
Protecting host with Calico


  1. Anirban Sen Chowdhary
  2. Project Calico is a Tigera open-source project that provides a layer 3 network implementation aimed at scalable data center deployments. Compared to traditional network overlays, Calico provides a more efficient implementation with minimal packet encapsulation. This allows better use of node resources and a simple yet powerful network stack for your infrastructure.
  3. Calico is able to secure the network interfaces of the host itself with its security policy model. Supported host operating systems:
     - RHEL (7.1, 7.2, 7.3, 7.4)
     - Ubuntu (16.04, 17.04)
     - SLES (12, 12 SP1, 12 SP2)
     It supports the same rich security policy model for host endpoints that it supports for workload endpoints. It does not support setting IPs or policing MAC addresses for host interfaces; it assumes that the interfaces are configured by the underlying network fabric.
  4. Build Calico components: the Calico components are calicoctl and calico/node. There are two ways to build calicoctl: natively and dockerized. calico/node can be regarded as a helper container that bundles together the various components required for networking containers with Calico.
  5. Project Calico defines endpoints as network interfaces. Endpoints are generally of two types: host and workload. Host endpoints are network interfaces that are static from Calico's perspective. Workload endpoints have lifecycles that are managed by an orchestrator and are typically created and destroyed in conjunction with scheduling and destroying workloads. Calico distinguishes workload endpoints from host endpoints by a configurable prefix. Within the Calico policy data model, both types of endpoints can be associated with a set of labels; where the orchestrator supports the concept of labels, as Kubernetes does, these come from the orchestrator, otherwise they can be applied to the endpoint via Calico's APIs.
  6. Run Calico to secure host interfaces: after building calicoctl and calico-felix, it is ready to run as follows:
     1) Creating basic connectivity and Calico policy
     2) Creating host endpoint objects
     3) Creating more security policy
     All three steps are described in the next slides.
  7. 1) Creating basic connectivity and Calico policy: when a host endpoint is added and there is no security policy for that endpoint, Calico defaults to denying traffic to and from that endpoint. So first:
     - Create a failsafe Calico security policy.
     - Create a single policy resource that applies to all known endpoints, allows inbound ssh access from a defined management subnet, and allows outbound connectivity to etcd on a particular IP.
     cat
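As an added example, not taken from the slides, here is the failsafe policy that slide 7 describes together with the host endpoint object of step 2 from slide 6, written against Calico's v3 API (an assumption: the calicoctl generation the deck refers to may use the older v1 policy/hostEndpoint kinds). The management subnet 10.0.100.0/24, the etcd address 10.0.0.5, the node name node1 and the interface eth0 are constructed placeholder values.

```yaml
# Added example (not from the slides): the step-1 "failsafe" policy in the
# Calico v3 API (projectcalico.org/v3, calicoctl 3.x). Assumption: older
# calicoctl releases use the v1 "policy"/"hostEndpoint" kinds instead.
# 10.0.100.0/24 (management subnet), 10.0.0.5 (etcd), node1 and eth0 are
# constructed placeholder values; replace them with your own.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: failsafe
spec:
  selector: all()          # every host and workload endpoint Calico knows about
  order: 0                 # evaluated before any later, more specific policy
  ingress:
    - action: Allow        # inbound ssh only from the management subnet
      protocol: TCP
      source:
        nets:
          - 10.0.100.0/24
      destination:
        ports:
          - 22
  egress:
    - action: Allow        # outbound etcd client traffic to the etcd node only
      protocol: TCP
      destination:
        nets:
          - 10.0.0.5/32
        ports:
          - 2379
---
# Step 2 from slide 6: a host endpoint for the node's eth0. As soon as this
# object exists, traffic on eth0 that no policy allows is denied, so apply the
# failsafe policy above before creating it.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0
  labels:
    role: host
spec:
  node: node1
  interfaceName: eth0
  expectedIPs:
    - 10.0.0.11            # constructed address of eth0 on node1
```

Apply both objects with `calicoctl apply -f <file>` and confirm with `calicoctl get globalnetworkpolicy failsafe -o yaml`; anything the failsafe policy does not allow on the host interface stays denied until the step-3 policies are added.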
