►
From YouTube: Network Isolation and Security Policies for Kubernetes Bare-meta... Girish Moodalbail & Liel Shoshan
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Network Isolation and Security Policies for Kubernetes Bare-metal Nodes - Girish Moodalbail, NVIDIA & Liel Shoshan, Mellanox
Running Kubernetes at scale in a multi-tenant Cloud requires strong network isolation and flexible stateful security policy enforcement for the bare-metal nodes used for both the tenant K8s clusters as well as in the Cloud control plane. Such isolation and security needs to be implemented in a way that consumes as little host resources as possible, while being immune to potentially malicious host root user. Additionally, the preferred implementation needs to be compatible with a high-performance (offloaded) K8s CNI. This presentation provides an overview of such an implementation for Software Defined (SDN) K8s node networking, based on Open Virtual Network (OVN) and Open vSwitch (OVS)) and offloaded to “bump-in-the-wire” Smart NICs.
https://sched.co/Zetj
A
Hello:
everyone,
my
name,
is
girish
moral
bell.
My
role
at
nvidia
is
to
design
develop
and
manage
sdn
networking
for
gp
accelerated
compute.
The
computer
itself
can
be
virtual
machines,
bare
metal
servers,
kubernetes
pods
and
each
of
them
having
nvidia
gpu
networks
and
gpu
cards
in
them.
I'm
also
upstream
contributor
and
maintainer
for
oven,
kubernetes
cni
project.
I
deal
with
the
ovs
in
in
my
day-to-day
work.
Yeah.
You
want
to
go.
Introduce
yourself.
A
A
So
deployers
have
been
building
kubernetes,
customizing
vms
as
nodes,
and
in
this
model
they
actually
take
an
application
containerize
it
they
run
the
containerized
application
inside
a
part.
The
part
itself
is
running
inside
a
vm
and
the
vm
itself
is
running
on
the
bare
metal
box.
So
there
is
several
layer
of
fencing
if
you
will
and-
and
the
whole
reason
here
is
they
want
to
protect
the
data
center
from
from
application,
which
could
which
can
be
compromised.
A
However,
this
comes
with
a
huge
performance
cost
for
the
application.
A
lot
of
the
hardware
resources
like
the
neck,
the
gpu
has
to
be
virtualized,
and
this
virtualized
thing
has
to
be
passed
down
to
the
vm
and
the
vms.
The
next
pass
down
to
the
container
there's
also
an
hypervisor
hold
it
for
the
application
performance.
A
So
that
need
not,
however,
be
the
case
with
a
help
from
bumping
the
wire
spartnic
and
distributed
sdn
control
plane.
It's
possible
that
we
can
get
both
performance
as
well
as
security
and
isolation,
and
this
kind
of
moves.
The
zone,
the
trust
zone
from
the
hypervisor
onto
the
spartanic
hardware,
and
we're
going
to
explain
how
this
bump
in
the
wire
sparknet
and
the
distributed
sdn
control
plane
enables
achieving
both
performance
at
the
at
and
not
at
the
same
time
losing
security
in
isolation
for
the
bare
metal
nodes.
A
So
so,
where
we
are
going
with
this,
is
that
so
with
the
smart,
nick
and
bom
and
the
distributed
control
plane,
it
is
possible
to
push
all
of
the
axles
and
the
firewall
rules.
If
you
will
to
the
smart
mic
itself,
the
parts
running
on
the
bare
metal
they're,
totally
unaware
of
this
bump
in
the
wire
all
the
kubernetes
network
policies
for
the
pod
are
implemented
on
the
spartnic
and
then
the
accols
for
the
host
itself
is
implemented
on
the
spartanic.
A
A
The
thing
with
avon
is
that
the
whole
data
path
for
r1
can
be
offloaded
with
the
smellinox
nick.
So
obviously,
with
the
offloads
you
get
the
reduce
utilization
and
the
cpu
can
be
used
for
applications
and
and
in
addition,
we
also
get
increased
throughput.
One
can
be
better
explained
with
the
exam.
You
know
with
an
example
and
a
diagram,
and
that's
what
we're
going
to
do
next.
A
So
in
this
diagram
you
have
the
two
things
right.
You
have
a
logical
topology
to
your
left
and
then
you
have-
and
we
have
realized
that
logical
topology
on
the
two
bare
metal
nodes.
So
on
the
logical
topology,
it's
a
very
simple,
logical,
topology,
it's
a
logical
router
with
two
logical
switches
connected
to
it
and
each
logical
switch
has
a
logical
port
attached
to
it.
A
So
logical
router
is
a
l3
entity.
It
provides
routing,
ecmp,
nat,
load,
balancing
policy
based
routing
logical
switcher,
on
the
other
hand,
provides
support
for
icos
support
for
thcp.
It
also
provides
support
for
load,
balancing
and
dns
the
logical
port
captures
the
mac
address
and
ip
address
it
captures
it
it's
where
we
apply
axles
and
then
also
it
provides
anti-spoofing
support.
A
A
A
So
what
we
do
here
is
that
we
associate
this
physical
port
with
a
logical
port
and
that
process
is
called
port
binding,
and
this
is
one
of
the
important
aspects
of
oven.
What
this
port
binding
does.
Is
it
tells
you,
the
physical
location,
of
a
port,
for
a
given
logical
port,
so
with
that
physical
location
known
now,
the
the
oven
control
plane
knows
where
to
send
the
packet
to
for
a
given
part.
A
In
this
example,
when
a
when
pod
zero
wants
to
talk
to
part
one
when
the
packet
arrives
on
the
br
end,
and
this
br
implements
the
oven,
logical,
topology
through
open
flow
tables,
it
already
knows
that
to
send
the
packet
to
part
one,
it
has
to
just
send
it
to
the
node
two's
vtep
ip
address
and
then
using
open
flow
flows.
It
just
forwards
the
packet
to
that
next
hop.
A
So
the
whole
logical
topology
is
realized
on
this
integration
bridge
and
then
the
the
physical
or
the
port
binding
thing
enables
that
end
to
end
connectivity
between
the
between
the
ports.
So
aman
has
a
collection
of
daemons
that
work
together
to
push
this
logical,
topology
information
and
the
physical
location
of
this
ports
to
each
node
and
and
then
each
node's
integration
bridge.
A
So
in
this
slide
we
basically
this
slide.
Basically
talks
about
the
oven
communities
project.
One
kubernetes
is
an
open
source
project,
contributed
or
worked
on
by
the
oven
community,
the
github
url
for
the
same
he's
here,
as
shown
in
the
slide
here,
it
implements
container
networking
spec
it.
Basically,
it's
a
layered
architecture
at
the
higher
layer.
You
have
one
kubernetes
cni
and
which
in
turn
depends
on
the
r1
and
i1
in
turn
depends
on
obs,
so
the
cna
itself
is
implemented
as
a
client,
server
architecture.
A
It's
basically
acquitted
is
watcher
and
it
has
such
several
set
of
parts.
It
kind
of
takes
the
kubernetes
resources
and
then
it
maps
into
open
resources.
For
example,
kubernetes
network
policy
is
mapped
into
our
accounts
communities.
Cluster
services
is
mapped
into
one
load.
Balancer
kubernetes
parts
is
mapped
into
logical
switch
ports
and
kubernetes
node
is
mapped
into
logical
switches,
so
it
watches
on
these
cubities
api
resources
as
and
when
these
api
objects
appear.
A
It
kind
of
translates
us
into
oven
resources,
so
the
oven,
control,
plane
kind
of
acts
on
those
oven,
resources
that
create
that
that
was
created
by
the
one
cni
and
then
converts
that
into
our
logical
flows,
and
these
logical
force
are,
in
turn,
translated
into
ovs
open
flow
rules
on
each
of
the
node
that
forms
the
qubits
cluster.
So
on
the
diagram
to
the
right,
you
see
that
you
kind
of
explain
all
the
components
running
at
various
layers
or
on
the
components
of
various
layers
running
on
various
nodes
in
the
kubernetes
cluster.
A
So
in
here
you
can
see
that
on
the
host
we
had
ovs
bridge
and
the
amount
controller
which
kind
of
was
it
adding
open
flow
flows
into
the
obvious
bridge
and
the
one
cni
come
components
itself
running
on
the
host.
But
when
we
move
to
the
smartening
model,
the
the
entire
sdn
control
plane,
the
distributed
ascent
control
plane
starts
running
on
the
sr
on
on
the
smart
nick
itself.
The
smart
nik
comes
with
the
arm
core.
A
A
So
this
is
this
diagram
kind
of
dives,
deep
into
how
things
look
like
on
the
smart
mic.
So
on
the
smart
nic
itself,
we
have
one
control,
plane,
components
running
which
is
our
controller,
and
we
have
our
obvious
components
running,
which
is
obvious.
We
switch
t
and
obstb
server
and
on
the
one
cni
side
we
have
an
agent
running
which
acts
as
a
kubernetes
watcher,
trying
to
watch
on
certain
kubernetes
resources
and
then
acting
on
those
resources
lifecycle.
A
The
amount
controller
takes
the
logical
flows
from
the
oven
and
then
translates
into
the
open
flow
tables
and
open
flow
flows
and
then
kind
of
creates
the
data
path
for
the
pawn
on
the
bare
metal
host
itself.
We
have
multus
to
orchestrate
multiple
interfaces
into
the
pod
and
we
have
a
very
basic
cni
that
takes
the
next
available
vf
from
the
pf
and
then
provides
it
into
the
pod
itself
for
every
vf
in
the
host
we
have
a
corresponding
representer.
A
We
have
a
corresponding
control
entity
on
the
blue
field
itself.
We
call
it
as
a
representer,
it
represents
the
vf
on
the
host
and
we
add
these
representers
to
the
integration
bridge
and
this
representer
maps
to
the
logical
switch
port
in
the
oven
topology.
So
this
is
the
port
binding
aspect
of
the
oven
functionality.
A
So
when
a
representative04
gets
added
to
the
pr
end,
we
we
kind
of
annotate
represented
0
4
to
tell
that
it
belongs
to
certain
logical
port.
So
now
anything
anytime.
We
change
the
logical
ports,
attributes
the
representers
attributes
change
through
open
flow
flows
and
therefore
the
vf2
that
is
attached
to
representer04.
A
A
So
the
this
this
slide
basically
captures
how
we
can
use
our
apples
to
kind
of
add
axles
at
a
different
priorities
and
therefore
override
the
axles
that
the
tenants
themselves
configure.
So
in
here,
avon
eccles
priority
range
from
zero.
All
the
way
up
to
thirty
two
thousand
seven
sixty
seven,
so
higher
the
priority
of
the
accol
higher
will
be
its
precedence.
A
A
In
fact,
the
cloud
projects
can
add
accols
to
their
own
infrastructure
services,
to
make
sure
that
the
the
tenants
host
or
the
tenants
part
do
not
talk
to
infrastructure
services
that
they're
not
supposed
to
talk
to.
So
in
this
way,
using
our
priority
accounts,
we
kind
of
make
sure
we
provide
that
isolation
of
between
the
bare
metal
host
and
the
data
center
services
and
the
data
center
itself,
and
all
of
this
echoes
the
flows
is
all
offloaded
onto
the
integration
bridge
and
leah
is
going
to
talk
to
it
in
the
next
set
of
slides.
A
So
then,
so
in
here,
what
we
have
done
is
we
have
two
different
bare
metal
servers
and
the
bare
metal
itself
is
part
of
ammon,
logical,
topology
and
then
the
kubernetes
cluster
also
is
part
of
one
logical
topology.
So
the
paths
are
kind
of
connected
together
within
our
logical
topology,
orchestrated
by
the
urban
cni.
On
the
other
hand,
the
bare
metal
servers
themselves
are
part
of
our
logical
topology,
and
then
the
interconnection
between
them
is
provided
by
our.
A
A
On
the
other
hand,
the
e-space
traffic
between
the
bare
metal
server
itself
is
achieved
through
the
oven,
logical
topology
and
using
an
overlay
and,
and
then
we'll
have
one
apples
define
which
bare
metal
hose
can
talk
to
each
other
and
which
bare
metal
hose,
cannot
talk
to
each
other.
This
is
defined
by
the
one
actuals
see
both
the
the
green
overlay
and
the
orange
overlay.
A
They
are
transported
over
the
blue
underlay.
This
forms
the
underlay
where
the
blue
fields
are
all
in
blue
fields
in
the
data
center
they're
all
interconnected
together,
and
they
form
the
underlay
over
which
the
geneva
tunnel
traffic
is
transported
between
the
pods
and
between
the
bare
metal
server
itself.
So
the
red
underlay
network
here
is
for
access
to
the
internet.
A
So
that's
this
diagram,
so
here
what
we're
capturing
is
how
one
can
provide
a
multi-tenancy
model
in
a
dc
using
oven,
distributed
control,
plane
and
a
smart
nic
in
it.
So
in
here
we
have
two
tenants:
a
blue
tenant
and
a
ping
tenant.
The
blue
tenant
has
a
bunch
of
bare
metal
servers
which
are
all
interconnected
together
using
our
logical
topology.
A
Similarly,
here
for
the
ping
tenant,
they
have
a
bunch
of
bare
metal
servers
in
the
dc
that
was
assigned
to
them,
and
the
bare
metal
servers
themselves
are
connected
together,
using
a
logical
switch
and
a
logical
router
and
then
on
those
bare
metal
servers.
They
have
their
own
kubernetes
cluster
running,
which
is
again
orchestrated
throughout
cni.
A
As
you
can
see,
they
all
use
this
overlapping
ips
and-
and
this
is
all
made
possible
because
of
the
oven,
virtual
topology
and
they
all
exit
out
to
the
underlay
and
then
finally,
they
reach
out
to
the
internet.
The
cloud
providers
can
apply
their
axles
on
the
bare
metal
on
the
smart
neck,
to
kind
of
make
sure
that
the
blue
tenant
and
the
ping
tenant
are
isolated
from
each
other
and
they're
also
isolated
from
the
cloud
provider
services
itself
and
the
next
slide
kind
of
talks
to
that.
A
A
On
top
of
this
bare
metal,
node
is
where
we
build
the
kubernetes
cluster
and
then
they
kind
of
live
within
this
island.
Similarly,
the
pink
tenant
also
has
its
own
island
with
a
set
of
bare
metal
servers
with
each
of
them
having
a
blue
field
associated
with
it,
and
they
have
their
own
logical,
topology,
and
the
tunnel
is
formed
only
between
these
four
pink
bare
metals.
B
B
So,
as
girish
explained,
we
worked
with
oven
control
plan,
which
is
based
on
ovs
switch.
Ovr
switch
is
the
most
popular
virtual
switch
is
a
flow
based
one
with
many
capabilities
among
which
are
geneve
connection
tracking,
mirroring
and
more,
and
there
are
many
multiple
control
planes
that
are
built
on
top
of
it.
Ovn
is
an
example
for
that
it
has
a
ova:
it
has
a
user
space
module
and
a
credit
space
module
and
in
the
regular
configuration
each
pod
is
assigned
a
vth,
a
pervert.
B
So
in
the
traditional
model,
the
first
packet
of
a
flow
will
go
up
to
the
user
space
there.
It
will
be
processed
and
sent
and
then
suitable
rule
will
be
inserted
to
the
kernel.
So
the
next
packets
of
the
same
flow
will
go
directly
through
the
kernel
without
going
through
the
user
space
with
connectex
hardware
offload
the
suit
this
rule
would
not
only
be
inserted
to
the
kernel,
but
also
to
the
hardware,
to
the
connected
embedded
switch
in
this
case.
B
B
B
Network
resolution
can
be
achieved
by
using
a
dedicated
hardware,
which
is
which,
which
sits
in
front
of
the
in
part
of
the
host.
We
use
bluefield
smartnic
as
a
bumper
in
the
wire
to
run
ovn
control
plane
in
a
secured
way,
we're
running
both
the
virtual
switch
and
the
utilities
configuring
it
on
the
neck.