Slide 1

Slide 1 text

© 2017 Tigera, Inc. | Proprietary and Confidential
OpenShift Commons Briefing
Simplifying and Securing Your OpenShift Network with Project Calico
Andy Randall, CEO
March 2, 2017

Slide 2

Slide 2 text

First, a (not unreasonable) question...
Isn't virtual networking a solved problem? Can we just get on with developing and deploying apps now?

Slide 3

Slide 3 text

Challenges of Cloud-Native: Scale & Churn
■ <0.1x median lifespan
■ >10x workloads per host
■ 100+x churn per host
(Diagram: first-generation, centralized SDN controller; traditional security appliance)

Slide 4

Slide 4 text

Challenges of Cloud-Native: Dynamic Security
■ Dynamic IP address assignment; fungible server resources; subnets / VLANs no longer meaningful for security rules
■ Orchestrator makes highly dynamic scheduling decisions; workload meta-data already captured in orchestrator; opportunity to automate security and get rid of "firewall cruft"
■ Micro-services architecture increases network-based attack surface; attackers already exploit internal vulnerabilities; perimeter security insufficient, need to secure intra-cluster traffic

Slide 5

Slide 5 text

What's Required?
■ SIMPLIFY the network, by removing unnecessary layers of complexity
■ SECURE workloads with fine-grained policy rules, leveraging the orchestrator
■ … implemented in a scale-out, distributed architecture

Slide 6

Slide 6 text

Enter Project Calico
■ Thousands of clusters deployed globally by users such as... (logos)
■ Active open source community with 100+ contributors

Slide 7

Slide 7 text

1. Simplify the Network
☑ Flat IP network (pods are endpoints too)
☑ No overlay by default ⇒ zero packet overhead
☑ Routed model: one hop to the kernel, another hop to the destination (remote kernel or local pod)
☑ Leverages Linux's built-in, efficient network stack
☑ Maximum performance, simplest to troubleshoot

Slide 8

Slide 8 text

Calico Architecture: Routing
(Diagram: physical fabric (L2 or L3) or public cloud SDN (e.g. Amazon VPC / subnet); compute nodes each running a Cloud OS / orchestration system, a Calico plugin and calico-node, with routes programmed into the kernel and pods attached via eth0. Control plane: etcd / Raft + BGP. Data plane: IP.)

Slide 9

Slide 9 text

Calico Architecture: Policy Enforcement
(Diagram: same as the routing slide, with ACLs programmed into each compute node's kernel alongside the routes. Control plane: etcd / Raft + BGP. Data plane: IP.)

Slide 10

Slide 10 text

2. Network Policies
"My IT guys installed a firewall at the edge of my data center. Why do I want network policies as well?"

Slide 11

Slide 11 text


Slide 12

Slide 12 text


Slide 13

Slide 13 text


Slide 14

Slide 14 text

Anatomy of a Calico Network Policy

```yaml
apiVersion: v1
kind: policy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  ingress:
  - action: allow
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: allow
```

Callouts:
■ apiVersion: API version
■ metadata.name: name of this policy
■ spec.selector: which pods does it apply to?
■ ingress: who can talk to those pods (with which protocols?)
■ egress: to whom can those pods talk (with which protocols?)

Applied with: $ calicoctl apply -f mypolicy.yaml

Yes, this looks a lot like a Kubernetes Network Policy… Calico can enforce k8s policy or this extended model.

Slide 15

Slide 15 text

Calico Architecture: Policy Enforcement Revisited
(Diagram: compute nodes each running a Cloud OS / orchestration system, a Calico plugin and calico-node, with routes and ACLs programmed into the kernel and pods attached via eth0.)
■ Policy rendering to ACLs is distributed to Calico agents
■ Each node efficiently calculates what it needs & programs iptables
■ At scale, <10ms to first ping
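The two slides above describe the policy model and how it is rendered: every node evaluates the cluster-wide policy set, but only for the endpoints it hosts, and turns the selectors those rules reference into IP sets for its own kernel. The following Python is an added example that models that behaviour; it is not Felix's code or any Calico project code. The pod names, IPs, labels and the two-node cluster are constructed for illustration, the selector parser covers only the syntax used on the slide (`key == 'v'`, `key != 'v'`, `all()`, `&&`), and the model assumes the Calico v1 semantics that once any policy selects an endpoint, traffic not matched by a rule is dropped in both directions (which is why the slide's policy spells out an explicit egress allow).

```python
"""Model of Calico's distributed policy rendering (added example, not Felix's
code). Each node evaluates the cluster-wide policy set only for the workload
endpoints it hosts, resolves the selectors those rules reference into IP
sets, and emits filter rules for its own kernel. All cluster data below is
constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

Labels = Dict[str, str]
Pods = Dict[str, Tuple[str, Labels]]   # pod name -> (ip, labels)

# The policy from the "Anatomy of a Calico Network Policy" slide, written as a
# dict in the calicoctl v1 YAML shape so the example needs no YAML library.
ALLOW_TCP_6379 = {
    "apiVersion": "v1",
    "kind": "policy",
    "metadata": {"name": "allow-tcp-6379"},
    "spec": {
        "selector": "role == 'database'",
        "ingress": [{"action": "allow", "protocol": "tcp",
                     "source": {"selector": "role == 'frontend'"},
                     "destination": {"ports": [6379]}}],
        "egress": [{"action": "allow"}],
    },
}

# Constructed two-node cluster with hypothetical pod addresses.
CLUSTER: Dict[str, Pods] = {
    "node-a": {"web-1": ("10.1.0.2", {"role": "frontend"}),
               "web-2": ("10.1.0.3", {"role": "frontend"})},
    "node-b": {"redis-0": ("10.1.1.2", {"role": "database"}),
               "batch-1": ("10.1.1.3", {"role": "batch"})},
}

_CLAUSE = re.compile(r"^\s*([\w./-]+)\s*(==|!=)\s*'([^']*)'\s*$")


def selector_matches(selector: str, labels: Labels) -> bool:
    """Evaluate the subset of Calico selector syntax the slide uses:
    key == 'v', key != 'v', all(), and clauses joined with &&."""
    if selector.strip() == "all()":
        return True
    for clause in selector.split("&&"):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported selector clause: {clause!r}")
        key, op, value = m.groups()
        if (labels.get(key) == value) != (op == "=="):
            return False
    return True


def resolve_ips(selector: str, cluster: Dict[str, Pods]) -> List[str]:
    """Cluster-wide IP set for a selector. The peers a rule refers to may
    live on any node, so this lookup spans the whole cluster (the part a
    node would program as an ipset)."""
    return sorted(ip for pods in cluster.values()
                  for ip, labels in pods.values()
                  if selector_matches(selector, labels))


def render_node_rules(node: str, cluster: Dict[str, Pods],
                      policies: List[dict]) -> List[dict]:
    """Rules this node's kernel needs: only for endpoints hosted here.
    Each rule: pod, dir, action, proto, peers (IPs or 0.0.0.0/0), ports."""
    rules: List[dict] = []
    for pod, (_ip, labels) in cluster[node].items():
        applied = [p for p in policies
                   if selector_matches(p["spec"]["selector"], labels)]
        if not applied:
            continue   # nothing selects this endpoint: nothing to render
        for direction, peer_key in (("ingress", "source"),
                                    ("egress", "destination")):
            for p in applied:
                for r in p["spec"].get(direction, []):
                    peer_sel: Optional[str] = r.get(peer_key, {}).get("selector")
                    # No peer selector means any address, not just cluster pods.
                    peers = resolve_ips(peer_sel, cluster) if peer_sel else ["0.0.0.0/0"]
                    rules.append({
                        "pod": pod, "dir": direction, "action": r["action"],
                        "proto": r.get("protocol", "any"), "peers": peers,
                        "ports": r.get("destination", {}).get("ports", []),
                    })
            # Assumed v1 semantics: once any policy selects an endpoint,
            # unmatched traffic in this direction is dropped.
            rules.append({"pod": pod, "dir": direction, "action": "deny",
                          "proto": "any", "peers": [], "ports": []})
    return rules


if __name__ == "__main__":
    for node in CLUSTER:
        print(f"== {node} ==")
        for rule in render_node_rules(node, CLUSTER, [ALLOW_TCP_6379]):
            print("  ", rule)
```

Running it shows the point of the slide: node-a hosts no `role == 'database'` pods, so it renders nothing for this policy, while node-b renders an ingress allow for redis-0 whose peer set is the two frontend IPs that live on the other node, followed by the default deny.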

Slide 16

Slide 16 text

Architectural Comparison: OVS-based (e.g. OpenShift SDN) vs. Project Calico

■ Addressing
  OVS-based: One subnet per host
  Calico: Dynamic allocation of IP address ranges to a host as additional containers are scheduled (reduces wasted addresses without imposing an upper limit on # containers)
■ Pod attachment
  OVS-based: Pods connected to OVS bridge (br0)
  Calico: Pods connected into the Linux kernel routing engine (no bridge, single routed hop, same path intra/inter node)
■ Reaching remote pods
  OVS-based: Access to pods on remote nodes via VXLAN tunnel (tun0)
  Calico: Tunnel possible but not required; pods have real IPs on the underlying network; no double-encapsulation when running on an underlying SDN (e.g. public cloud or OpenStack)
■ Connectivity outside the cluster
  OVS-based: Via NAT
  Calico: NAT not required by default to the outside world, since pods have real IPs
■ Network isolation
  OVS-based: Enforced in OVS via tenant separation (separate ovs-multitenant plug-in) or Kubernetes network policy with ovs-subnet
  Calico: Enforced (including multi-tenant) via ingress + egress policy rules encoded into iptables rules in the Linux kernel
■ Control vs. data path
  OVS-based: OVS in control and data path
  Calico: Calico in control path only (data path = traditional Linux kernel L3 forwarding & filtering)

Slide 17

Slide 17 text

Considerations for other SDN solutions: (some) other networking solutions vs. Project Calico

■ Policy calculation
  Others: Centralized controller calculates rules for each node
  Calico: All policy calculation / rendering distributed to each node
■ Service routing
  Others: Must replace internal service routing, not compatible with kube-proxy
  Calico: Fully compatible with standard kube-proxy
■ External load balancing
  Others: Must use own external load balancing, not compatible with OpenShift Router
  Calico: Fully compatible with OpenShift Router and any other regular IP networking mechanisms (it's just IP)

Slide 18

Slide 18 text

Can I just get the policies?
"I like how Calico does policies, but I still want to use a VXLAN overlay. You probably can't do that, right?"

Slide 19

Slide 19 text

Combining Calico with Flannel Networking
A collaboration between Tigera and CoreOS to apply Calico policy to flannel overlay networks.
More: http://github.com/projectcalico/canal

Slide 20

Slide 20 text

Calico & OpenShift
So how does this all tie together with OpenShift?

Slide 21

Slide 21 text

Calico on OpenShift
(Diagram: OpenShift nodes)

Slide 22

Slide 22 text

Calico on OpenShift
(Diagram: each node runs the CNI plugin)
● Calico-CNI
● Calico-IPAM

Slide 23

Slide 23 text

Calico on OpenShift
(Diagram: each node runs the CNI plugin plus calico/node)
calico/node:
● Felix (local routing & policy calculation)
● Bird (BGP)

Slide 24

Slide 24 text

Calico on OpenShift
(Diagram: each node runs the CNI plugin plus calico/node; the Calico Policy Controller runs once per cluster)
● Calico Policy Controller

Slide 25

Slide 25 text

Calico-OpenShift Integration

Lots of recipes for Calico + Kubernetes
■ E.g. AWS Quick Start, Stack Point Cloud, kops, ...
Users have deployed with OpenShift
■ "Roll-your-own" installation until recently
Tigera / Red Hat collaborating on supported integration and certification for OpenShift
■ Integration was working, but broken by OCP 3.4. Addressing a few minor remaining issues.
■ "Watch this space": sign up to the Project Calico Slack (http://slack.projectcalico.org), join the #openshift channel, and let us know you're interested!

Slide 26

Slide 26 text

github.com/projectcalico
@andrew_randall | @projectcalico
slack.projectcalico.org → #openshift
Andy Randall [email protected]