bringing security and multi tenancy to kubernetes
play

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) - PowerPoint PPT Presentation

Sep 12, 2022 •201 likes •609 views

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP Previous: VMware, Baidu Feature Maintainer of Kubernetes HyperCrew: https://hyper.sh/

  1. Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang

  2. About Me • Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP • Previous: VMware, Baidu • • Feature Maintainer of Kubernetes • HyperCrew: https://hyper.sh/ Publication: Docker & Kubernetes Under the Hood • • Phd Candidate #Large-scale cluster scheduling and management

  3. A survey about “boundary” • Are you comfortable with Linux containers as an effective boundary? • Yes , I use containers in my private/safe environment • No , I use containers to serve the public cloud

  4. As long as we care security… • We have to wrap containers inside full-blown virtual machines • But we lose cloud-native deployment reality • Slow startup time • Huge resources wasting dream • Memory tax for every container • …

  5. namespace cgroups Revisit container /bin /dev /etc /home /lib / lib64 /media /mnt /opt /proc / root /run /sbin /sys /tmp / read-write layer usr /var /data /temp.txt • Container Runtime “echo hello” init layer Read-Write Layer & /data • The dynamic view and boundary of your running process /etc/hosts /etc/hostname /etc/resolv.conf json CMD [“echo hello"] json read-only layer • Container Image t x VOLUME /data t . p m e t • The static view of your program, data, / ADD temp.txt / dependencies, files and directories FROM busybox FROM busybox ADD temp.txt / VOLUME /data CMD [“echo hello"] Docker Container

  6. HyperContainer Secure Kubernetes from runtime level

  7. HyperContainer • Container Runtime • RunV https://github.com/hyperhq/runv • A OCI compatible hypervisor based runtime implementation • • Control daemon https://github.com/hyperhq/hyperd • • Container Image • Docker Image Spec

  8. Combine the best parts • Portable and behaves like a Linux container • $ hyperctl run -t busybox echo helloworld • sub-second startup time*, ~12MB memory cost • Fully isolated sandbox with an independent guest kernel • $ hyperctl exec -t busybox uname -r 4.4.12-hyper (or your provided kernel) • • security, backward compatibility, maturity See: http://hypercontainer.io/why-hyper.html

  9. HyperContainer is a Pod • That’s how HyperContainer fits into the Kubernetes philosophy • Wait, why Pod is so important?

  10. Pod: lesson learned from Borg • Should sample.war be packaged with Tomcat ?

  11. Pod: lesson learned from Borg • InitContainers: one or more containers started in sequence before the pod's normal containers are started. • Share volumes, perform network operations, and perform computation prior to the app containers.

  12. So, Pod is • The group of super-affinity containers Pod • The atomic scheduling unit log app • The process group in container cloud • Do right things infra container init container • without modifying your container image • Kubernetes = Spring Framework volume • Pod = IoC

  13. Pod is not easy to simulate • log super affinity app • Requirement: app : 1G, log : 0.5G • • Available: Node_A : 1.25G, Node_B : 2G • • What happens if app scheduled to Node_A ?

  14. HyperContainer is a Pod • Linux container based runtimes • wraps and encapsulates several app containers into a logical group • Hypervisor container based runtime • hypervisor serves as a natural boundary of Pod

  15. HyperContainer is a Pod • Container Runtime Interface • create sandbox Foo --> create container C --> start container C • stop container C --> remove container C --> delete sandbox Foo • Sandbox • Normally: the infra container • HyperContainer: hypervisor with HyperKernel • a HyperStart process as PID 1 • setup mnt namespace, launch apps from the images etc •

  16. Hypernetes Kubernetes with HyperContainer Runtime

  17. Hypernetes • Also: h8s • Kubernetes + HyperContainer runtime • officially supported by using kubernetes / frakti • Multi-tenant network and persistent volumes • battle tested Neutron + Cinder plugin

  18. Multi-tenant Network • Goal: • leveraging tenant-aware neutron network for Kubernetes • following the network plugin workflow • Non-goal: • break k8s network model or hack k8s code

  19. Define the Network • Network • a top class api object • each tenant (created by Keystone) has its own Network • Network mapping to Neutron “net” • a Network Controller is responsible to manage Network lifecycle

  20. Example proxy network pod Call Neutron to replica Desired World kubelet create/delete namespace Real World SyncLoop network service job deployment volume petset controller-manager … ControlLoop proxy etcd api-server kubelet scheduler SyncLoop

  21. Kubernetes Network Model • Container reach container • all containers can communicate with all other containers without NAT • Node reach container • all nodes can communicate with all containers (and vice-versa) without NAT • IP addressing • Pod in cluster can be addressed by its IP

  22. How h8s fits that? • Network can be assigned to one or more Namespaces • Pods belonging to the same Network can reach each other directly through IP • a Pod’s network mapping to Neutron “port” • kubelet network plugin is responsible for Pod network setup

  23. Example proxy kubelet SyncLoop 1 Pod created scheduler proxy etcd api-server kubelet SyncLoop

  24. Example proxy kubelet SyncLoop 2 Pod object added scheduler proxy etcd api-server kubelet SyncLoop

  25. Example proxy kubelet SyncLoop 3.1 New pod object detected 3.2 Bind pod with node scheduler proxy etcd api-server kubelet SyncLoop

  26. Example proxy kubelet SyncLoop scheduler proxy etcd api-server kubelet SyncLoop 4.1 Detected pod bind with me 4.2 Start containers in pod

  27. Design of kubelet Choose Runtime � docker, rkt, hyper/remote � NodeStatus Network Status status Manager PLEG InitNetworkPlugin InitNetworkPlugin volume SyncLoop Manager image Manager Pod Update Worker (e.g.ADD) • generale Pod status • check volume status (talk later) PodUpdate • call runtime to start containers HandlePods • set up Pod network (see next slide) { Add, Update, Remove, Delete, … }

  28. Set Up Pod Network

  29. kubestack A standalone gRPC daemon 1. to “translate” the SetUpPod request to the Neutron network API 2. handling multi-tenant Service proxy

  30. OnServiceUpdate Service $ iptables-save | grep my-service -A KUBE-SERVICES -d 10.0.0.116/32 -p tcp -m comment --comment "default/my-service: cluster IP" -m tcp --dport 8001 -j KUBE-SVC-KEAUNL7HVWWSEZA6 -A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-6XXFWO3KTRMPKCHZ -A KUBE-SVC-KEAUNL7HVWWSEZA6 -m comment --comment "default/my-service:" --mode random -j KUBE-SEP-57KPRZ3JQVENLNBRZ OnEndpointsUpdate -A KUBE-SEP-6XXFWO3KTRMPKCHZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.2:80 -A KUBE-SEP-57KPRZ3JQVENLNBRZ -p tcp -m comment --comment "default/my-service:" -m tcp -j DNAT --to-destination 172.17.0.3:80 portal 10.10.0.116:8001 backend rule_1 172.17.0.2.:80 random mode rules backend rule_2 172.17.0.3.:80

  31. Multi-tenant Service • Default iptables-based kube-proxy is not tenant aware • Endpoint Pods and Nodes with iptables rules are isolated into different networks • Hypernetes uses a built-in HAproxy as the Service portal • to proxy all Service instances within same namespace • the same OnServiceUpdate and OnEndpointsUpdate process • ExternalProvider • a OpenStack LB will be created as Service • e.g. curl 58.215.33.98:8078

  32. Kubernetes Persistent Volume • Get mountedVolume from actualStateOfWorld • Unmount volumes in mountedVolume but not in desiredStateOfWorld Host mount • AttachVolume() if vol in desiredStateOfWorld and not attached • MountVolume() if vol in desiredStateOfWorld and not Pod Pod in mountedVolume mountPath mountPath • Verify devices that should be detached/unmounted are detached/unmounted attach path Volume • Tips: desired Manager World Cinder volume plugin 1. -v host:path 2. attach VS mount 3. Totally independent from container reconcile management

  33. Persistent Volume with HyperContainer Host • Enhanced Cinder volume plugin • Linux container: Pod Pod mountPath mountPath 1. full OpenStack cluster 2. query Nova to find node vol vol attach 3. attach Cinder volume to host path Enhanced 4. bind mount host path to Pod containers Cinder volume plugin • HyperContainer : Volume desired • directly attach block devices to Pod Manager World • thanks to the hypervisor based Pod boundary • eliminates extra time to query Nova reconcile

  34. PV Example • Create a Cinder volume • Claim volume by reference its volumeID

  35. Container Runtime Interface

  36. Future of CRI • Keep Docker as the only one default container runtime • ocid, rktlet, hyperd • Frakti: the Remote Container Runtime Kit • https://github.com/kubernetes/frakti • welcome to tryout, star and fork

  37. “if image becomes non-standard” • e.g. Docker image becomes somehow Docker specific • Don’t worry, kubelet . imageManager is moving to runtime specific • but then k8s will probably choose • NO DEFAULT runtime

Recommend

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

962 views • 58 slides
Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security

Architectural Principles for Secure Multi-Tenancy John Linn, Office of the CTO, RSA, The Security Division of EMC John Field, Office of the CTO, EMC Also adapting prior content by Burt Kaliski DIMACS Workshop in Systems and Networking Advances

508 views • 18 slides
Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore?

Multi-Tenancy & Isolation Bogdan Munteanu - Dropbox Overview What is Edgestore? Workloads & API Multi-tenancy & Isolation Lessons Learned What is Edgestore Distributed Metadata Store built on top of MySQL

406 views • 36 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect VINCIT Working for ari-pekka.viitanen@vincit.com @apviitanen CASE BXX STACK DATA PERSISTENCE AND MULTI-TENANCY SINGLE TENANCY MULTI-TENANCY -

522 views • 28 slides
Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing

Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing

Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing Diversity to Computing Monoculture Current computing monoculture leaves our infrastructure vulnerable to massive and rapid attacks. Knowing

1.25k views • 112 slides
Armada Kubernetes multi-cluster batch scheduler 1 / 12 Introduction G-Research - Compute

Armada Kubernetes multi-cluster batch scheduler 1 / 12 Introduction G-Research - Compute

Armada Kubernetes multi-cluster batch scheduler 1 / 12 Introduction G-Research - Compute Platform Engineering Team We build tools around HTCondor clusters and Kubernetes clusters 2 / 12 Agenda 1. Project requirements 2. Current options 3.

732 views • 12 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1

Towards a European Role in Tenancy Law and Housing Policy Christoph U. Schmid, ZERP, Bremen 1 TENLAW - Tenancy Law and Housing Policy in Multi-level Europe State of the field I Comparative dimension: Crisis has increased the number of

442 views • 16 slides
PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum

PLATFORM AS A SERVICE MULTI TENANCY AND OPEN STANDARDS Peter Chittum @pchittum salesforce.com Platform as a Service Multi Tenancy and Open Standards Peter Chittum Developer Evangelist @pchittum Safe Harbor Safe harbor statement

545 views • 39 slides
Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale

Paradrop: Enabling Lightweight Multi-tenancy at the Networks Extreme Edge Peng Liu, Dale Willis, Suman Banerjee University of Wisconsin-Madison 2016 IEEE/ACM Symposium on Edge Computing Presented by Allen Leis and Patrick Jennings Agenda

509 views • 40 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and delivery Brenton Scott Witonski <>< , Acxiom Brandon Spruth, Target Lucas von Stockhausen, Fortify #MicroFocusCyberSummit WHY ARE YOU

711 views • 44 slides
A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram

A Multi-Tenancy Cloud-Native Digital Library Platform Yinlin Chen, Jim Tuttle, William A. Ingram {ylchen, jim.tuttle, waingram}@vt.edu Information Technologies and Services Virginia Tech Libraries Agenda Cloud-native concept Virginia

413 views • 20 slides
Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source platform designed to automate deploying , scaling , and operating application containers . Kubernetes v1.0 was released in 2015. It utilizes

916 views • 52 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
Multi-Cloud Federated Kubernetes at CERN Clenimar Filemon @clenimar clenimar@lsd.ufcg.edu.br

Multi-Cloud Federated Kubernetes at CERN Clenimar Filemon @clenimar clenimar@lsd.ufcg.edu.br

Multi-Cloud Federated Kubernetes at CERN Clenimar Filemon @clenimar clenimar@lsd.ufcg.edu.br Ricardo Rocha @ahcorporto ricardo.rocha@cern.ch Fundamental Science Founded in 1954 What is 96% of the universe made of? What was the state of matter

665 views • 25 slides
Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Easy multi-tenant Kubernetes RWX storage with Cloud Provider OpenStack and Manila CSI Tom Barron

Easy multi-tenant Kubernetes RWX storage with Cloud Provider OpenStack and Manila CSI Tom Barron

Easy multi-tenant Kubernetes RWX storage with Cloud Provider OpenStack and Manila CSI Tom Barron tbarron@redhat.com Victoria Martinez de la Cruz victoria@redhat.com WHAT ARE WE GOING TO SEE TODAY Game plan What is Manila CSI? Why RWX

1.36k views • 21 slides
Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist -

Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist -

Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Introducing Rob... Rob Richardson

602 views • 31 slides
From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang Developer Advocate Google Cloud Platform @saturnism | +RayTsang @saturnism @googlecloud #kubernetes Ray Tsang Developer Architect Traveler

1.29k views • 65 slides
Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes & Cloud Native Meetups in Jakarta and Bandung https://www.meetup.com/jakarta-kubernetes/ https://www.meetup.com/Microservice-JKT/ You can find

709 views • 47 slides

More recommend