Group-based Policy for Networking


Upload: sumit-naiksatam

Post on 20-Jun-2015


TRANSCRIPT

Page 1: Group-based Policy for Networking

OpenStack Neutron Group-based Policy (GBP)

GBP Team, Sept 18th 2014

Page 2

Agenda

o Introductions - GBP Team

o Motivation for GBP

o Solution, Demo

o Next Steps

Page 3

Introductions

o Group-based Policy Neutron sub-team

o 13 code contributors + review participants

o Work Started in Havana (Oct 2013)

o Weekly IRC meeting

o Wiki page:

https://wiki.openstack.org/wiki/Neutron/GroupPolicy

Page 4

Motivation

o Simplification of workflow

o Capture user intent

o Separation of concerns

o Consistency of deployment

o Scalable deployment and operations

o Policy-driven automation

o Declarative abstractions

o Reusable constructs

Page 5

Use case

a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development. When deployed for production, it needs

● solid-state storage for the DB tier
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
● no VM in the DB tier can be deployed on the same hypervisor as another VM in the DB tier; same for the web tier

b) Cloud operator.

● Applications deployed for production must have access to the internet.
● Applications deployed for production must not be deployed in the DMZ cluster.
● Applications deployed for production should scale based on load.
● Applications deployed for development should have 1 VM instance per tier.
● Every application must use VM images signed by an administrator

c) Compliance officer

● No VM from a PCI app may be located on the same hypervisor as a VM from a non-PCI app.

Page 6

Use case (connectivity constraints)

a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development.

● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier

b) Cloud operator.

● Applications deployed for production must have access to the internet.

Page 7

Use case (connectivity constraints)

(Diagram labels: Groups, Policy Rule, Policy Rule, Policy Rules Set)

a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development. When deployed for production, it needs

● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier

Page 8

Use case (connectivity constraints)

b) Cloud operator.

● Applications deployed for production must have access to the internet.
● All traffic from internet must be inspected by IDS.

(Diagram labels: Policy Tags, Service Chain)

Page 9

Group-based Policy

(Diagram labels: Groups, Policy Rules Set, Policy Rule, Policy Tags, Service Chain)

Connectivity between Groups is defined by Policy Rules Set

Introduce constraints with Policy Tags

Policy Rules Set is a collection of Policy Rules

Redirection
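The slides name the building blocks (Groups, Policy Rules, Policy Rules Sets, Service Chains, redirection) without showing how they combine. The following is an added illustrative model written for this transcript, not code from the GBP project: a group is reachable only through a Policy Rules Set it provides and the caller's group consumes, and a rule's action is either "allow" or "redirect" through a service chain. The DB port (3306) and the rule set names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Classifier:  # traffic selector for a Policy Rule
    protocol: str
    port: Optional[int] = None  # None matches any destination port

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol == protocol and self.port in (None, port)

@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    action: str                 # "allow" or "redirect"
    service_chain: tuple = ()   # nodes traffic is steered through when redirected

@dataclass
class PolicyRuleSet:
    name: str
    rules: list                 # collection of PolicyRule, evaluated in order

@dataclass
class Group:
    name: str
    provided: set = field(default_factory=set)   # rule set names this group provides
    consumed: set = field(default_factory=set)   # rule set names this group consumes

def evaluate(src: Group, dst: Group, rule_sets: dict, protocol: str, port: int):
    """Connectivity exists only through a Policy Rules Set that dst provides and src
    consumes; the first matching rule decides, anything unmatched is dropped."""
    for name in sorted(dst.provided & src.consumed):
        for rule in rule_sets[name].rules:
            if rule.classifier.matches(protocol, port):
                return rule.action, rule.service_chain
    return "drop", ()

def build_use_case():
    """The 2-tier PCI app from the slides (DB port 3306 is an assumption)."""
    rule_sets = {
        "web-access": PolicyRuleSet("web-access", [
            PolicyRule(Classifier("tcp", 80), "redirect", ("IDS",))]),  # inspect inbound
        "db-access": PolicyRuleSet("db-access", [PolicyRule(Classifier("tcp", 3306), "allow")]),
        "egress": PolicyRuleSet("egress", [PolicyRule(Classifier("tcp"), "allow")]),
    }
    internet = Group("internet", provided={"egress"}, consumed={"web-access"})
    web = Group("web", provided={"web-access"}, consumed={"db-access", "egress"})
    db = Group("db", provided={"db-access"})
    return rule_sets, internet, web, db
```

With this wiring only port 80 reaches the web tier and only the web tier reaches the DB tier, while the DB tier has no path to the internet at all.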

Page 10

Demo

Page 11

Policy framework

(Diagram layers: Business/Governance Policy; Infrastructure Policy; Compute, Network, Storage)

Page 12

Next steps

o GBP with Juno

o Get community feedback

o Identify synergies with other teams/components

Page 13

Thank You!

Page 14

Backup

Page 15

(Diagram legend: * → [0..n])

Mapping to Neutron

Neutron existing non-policy constructs

Sumit Naiksatam
need to rename, but this is backup slide