networking & security for mesos -...

@projectcalico Project Calico is sponsored by

Sponsored by

Networking & Security for MesosAN IP FOR EVERY CONTAINER… AND MORE!

Christopher Liljenstolpe February 24, 2016

The #1 Challenge for Cloud?

Recent data breaches due to hacking or poor securityhttp://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cloud-native app

architectures are driving100-1000x growth in workloadsin an era of heightened

security threats

Enterprise security is still in the middle ages

Medieval security architecture

“Oh, hey! I just love these things! … Crunchy on the outside and a chewy center!”

Fast forward to the present

Increased complexity

Resource Fungibility

Tear down the walls?

The opportunity?

The Dynamic, Distributed Firewall

NetworkFabric

eth0eth0

192.168.1.2Ro

192.168.1.3

192.168.1.4

192.168.1.7

192.168.1.6

192.168.1.5

10.0.0.1 10.0.0.2

WorkloadB2001:db8::2

WorkloadA2001:db8::1

The Dynamic, Distributed Firewall: Worked Example

WorkloadC2001:db8::3

1. to 2001:db8::2 port 80 allow2. to 2001:db8::3 port 80 allow3. from <qaRobots> port 443 allow4. default deny

A: loadBal; QAB: webAppC: webApploadBal: allow 80 to webAppwebApp: allow 80 fm loadBal

QA: allow 443 fm <qaRobots>

Pub: allow 443 fm any

1. from 2001:db8::1 port 80 allow2. default deny

Mesos / HAProxy introduce another problem…

Host [10.0.0.1]

Application[172.17.0.2]

A service[172.17.0.3]

… another[172.17.0.4]

IP:10.0.0.1:80IP:10.0.0.1:80IP:10.0.0.1:8080

The Solution…

Mesos AgentMesos Agent

Project Calico & Mesos – Logical Architecture

Mesos Agent

Host Kernel

Workload (container

or VM)

Workload (container

or VM)

Workload (container

or VM)…

Efficient Packet Forwarding(IP per workload, direct integration with cloud fabric)

Policy Enforcement

Security Policy

Routes &Addresses

Mesos Master

Net-modules Work Flow – Actual Architecture

Update task state

Plug-‐in (Calico)AgentMasterFramework

Networkvirtualizer

Get IP

Isolatormodule

Isolate (IP, policy)

Cleanupmodule

Launch task (NetworkInfo)

Task update (NetworkInfo)

Mesos module

Network plug-‐in

§ Mesos cluster with 2 agents§ Launching 4 probe tasks

§ Each probe listens to port 9000§ Each probe tries to reach all other probes

§ We want all 4 to launch successfully (no port conflicts)

§ We want to isolate them into two groups of 2 probes

Demonstration of basic network isolation

Demonstration (video)

§ Net-modules supported with Mesos containerizersince Mesos 0.26§ IP per container§ IP Address Management (IPAM)§ DNS-based service discovery (Mesos-DNS)§ Network isolation

§ Try it out – https://github.com/mesosphere/net-modules§ Includes step-by-step instructions to repeat the demo

Where are we at today?

§ Other frameworks (only Marathon supported today)§ Community work ongoing to integrate Spark, Chronos, ...

§ Docker daemon support via same net-modules mechanism§ Docker daemon includes a different networking model, via

the libnetwork API, but it is not well integrated with Mesos

§ Tighter integration of fine-grained policy control§ Today, fine-grained policy is ”side loaded” via calicoctl

§ One-step install via DCOS§ Support for Container Network Interface (CNI)

model (as used by Kubernetes)

Restrictions / Wish List

Summary

networking & security for mesos -...

Documents

mesos and yarn

mesos sys adminday

apache flink meets apache mesos and dc/os @ mesos meetup...

kubernetes apache mesos...kubernetes, and mesos all have...

terraform + mesos

cs 744: mesos

spark / mesos cluster optimization

meetup mesos : mesos, chronos and marathon in ci/cd factory

docker on mesos

vag-com installation-v1-02b.pdf

a whirlwind tour of apache mesos - yow! conferences ·...

growing the mesos ecosystem

mesos introduction

podila mesos con-northamerica_sep2017

2/026578-02b.pdf · created date: 10/13/2005 3:00:12 pm

introduction to mesos bay

mesos tech report

mesos ♥ docker

datacenter( management(with(...

apache mesos