
Bringing Security and Multi-tenancy to Kubernetes Lei (Harry) Zhang


Post on 03-Oct-2020






Page 1: Bringing Security and Multi-tenancy to Kubernetes · Multi-tenant Service • Default iptables-based kube-proxy is not tenant aware • Endpoint Pods and Nodes with iptables rules

Bringing Security and Multi-tenancy to Kubernetes

Lei (Harry) Zhang


About Me

• Lei (Harry) Zhang @resouer

• #CNCF member, #Microsoft MVP

• Previous: VMware, Baidu

• Feature Maintainer of Kubernetes

• HyperCrew:

• Publication: Docker & Kubernetes Under the Hood

• PhD candidate, #Large-scale cluster scheduling and management


A survey about “boundary”

• Are you comfortable with Linux containers as an effective boundary?

• Yes, I use containers in my private/safe environment

• No, I use containers to serve the public cloud


As long as we care about security…

• We have to wrap containers inside full-blown virtual machines

• But we lose cloud-native deployment

• Slow startup time

• Huge resource waste

• Memory tax for every container

• …




Revisit container

• Container Runtime

• The dynamic view and boundary of your running process

• Container Image

• The static view of your program, data, dependencies, files and directories

Diagram: namespaces and cgroups make up the runtime side; the image side is built from this Dockerfile (the CMD is written in exec form, one argument per element):

FROM busybox
ADD temp.txt /
VOLUME /data
CMD ["echo", "hello"]

Layers of the resulting Docker container, bottom to top:

• read-only layer: /bin /dev /etc /home /lib /lib64 /media /mnt /opt /proc /root /run /sbin /sys /tmp /usr /var /data /temp.txt

• init layer: /etc/hosts /etc/hostname /etc/resolv.conf

• read-write layer (plus the /data volume)

• running process: “echo hello”


HyperContainer

Secure Kubernetes from the runtime level


HyperContainer

• Container Runtime

• RunV

• An OCI-compatible hypervisor-based runtime implementation

• Control daemon


• Container Image

• Docker Image Spec


Combine the best parts

• Portable and behaves like a Linux container

• $ hyperctl run -t busybox echo helloworld

• sub-second startup time*, ~12MB memory cost

• Fully isolated sandbox with an independent guest kernel

• $ hyperctl exec -t busybox uname -r

• 4.4.12-hyper (or your provided kernel)

• security, backward compatibility, maturity



HyperContainer is a Pod

• That’s how HyperContainer fits into the Kubernetes philosophy

• Wait, why is Pod so important?


Pod: lesson learned from Borg

• Should sample.war be packaged with Tomcat?


Pod: lesson learned from Borg

• InitContainers: one or more containers started in sequence before the pod's normal containers are started.

• Share volumes, perform network operations, and perform computation prior to the app containers.


So, Pod is

• The group of super-affinity containers

• The atomic scheduling unit

• The process group in container cloud

• Does the right things without modifying your container image

• Kubernetes = Spring Framework, Pod = IoC

Diagram: one Pod holding an infra container, an init container, and the app and log containers.


Pod is not easy to simulate

• log and app: super-affinity (must run on the same node)

• Requirement:

• app: 1G, log: 0.5G

• Available:

• Node_A: 1.25G, Node_B: 2G

• What happens if app is scheduled to Node_A? Only 0.25G is left there, so log cannot follow it, although Node_B could have held both.
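Worked example, added here and not taken from the slides or from the Hypernetes project: a first-fit scheduler in Go over the constructed numbers on this slide. scheduleIndividually places app first and only afterwards tries to pin log beside it, which is what a scheduler with no Pod concept ends up doing; schedulePod sizes the group as one 1.5G unit before looking for a node. Node and container names are the slide's; the function and type names are this example's own.

```go
package main

import "fmt"

// Container is one member of a super-affinity group; Mem is its request in GiB.
type Container struct {
	Name string
	Mem  float64
}

// Node tracks the schedulable memory left on a node, in GiB.
type Node struct {
	Name string
	Free float64
}

// Placement records which node each container landed on.
type Placement map[string]string

// sampleNodes returns the constructed numbers from the slide: Node_A 1.25G, Node_B 2G.
func sampleNodes() []Node {
	return []Node{{"Node_A", 1.25}, {"Node_B", 2.0}}
}

// firstFit returns the index of the first node with enough free memory.
func firstFit(nodes []Node, mem float64) (int, bool) {
	for i := range nodes {
		if nodes[i].Free >= mem {
			return i, true
		}
	}
	return -1, false
}

// scheduleIndividually is what a scheduler without a Pod concept ends up doing:
// place the first container first-fit, then try to pin the rest onto the same node.
// It returns the partial placement together with the error when the affinity breaks.
func scheduleIndividually(nodes []Node, group []Container) (Placement, error) {
	p := Placement{}
	pinned := -1
	for _, c := range group {
		i := pinned
		if i < 0 {
			var ok bool
			if i, ok = firstFit(nodes, c.Mem); !ok {
				return p, fmt.Errorf("%s: no node with %.2fG free", c.Name, c.Mem)
			}
			pinned = i
		} else if nodes[i].Free < c.Mem {
			return p, fmt.Errorf("%s: only %.2fG left on %s next to %s",
				c.Name, nodes[i].Free, nodes[i].Name, group[0].Name)
		}
		nodes[i].Free -= c.Mem
		p[c.Name] = nodes[i].Name
	}
	return p, nil
}

// schedulePod treats the group as one atomic unit: a single node must hold the SUM
// of the requests, so co-location is guaranteed by construction.
func schedulePod(nodes []Node, group []Container) (Placement, error) {
	total := 0.0
	for _, c := range group {
		total += c.Mem
	}
	i, ok := firstFit(nodes, total)
	if !ok {
		return nil, fmt.Errorf("no node has %.2fG free for the whole pod", total)
	}
	nodes[i].Free -= total
	p := Placement{}
	for _, c := range group {
		p[c.Name] = nodes[i].Name
	}
	return p, nil
}

func main() {
	group := []Container{{"app", 1.0}, {"log", 0.5}}
	p1, err := scheduleIndividually(sampleNodes(), group)
	fmt.Println("individually:", p1, "error:", err)
	p2, err := schedulePod(sampleNodes(), group)
	fmt.Println("as a pod:    ", p2, "error:", err)
}
```

With the slide's numbers the individual path lands app on Node_A and then fails on log with 0.25G to spare, while the Pod path puts both on Node_B; a real scheduler that only sees single containers has no way to back out of the first decision.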


HyperContainer is a Pod

• Linux-container-based runtimes

• wrap and encapsulate several app containers into a logical group

• Hypervisor-container-based runtime

• the hypervisor serves as the natural boundary of the Pod


HyperContainer is a Pod

• Container Runtime Interface

• create sandbox Foo --> create container C --> start container C

• stop container C --> remove container C --> delete sandbox Foo

• Sandbox

• Normally: the infra container

• HyperContainer: hypervisor

• with HyperKernel

• a HyperStart process as PID 1

• sets up the mnt namespace, launches apps from the images, etc.
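An added example, not frakti or HyperContainer code, of the call ordering on this slide as a toy runtime in Go. The method names mirror the CRI RuntimeService calls (RunPodSandbox, CreateContainer, StartContainer, StopContainer, RemoveContainer, RemovePodSandbox); the Kind label on the sandbox ("infra-container" or "hypervisor") is an illustrative field for this example, not part of CRI. What it shows: a container can only exist inside a sandbox, and the sandbox cannot go away while a container is still registered in it, which for HyperContainer is the guest VM holding the container's kernel.

```go
package main

import "fmt"

// State follows the container lifecycle: created -> running -> exited, then removed.
type State int

const (
	Created State = iota
	Running
	Exited
)

// Sandbox is what the runtime isolates: an infra container for Linux-container runtimes,
// a hypervisor-backed VM with its own guest kernel for HyperContainer. Kind is an
// illustrative label for this example, not a CRI field.
type Sandbox struct {
	Kind       string
	Containers map[string]State
}

// Runtime is a toy CRI-style runtime that only enforces call ordering.
type Runtime struct{ sandboxes map[string]*Sandbox }

func NewRuntime() *Runtime { return &Runtime{sandboxes: map[string]*Sandbox{}} }

func (r *Runtime) RunPodSandbox(id, kind string) error {
	if _, dup := r.sandboxes[id]; dup {
		return fmt.Errorf("sandbox %s already exists", id)
	}
	r.sandboxes[id] = &Sandbox{Kind: kind, Containers: map[string]State{}}
	return nil
}

// CreateContainer: a container can only be created inside an existing sandbox.
func (r *Runtime) CreateContainer(sb, c string) error {
	s, ok := r.sandboxes[sb]
	if !ok {
		return fmt.Errorf("create %s: sandbox %s does not exist", c, sb)
	}
	s.Containers[c] = Created
	return nil
}

func (r *Runtime) StartContainer(sb, c string) error { return r.transition(sb, c, Created, Running) }
func (r *Runtime) StopContainer(sb, c string) error  { return r.transition(sb, c, Running, Exited) }

// RemoveContainer refuses while the container is still running.
func (r *Runtime) RemoveContainer(sb, c string) error {
	s, ok := r.sandboxes[sb]
	if !ok {
		return fmt.Errorf("remove %s: sandbox %s does not exist", c, sb)
	}
	if st, found := s.Containers[c]; !found || st == Running {
		return fmt.Errorf("remove %s: container must exist and be stopped first", c)
	}
	delete(s.Containers, c)
	return nil
}

// RemovePodSandbox refuses while containers are still registered in it: the slide's
// order is stop C -> remove C -> delete sandbox Foo, never the other way round.
func (r *Runtime) RemovePodSandbox(sb string) error {
	s, ok := r.sandboxes[sb]
	if !ok {
		return fmt.Errorf("sandbox %s does not exist", sb)
	}
	if n := len(s.Containers); n > 0 {
		return fmt.Errorf("sandbox %s (%s) still has %d container(s)", sb, s.Kind, n)
	}
	delete(r.sandboxes, sb)
	return nil
}

func (r *Runtime) transition(sb, c string, from, to State) error {
	s, ok := r.sandboxes[sb]
	if !ok {
		return fmt.Errorf("sandbox %s does not exist", sb)
	}
	if st, found := s.Containers[c]; !found || st != from {
		return fmt.Errorf("container %s in %s is not in state %d", c, sb, from)
	}
	s.Containers[c] = to
	return nil
}

// RunPod drives the slide's full sequence for sandbox Foo and container C.
func RunPod(r *Runtime) error {
	for _, step := range []func() error{
		func() error { return r.RunPodSandbox("Foo", "hypervisor") },
		func() error { return r.CreateContainer("Foo", "C") },
		func() error { return r.StartContainer("Foo", "C") },
		func() error { return r.StopContainer("Foo", "C") },
		func() error { return r.RemoveContainer("Foo", "C") },
		func() error { return r.RemovePodSandbox("Foo") },
	} {
		if err := step(); err != nil {
			return err
		}
	}
	return nil
}

func main() { fmt.Println("happy path:", RunPod(NewRuntime())) }
```

Every out-of-order call (create before the sandbox exists, remove while running, delete the sandbox with a container inside) comes back as an error instead of silently tearing down the boundary.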


Hypernetes

Kubernetes with HyperContainer Runtime


Hypernetes

• Also: h8s

• Kubernetes + HyperContainer runtime

• officially supported by using kubernetes/frakti

• Multi-tenant network and persistent volumes

• battle tested Neutron + Cinder plugin


Multi-tenant Network

• Goal:

• leverage the tenant-aware Neutron network for Kubernetes

• follow the network plugin workflow

• Non-goal:

• breaking the k8s network model or hacking k8s code


Define the Network

• Network

• a top-level API object

• each tenant (created by Keystone) has its own Network

• Network mapping to Neutron “net”

• a Network Controller is responsible to manage Network lifecycle








Diagram: Network sits beside the other API objects (pod, replica, namespace, service, job, deployment, volume, petset, …); the Network Controller compares the Desired World with the Real World and calls Neutron to create/delete nets.



Kubernetes Network Model

• Container reach container

• all containers can communicate with all other containers without NAT

• Node reach container

• all nodes can communicate with all containers (and vice-versa) without NAT

• IP addressing

• Pod in cluster can be addressed by its IP


How does h8s fit that?

• Network can be assigned to one or more


• Pods belonging to the same Network can reach each other directly through IP

• a Pod’s network mapping to Neutron “port”

• kubelet network plugin is responsible for Pod network setup







Pod creation flow (sequence diagram recovered as text):

1 Pod created

2 Pod object added

3.1 New pod object detected (scheduler) 3.2 Bind pod with node

4.1 Detected pod bound with me (kubelet) 4.2 Start containers in pod





Design of kubelet

• Choose Runtime: docker, rkt, hyper/remote

• HandlePods {Add, Update, Remove, Delete, …}

• Pod Update Worker (e.g. ADD): generate Pod status, check volume status (talked about later), call runtime to start containers, set up Pod network (see next slide)

• Helpers: status Manager (reports Network Status), volume Manager, image Manager


Set Up Pod Network



A standalone gRPC daemon

1. to “translate” the SetUpPod request to the Neutron network API

2. handling multi-tenant Service proxy


Service

$ iptables-save | grep my-service
-A KUBE-SERVICES -d -p tcp -m comment --comment "default/my-service: cluster IP" -m tcp --dport 8001 -j KUBE-SVC-KEAUNL7HVWWSEZA6
-A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-6XXFWO3KTRMPKCHZ
-A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-57KPRZ3JQVENLNBRZ
-A KUBE-SEP-6XXFWO3KTRMPKCHZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination
-A KUBE-SEP-57KPRZ3JQVENLNBRZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination

(The cluster IP after -d and the endpoint addresses after --to-destination are missing from the slide text.) Diagram: the KUBE-SVC chain holds the random-mode rules; each KUBE-SEP chain is one backend rule (backend rule_1, backend rule_2).
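To make concrete what "not tenant aware" means on the next slide, here is an added Go example (not kube-proxy or Hypernetes code) that parses an iptables-save excerpt in the shape shown above into service -> endpoint mappings and then checks each DNAT target against a map of pod IP -> tenant Network. The addresses and the statistic/probability match in sampleRules are constructed for this example (the chain names are reused from the slide); in kube-proxy the random spread is `-m statistic --mode random --probability …`, which the slide text abbreviates. The rules carry bare IPs and nothing else, so a node attached to no tenant network, or a pod in another tenant's Network, is DNATed to an address it cannot reach.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleRules is a constructed iptables-save excerpt in the shape kube-proxy writes: chain
// names reused from the slide, cluster IP, endpoint addresses and statistic match invented.
const sampleRules = `
-A KUBE-SERVICES -d 10.0.0.10/32 -p tcp -m comment --comment "default/my-service: cluster IP" -m tcp --dport 8001 -j KUBE-SVC-KEAUNL7HVWWSEZA6
-A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-6XXFWO3KTRMPKCHZ
-A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" -j KUBE-SEP-57KPRZ3JQVENLNBRZ
-A KUBE-SEP-6XXFWO3KTRMPKCHZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 192.168.10.5:8080
-A KUBE-SEP-57KPRZ3JQVENLNBRZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 192.168.10.9:8080
`

// Service is a cluster IP and the DNAT targets kube-proxy programmed for it.
type Service struct {
	Name, ClusterIP, Port string
	Endpoints             []string
}

// tokRe keeps a double-quoted --comment argument as a single token.
var tokRe = regexp.MustCompile(`"[^"]*"|\S+`)

// parseRule turns one "-A CHAIN ..." line into its chain and flag -> value pairs.
func parseRule(line string) (chain string, opts map[string]string, ok bool) {
	toks := tokRe.FindAllString(line, -1)
	if len(toks) < 2 || toks[0] != "-A" {
		return "", nil, false
	}
	opts = map[string]string{}
	for i := 2; i < len(toks); i++ {
		if !strings.HasPrefix(toks[i], "-") {
			continue
		}
		opts[toks[i]] = "" // bare flag with no argument
		if i+1 < len(toks) && !strings.HasPrefix(toks[i+1], "-") {
			opts[toks[i]] = strings.Trim(toks[i+1], `"`)
			i++
		}
	}
	return toks[1], opts, true
}

// ResolveServices follows KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* -> DNAT target.
func ResolveServices(save string) map[string]*Service {
	bySvcChain := map[string]*Service{}
	jumps, dnat := map[string][]string{}, map[string]string{} // SVC -> SEPs, SEP -> target
	for _, line := range strings.Split(save, "\n") {
		chain, o, ok := parseRule(strings.TrimSpace(line))
		if !ok {
			continue
		}
		switch {
		case chain == "KUBE-SERVICES":
			name := strings.TrimSuffix(strings.TrimSuffix(o["--comment"], " cluster IP"), ":")
			bySvcChain[o["-j"]] = &Service{Name: name, Port: o["--dport"],
				ClusterIP: strings.TrimSuffix(o["-d"], "/32")}
		case strings.HasPrefix(chain, "KUBE-SVC-"):
			jumps[chain] = append(jumps[chain], o["-j"])
		case strings.HasPrefix(chain, "KUBE-SEP-") && o["-j"] == "DNAT":
			dnat[chain] = o["--to-destination"]
		}
	}
	out := map[string]*Service{}
	for chain, s := range bySvcChain {
		for _, sep := range jumps[chain] {
			s.Endpoints = append(s.Endpoints, dnat[sep])
		}
		out[s.Name] = s
	}
	return out
}

// UnreachableEndpoints: the DNAT targets are bare IPs with no tenant attached, so a caller
// outside the endpoint pod's Network is rewritten to an address it cannot reach.
// podNetwork maps pod IP -> Network; reachable is the set of Networks the caller is in.
func UnreachableEndpoints(s *Service, podNetwork map[string]string, reachable map[string]bool) []string {
	var bad []string
	for _, ep := range s.Endpoints {
		ip := strings.Split(ep, ":")[0] // IPv4 host:port only in this example
		if net, known := podNetwork[ip]; !known || !reachable[net] {
			bad = append(bad, ep)
		}
	}
	return bad
}

func main() {
	s := ResolveServices(sampleRules)["default/my-service"]
	fmt.Printf("%s %s:%s -> %v\n", s.Name, s.ClusterIP, s.Port, s.Endpoints)
	// Constructed tenant layout: both endpoint pods live in tenant-a's Neutron Network.
	podNet := map[string]string{"192.168.10.5": "tenant-a", "192.168.10.9": "tenant-a"}
	fmt.Println("from the node, attached to no tenant Network:", UnreachableEndpoints(s, podNet, nil))
	fmt.Println("from a pod in tenant-b:", UnreachableEndpoints(s, podNet, map[string]bool{"tenant-b": true}))
}
```

Run against a real node, the parser would take `iptables-save -t nat` as input; the tenant map is the information kube-proxy never has, which is why the next slide replaces it with a per-namespace proxy.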




Multi-tenant Service

• Default iptables-based kube-proxy is not tenant aware

• Endpoint Pods and Nodes with iptables rules are isolated into different networks

• Hypernetes uses a built-in HAProxy as the Service portal

• to proxy all Service instances within the same namespace

• the same OnServiceUpdate and OnEndpointsUpdate process

• ExternalProvider

• an OpenStack LB will be created as the Service

• e.g. curl


Kubernetes Persistent Volume

Diagram: Pods reference volumes by mountPath, the Cinder volume plugin backs them, and the VolumeManager reconciles the desired state against what is actually attached and mounted on the node:



• Get mountedVolume from actualStateOfWorld

• Unmount volumes in mountedVolume but not in desiredStateOfWorld

• AttachVolume() if vol in desiredStateOfWorld and not attached

• MountVolume() if vol in desiredStateOfWorld and not in mountedVolume

• Verify devices that should be detached/unmounted are detached/unmounted

• Tips:

1. -v host:path

2. attach VS mount

3. Totally independent from container management
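Added example (not the kubelet's VolumeManager code) of the reconcile loop in the bullets above, in Go: Reconcile compares desiredStateOfWorld with actualStateOfWorld and emits the Unmount/Detach/Attach/Mount operations in the order the slide gives, and Apply replays them so the loop can be run a second time and verified empty (the slide's last bullet). The Network Controller on the earlier Desired World / Real World slide is the same loop with Neutron create/delete in place of attach/mount, and the enhanced Cinder plugin on the next slide only changes where the Attach lands (the Pod sandbox instead of the host). Volume IDs, paths and the Detach step issued right after an Unmount are assumptions for illustration; in the real kubelet, detach is driven by a separate controller.

```go
package main

import (
	"fmt"
	"sort"
)

// Volume is what the kubelet wants on this node: a Cinder volumeID at a Pod mountPath.
type Volume struct {
	ID, Path string
}

// Actual is the actualStateOfWorld: what is attached to the node and what is mounted where.
type Actual struct {
	Attached map[string]bool   // volumeID -> attached to this node
	Mounted  map[string]string // volumeID -> mountPath
}

// Op is one action the reconciler decided on. The loop is expressed as a list of ops
// so the decision logic can be inspected without calling Cinder or mount(2).
type Op struct {
	Kind string // Unmount, Detach, Attach, Mount
	Vol  string
}

// Reconcile applies the slide's rules in order and returns the ops to perform.
func Reconcile(desired []Volume, act Actual) []Op {
	var ops []Op
	want := map[string]Volume{}
	for _, v := range desired {
		want[v.ID] = v
	}
	// Unmount (then detach) whatever is mounted but no longer in desiredStateOfWorld.
	// Sorted so the op list is deterministic.
	var mounted []string
	for id := range act.Mounted {
		mounted = append(mounted, id)
	}
	sort.Strings(mounted)
	for _, id := range mounted {
		if _, ok := want[id]; !ok {
			ops = append(ops, Op{"Unmount", id}, Op{"Detach", id})
		}
	}
	// AttachVolume if desired and not attached; MountVolume if desired and not mounted
	// at the right path. Attach comes first: a block device cannot be mounted before
	// the node (or, for HyperContainer, the Pod sandbox) sees it.
	for _, v := range desired {
		if !act.Attached[v.ID] {
			ops = append(ops, Op{"Attach", v.ID})
		}
		if act.Mounted[v.ID] != v.Path {
			ops = append(ops, Op{"Mount", v.ID})
		}
	}
	return ops
}

// Apply replays the ops onto the actual state; afterwards Reconcile must return nothing
// (the slide's verify step). The real kubelet re-reads the node rather than trusting ops.
func Apply(act Actual, desired []Volume, ops []Op) Actual {
	paths := map[string]string{}
	for _, v := range desired {
		paths[v.ID] = v.Path
	}
	for _, op := range ops {
		switch op.Kind {
		case "Unmount":
			delete(act.Mounted, op.Vol)
		case "Detach":
			delete(act.Attached, op.Vol)
		case "Attach":
			act.Attached[op.Vol] = true
		case "Mount":
			act.Mounted[op.Vol] = paths[op.Vol]
		}
	}
	return act
}

func main() {
	// Constructed state: vol-a attached but not mounted, vol-b unknown to the node,
	// vol-stale left over from a Pod that is gone.
	desired := []Volume{{"vol-a", "/data"}, {"vol-b", "/logs"}}
	act := Actual{
		Attached: map[string]bool{"vol-a": true, "vol-stale": true},
		Mounted:  map[string]string{"vol-stale": "/old"},
	}
	ops := Reconcile(desired, act)
	fmt.Println("ops:", ops)
	fmt.Println("converged:", len(Reconcile(desired, Apply(act, desired, ops))) == 0)
}
```

The ordering matters for safety as much as for correctness: unmounting stale volumes before attaching new ones keeps a departed Pod's data from staying reachable on the node while a new Pod's volumes are being wired in.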


Persistent Volume with HyperContainer

• Enhanced Cinder volume plugin

• Linux container:

1. full OpenStack cluster

2. query Nova to find node

3. attach Cinder volume to host path

4. bind mount host path to Pod containers

• HyperContainer:

• directly attach block devices to Pod

• thanks to the hypervisor based Pod boundary

• eliminates extra time to query Nova



Diagram: with the enhanced Cinder volume plugin, the desired world records the attach and the volume is attached straight to the Pod at its mountPath, with no host-side step in between.




PV Example

• Create a Cinder volume

• Claim the volume by referencing its volumeID


Container Runtime Interface


Future of CRI

• Keep Docker as the only default container runtime

• ocid, rktlet, hyperd

• Frakti: the Remote Container Runtime Kit

• welcome to try out, star and fork


“if image becomes non-standard”

• e.g. the Docker image somehow becomes Docker-specific

• Don’t worry, kubelet.imageManager is moving to be runtime-specific

• but then k8s will probably choose

• NO DEFAULT runtime


Full Topology

Diagram: every Node runs a Neutron L2 Agent and the Cinder Plugin and hosts tenant Pods; the API server holds Object: Network, Object: Pod, Object: …; tenants come from KeyStone.


Summary

• A new way to build secure and multi-tenant Kubernetes

• Kubernetes + HyperContainer + Neutron Plugin + Cinder Plugin + Keystone

• Roadmap

• Graduate HyperContainer runtime on k8s upstream

• Neutron CNI plugin

• Project URL:

• Tip: is totally built on Hypernetes, try it out :)


END

Lei (Harry) Zhang
