Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]
Feb 20, 2017
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
![Page 1: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/1.jpg)
![Page 2: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/2.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
▪ Network Architecture Redux
▪ State of the Ecosystem
▪ Security and Policy
▪ Looking Forward
Topics
![Page 3: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/3.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
▪ Network Architecture Redux▪ Lessons learned from decades of Internetwork deployment experience
▪ State of the Ecosystem▪ Abstractions & Architectures: Understand tradeoffs.
▪ Security and Policy▪ Enable app isolation with labels and policy automation
▪ Looking Forward▪ Facilitate planning for new capabilities
Why Should -You- Care?
![Page 4: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/4.jpg)
Network Architecture & Design
![Page 5: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/5.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Server
Simple enterprise network
Server Server Server
Physical Network
![Page 6: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/6.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Server
We should probably have some kind of security...
Server Server Server
Physical Network Physical Network
PhysicalFirewall
![Page 7: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/7.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
VM
Then came virtualization...
VM VM VM
Tier 1 Overlay Tier 2 Overlay
Physical / Cloud Network
VirtualFirewall
![Page 8: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/8.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
VM
Then came containers...
VM VM
Tier 1 Overlay
VM
Tier 2 Overlay
Physical / Cloud Network
VirtualFirewall
Blue Overlay
Yellow Overlay Blue Overlay
Green Overlay
![Page 9: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/9.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Scale & Churn
Thousands of instancesLow churn
Millions of containersHigh churn
![Page 10: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/10.jpg)
10© 2016 Tigera, Inc. | Proprietary and Confidential
https://upload.wikimedia.org/wikipedia/commons/1/1b/MSC_Oscar_(ship,_2014)_002.jpg
http://theunholycow.com/wp-content/uploads/2014/03/delivery-man.jpg
“In networking,...
… there is no substitute for thinking”
![Page 11: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/11.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Common Considerations
Interconnectivity: Overlay vs. Native
Address Space: Admin-assigned vs. Overlapping/BYOA
Visibility: Private vs. DC-wide vs. Filtered
Network State: Centralized vs. Distributed
Network Abstraction: L2 (Ethernet) vs. L3 (IP)
![Page 12: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/12.jpg)
State of the Ecosystem
![Page 13: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/13.jpg)
13© 2016 Tigera, Inc. | Proprietary and Confidential
Container Networking Model (CNM)
Orchestrators
Drivers /Plugins
Bridge Overlay KuryrCalico
macvlan
Evolution to Alternative Network Abstractions
Source: https://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture:_Designing_Scalable,_Portable_Docker_Container_Networks
![Page 14: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/14.jpg)
14© 2016 Tigera, Inc. | Proprietary and Confidential
Container Networking Model (CNM)
Container Networking Interface (CNI)
Orchestrators
Drivers /Plugins
Bridge Overlay KuryrCalico
macvlanKuryr
Calico
Alternative Container Networking Abstractions
Source: https://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture:_Designing_Scalable,_Portable_Docker_Container_Networks
![Page 15: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/15.jpg)
15© 2016 Tigera, Inc. | Proprietary and Confidential
Mesos Containerizers
Docker Engine
CNI Plugin(e.g.,Calico-CNI )
Mesos-Agent
CNI Libnetwork
CNM Driver(e.g.,libnetwork/Calico)
Docker Containerizer
Mesos Containerizer
![Page 16: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/16.jpg)
16© 2016 Tigera, Inc. | Proprietary and Confidential
Mesos Containerizers - Unified Containerizer
CNI Plugin(e.g.,Calico-CNI )
Mesos-Agent
CNIIsolator
Unified Containerizer
![Page 17: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/17.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Flannel
VXLAN UDP ...
flannelCNI plugin
Orchestrator
Network Fabric
![Page 18: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/18.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Calico
CalicoCNI plugin
BGP IPIP
Policy enforcement
Native
Orchestrator
Network Fabric
![Page 19: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/19.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
IP
Service
Router
Router
Router
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
Conceptual View
![Page 20: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/20.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
IP
Service
Router
Router
Router
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
IP
Service
Container Host Container Host
Calico Conceptual View
![Page 21: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/21.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Calico
Route▪ Get packets from A to B▪ Flat IP or overlay/tunnel
Secure▪ Stop packets getting from A to B
(that shouldn’t, based on developer and operator intent)
▪ Capture suspicious flows
![Page 22: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/22.jpg)
Security and Policy
![Page 23: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/23.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Open By Default
![Page 24: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/24.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Issue With Default Open
![Page 25: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/25.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Namespace A Namespace B
Namespaces
![Page 26: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/26.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Namespace A Namespace B
Namespaces With Default Open
![Page 27: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/27.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Namespace A Namespace B
Namespaces With Labels and Policy
![Page 28: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/28.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
~DEMO~
![Page 29: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/29.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
Demo example: nginx policy
kind: NetworkPolicyapiVersion: extensions/v1beta1metadata: name: access-nginx namespace: policy-demospec: podSelector: matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: run: access
Metadata
Rich selector for pods to apply to
Fine-grained rules
![Page 30: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/30.jpg)
30© 2016 Tigera, Inc. | Proprietary and Confidential
CalicoCNI plugin
BGP IPIP
Policy enforcement
Native
flannelCNI plugin
VXLAN UDP ...
Canal: Calico Policy Enforcement with Flannel Networking
![Page 31: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/31.jpg)
Looking Forward
![Page 32: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/32.jpg)
@projectcalico Copyright © 2016 Tigera, Inc. | Proprietary and Confidential
- Egress Policy & Filtering- Tracing & Troubleshooting- Federation- Service Routing / Cluster-IP’s- Policy API’s for Docker & Mesos- Application Authentication
Future Plans & Ongoing Initiatives
![Page 33: Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2016]](https://reader042.cupdf.com/reader042/viewer/2022021813/58ab128b1a28ab70038b602b/html5/page/33.jpg)
github.com/projectcalico
@projectcalico
slack.projectcalico.org
We’re Hiring!
http://www.projectcalico.org/
Related Documents
