Cilium: Seattle Kubernetes MeetUp Dec 2017
Transcript of Cilium: Seattle Kubernetes MeetUp Dec 2017
![Page 1: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/1.jpg)
Application-Aware Security for Microservices via BPF
Cynthia Thomas, Technology Evangelist, @_techcet_
Seattle Kubernetes MeetUp, December 12th, 2017
Open Source Cloud Native Security
![Page 2: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/2.jpg)
Evolution of Application Design & Delivery Frequency

| Application Architectures | Delivery Frequency | Operational Complexity |
|---|---|---|
| Single Server App | Yearly | Low |
![Page 3: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/3.jpg)
Evolution of Application Design & Delivery Frequency

| Application Architectures | Delivery Frequency | Operational Complexity |
|---|---|---|
| Single Server App | Yearly | Low |
| 3-Tier App | Monthly | Moderate |
![Page 4: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/4.jpg)
Evolution of Application Design & Delivery Frequency

| Application Architectures | Delivery Frequency | Operational Complexity |
|---|---|---|
| Single Server App | Yearly | Low |
| 3-Tier App | Monthly | Moderate |
| Distributed Microservices | 10-100 x’s / day | Extreme |
![Page 5: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/5.jpg)
Network Security has barely evolved
The world still runs on iptables matching IPs and ports:

```shell
$ iptables -A INPUT -p tcp \
    -s 15.15.15.3 --dport 80 \
    -m conntrack --ctstate NEW \
    -j ACCEPT
```
![Page 6: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/6.jpg)
Your HTTP ports be like …
![Page 7: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/7.jpg)
Network Security for Microservices
Gordon the intern has a brilliant idea…
![Page 8: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/8.jpg)
Gordon wants to build a service to tweet out all job offerings.
We’re Hiring!
Tweet Service
![Page 9: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/9.jpg)
Jobs API Service
API:
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
Tweet Service → GET /jobs/{id}
The Jobs API service has all the data Gordon needs.
![Page 10: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/10.jpg)
Jobs API Service
API:
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
Tweet Service → GET /jobs/331 (matches GET /jobs/{id})
Gordon uses the GET /jobs/ API call
![Page 11: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/11.jpg)
Jobs API Service (TLS)
API:
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
Tweet Service → (mutual TLS) GET /jobs/331 (matches GET /jobs/{id})
Gordon uses mutual TLS Auth. Good thinking Gordon.
Developer etiquette. Super simple stuff.
![Page 12: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/12.jpg)
The security team has L3/L4 network security in place for all services
L3/L4: iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT
Jobs API Service (TLS)
API:
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
Tweet Service → GET /jobs/331 (matches GET /jobs/{id})
![Page 13: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/13.jpg)
Gordon could POST /jobs or GET /applicants (mistakenly or haphazardly).
Tweet Service: “POTUS job available!”
![Page 14: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/14.jpg)
Large parts of the API are still exposed unnecessarily
L3/L4: iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT
Jobs API Service (TLS)
API:
GET /healthz (exposed)
GET /jobs/{id}
GET /applicants/{job-id} (exposed)
POST /jobs (exposed)
Tweet Service → GET /jobs/331 (matches GET /jobs/{id})
![Page 15: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/15.jpg)
Not exactly least privilege security
![Page 16: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/16.jpg)
Back to the drawing board…
Jobs API Service (TLS)
API:
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
Tweet Service → GET /jobs/331 (matches GET /jobs/{id})
![Page 17: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/17.jpg)
Least privilege security for microservices
L3/L4 + L7 policy: FROM “TurtleTweets” ALLOW “GET /jobs/”
Jobs API Service (TLS)
API:
GET /healthz
GET /jobs/{id}
GET /applicants/{job-id}
POST /jobs
Tweet Service → GET /jobs/331 (matches GET /jobs/{id})
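The two enforcement points in Gordon's story, written as CiliumNetworkPolicy resources. This is an added example, not from the slides or the Cilium project; it assumes the cilium.io/v2 CiliumNetworkPolicy schema, and the labels app=jobs-api and app=turtle-tweets are hypothetical names for the two services.

```yaml
# Added example (not from the slides). The labels app=jobs-api and
# app=turtle-tweets are hypothetical names for the two services.
#
# --- Policy A: what the security team's L3/L4 rule expresses ---
# Label-based equivalent of "iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT".
# Everything the tweet service sends to TCP/80 is accepted, so GET /healthz,
# GET /applicants/{job-id} and POST /jobs stay exposed to it.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: jobs-api-l4-only
spec:
  endpointSelector:
    matchLabels:
      app: jobs-api          # pods the policy applies to
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: turtle-tweets   # L3: only the tweet service may connect ...
    toPorts:
    - ports:
      - port: "80"           # L4: ... and only to TCP/80
        protocol: TCP
---
# --- Policy B: least privilege, FROM "TurtleTweets" ALLOW "GET /jobs/" ---
# Same L3/L4 match plus an L7 rule. Matching flows are redirected through
# Cilium's HTTP proxy, which rejects every request that is not a
# GET /jobs/<id> (for example POST /jobs) with HTTP 403.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: jobs-api-l7-least-privilege
spec:
  endpointSelector:
    matchLabels:
      app: jobs-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: turtle-tweets
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/jobs/[0-9]+"   # full-match regex: GET /jobs/331 matches, GET /jobs does not
```

Only one of the two should be applied. Cilium policy is additive (a packet is allowed if any rule allows it), so leaving Policy A in place next to Policy B would re-open the whole API on port 80; the L3/L4 part of Policy B is still enforced in BPF, and only the HTTP matching runs in the proxy.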
![Page 18: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/18.jpg)
We demand a demo
![Page 19: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/19.jpg)
BPF - The Superpowers inside Linux
![Page 20: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/20.jpg)
![Page 21: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/21.jpg)
Kubernetes Integration
![Page 22: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/22.jpg)
Kubernetes Integration (slides 22 to 26 build up this table)

| Kubernetes resource | Type | Cilium support |
|---|---|---|
| NetworkPolicy | Standard resource | L3, L4 policy (ingress only in k8s 1.7) |
| CiliumNetworkPolicy | Custom Resource Definition (CRD) | L3 (Labels/CIDR), L4, L7 (ingress & egress) |
| Services | Standard resource | ClusterIP, NodePort, LoadBalancer |
| Pods | Standard resource | Pod labels to specify policy on |
| Nodes | Standard resource | Node IP to Node CIDR mapping |
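What the standard NetworkPolicy row of the table can express, as an added example that is not from the slides or from the Kubernetes or Cilium projects: an ingress rule keyed on pod labels and a port, which Cilium enforces in BPF. The label values are hypothetical.

```yaml
# Added example (not from the slides). Label values are hypothetical.
# The standard resource covers L3 (pod labels) and L4 (port) only; there is
# no field for HTTP methods or paths, and Kubernetes 1.7, current at the
# time of this talk, had no egress rules in NetworkPolicy at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jobs-api-allow-tweets
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: jobs-api            # pods the policy applies to
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: turtle-tweets   # L3: source identity via pod labels, not IPs
    ports:
    - protocol: TCP
      port: 80                 # L4: destination port
```

Once a pod is selected by any NetworkPolicy, all ingress not explicitly allowed is dropped, so this single rule also acts as the default deny for the jobs-api pods; anything finer than "port 80 from the tweet service" needs the CiliumNetworkPolicy row.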
![Page 27: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/27.jpg)
Should I encapsulate or not?
Mode I: Overlay
Node 1, Node 2, Node 3
![Page 28: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/28.jpg)
Should I encapsulate or not?
Mode I: Overlay (Node 1, Node 2, Node 3)
Kubernetes Node resources table:

| Name | Node IP | Node CIDR |
|---|---|---|
| Node 1 | 192.168.10.1 | 10.0.1.0/24 |
| Node 2 | 192.168.10.8 | 10.0.2.0/24 |
| Node 3 | 192.168.10.9 | 10.0.3.0/24 |

Installation
Run the kube-controller-manager with the --allocate-node-cidrs option
![Page 29: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/29.jpg)
Should I encapsulate or not?
Mode I: Overlay (Node 1, Node 2, Node 3)
Use case:
• Simple
• “Just works” on Kubernetes
Mode II: Native Routing (Node 1, Node 2, Node 3 attached to an L3 Network)
Use case:
• Run your own routing daemon
• Use the cloud provider’s router
![Page 30: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/30.jpg)
L3 Policy (Labels Based)
Metadata
Pods the policy applies to… (To Pod)
Allow from pods (From Pod)
![Page 31: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/31.jpg)
L3 Policy (CIDR)
Metadata
Pods the policy applies to… (From Pod)
Allow to IP 8.8.8.8/32 (To CIDR)
![Page 32: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/32.jpg)
L4 Policy
Metadata
Policy applies to pods … (Pod)
Allow incoming on port 80 (To Port)
![Page 33: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/33.jpg)
L7 Policy – Only allow “GET /v1/”
Allowed API Calls:
Rule 1: Allow “GET /v1/”
Rule 2: Allow PUT if header is set
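One CiliumNetworkPolicy that carries all four building blocks of slides 30 to 33 (L3 by labels, L3 by CIDR, L4 port, L7 HTTP rules) for a single set of pods. This is an added example, not from the slides or the Cilium project; it assumes the cilium.io/v2 schema, and the labels (app=frontend, app=backend, app=monitoring), the header name X-Admin and its value are hypothetical.

```yaml
# Added example (not from the slides). All label values and the
# X-Admin header are hypothetical.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:                        # the "Metadata" box on the slides
  name: frontend-policy
  namespace: default
spec:
  endpointSelector:              # "Pods the policy applies to..."
    matchLabels:
      app: frontend
  ingress:
  # Slide 30, L3 (labels based): allow from pods labelled app=monitoring.
  # No toPorts block, so every port is reachable from those pods.
  - fromEndpoints:
    - matchLabels:
        app: monitoring
  # Slide 32, L4: allow incoming on TCP/80 from app=backend ...
  - fromEndpoints:
    - matchLabels:
        app: backend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # Slide 33, L7: ... but only these two request shapes.
      rules:
        http:
        - method: "GET"          # Rule 1: allow "GET /v1/..."
          path: "/v1/.*"         # full-match regex on the request path
        - method: "PUT"          # Rule 2: allow PUT only if the header is set
          headers:
          - "X-Admin: true"      # "Name: value" form; other PUTs get HTTP 403
  # Slide 31, L3 (CIDR): allow egress to IP 8.8.8.8/32.
  egress:
  - toCIDR:
    - 8.8.8.8/32
```

The egress rule deserves care: as soon as any egress rule selects the frontend pods, every other outbound flow from them is dropped, including DNS lookups to the cluster resolver, so a deployable version needs an additional egress rule toward kube-dns next to the CIDR entry. Adding a toPorts block (for example UDP/53) under the toCIDR rule would narrow the 8.8.8.8 allowance to a single port.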
![Page 34: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/34.jpg)
How are these policies enforced?
![Page 35: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/35.jpg)
How are these policies enforced?
• L3 & L4: BPF in the kernel
![Page 36: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/36.jpg)
How are these policies enforced?
• L3 & L4: BPF in the kernel
• L7: Sidecar proxy or KProxy / BPF
![Page 37: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/37.jpg)
What is a sidecar proxy?
Node 1: Service → HTTP Request → Service: Node 2
![Page 38: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/38.jpg)
What is a sidecar proxy?
Node 1: Service + Sidecar Proxy
Node 2: Service + Sidecar Proxy
![Page 40: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/40.jpg)
What is a sidecar proxy?
Node 1: Service → Sidecar Proxy → HTTP Request → Sidecar Proxy → Service: Node 2
![Page 41: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/41.jpg)
What is a sidecar proxy?
Node 1: Service → Sidecar Proxy → HTTP Request → Sidecar Proxy → Service: Node 2
Provides L7 functionality
• Routing / Load balancing
• Retries
• Circuit breaking
• Metrics
More info? Google is your friend: “sidecar” / “service mesh”
![Page 42: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/42.jpg)
Networking Path with a Sidecar
Node 1 (Operating System): Service → Socket → TCP/IP → TCP/IP → Socket → Sidecar Proxy → Socket → TCP/IP → Network
Node 2 (Operating System): Network → TCP/IP → Socket → Sidecar Proxy → Socket → TCP/IP → TCP/IP → Socket → Service
• 3x Socket memory requirement
• 3x TCP/IP stack traversals
• 3x Context switches
• Complexity
![Page 43: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/43.jpg)
Can we turn the sidecar into a racecar?
![Page 44: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/44.jpg)
Kernel Proxy
Node 1 (Operating System): Task → Socket → KProxy with BPF (kTLS, Sidecar Proxy) → TCP/IP → Network
Node 2 (Operating System): Network → TCP/IP → KProxy with BPF (kTLS, Sidecar Proxy) → Socket → Task
![Page 45: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/45.jpg)
Socket Redirect
Task → Socket → TCP/IP → Loopback → TCP/IP → Socket → Task
![Page 47: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/47.jpg)
Socket Redirect – Performance?
More info: https://www.cilium.io/blog/istio
![Page 48: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/48.jpg)
The Before and After (before: sidecar proxy)
Node 1 (Operating System): Service → Socket → TCP/IP → TCP/IP → Socket → Sidecar Proxy → Socket → TCP/IP → Network
Node 2 (Operating System): Network → TCP/IP → Socket → Sidecar Proxy → Socket → TCP/IP → TCP/IP → Socket → Service
![Page 49: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/49.jpg)
The Before and After (after: KProxy)
Node 1 (Operating System): Service → Socket → TCP/IP → KProxy → Network
Node 2 (Operating System): Network → KProxy → TCP/IP → Socket → Service
![Page 50: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/50.jpg)
Cilium Summary
• Kubernetes, Mesos, Docker
• CNI / libnetwork
• Networking: Overlay or Native Routing
• Network Security (ingress/egress)
• L3 (Identity or CIDR), L4
• L7: HTTP (0.11), Kafka (0.12), gRPC (0.12)
• Load Balancing (XDP / BPF)
• Dependencies: kvstore (etcd / consul)
![Page 51: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/51.jpg)
Application-Aware Security for Microservices via BPF
![Page 52: Cilium: Seattle Kubernetes MeetUp Dec 2017](https://reader033.fdocuments.us/reader033/viewer/2022051521/5a6cf3927f8b9ade418b47f1/html5/thumbnails/52.jpg)
Thank You! Questions?
@ciliumproject, Star Us on GitHub! http://github.com/cilium/cilium
Tutorial / Getting Started: http://cilium.io/try