Securing Microservices in CloudFoundry
Brenden Blanco and Deepa Kalani, Architects, CTO Office - PLUMgrid
Need for Micro Segmentation
§ Movement towards cloud native applications.
§ The elastic nature of applications requires a more agile way of configuring policies.
§ Operators would like an intuitive way of defining policies, based on application roles and not IP addresses.
§ Relying on traditional firewall rules quickly becomes unmanageable as applications move around.
§ Move towards a whitelist model of policy definition, where one defines the acceptable information flows and everything else is blocked.
IPTables to define Endpoint Policy - State Explosion
[Figure: IPTable rules, one per allowed IP-to-IP pair (IP1->IP3, IP1->IP5, IP1->IP7, IP1->IP8, IP3->IP1, ..., IP10->IP9); every endpoint pair needs its own rule, so the rule set explodes as endpoints are added.]
Group Based Policy - secure, scalable, intent based
[Figure: the same endpoints expressed as endpoint groups and group policies. Endpoint groups: IP1, IP3 -> Green; IP2, IP4 -> Red; IP5, IP7 -> Green; IP6 -> Red; IP8 -> Green; IP9, IP10 -> Red. Policies: Green->Green, Red->Red.]
Policy specification for Cloud Foundry Applications
§ Define Endpoints and EPGs (applications are represented by groups of endpoints).
§ Policy definition is in the nature of applications, e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow.
§ Envision policy as a graph of application connectivity.
[Figure: policy graph of application connectivity (23 Groups, 12 Rules), with nodes such as A_App, B_APP, C_APP, A_DB and DB_Ext.]
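To make the group-based model concrete, here is an added example (not code from the slides or from PLUMgrid) that evaluates flows against the whitelist policy quoted above, A_APP->A_DB 80 allow and B_APP->A_APP allow, and expands it into the per-IP-pair rules an IPTables whitelist would need. The group names come from the slide; the endpoint addresses are constructed for illustration.

```python
from itertools import product

# Constructed sample (not from the slides): endpoints mapped to endpoint groups
# (EPGs); the addresses are made up for illustration.
ENDPOINT_GROUPS = {
    "A_APP": {"10.244.18.2", "10.244.18.3"},
    "B_APP": {"10.244.18.4"},
    "A_DB": {"10.244.19.2", "10.244.19.3"},
}

# Whitelist policy from the slide: (src_group, dst_group, dst_port), with None
# meaning any port. Any flow not matched here is denied (default deny).
POLICY = [
    ("A_APP", "A_DB", 80),
    ("B_APP", "A_APP", None),
]


def group_of(ip, groups=ENDPOINT_GROUPS):
    """Return the EPG an endpoint belongs to, or None if it is unknown."""
    for name, members in groups.items():
        if ip in members:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port, policy=POLICY, groups=ENDPOINT_GROUPS):
    """Decide a flow by the groups of its endpoints, not by their addresses.
    Unknown endpoints and unlisted group pairs fall through to deny."""
    src, dst = group_of(src_ip, groups), group_of(dst_ip, groups)
    if src is None or dst is None:
        return False
    return any(s == src and d == dst and (p is None or p == dst_port)
               for s, d, p in policy)


def expand_to_ip_rules(policy=POLICY, groups=ENDPOINT_GROUPS):
    """Expand the group rules into the per-IP-pair rules an IPTables-style
    whitelist would need; this set grows with every endpoint added, while
    the group policy itself stays the same size."""
    return {(src_ip, dst_ip, port)
            for s, d, port in policy
            for src_ip, dst_ip in product(groups[s], groups[d])}


if __name__ == "__main__":
    print(len(POLICY), "group rules ->", len(expand_to_ip_rules()), "IP-pair rules")  # 2 -> 6
    print(is_allowed("10.244.18.2", "10.244.19.2", 80))  # True
    print(is_allowed("10.244.19.2", "10.244.18.2", 80))  # False: DB->app is not listed
```

Adding a third A_APP endpoint leaves the two group rules untouched but raises the expanded IP-pair set from 6 to 9 rules, which is the state explosion the earlier slide illustrates.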
www.iovisor.org
IO Module, user's perspective
[Figure: an IO Module exposes a management interface (REST API, CLI, config file) and interfaces of a given type (Net, Tracing, Storage, ...). Something runs in the kernel, something runs in userspace, and controllers live above. Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules that users search and download from.]
IO Module, developer's perspective
[Figure: an IO Module developer uses the IO Visor SDK (Clang/P4 for the data plane; Python, C, C++, Go, JS, ... for the control plane) to build a module with a data plane in the kernel and a control plane (a userspace helper) in userspace. Users interact with the module through its management interface (REST API, CLI, config file) and its typed interfaces (Net, Tracing, Storage, ...). New modules are published to the IO Modules catalog; somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules.]
IO Module, graph composition
[Figure: an IO Visor Manager in userspace exposes APIs to controllers and composes IO Modules (kernel code plus metadata) taken from an open repo of "IO Modules"; the modules are loaded at kernel attachment points in kernel space, extending Linux kernel capabilities.]
Composing IO Modules
Policy Plugin with IO Visor
[Figure: two hosts, each with a Linux bridge, a VXLAN device and containers (Garden/0 - 10.244.18.2, Garden/1 - 10.244.18.3), joined by a VXLAN overlay (192.168.0.0/16, 192.168.1.0/16); the diagram marks the policy boundary enforced by the plugin.]
Thank You!
Backup Slides
Introducing IO Visor Project
Future of Linux Kernel IO for software defined services
Led by initial contributions from PLUMgrid (upstreamed since Kernel 3.16)
Evolution of Kernel BPF & eBPF (Berkeley Packet Filter)
"IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collaboration is critically important as virtualization is putting more demands on flexibility, performance and security. Open source software and collaborative development are the ingredients for addressing massive change in any industry. IO Visor will provide the essential framework for this work on Linux virtualization and networking."
Jim Zemlin, Executive Director, The Linux Foundation.
IO Visor Project: What?
1. Programmable Data Plane
• A programmable data plane and development tools to simplify the creation of new infrastructure ideas
2. Open Source & Community
• An open source project and a community of developers
• Enables a new way to Innovate, Develop and Share IO and Networking functions
3. Repository of "IO Modules"
• A place to share / standardize new ideas in the form of "IO Modules"
IO Visor Project Use Cases Example: Networking
§ IO Visor is used to build a fully distributed virtual network across multiple compute nodes
§ All data plane components are inserted dynamically in the kernel
§ No usage of virtual/physical appliances needed
§ Example here https://github.com/iovisor/bcc/tree/master/examples/distributed_bridge
[Figure: virtual/physical appliances on one side versus the virtual network topology realised in kernel space on the other.]