers

Host NICs; Docker bridge; docker bridge <-> OVS bridge; OVS bridge; OVS bridge <-> host NICs (OpenShift node)

Look, there's no container connected (OpenShift node)

Container veth endpoints on ovs bridge OpenShift node

Pod IP address OpenShift node

Ping works from container on same host Container

Ping fails from container on different host Container

Each node has specific IP range

IP Range node 1 IP Range node 2 OpenShift node

IP packets destined for a pod on another node are encapsulated via VXLAN

... and sent out via the node's IP stack (MTU impact!)

Port 1 is VXLAN OpenShift node

Flow rules that trigger VXLAN encapsulation Destination node IP address OpenShift node

Two pods in the same namespace on different nodes OpenShift node

can communicate with each other OpenShift pod

OpenShift Networking Problem Statement: As an X, I want to ensure that a rogue pod cannot access pods in another project, so that I have a base level of security.

Project-specific VXLAN ID

Pod in a different namespace cannot be reached OpenShift pod
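As an added example (not from the talk), the following Python models the VXLAN header that wraps inter-node pod traffic, the 50-byte overhead behind the MTU remark above, and the per-project VNI check that keeps a pod from reaching another namespace. The deliver() helper is a simplified stand-in for the receiving node's OVS flow rule, and the VNI and frame values are constructed.

```python
import struct
from typing import Optional, Tuple

# VXLAN header (RFC 7348), 8 bytes on the wire:
#   byte 0: flags, bit 3 ("I") set when the VNI field is valid
#   bytes 1-3: reserved
#   bytes 4-6: 24-bit VXLAN Network Identifier (VNI)
#   byte 7: reserved
VXLAN_FLAG_I = 0x08
# Outer Ethernet (14) + outer IPv4 (20) + UDP (8) + VXLAN (8) bytes are added
# to every inter-node pod packet; this is the "MTU impact".
VXLAN_OVERHEAD = 14 + 20 + 8 + 8

def inner_mtu(underlay_mtu: int) -> int:
    """Largest pod-facing MTU whose packets still fit one underlay packet."""
    return underlay_mtu - VXLAN_OVERHEAD

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header tagged with the sending project's VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame

def vxlan_decap(packet: bytes) -> Tuple[int, bytes]:
    """Split a VXLAN packet into (vni, inner_frame); reject malformed input."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", packet[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return word1 >> 8, packet[8:]

def deliver(packet: bytes, local_vni: int) -> Optional[bytes]:
    """Constructed model of the receiving node's rule in a multitenant
    network: only frames carrying the destination project's VNI are handed
    to the pod; a frame tagged with another project's VNI is dropped."""
    vni, inner = vxlan_decap(packet)
    return inner if vni == local_vni else None
```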

OpenShift Networking Problem Statement: As an X, I want to be able to connect to other containerized services using a stable endpoint, so I don't have to reconfigure my application when other containers come and go.

Service IP Address OpenShift node

Namespace in search suffix list Name resolution via OpenShift dnsmasq on node OpenShift pod

Service name is resolved into an IP address (OpenShift pod)

Communication via service IP OpenShift pod
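Added example, not from the talk: a model of the resolver search-list expansion that lets a pod address a service by its short name, using a constructed table of service records in place of the node's dnsmasq. The namespace names, service IPs and the resolv.conf values (search list, ndots) are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of the service records the node's dnsmasq would answer
# (assumption: cluster domain cluster.local, service IPs invented).
SERVICE_RECORDS: Dict[str, str] = {
    "api-gateway.myproject.svc.cluster.local": "172.30.10.5",
    "api-gateway.staging.svc.cluster.local": "172.30.20.7",
    "kubernetes.default.svc.cluster.local": "172.30.0.1",
}

# Assumed /etc/resolv.conf content of a pod in namespace "myproject":
#   search myproject.svc.cluster.local svc.cluster.local cluster.local
#   options ndots:5
SEARCH_LIST = ["myproject.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5

def candidates(name: str, search: List[str] = SEARCH_LIST, ndots: int = NDOTS) -> List[str]:
    """FQDNs a glibc-style resolver tries, in order, for a given name."""
    if name.endswith("."):
        return [name[:-1]]            # absolute name: no search-list expansion
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") < ndots:
        return expanded + [name]      # short names: try the search list first
    return [name] + expanded

def resolve(name: str, records: Dict[str, str] = SERVICE_RECORDS) -> Optional[Tuple[str, str]]:
    """Return (fqdn, service_ip) for the first candidate that has a record."""
    for fqdn in candidates(name):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None
```

A short name therefore resolves within the pod's own namespace first, while `<service>.<namespace>` reaches a service in another project through the second search suffix.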

Kubernetes Service Modes
User-space mode: iptables rules forward packets destined to the service IP address to kube-proxy. Kube-proxy in turn initiates connections to the actual destination IP and proxies between the two endpoints. Key advantage: it can detect non-responding pods and retry the connection to other pods.
iptables mode: kube-proxy continuously updates the node's iptables rules, which forward packets directly to one of the target pods' IPs. Key advantage: increased throughput.

OpenShift Networking Problem Statement: As an X, I want my containerized applications to be accessible externally, so that a wide range of users can use them (*). (*) without having to care about which node a container/pod runs on

Ingress router pod bound to host port

Host Port = port exposed on the node; (containerized) haproxy

OpenShift Routing: Layer 7 routing (HTTP(S), TLS-SNI). To route other protocols properly, deploy dedicated customized routers. Alternatively, use external load balancers such as F5, etc.

OpenShift Networking Problem Statement: As an operator, I want to be able to fall back to the known working version of a service when deploying a new version, so I have a safety net (blue/green deployments).

Router reconfiguration allows blue/green deployments:
oc patch route/api-gateway -p '{ "spec": { "to": { "name": "api-gateway-green" }}}'
oc patch route/api-gateway -p '{ "spec": { "to": { "name": "api-gateway-blue" }}}'

OpenShift Networking Problem Statement As an operator, I want my containerized applications to use specific source IP addresses to access external services, so I can restrict service access via (external) firewall rules.

Egress source IP; Egress target IP (points to external service IP A); Egress default GW

Points to egress-1 pod

Retrieving from egress-1 service works OpenShift pod

Egress source IP Egress target IP External service

if2: node s eth0 OpenShift egress pod

OpenShift Networking Problem Statement: As an operator, I want to control which services my containerized applications can access, so I can limit access via internal means.

Egress Network Policy (rules are checked in order, first match wins; the final Deny must cover 0.0.0.0/0 to act as a catch-all, since 0.0.0.0/32 would match only the single address 0.0.0.0):
{
  "kind": "EgressNetworkPolicy",
  "apiVersion": "v1",
  "metadata": { "name": "default" },
  "spec": {
    "egress": [
      { "type": "Allow", "to": { "cidrSelector": "1.2.3.0/24" } },
      { "type": "Deny", "to": { "cidrSelector": "0.0.0.0/0" } }
    ]
  }
}
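Added example (not the project's own code): a minimal evaluator for the first-match semantics of the policy above, comparing a 0.0.0.0/32 catch-all with 0.0.0.0/0 to show which destinations each variant actually blocks. Rule ordering and the "no match means not blocked" behaviour follow what OpenShift 3 documents for EgressNetworkPolicy; dnsName selectors are left out, and the sample destination addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

def make_policy(catch_all: str) -> Dict:
    """EgressNetworkPolicy in the shape shown on the slide; only the final
    Deny rule's CIDR differs between the two variants compared below."""
    return {
        "kind": "EgressNetworkPolicy",
        "apiVersion": "v1",
        "metadata": {"name": "default"},
        "spec": {"egress": [
            {"type": "Allow", "to": {"cidrSelector": "1.2.3.0/24"}},
            {"type": "Deny", "to": {"cidrSelector": catch_all}},
        ]},
    }

POLICY_NARROW_DENY = make_policy("0.0.0.0/32")  # matches only host 0.0.0.0
POLICY_CATCH_ALL = make_policy("0.0.0.0/0")     # matches every IPv4 address

def egress_verdict(policy: Dict, dst_ip: str) -> Optional[str]:
    """Rules are evaluated top to bottom and the first match wins.
    Returns "Allow", "Deny", or None when no rule matched."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy["spec"]["egress"]:
        cidr = rule["to"].get("cidrSelector")
        if cidr is None:
            continue  # dnsName selectors are not modelled in this example
        if ip in ipaddress.ip_network(cidr, strict=False):
            return rule["type"]
    return None

def is_allowed(policy: Dict, dst_ip: str) -> bool:
    # Traffic that matches no rule is not blocked by the policy.
    return egress_verdict(policy, dst_ip) != "Deny"

def blocked_destinations(policy: Dict, dsts: List[str]) -> List[str]:
    """Destinations a pod in this project cannot reach under the policy."""
    return [d for d in dsts if not is_allowed(policy, d)]
```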

Summary: If the question is "OpenShift is great for web applications, but we want to do X. Will this work?", the answer is most likely yes (from a networking point of view) (*). (*) keep in mind that there is an MTU impact, multiple processing hops which impact latency, etc.