Group-based Policy for Networking
Transcript
OpenStack Neutron Group-based Policy (GBP)
GBP Team, Sept 18th 2014
Agenda
o Introductions - GBP Team
o Motivation for GBP
o Solution, Demo
o Next Steps
Introductions
o Group-based Policy Neutron sub-team
o 13 code contributors + review participants
o Work Started in Havana (Oct 2013)
o Weekly IRC meeting
o Wiki page:
https://wiki.openstack.org/wiki/Neutron/GroupPolicy
Motivation
o Simplification of workflow
o Capture user intent
o Separation of concerns
o Consistency of deployment
o Scalable deployment and operations
o Policy-driven automation
o Declarative abstractions
o Reusable constructs
Use case
a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development. When deployed for production, it needs
● solid-state storage for the DB tier
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
● no VM in the DB tier can be deployed on the same hypervisor as another VM in the DB tier; same for the web tier
b) Cloud operator.
● Applications deployed for production must have access to the internet.
● Applications deployed for production must not be deployed in the DMZ cluster.
● Applications deployed for production should scale based on load.
● Applications deployed for development should have 1 VM instance per tier.
● Every application must use VM images signed by an administrator.
c) Compliance officer
● No VM from a PCI app may be located on the same hypervisor as a VM from a non-PCI app.
Use case (connectivity constraints)
a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development.
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
b) Cloud operator.
● Applications deployed for production must have access to the internet.
Use case (connectivity constraints)
[Diagram: Groups, Policy Rule, Policy Rule, Policy Rules Set]
a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development. When deployed for production, it needs
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
b) Cloud operator.
● Applications deployed for production must have access to the internet.
● All traffic from internet must be inspected by IDS.
Use case (connectivity constraints)
[Diagram: Policy Tags, Service Chain]
Group-based Policy
[Diagram: Groups, Policy Rules Set, Policy Rule, Policy Tags, Service Chain]
Connectivity between Groups is defined by a Policy Rules Set
Introduce constraints with Policy Tags
A Policy Rules Set is a collection of Policy Rules
Redirection
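A toy model of the abstractions named on these slides (Groups, Policy Rules, a Policy Rules Set, and Redirection into a Service Chain), added here as an example and not code from the GBP project. It assumes a provider/consumer relation between Groups and a Policy Rules Set (an assumption about the model, not stated on the slides) and evaluates the connectivity constraints of the 2-tier PCI use case: only tcp/80 reaches the web tier and is redirected through the IDS chain, and only the web tier reaches the DB tier.

```python
"""Toy Group-based Policy evaluator (added example; not the GBP project's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class PolicyRule:
    """A classifier (protocol/port) plus an action: 'allow' or 'redirect' to a service chain."""
    protocol: str                         # 'tcp', 'udp' or 'any'
    port: Optional[int]                   # None matches any port
    action: str = "allow"
    service_chain: Optional[str] = None   # chain name used when action == 'redirect'

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol in ("any", protocol) and self.port in (None, port)


@dataclass
class PolicyRuleSet:
    """A Policy Rules Set is a collection of Policy Rules."""
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Group:
    """Assumed model: a Group provides rule sets to consumers and consumes rule sets of providers."""
    name: str
    provides: set = field(default_factory=set)
    consumes: set = field(default_factory=set)


def evaluate(src: Group, dst: Group, rule_sets: dict, protocol: str, port: int) -> str:
    """Return 'deny', 'allow' or 'redirect:<chain>' for a flow src -> dst.
    A flow is permitted only if some rule set provided by dst and consumed by src
    contains a matching rule; anything not covered by a rule is denied (default closed)."""
    for name in dst.provides & src.consumes:
        for rule in rule_sets[name].rules:
            if rule.matches(protocol, port):
                return f"redirect:{rule.service_chain}" if rule.action == "redirect" else "allow"
    return "deny"


# Constructed sample data for the 2-tier PCI app on the slides.
RULE_SETS = {
    "web-frontend": PolicyRuleSet("web-frontend", [PolicyRule("tcp", 80, "redirect", "ids-chain")]),
    "db-access": PolicyRuleSet("db-access", [PolicyRule("tcp", 3306)]),
}
INTERNET = Group("internet", consumes={"web-frontend"})
WEB = Group("web-tier", provides={"web-frontend"}, consumes={"db-access"})
DB = Group("db-tier", provides={"db-access"})


def demo() -> dict:
    """Evaluate the flows the use case constrains."""
    return {
        "internet->web:80": evaluate(INTERNET, WEB, RULE_SETS, "tcp", 80),
        "internet->web:22": evaluate(INTERNET, WEB, RULE_SETS, "tcp", 22),
        "web->db:3306": evaluate(WEB, DB, RULE_SETS, "tcp", 3306),
        "internet->db:3306": evaluate(INTERNET, DB, RULE_SETS, "tcp", 3306),
    }
```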
Demo
Policy framework
[Diagram: Business Governance Policy; Infrastructure Policy; Compute, Network, Storage]
Next steps
o GBP with Juno
o Get community feedback
o Identify synergies with other teams/components
Thank You!
Backup
* → [0..n]
Mapping to Neutron
Neutron existing non-policy constructs