Multitenancy Deep Dive

Similar documents
The speed of containers, the security of VMs. KataContainers.io

The speed of containers, the security of VMs

How Container Runtimes matter in Kubernetes?

Bringing Security and Multitenancy. Lei (Harry) Zhang

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Hacking and Hardening Kubernetes

TEN LAYERS OF CONTAINER SECURITY

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

Secure Kubernetes Container Workloads

Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

Introduction to Kubernetes

Stackube Documentation

Kubernetes 101. Doug Davis, STSM September, 2017

TungstenFabric (Contrail) at Scale in Workday. Mick McCarthy, Software Workday David O Brien, Software Workday

OpenShift Dedicated 3 Release Notes

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

How to Put Your AF Server into a Container

Kubernetes 1.8 and Beyond

TEN LAYERS OF CONTAINER SECURITY

Implementing SaaS on Kubernetes

OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Kuber-what?! Learn about Kubernetes

KUBERNETES IN A GROWN ENVIRONMENT AND INTEGRATION INTO CONTINUOUS DELIVERY

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Life of a Packet. KubeCon Europe Michael Rubin TL/TLM in GKE/Kubernetes github.com/matchstick. logo. Google Cloud Platform

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

Kubernetes - Networking. Konstantinos Tsakalozos

Onto Petaflops with Kubernetes

Red Hat Roadmap for Containers and DevOps

Kubernetes 1.9 Features and Future

VMWARE PIVOTAL CONTAINER SERVICE

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co

VMWARE ENTERPRISE PKS

Dan Williams Networking Services, Red Hat

Overview of Container Management

@briandorsey #kubernetes #GOTOber

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Oh.. You got this? Attack the modern web

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

Infoblox Kubernetes1.0.0 IPAM Plugin

Cloud I - Introduction

Kubernetes Container Networking with NSX-T Data Center Deep Dive

Kubernetes on Openstack

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Safe Harbor Statement

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

RUNNING VIRTUAL MACHINES ON KUBERNETES. Roman Mohr & Fabian Deutsch, Red Hat, KVM Forum, 2017

Inside Kubernetes Resource Management (QoS)

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

Container-Native Storage

INTRODUCING CONTAINER-NATIVE VIRTUALIZATION

Virtual Security Gateway Overview

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Project Kuryr. Here comes advanced services for containers networking. Antoni Segura

Kubernetes Integration Guide

Defining Security for an AWS EKS deployment

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Datacenter Network Solutions Group

Scheduling in Kubernetes October, 2017

Using Network Virtualization in DevOps environments Yves Fauser, 22. March 2016 (Technical Product Manager VMware NSBU)

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Contrail Networking: Evolve your cloud with Containers

Kubernetes, CNCF and Beyond

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Managing and Protecting Persistent Volumes for Kubernetes. Xing Yang, Huawei and Jay Bryant, Lenovo

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Open Service Broker API: Creating a Cross-Platform Standard Doug Davis IBM Shannon Coen Pivotal

Real-life technical decision points in using cloud & container technology:

Container Networking and Openstack. Fernando Sanchez Fawad Khaliq March, 2016

Containers Infrastructure for Advanced Management. Federico Simoncelli Associate Manager, Red Hat October 2016

Full Scalable Media Cloud Solution with Kubernetes Orchestration. Zhenyu Wang, Xin(Owen)Zhang

Kubernetes The Path to Cloud Native

OpenStack Manila An Overview of Manila Liberty & Mitaka

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

More Containers, More Problems

Package your Java Application using Docker and Kubernetes. Arun

Welcome to Manila: An OpenStack File Share Service. May 14 th, 2014

Container Deployment and Security Best Practices

An Introduction to Kubernetes

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Introduction to the Open Service Broker API. Doug Davis

Securing Microservice Interactions in Openstack and Kubernetes

Understanding and Evaluating Kubernetes. Haseeb Tariq Anubhavnidhi Archie Abhashkumar

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Project Calico v3.1. Overview. Architecture and Key Components

Setting up Kubernetes with Day 2 in Mind. Angela Chin, Senior Software Engineer, Pivotal Urvashi Reddy, Senior Software Engineer, Pivotal

Operating Within Normal Parameters: Monitoring Kubernetes

Application Centric Microservices Ken Owens, CTO Cisco Intercloud Services. Redhat Summit 2015

Transcription:

Multitenancy Deep Dive Thursday, December 7 2:00pm - 3:20pm David Oppenheimer (Google) davidopp@google.com Quinton Hoole (Huawei) quinton.hoole@huawei.com

Agenda Presentations Discussion of topics of interest Ideas for 2018 (including whether we should create a Working Group)

Presentations Quinton Hoole, Huawei Jessica Frazelle, Microsoft Harry Zhang, Hyper David Oppenheimer, Google Tim Allclair, Google

Multi-Tenancy Models Jessie Frazelle - Microsoft refer to original doc

Soft Multi-Tenancy - multiple users _within the same organization_ in the same cluster. - could have possible bad actors such as people leaving the company, etc. - Users are not thought to be actively malicious since they are within the same organization, but potential for accidents or evil leaving employees. - A large focus is to prevent accidents.

Hard Multi-Tenancy - multiple users, from various places, in the same cluster. - means that anyone on the cluster is thought to be potentially malicious and therefore should not have access to any other tenants resources.

Access to k8s API For our purposes, we only run untrusted workloads, but we have our own trusted API on top of the kubernetes API (seems like SaaS from davidopp s doc.) A different multi-tenancy models would also restrict access to the API and create roles, etc. Refer to that doc for more details.

Host OS

Container Runtime

Network

DNS

AuthN/AuthZ

Isolation of Master and System nodes.

Isolation of system services.

Restricting access to host resources.

Environment Variables

Thoughts about Hard Multi-tenancy in Kubernetes with Hypervisor based Container Runtimes Harry (Lei) Zhang @resouer

Background Hypernetes (Stackube): A multi-tenant Kubernetes distro with hypervisor based container runtime runv, now upgrading to KataContainers https://github.com/openstack/stackube Upstream Kubernetes + customized plugins The core system behind https://hyper.sh/ Passed 100% conformance e2e tests

Container Runtime: Isolation & Security KataContainers

Container Runtime: OS Multi-Tenancy BYOK (Bring Your Own Kernel): annotations: com.github.katacontainers.kernelpath: "/boot/vmlinuz-custom-myversion (This has already been implemented) Or even: annotations: com.github.katacontainers.kernelpath: "/boot/windows-nano-server-myversion (This has also been concept proved)

Container Runtime: OS Multi-Tenancy

Tenant Stackube: Q: Tenant == Namespace CRD tenant controller with RBAC Keystone Do we need nested namespace? (One Tenant with multiple namespaces?) Tenant == Namespace, or Tenant 1:N Namespace

Network Stackube: Q: One Network per Tenant CRD network controller Neutron CNI plugin L2 network isolation Pods of same Tenant belong to same subnet Do we really need Network API object? Or Network Policy should be the plan?. And what about multiple networks? Is L2 isolation specially preferred for hard multi-tenancy? Do we need to isolate Nodes and Pods by different subnets?

DNS Stackube: Q: Per kube-dns per namespace (tenant) Discussion: https://github.com/kubernetes/dns/issues/132 Other approach: Sidecar, we use this in old version of Hypernetes Enforce by CoreDNS (+RBAC)

Summary KataContainers can play an important role in hard-multitenant Kubernetes Thanks to CRI While other aspects like Tenant, Network, DNS etc still need to be clearly defined or updated to build the whole stack up. Then what is the Kubernetes/Cloud Native way to solve them?

Multitenancy taxonomies David Oppenheimer, Google December 7, 2017

Control plane vs. node multitenancy All policies are specified through the control plane. Distinction is whether policy controls sharing of control plane or nodes. Control plane multitenancy RBAC EventRateLimit admission controller Many for node multitenancy ResourceQuota / LimitRange / request / limit / priority node affinity, pod affinity, taints/tolerations PodSecurityPolicy NetworkPolicy

How control plane and node are used trusted control plane untrusted code trusted untrusted small company running software they wrote and/or thoroughly vetted SaaS provider running untrusted code (CI/CD-as-a-service, open-source-as-a-service, etc.) enterprise running software they wrote and/or thoroughly vetted PaaS/CaaS (particularly KaaS)

Other axes What do users see? objects (or subset) in user s namespace(s) or all namespace(s)? nodes? metadata about other tenants (namespace collision, service names in DNS, etc.)? Node-level isolation mechanism containers + PodSecurityPolicy, seccomp, AppArmor, SELinux,... container + hypervisor (nested virtualization) dedicated nodes (taints/tolerations or anti-affinity)

Secure Containers Tim Allclair, Google

Secure Containers Stronger Isolation Sandboxing untrusted code VM strength isolation

Work in Progress It's time to agree on CRI-O with Clear Containers Frakti with runv (soon!) Kata Containers Cloud providers exploring CaaS the abstractions, before we diverge too much.

Open Questions We're kicking off the discussions now.

What are the properties of a sandbox? Must it employ full virtualization technology? Or could a sandbox be a very restrictive seccomp profile? What does sandboxing imply about networking? What does sandboxing imply about auth[nz]? What features is it OK to break with a sandbox? E.g. cross-container IPC? host namespaces? etc.

Where is the sandbox boundary? Pods? Easier resource sharing & communication between containers. Containers? Finer grained control allows for models like trusted sidecars Better for a serverless (nodeless) model Much simpler networking Or should we consider something else? Namespaces? Sandbox resource? A combination of pods + containers?

Explicit, without choice of backend? Sandbox *bool API Design How do we surface sandboxes to the user? Explicit, with choice of backend? Sandbox string Implicit, derived from security attributes? See: Entitlements

Implementation details Sandboxed & unsandboxed containers should live side-by-side. Should sandboxing be enforced by the runtime (CRI), or the Kubelet? Does the kubelet decide which CRI server to talk to, or just pass the sandbox bit on the CreateContainer request?

Stay tuned! Look for a design proposal soon... Expect more discussions in sig-node meetings Thoughts? Questions? Get in touch! tallclair@google.com @tallclair (github, slack, twitter)

Possible group discussion topics (1) How are you (and/or your customers) using the existing Kubernetes multitenancy features? What problems/use cases are you solving? What would you (and/or your customers) like to do, but can t (or are rolling your own, and would like it supported in upstream)? What problems/use cases/pain points would this address? (Consider both control plane and node support for multitenancy)

Possible group discussion topics (2) Hierararchy vs. labels vs. good enough how it is policies that span namespaces and/or apply within a namespace? Need better hiding of tenants from one another? Issues with tenants DoSing each other via the control plane? Uses cases and missing features for hard multitenancy need more isolation in the control plane? need secure containers?

2018 planning Should we create a multitenancy Working Group? Specific multitenancy features you want and/or are interested in working on? Note: a mailing list has been set up -- please join it! https://groups.google.com/forum/#!forum/kubernetes-wg-multitenancy

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback