How not to have a ‘bad time’
securing your micro-services
Or, how to avoid firewall hell
@liljenstolpe | [email protected]
Remember 3-tier architectures?
Getting Medieval
Fast forward to the present
Increased complexity
Resource Fungibility
Tear down the walls?
The opportunity?
PSA: Do not use port mapping
[Diagram: port mapping. Two containers each listen on port 80; the network fabric reaches them through host-side mapped ports 5389 and 4397 (80 <-> 5389, 4397 <-> 80).]
The Distributed Firewall
[Diagram: distributed firewall. A network fabric connects two routing hosts, 10.0.0.1 (fronting workloads 192.168.1.1 and 192.168.1.2) and 10.0.0.2 (fronting workloads 192.168.1.3 and 192.168.1.4).]
Project Calico architecture
[Diagram: Project Calico architecture. Host 10.0.0.2 runs workloads 192.168.1.3 and 192.168.1.4; Felix programs routes and iptables in the kernel, and BGP peering with a route reflector distributes the routes.]
admin-ui.yaml

    kind: NetworkPolicy
    apiVersion: net.alpha.kubernetes.io/v1alpha1
    metadata:                    # Metadata
      namespace: default
      name: allow-ui
    spec:
      podSelector:               # Empty selector applies to all pods
      ingress:
        - from:
            - namespaces:        # Allow from management namespace
                role: management-ui
Network Intent
Thanks for watching
• Main project website: www.projectcalico.org
• https://github.com/Metaswitch/calico
• http://lists.projectcalico.org/listinfo/calico
• Download & try it out
• We welcome your feedback and contributions
• Follow us @projectcalico
• Follow me @liljenstolpe