Bringing Security and Multitenancy. Lei (Harry) Zhang


Bringing Security and Multitenancy to Kubernetes Lei (Harry) Zhang

About Me
Lei (Harry) Zhang
Microsoft MVP in cloud and datacenter management (though I'm a Linux guy :/)
Previous: VMware, Baidu
Feature maintainer of Kubernetes
HyperCrew: https://hyper.sh
Publications: Docker & Kubernetes Under the Hood
PhD candidate @ZJU: large-scale cluster management and scheduling

A survey about boundary
Are you comfortable with Linux containers as an effective boundary?
- Yes, I use containers in my private/safe environment
- No, I use containers to serve the public cloud

As long as we care about security
We have to wrap containers inside full-blown virtual machines (the reality), but then we lose the cloud-native deployment (the dream):
- Slow startup time
- Huge resource waste
- Memory tax for every container

Revisit: namespace, cgroups, container
Container Runtime: the dynamic view and boundary of your running process, i.e. a read-write layer (plus the /data volume) on top of an init layer (/etc/hosts, /etc/hostname, /etc/resolv.conf) and the read-only image layers (a rootfs with /bin /dev /etc /home /lib /lib64 /media /mnt /opt /proc /root /run /sbin /sys /tmp /usr /var, plus /data and /temp.txt).
Container Image: the static view of your program, data, dependencies, files and directories, built from the Dockerfile:
    FROM busybox
    ADD temp.txt /
    VOLUME /data
    CMD ["echo", "hello"]

HyperContainer Secure Kubernetes from runtime level

HyperContainer
- Container Runtime: RunV, https://github.com/hyperhq/runv, the OCI-compatible hypervisor-based runtime implementation, widely adopted by companies like Huawei
- Control daemon: https://github.com/hyperhq/hyperd
- Container Image: Docker Image Spec

Combine the best parts
Portable and behaves like a Linux container:
    $ hyperctl run -t busybox echo helloworld
Sub-second startup time*, ~12MB memory cost.
Fully isolated sandbox with an independent guest kernel:
    $ hyperctl exec -t busybox uname -r
    4.4.12-hyper (or your provided kernel)
Security, backward compatibility, maturity. See: http://hypercontainer.io/why-hyper.html

HyperContainer is a Pod. That's how HyperContainer fits into the Kubernetes philosophy. Wait, why is Pod so important?

Pod: lesson learned from Borg Should sample.war be packaged with Tomcat?

Pod: lesson learned from Borg InitContainers: one or more containers started in sequence before the pod's normal containers are started. Share volumes, perform network operations, and perform computation prior to the app containers.

So, Pod is
- the group of super-affinity containers (e.g. app + log)
- the atomic scheduling unit
- the process group in the container cloud
- the way to do the right things without modifying your container image: infra container, init container, volume
Kubernetes = Spring Framework, Pod = IoC

Pod is not easy to simulate
app and log have super affinity.
Requirement: app: 1G, log: 0.5G
Available: Node_A: 1.25G, Node_B: 2G
What happens if app is scheduled to Node_A?
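The failure mode on this slide, as an added example that is not part of the talk: first-fit placement of the app and log containers one at a time versus as one atomic unit. The memory figures are the slide's; the scheduler logic and node ordering are constructed for illustration.

```python
"""Added example (not from the talk): per-container vs. pod-level scheduling
for the app/log pair on the slide. Numbers are the slide's; the first-fit
policy and node order are an assumption."""

from typing import Dict, Optional

# Constructed from the slide: memory in GB.
CONTAINERS: Dict[str, float] = {"app": 1.0, "log": 0.5}
NODES: Dict[str, float] = {"Node_A": 1.25, "Node_B": 2.0}


def first_fit(need: float, free: Dict[str, float]) -> Optional[str]:
    """Return the first node (in dict order) with enough free memory, or None."""
    for node, avail in free.items():
        if avail >= need:
            return node
    return None


def schedule_per_container(containers: Dict[str, float],
                           nodes: Dict[str, float]) -> Dict[str, Optional[str]]:
    """Schedule each container independently: what you get without a Pod.
    app lands on Node_A, which then has 0.25G left, so log is pushed to Node_B
    and the super affinity is broken."""
    free = dict(nodes)
    placement: Dict[str, Optional[str]] = {}
    for name, need in containers.items():
        node = first_fit(need, free)
        placement[name] = node
        if node is not None:
            free[node] -= need
    return placement


def schedule_as_pod(containers: Dict[str, float],
                    nodes: Dict[str, float]) -> Optional[str]:
    """Treat the group as one atomic scheduling unit: sum the requests and
    place once, so app and log always share a node (here Node_B)."""
    return first_fit(sum(containers.values()), dict(nodes))


def super_affinity_kept(placement: Dict[str, Optional[str]]) -> bool:
    """True only if every container was placed and all on the same node."""
    nodes = set(placement.values())
    return len(nodes) == 1 and None not in nodes


if __name__ == "__main__":
    print("per container:", schedule_per_container(CONTAINERS, NODES))
    print("as pod:       ", schedule_as_pod(CONTAINERS, NODES))
```

Per-container placement gives app on Node_A and log on Node_B; the pod-level pass places the 1.5G group on Node_B, which is the point of making the Pod the scheduling unit.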

HyperContainer is a Pod
- Linux container based runtimes: wrap and encapsulate several app containers into a logical group
- Hypervisor container based runtime: the hypervisor serves as a natural boundary of the Pod

HyperContainer is a Pod
kubelet -> Container Runtime Interface:
create sandbox Foo -> create container C -> start container C ... stop container C -> remove container C -> delete sandbox Foo
Sandbox: normally the infra container. In HyperContainer: a hypervisor with HyperKernel and a HyperStart process as PID 1, which sets up the mnt namespace, launches apps from the images, etc.

Hypernetes Kubernetes with HyperContainer Runtime

Hypernetes (also: h8s)
1. Kubernetes + HyperContainer runtime, officially supported by using kubernetes/frakti
2. Multi-tenant network and persistent volumes: battle-tested Neutron + Cinder plugin

Multi-tenant Network

Multi-tenant Network
Goal: leverage the tenant-aware Neutron network for Kubernetes, following the network plugin workflow.
Non-goal: break the k8s network model or hack k8s code.

Define the Network
- Network is a top-class API object
- each tenant (created by Keystone) has its own Network
- a Network maps to a Neutron net
- a Network Controller is responsible for managing the Network lifecycle

Example: the Network Controller runs a control loop inside controller-manager, comparing the desired world (API objects: network, pod, replica, namespace, service, job, deployment, volume, petset) with the real world and calling Neutron to create/delete the network. Also in the picture: api-server, etcd, scheduler, and on each node kubelet (SyncLoop) and proxy.

Kubernetes Network Model
- Container reach container: all containers can communicate with all other containers without NAT
- Node reach container: all nodes can communicate with all containers (and vice versa) without NAT
- IP addressing: a Pod in the cluster can be addressed by its IP

How does h8s fit that?
- a Network can be assigned to one or more Namespaces
- Pods belonging to the same Network can reach each other directly through IP
- a Pod's network maps to a Neutron port
- kubelet is responsible for Pod network setup; let's see how kubelet works

Example: pod creation workflow
1. Pod created (request to api-server)
2. Pod object added (api-server stores it in etcd)
3.1 scheduler detects the new pod object; 3.2 scheduler binds the pod with a node
4.1 kubelet SyncLoop detects a pod bound to this node; 4.2 kubelet starts the containers in the pod
(Also in the picture: proxy on each node.)

Design of kubelet
- Choose Runtime: docker, rkt, hyper/remote
- InitNetworkPlugin
- Managers: status Manager (NodeStatus, Network Status), volume Manager, image Manager, PLEG
- SyncLoop: PodUpdate -> HandlePods {Add, Update, Remove, Delete, ...} -> Pod Update Worker (e.g. add): generate Pod status, check volume status (talk later), call runtime to start containers, set up Pod network (see next slide)

Set Up Pod Network

kubestack: a standalone gRPC daemon
1. to translate the SetUpPod request to the Neutron network API
2. to handle the multi-tenant Service proxy

Service
OnServiceUpdate / OnEndpointsUpdate:
    $ iptables-save | grep my-service
    -A KUBE-SERVICES -d 10.0.0.116/32 -p tcp -m comment --comment "default/my-service: cluster IP" -m tcp --dport 8001 -j KUBE-SVC-KEAUNL7HVWWSEZA6
    -A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-6XXFWO3KTRMPKCHZ
    -A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-57KPRZ3JQVENLNBRZ
    -A KUBE-SEP-6XXFWO3KTRMPKCHZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.2:80
    -A KUBE-SEP-57KPRZ3JQVENLNBRZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.3:80
Portal 10.10.0.116:8001 -> random mode rules -> backend rule_1 172.17.0.2:80, backend rule_2 172.17.0.3:80

Multi-tenant Service
- The default iptables-based kube-proxy is not tenant aware: Endpoint Pods and Nodes carrying the iptables rules are isolated into different networks
- Hypernetes uses a built-in HAProxy as the Service portal to handle all Service instances within the same namespace, following the same OnServiceUpdate and OnEndpointsUpdate workflow
- ExternalProvider: an OpenStack LB will be created as the Service, e.g. curl 58.215.33.98:8078
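The two Service slides above, as an added example that is neither the talk's nor Hypernetes' code: parse the kube-proxy iptables rules shown on the Service slide into a portal-to-backends map, then render the same Service as a per-namespace HAProxy frontend/backend, which is the shape of the tenant-scoped portal described here. The sample rules are constructed from the slide's `iptables-save` output; the HAProxy layout (one frontend and backend per Service, `mode tcp`, `balance roundrobin`) is an assumption and not Hypernetes' actual template.

```python
"""Added example (not from the talk or Hypernetes): kube-proxy iptables rules
-> Service model -> per-namespace HAProxy config.  Sample input is constructed
from the slide; the HAProxy layout is an assumption."""

import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the iptables-save lines from the slide, one per line.
IPTABLES_SAVE = """\
-A KUBE-SERVICES -d 10.0.0.116/32 -p tcp -m comment --comment "default/my-service: cluster IP" -m tcp --dport 8001 -j KUBE-SVC-KEAUNL7HVWWSEZA6
-A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-6XXFWO3KTRMPKCHZ
-A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-57KPRZ3JQVENLNBRZ
-A KUBE-SEP-6XXFWO3KTRMPKCHZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.2:80
-A KUBE-SEP-57KPRZ3JQVENLNBRZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.3:80
"""

# Portal rule: cluster IP + port -> KUBE-SVC chain, with "ns/name: ..." in the comment.
SVC_RE = re.compile(
    r'^-A KUBE-SERVICES -d (\S+?)/32 -p (\w+) .*--comment "([^"]+)".*--dport (\d+) -j (KUBE-SVC-\S+)')
# Load-balancing rule: KUBE-SVC chain -> one KUBE-SEP chain per endpoint.
SEP_LINK_RE = re.compile(r'^-A (KUBE-SVC-\S+) .* -j (KUBE-SEP-\S+)')
# Endpoint rule: KUBE-SEP chain -> DNAT to the backend pod.
DNAT_RE = re.compile(r'^-A (KUBE-SEP-\S+) .* -j DNAT --to-destination (\S+)')


def parse_services(dump: str) -> Dict[str, dict]:
    """Map 'namespace/name' -> {portal, proto, backends} from iptables-save text."""
    portals = {}                 # KUBE-SVC chain -> (ns/name, ip, port, proto)
    links = defaultdict(list)    # KUBE-SVC chain -> [KUBE-SEP chains]
    dnat = {}                    # KUBE-SEP chain -> "ip:port"
    for line in dump.splitlines():
        m = SVC_RE.match(line)
        if m:
            ip, proto, comment, port, chain = m.groups()
            name = comment.split(":")[0]   # 'default/my-service: cluster IP' -> 'default/my-service'
            portals[chain] = (name, ip, int(port), proto)
            continue
        m = SEP_LINK_RE.match(line)
        if m:
            links[m.group(1)].append(m.group(2))
            continue
        m = DNAT_RE.match(line)
        if m:
            dnat[m.group(1)] = m.group(2)
    services: Dict[str, dict] = {}
    for chain, (name, ip, port, proto) in portals.items():
        backends = [dnat[sep] for sep in links.get(chain, []) if sep in dnat]
        services[name] = {"portal": f"{ip}:{port}", "proto": proto, "backends": backends}
    return services


def render_haproxy(services: Dict[str, dict], namespace: str) -> str:
    """Render one frontend/backend pair per Service that lives in `namespace`.
    Services of other namespaces are simply not emitted, so a portal that runs
    inside one tenant's network only ever forwards to that tenant's endpoints."""
    out: List[str] = []
    for name, svc in sorted(services.items()):
        ns, short = name.split("/", 1)
        if ns != namespace:
            continue
        ip, port = svc["portal"].split(":")
        out.append(f"frontend {short}\n    bind {ip}:{port}\n    mode tcp\n    default_backend {short}-backend")
        out.append(f"backend {short}-backend\n    mode tcp\n    balance roundrobin")
        for i, ep in enumerate(svc["backends"]):
            out.append(f"    server s{i} {ep} check")
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    svcs = parse_services(IPTABLES_SAVE)
    print(svcs)
    print(render_haproxy(svcs, "default"))
```

Run against the slide's rules the parser yields portal 10.0.0.116:8001 with backends 172.17.0.2:80 and 172.17.0.3:80; rendering for a namespace that owns no Service produces an empty config, which is the isolation property the iptables rules on the node do not give you.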

Persistent Volume

Kubernetes Persistent Volume
Volume Manager reconcile loop (desired world vs actual state of world):
- Get mountedVolume from actualStateOfWorld
- Unmount volumes in mountedVolume but not in desiredStateOfWorld
- AttachVolume() if vol in desiredStateOfWorld and not attached
- MountVolume() if vol in desiredStateOfWorld and not in mountedVolume
- Verify that devices which should be detached/unmounted are detached/unmounted
Flow: Cinder volume plugin -> attach (host path) -> mount (Pod mountpath).
Tips:
1. -v host:path
2. attach vs mount
3. Totally independent from container management

Persistent Volume with HyperContainer
Enhanced Cinder volume plugin. For a Linux container Pod:
1. full OpenStack cluster
2. query Nova to find the node
3. attach the Cinder volume to a host path
4. bind mount the host path into the Pod containers
For a HyperContainer Pod: directly attach block devices to the Pod, thanks to the hypervisor-based Pod boundary; this eliminates the extra time spent querying Nova.
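The reconcile loop from the two Persistent Volume slides, as an added example that is not the kubelet's or Hypernetes' code: desired state and actual state are plain sets, one pass emits the unmount/detach/attach/mount actions in the order the slide lists them, and a flag models the enhanced Cinder plugin's HyperContainer path, where the attached block device is handed to the Pod sandbox instead of being host-mounted and bind-mounted. Volume names, the `VolumeWorld` type and the action names are constructed for illustration.

```python
"""Added example (not kubelet code): the volume manager reconcile step on the
slide, with the two attach targets the talk contrasts.  Types, names and
volume ids are constructed."""

from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class VolumeWorld:
    desired: Set[str]                                   # desiredStateOfWorld: volumes pods on this node want
    attached: Set[str] = field(default_factory=set)     # actualStateOfWorld: attached to the node / pod
    mounted: Set[str] = field(default_factory=set)      # actualStateOfWorld: mounted into a pod


def reconcile(world: VolumeWorld, hypervisor_pod: bool = False) -> List[Tuple[str, str]]:
    """One pass of the reconcile loop; mutates `world` and returns the actions
    taken, in order.  hypervisor_pod=True models the enhanced Cinder plugin:
    there is no host mount, the attached device goes straight into the Pod."""
    actions: List[Tuple[str, str]] = []

    # 1. Unmount what is mounted but no longer desired.
    for vol in sorted(world.mounted - world.desired):
        actions.append(("UnmountVolume", vol))
        world.mounted.discard(vol)

    # 2. Detach what is attached but no longer desired (only after unmount).
    for vol in sorted(world.attached - world.desired):
        actions.append(("DetachVolume", vol))
        world.attached.discard(vol)

    # 3. AttachVolume() if vol in desired and not attached.
    #    Linux container path: this is where the plugin would query Nova for the
    #    node and attach the Cinder volume to a host path; the hypervisor path
    #    attaches to the Pod boundary directly.
    for vol in sorted(world.desired - world.attached):
        actions.append(("AttachVolume", vol))
        world.attached.add(vol)

    # 4. MountVolume() if vol in desired and not in mountedVolume.
    for vol in sorted(world.desired - world.mounted):
        if hypervisor_pod:
            actions.append(("AttachBlockDeviceToPod", vol))   # no host mount step
        else:
            actions.append(("MountVolume", vol))              # host mount + bind mount
        world.mounted.add(vol)

    return actions


def converged(world: VolumeWorld) -> bool:
    """True when actual state matches desired state exactly."""
    return world.attached == world.desired and world.mounted == world.desired


if __name__ == "__main__":
    w = VolumeWorld(desired={"vol-a", "vol-b"}, attached={"vol-a", "vol-old"}, mounted={"vol-a", "vol-old"})
    print(reconcile(w))            # unmount/detach vol-old, attach/mount vol-b
    print(reconcile(w))            # [] : already converged
    print(reconcile(VolumeWorld(desired={"vol-c"}), hypervisor_pod=True))
```

A second pass over the same world returns no actions, which is the property a level-triggered reconcile loop must have; the volume handling never looks at container state, matching tip 3 on the slide.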

PV Example: create a Cinder volume, then claim the volume by referencing its volumeID.

Container Runtime Interface

Future of CRI
- Keep Docker as the only default container runtime? Alternatives: oci-runtime, rktlet, hyperd
- Frakti: the Remote Container Runtime Kit, https://github.com/kubernetes/frakti, welcome to try out, star and fork

If the image becomes non-standard, e.g. the Docker image becomes somehow Docker specific? Don't worry, kubelet.imagemanager is moving to be runtime specific, but then k8s will probably choose NO DEFAULT runtime.

Full Topology
- Master: KeyStone, Neutron, Cinder, Ceph; API objects Network and Pod
- Each Node: Pods, kubelet (with the Cinder Plugin), kubestack, kube-proxy, Neutron L2 Agent

Summary
A new way to build secure and multi-tenant Kubernetes: Kubernetes + HyperContainer + Neutron Plugin + Cinder Plugin + Keystone
Project URL: https://github.com/hyperhq/hypernetes
Roadmap:
- Graduate HyperContainer runtime on k8s upstream: see HyperContainer in an official k8s release
- Neutron CNI plugin
Tip: https://hyper.sh is totally built on Hypernetes, try it out :)

END Lei (Harry) Zhang @resouer