Securing micro-services, with Kubernetes, Mesos and Calico

@projectcalico Project Calico is sponsored by Sponsored by Securing micro-services
with Kubernetes, Mesos and Calico Ed Harrison @eepyaich 24th September 2015

@projectcalico Project Calico is sponsored by Remember 3-tier architectures?

@projectcalico Project Calico is sponsored by Getting Medieval

@projectcalico Project Calico is sponsored by Fast forward to the
present

@projectcalico Project Calico is sponsored by Increased complexity

@projectcalico Project Calico is sponsored by Resource Fungibility

@projectcalico Project Calico is sponsored by Tear down the walls?

@projectcalico Project Calico is sponsored by The opportunity?

@projectcalico Project Calico is sponsored by The Distributed Firewall Network
Fabric eth0 eth0 eth0 192.168.1.2 Routing Routing eth0 192.168.1.3 eth0 192.168.1.4 eth0 192.168.1.7 eth0 192.168.1.6 eth0 192.168.1.5 10.0.0.1 10.0.0.2

@projectcalico Project Calico is sponsored by Project Calico architecture eth0
192.168.1.2 eth0 192.168.1.4 eth0 192.168.1.7 Felix Routes iptables Route Reflector Kernel BGP Client

@projectcalico Project Calico is sponsored by Firewall Rules { "id":
"WEB", "inbound_rules": [ {"action": "allow", "protocol": "tcp", "dst_ports": [80, 443]}, {"action": "allow", "protocol": "icmp"}, {"action": "deny"} ], "outbound_rules": [ {"action": "allow", "protocol": "tcp", "dst_tag": "syslog", "dst_ports": [514]}, {"action": "deny"} ] }

@projectcalico Project Calico is sponsored by Network Intent

@projectcalico Project Calico is sponsored by Where are we now?
... metadata: annotations: projectcalico.org/policy: "allow tcp from label role=backend" ... { "id": "probe-c", "uris": ["file:///star/star-probe"], "cmd": "./star-probe", "cpus": 0.1, "mem": 64.0, "ports": [], "labels": { "network_isolator.netgroups": "star-2" } }, • Calico network plugin • “Policy only” mode • Namespace isolation • Early demo of network plugin • Calico IPAM • Network isolation via netgroups

@projectcalico Project Calico is sponsored by Where is this heading?

@projectcalico Project Calico is sponsored by  Demos and info
on our blog www.projectcalico.org/blog  Github  https://github.com/projectcalico  /calico  /calico-kubernetes  https://github.com/mesosphere/net- modules  Download & try it out  We welcome your feedback and contributions  Follow us @projectcalico  Follow me @eepyaich More information

Securing micro-services, with Kubernetes, Mesos and Calico

Securing micro-services, with Kubernetes, Mesos and Calico

Ed Harrison

More Decks by Ed Harrison

Other Decks in Technology

Featured

Transcript

@projectcalico Project Calico is sponsored by Sponsored by Securing micro-services

@projectcalico Project Calico is sponsored by Remember 3-tier architectures?

@projectcalico Project Calico is sponsored by Getting Medieval

@projectcalico Project Calico is sponsored by Fast forward to the

@projectcalico Project Calico is sponsored by Increased complexity

@projectcalico Project Calico is sponsored by Resource Fungibility

@projectcalico Project Calico is sponsored by Tear down the walls?

@projectcalico Project Calico is sponsored by The opportunity?

@projectcalico Project Calico is sponsored by The opportunity?

@projectcalico Project Calico is sponsored by The Distributed Firewall Network

@projectcalico Project Calico is sponsored by Project Calico architecture eth0

@projectcalico Project Calico is sponsored by Firewall Rules { "id":

@projectcalico Project Calico is sponsored by Network Intent

@projectcalico Project Calico is sponsored by Where are we now?

@projectcalico Project Calico is sponsored by Where is this heading?

@projectcalico Project Calico is sponsored by  Demos and info