Container Security and Networking

Uploaded On 2024-01-13


Presentation Transcript

1. Container Security and Networking
OOM Team
Mike Elliott - Amdocs
Oct 23, 2018

2. What problems are we trying to solve for Dublin?
Our Priorities
- Security
  - Dramatic reduction in "attack surface": cluster proxy/load balancer (Ingress Controller)
  - Network Policies: only pods that should talk to each other can; pods that shouldn't can't
- Geo-diversity
- Pluggable Networking using CNI
  - Traffic shaping
  - Network overlays
  - Security filtering
- Builds on Casablanca features
  - node selectors/labels
  - affinity/anti-affinity
Constraints
- No increase in ONAP memory footprint
- No increase in network response time


4. Platform Concerns
Istio installs a sidecar per pod
- each sidecar takes about 300-350 MB
- ONAP has about 200 pods
- ~70 GB additional memory!

5. Platform Concerns
Traffic bounces between the kernel and the sidecar proxies
- significant increase in response time

6. Features of a Service Mesh
- Automatic load balancing
- Resiliency: retries, timeouts, circuit breaking, deadlines, high-availability
- Control of traffic behavior
- Service-to-Service Security
- Automatic collection of metrics, logs, and traces

7. Automatic load balancing
ONAP / K8s already load balances across all pods within a Service. The scheduling modes below are the ones kube-proxy exposes when it runs in IPVS mode:
- rr: round-robin
- lc: least connection
- dh: destination hashing
- sh: source hashing
- sed: shortest expected delay
- nq: never queue
Note: K8s 1.9 shown; planned for Dublin

8. Resiliency (retries, timeouts, deadlines, circuit breaking)
- Kubernetes Control Plane works to maintain "desired state" (failures will happen)
- Container Probes (liveness + readiness) determine the health of a Pod
  - circuit breaks for an unhealthy Pod: a failing readiness probe removes the Pod from the Service proxy/LB endpoints; a failing liveness probe restarts the container
  - probes have timeouts and are retried automatically before they count as failed
- Jobs: active deadlines
- High-Availability: automatic failover; automatically heals and redirects requests

9. Control of traffic behavior
Cluster Edge Proxy/Load Balancer
- Ingress controller

10. Control of traffic behavior
Fine-grained Traffic Control
- Network Policies: rich allow-list rules (a NetworkPolicy filters traffic, it does not route it)
  - implemented by the CNI layer; a CNI plugin that does not implement NetworkPolicy silently enforces nothing
  - enforces valid Pod-to-Pod communication
example Network Policy:

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: test-network-policy
    namespace: default
  spec:
    podSelector:
      matchLabels:
        role: db
    policyTypes:
    - Ingress
    - Egress
    ingress:
    - from:
      - ipBlock:
          cidr: 172.17.0.0/16
          except:
          - 172.17.1.0/24
      - namespaceSelector:
          matchLabels:
            project: onap-so
      - podSelector:
          matchLabels:
            role: frontend
      ports:
      - protocol: TCP
        port: 6379
    egress:
    - to:
      - ipBlock:
          cidr: 10.0.0.0/24
      ports:
      - protocol: TCP
        port: 5978

labels & roles (namespaceSelector and podSelector in one `from` entry are ANDed):

  ...
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          user: alice
      podSelector:
        matchLabels:
          role: client
  ...
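The policy on this slide is easy to misread, so here is an added example (not code from the OOM project or from this deck) that evaluates NetworkPolicy semantics offline against the slide's own policy: pods not selected by any policy stay allow-all, a selected pod becomes default-deny in that direction, separate `from` entries are ORed, a `namespaceSelector` plus `podSelector` in one entry is ANDed, and a bare `podSelector` only ever matches the policy's own namespace. The namespace labels, pod names and IPs are constructed assumptions; `matchExpressions`, named ports and the API's implicit `policyTypes` default are deliberately not modelled.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example, not OOM/ONAP code)."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict = field(default_factory=dict)

# Constructed namespace labels (assumption): the policy's own namespace, the SO project
# namespace from the slide, and a team namespace for the user=alice snippet.
NAMESPACES = {"default": {}, "onap-so": {"project": "onap-so"}, "team-a": {"user": "alice"}}

def _labels_match(selector, labels):
    """matchLabels only (matchExpressions not modelled); an empty selector matches everything."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def _ipblock_match(block, ip):
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(x) for x in block.get("except", []))

def _peer_match(peer, policy_ns, other):
    """other is a Pod, or a plain IP string for a non-pod peer (only ipBlock can match those)."""
    if "ipBlock" in peer:
        return _ipblock_match(peer["ipBlock"], other.ip if isinstance(other, Pod) else other)
    if not isinstance(other, Pod):
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        # namespaceSelector and podSelector in ONE list entry are ANDed.
        if not _labels_match(ns_sel, NAMESPACES.get(other.namespace, {})):
            return False
        return pod_sel is None or _labels_match(pod_sel, other.labels)
    # A podSelector on its own only ever selects pods in the policy's own namespace.
    return other.namespace == policy_ns and _labels_match(pod_sel, other.labels)

def _rule_match(rule, peer_key, policy_ns, other, proto, port):
    ports = rule.get("ports")
    if ports and not any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports):
        return False
    peers = rule.get(peer_key)
    # No from/to means "any peer"; separate list entries are ORed.
    return not peers or any(_peer_match(p, policy_ns, other) for p in peers)

def _direction_allowed(policies, pod, direction, other, proto, port):
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    # policyTypes is read literally; the API default (Ingress, plus Egress when egress rules
    # exist) is not modelled, so every policy here carries an explicit policyTypes like the slide's.
    applicable = [p for p in policies if p["metadata"]["namespace"] == pod.namespace
                  and direction in p["spec"].get("policyTypes", ["Ingress"])
                  and _labels_match(p["spec"].get("podSelector"), pod.labels)]
    if not applicable:
        return True  # nothing selects this pod in this direction: Kubernetes default is allow-all
    # A selected pod is default-deny; policies are additive, so any matching rule allows.
    return any(_rule_match(r, peer_key, pod.namespace, other, proto, port)
               for p in applicable for r in p["spec"].get(key, []))

def connection_allowed(policies, src, dst, proto="TCP", port=0):
    """A new connection needs the source's egress AND the destination's ingress to be permitted."""
    egress_ok = not isinstance(src, Pod) or _direction_allowed(policies, src, "Egress", dst, proto, port)
    ingress_ok = not isinstance(dst, Pod) or _direction_allowed(policies, dst, "Ingress", src, proto, port)
    return egress_ok and ingress_ok

def _policy(name, role, types, ingress=None, egress=None):
    spec = {"podSelector": {"matchLabels": {"role": role}}, "policyTypes": types}
    spec.update({k: v for k, v in (("ingress", ingress), ("egress", egress)) if v is not None})
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}

# The slide's test-network-policy transcribed as a dict (same content as the YAML, no PyYAML needed).
SLIDE_POLICY = _policy("test-network-policy", "db", ["Ingress", "Egress"],
    ingress=[{"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                       {"namespaceSelector": {"matchLabels": {"project": "onap-so"}}},
                       {"podSelector": {"matchLabels": {"role": "frontend"}}}],
              "ports": [{"protocol": "TCP", "port": 6379}]}],
    egress=[{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}], "ports": [{"protocol": "TCP", "port": 5978}]}])

# The slide's second snippet in both spellings: one entry (AND) versus two entries (OR).
ALICE_AND = _policy("alice-and", "api", ["Ingress"], ingress=[{"from": [
    {"namespaceSelector": {"matchLabels": {"user": "alice"}}, "podSelector": {"matchLabels": {"role": "client"}}}]}])
ALICE_OR = _policy("alice-or", "api", ["Ingress"], ingress=[{"from": [
    {"namespaceSelector": {"matchLabels": {"user": "alice"}}}, {"podSelector": {"matchLabels": {"role": "client"}}}]}])

# Constructed pods (hypothetical names and IPs).
DB = Pod("db-0", "default", "10.244.0.5", {"role": "db"})
FRONTEND = Pod("frontend-0", "default", "10.244.0.6", {"role": "frontend"})
BATCH = Pod("batch-0", "default", "10.244.0.8", {"role": "batch"})
SO = Pod("so-api-0", "onap-so", "10.244.1.7", {"app": "so"})
API = Pod("api-0", "default", "10.244.0.9", {"role": "api"})
ALICE_CLIENT = Pod("client-0", "team-a", "10.244.2.3", {"role": "client"})
ALICE_MONITOR = Pod("monitor-0", "team-a", "10.244.2.4", {"role": "monitor"})
LOCAL_CLIENT = Pod("client-1", "default", "10.244.0.11", {"role": "client"})
```

Two results are worth dwelling on. `connection_allowed([SLIDE_POLICY], DB, FRONTEND, "TCP", 6379)` is denied even though frontend may reach db: the policy's egress section lets db open connections only to 10.0.0.0/24:5978, and replies on an existing connection are handled by connection tracking, not by policy. And under `ALICE_OR` the `role: client` pod in `default` is allowed while under `ALICE_AND` it is not, because the bare `podSelector` of the OR form matches the policy's own namespace, whereas the AND form also requires the `user: alice` namespace label.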

11. Service-to-Service Security
- Authentication frameworks need to be resolved, as discussed here: ISTIO-Envoy-MutualTLS
- Currently ONAP uses three systems:
  - AAF
  - Vault (within AAF)
  - Citadel (from Istio, with MSB)
- Currently all projects are working on achieving TLS on GUIs and APIs directly

12. Automatic Metrics, Logs, and Traces
- Metrics: adding Prometheus (or Timelion to the existing Elastic Stack)
- Logs and traces: the existing Logging project uses the Elastic Stack to centralize and parse logs