Barcelona, Spain
October 25-28, 2016

Event Details

Please note: All times listed below are in local Barcelona time (Central European Summer Time, UTC+2); the UTC equivalent is given alongside.


Bringing L7 Security to Kubernetes with OpenStack Kuryr

We demo a solution for bringing L7 security to Kubernetes (K8s). OpenStack Kuryr's new K8s components enable the placement of Pods on Neutron-managed networks, which in turn lets Neutron's service chaining redirect traffic to security Pods for inspection.

The Neutron topology is inferred by Kuryr's K8s API Watcher from standard K8s models. We are proposing a small extension to K8s' new Network Policy template to map workloads to externally defined and named security policies.

Our design leverages Kuryr's new CNI driver and API Watcher "Raven", the MidoNet Neutron plugin, the Forcepoint containerized Next Generation Firewall (NGFW) and Intel Open Security Controller (OSC) as the service orchestrator. In our demo:

1) An admin defines a DPI policy for traffic between Pods, with the Pods matched by label keys and values

2) OSC deploys a preconfigured containerized NGFW

3) OSC calls Neutron APIs to redirect the matching packets into the NGFW

4) Layer 7 attacks in the redirected traffic are then blocked by the NGFW


What can I expect to learn?

Attendees will learn about the challenges of orchestrating L7 security policies for containerized applications and about the solutions now available to address them. They will also learn how a network security appliance can be containerized, and what the design and operational considerations for doing so are.

Container Orchestrator Engines (COEs) have recently started to address network isolation and micro-segmentation issues by introducing ways to express these concepts natively and naturally in their configuration languages.

Kubernetes' new Network Policy template is an excellent example. The K8s community introduced the ability to express Ingress rules that match Layer 3 and Layer 4 packet headers on traffic between arbitrary sets of Pods (selected by keys/values in K8s' labeling system). The community is poised to further extend Network Policy in future releases to express Egress rules and QoS requirements, but L7 security is still entirely lacking: a policy can say which Pods may talk to which ports, but nothing about the content of the request.
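As an added example (not part of the talk or of the Kuryr/MidoNet/OSC code it describes), the following NetworkPolicy objects show exactly what the L3/L4 model above can and cannot express. The first makes every Pod in the namespace deny all ingress by default; the second then admits only TCP/8080 from Pods labelled role=frontend or from one address range. The namespace, labels, ports and CIDRs are assumed values for illustration. Note that nothing in the spec can refer to an HTTP method, a URL or a request body, which is the gap the L7 redirection to an NGFW is meant to fill; the label-to-named-policy extension the speakers propose is not specified on this page and is therefore not shown.

```yaml
# Added example, not from the original session page.
# Namespace, labels, ports and CIDRs below are assumed for illustration.
---
# 1) Default deny: an empty podSelector matches every Pod in the namespace,
#    and listing Ingress in policyTypes with no ingress rules admits nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop              # assumed namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2) Allow-list for the Pods labelled app=api. Once a Pod is selected by any
#    policy, only traffic matching some policy's ingress rule is admitted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  # Target workloads are chosen by label key/value, as the text describes.
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Layer 3 source match: Pods carrying role=frontend in this namespace...
    - podSelector:
        matchLabels:
          role: frontend
    # ...or this address range (assumed monitoring network), minus one subnet.
    - ipBlock:
        cidr: 10.40.0.0/16
        except:
        - 10.40.7.0/24
    # Layer 4 match: TCP to port 8080 only. There is no field here for
    # "GET /healthz only" or "drop requests containing SQL injection";
    # that inspection has to happen in the NGFW the traffic is redirected to.
    ports:
    - protocol: TCP
      port: 8080
```

Apply both objects with `kubectl apply -f`, then test from a Pod without the role=frontend label: the TCP connection to port 8080 will be refused by the CNI plugin's enforcement, while a labelled frontend Pod connects normally. Whether a malicious HTTP request from that frontend Pod is blocked depends entirely on what sits in the path after the L4 decision.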


Thursday, October 27, 9:50am-10:30am (7:50am - 8:30am UTC)
Difficulty Level: Intermediate
Intel Corp.
Manish Dave is a Platform Architect working in Intel's Datacenter Platform Security Division. He has over 20 years of broad experience in networking and security. In his previous role as an Intel IT Principal Engineer he was responsible for the network security architecture of Intel IT's datacenters, which host hundreds of applications on several thousand servers. Manish is very interested...
Midokura
I like to think I am a Software Engineer. I landed in Midokura a year and a half ago from another OpenStack-focused Spanish company, and I've been pinging Virtual Machines for seven years. I've played QA, Developer and DevOps roles. I like crazy, unpredictable start-up environments, open source communities and working with smart people. Previously I've maintained MidoNet's Puppet manifests and...