Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
![Page 1: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/1.jpg)
Securing Microservices in CloudFoundry
Brenden Blanco and Deepa Kalani, Architects, CTO Office - PLUMgrid
![Page 2: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/2.jpg)
Need for Micro Segmentation
§ Movement towards cloud native applications.
§ Elastic nature of applications requires a more agile way of configuring policies.
§ Operators would like to have an intuitive way of defining policies, based on application roles and not IP addresses.
§ Relying on traditional firewall rules will quickly become unmanageable as applications move around.
§ Move towards a whitelist model of policy definition, where one defines acceptable information flow and everything else is blocked.
![Page 3: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/3.jpg)
IPTables to define Endpoint Policy - State Explosion
IPTable Rules:
IP1->IP3, IP1->IP5, IP1->IP7, IP1->IP8, IP3->IP1, IP3->IP5, IP3->IP7, IP3->IP8
IP2->IP4, IP2->IP6, IP2->IP9, IP2->IP10, IP4->IP6, IP4->IP2, IP4->IP9, IP4->IP10
IP5->IP1, IP5->IP3, IP5->IP7, IP5->IP8, IP7->IP1, IP7->IP5, IP7->IP3, IP7->IP8
IP8->IP3, IP8->IP5, IP8->IP7, IP8->IP1
IP9->IP4, IP9->IP6, IP9->IP2, IP9->IP10, IP10->IP2, IP10->IP6, IP10->IP4, IP10->IP9
![Page 4: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/4.jpg)
Group Based Policy - secure, scalable, intent based
Endpoint Groups:
IP1, IP3 -> Green; IP2, IP4 -> Red
IP5, IP7 -> Green; IP6 -> Red
IP8 -> Green; IP9, IP10 -> Red
Policies (the same two rules on each node):
Green->Green
Red->Red
![Page 5: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/5.jpg)
Policy specification for Cloud Foundry Applications
§ Define Endpoints and EPGs (Applications are represented by Groups of Endpoints)
§ Policy is defined in terms of applications.
§ e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow.
§ Envision policy as a graph of application connectivity
Figure: policy graph (23 Groups, 12 Rules) with application nodes A_App, B_APP, C_APP, A_DB, DB_Ext.
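As an added example (not code from the deck, PLUMgrid or IO Visor), the following Python models the point of the last three slides: the ten endpoints and two endpoint groups from the Group Based Policy slide, the whitelist semantics (a flow no rule covers is dropped), and the application-level rules A_APP->A_DB 80 allow and B_APP->A_APP allow. It expands each group rule into the per-address entries an iptables-style whitelist would need, so the state explosion can be counted, and shows that scaling an application out only touches the endpoint-to-group map. The application addresses (10.0.x.y) and the rule/flow representation are constructed for this example and are not IO Visor's API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Endpoint -> endpoint group (EPG), exactly as on the "Group Based Policy" slide.
EPG_OF: Dict[str, str] = {
    "IP1": "Green", "IP3": "Green", "IP5": "Green", "IP7": "Green", "IP8": "Green",
    "IP2": "Red",   "IP4": "Red",   "IP6": "Red",   "IP9": "Red",   "IP10": "Red",
}


@dataclass(frozen=True)
class Rule:
    """One intent-level rule: traffic from src_group to dst_group is allowed.
    port=None means any destination port."""
    src_group: str
    dst_group: str
    port: Optional[int] = None


# The slide's two group policies. The list is a whitelist: anything not matched is dropped.
GROUP_POLICY: List[Rule] = [Rule("Green", "Green"), Rule("Red", "Red")]

# Application-level policy from the Cloud Foundry slide:
#   A_APP->A_DB 80 allow, B_APP->A_APP allow
APP_POLICY: List[Rule] = [Rule("A_APP", "A_DB", 80), Rule("B_APP", "A_APP")]

# Constructed sample assignment of application instances to EPGs (addresses are made up).
APP_EPG: Dict[str, str] = {
    "10.0.1.10": "A_APP", "10.0.1.11": "A_APP",
    "10.0.2.10": "A_DB",
    "10.0.3.10": "B_APP",
}


def allowed(policy: List[Rule], epg_of: Dict[str, str], src: str, dst: str, port: int) -> bool:
    """Whitelist check for a new flow src -> dst:port.

    Endpoints are resolved to their group first, then (src group, dst group, port) is
    matched against the rules. An endpoint that belongs to no group matches nothing,
    so it is denied by default rather than accidentally allowed.
    """
    src_group, dst_group = epg_of.get(src), epg_of.get(dst)
    if src_group is None or dst_group is None:
        return False
    return any(
        r.src_group == src_group and r.dst_group == dst_group
        and (r.port is None or r.port == port)
        for r in policy
    )


def expand_to_address_rules(policy: List[Rule],
                            epg_of: Dict[str, str]) -> Set[Tuple[str, str, Optional[int]]]:
    """Expand group rules into the per-(src address, dst address, port) entries an
    address-based firewall such as iptables would need. This is the state explosion:
    every group rule becomes |src group| x |dst group| address rules."""
    expanded = set()
    for r in policy:
        srcs = [ep for ep, g in epg_of.items() if g == r.src_group]
        dsts = [ep for ep, g in epg_of.items() if g == r.dst_group]
        for s in srcs:
            for d in dsts:
                if s != d:  # an endpoint talking to itself needs no rule
                    expanded.add((s, d, r.port))
    return expanded


def scale_out(epg_of: Dict[str, str], new_endpoint: str, group: str) -> Dict[str, str]:
    """Add one more instance of an application: only the endpoint->group map changes;
    the intent-level policy list is untouched."""
    updated = dict(epg_of)
    updated[new_endpoint] = group
    return updated


if __name__ == "__main__":
    print("group rules:", len(GROUP_POLICY),
          "-> address rules:", len(expand_to_address_rules(GROUP_POLICY, EPG_OF)))
    print("IP1 -> IP3 :443 allowed:", allowed(GROUP_POLICY, EPG_OF, "IP1", "IP3", 443))
    print("IP1 -> IP2 :443 allowed:", allowed(GROUP_POLICY, EPG_OF, "IP1", "IP2", 443))
    before = len(expand_to_address_rules(APP_POLICY, APP_EPG))
    grown = scale_out(APP_EPG, "10.0.1.12", "A_APP")
    after = len(expand_to_address_rules(APP_POLICY, grown))
    print("address rules before/after one more A_APP instance:", before, after,
          "| group rules unchanged:", len(APP_POLICY))
```

Two of the slides' ten endpoints and two group rules expand to 40 address rules, and every new application instance adds further address rules while the group policy stays at the same length. The evaluator is deliberately per-flow and stateless; an enforcement point on the policy boundary also needs connection tracking so that the reply half of an allowed A_APP->A_DB request is not dropped by the same whitelist.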
![Page 6: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/6.jpg)
www.iovisor.org
IO Module, user's perspective
IO Module:
• Management interface - REST API - CLI / config file
• Interfaces - Interface Type (Net, Tracing, Storage, …)
• Something runs in kernel
• Something runs in userspace
• Controllers live up here
IO Modules Catalog: Search for IO Mod, Download IO Mod
Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules
![Page 7: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/7.jpg)
IO Module, developer's perspective
IO Modules Catalog: Publish new Modules
Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules
Users interact with the Module with:
• Management interface - REST API - CLI / config file
• Interfaces - Interface Type (Net, Tracing, Storage, …)
IO Module:
• Userspace helper IO Module / Control Plane (userspace)
• IO Module Data Plane (kernel)
IO Module developer: builds the IO Module with the IO Visor SDK (Clang / P4; Python, C, C++, Go, JS…)
![Page 8: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/8.jpg)
IO Module, graph composition
• IO Visor Manager
• Kernel attachment points
• Kernel space / Userspace
• Open repo of "IO Modules"
• Kernel code: extending Linux Kernel capabilities
• APIs to Controllers
• Metadata
![Page 9: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/9.jpg)
Composing IO Modules
![Page 10: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/10.jpg)
Policy Plugin with IO Visor
Figure: Overlay - VXLAN. Two hosts, Garden/0 - 10.244.18.2 and Garden/1 - 10.244.18.3 (subnets 192.168.0.0/16 and 192.168.1.0/16 shown), each with a Linux Bridge, a Vxlan Dev and three containers (C C C), with the policy boundary marked on each host.
![Page 11: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/11.jpg)
Thank You! www.iovisor.org
![Page 12: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/12.jpg)
Backup Slides
![Page 13: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/13.jpg)
Introducing IO Visor Project
• Future of Linux Kernel IO for software defined services
• Led by initial contributions from PLUMgrid (Upstreamed since Kernel 3.16)
• Evolution of Kernel BPF & eBPF (Berkeley Packet Filter)
"IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collaboration is critically important as virtualization is putting more demands on flexibility, performance and security. Open source software and collaborative development are the ingredients for addressing massive change in any industry. IO Visor will provide the essential framework for this work on Linux virtualization and networking."
Jim Zemlin, Executive Director, The Linux Foundation.
![Page 14: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/14.jpg)
IO Visor Project: What?
1. Programmable Data Plane
• A programmable data plane and development tools to simplify the creation of new infrastructure ideas
2. Open Source & Community
• An open source project and a community of developers
• Enables a new way to Innovate, Develop and Share IO and Networking functions
3. Repository of "IO Modules"
• A place to share / standardize new ideas in the form of "IO Modules"
![Page 15: Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]](https://reader034.vdocuments.us/reader034/viewer/2022051709/586e8c2d1a28aba0038b836d/html5/thumbnails/15.jpg)
IO Visor Project Use Cases Example: Networking
§ IO Visor is used to build a fully distributed virtual network across multiple compute nodes
§ All data plane components are inserted dynamically in the kernel
§ No usage of virtual/physical appliances needed
§ Example here https://github.com/iovisor/bcc/tree/master/examples/distributed_bridge
Figure: Virtual/Physical Appliances vs. Virtual Network Topology in Kernel Space.