OPENCONTRAIL + KUBERNETES
Aniket Daptari
@_aniket_
Sr. Product Manager, Cloud Networking
Copyright © 2014 Juniper Networks, Inc. www.juniper.net
AGENDA
1. BACKGROUND & PROBLEM STATEMENT
2. CONTRAIL PRODUCT OVERVIEW
3. KUBERNETES SOLUTION DETAILS
4. CUSTOMER USE-CASES; Q&A
INFRASTRUCTURE LANDSCAPE
SERVICE OVERLAY OVER MULTIPLE HETEROGENEOUS ENVIRONMENTS
[Diagram: a service overlay (with management) spanning DC or POP 1 and DC or POP 2 (multi-DC distributed cloud), legacy servers & storage (VLAN, VMware based), bare-metal servers & storage, VMs & containers, physical service appliances (LB, WAN opt, firewall) and virtualized service VMs, public clouds (AWS, GCE, …) over a hybrid cloud interconnect, and a customer branch with CPE / vCPE. Physical + virtual service insertion; gateway routers join the overlay to the underlay and the legacy interconnect.]
ENTERPRISE APP LANDSCAPE
[Diagram: ENTERPRISE DC (1000's), ENTERPRISE PRIVATE CLOUDS (100's), PUBLIC CLOUDS and MULTIPLE SAAS CLOUDS joined through an EXCHANGE (e.g. Equinix, etc.) that provides high speed connectivity enabling hybrid clouds. App categories: TRADITIONAL / STANDARD APPS (Email, CRM, ERP, Auth, BI, Expense, Database, Helpdesk, …), CUSTOM APPS, DYNAMIC APPS (What-If Analysis, Analytics).]
ENTERPRISE DC (1000's)
Today a large number of enterprises run all enterprise apps on-prem.
PRIVATE CLOUDS (100's)
- Fewer private clouds
- Financials, Healthcare, Hi-Tech, Oil & Gas & Govt. sectors
- Cost, compliance & security → primary drivers
PUBLIC CLOUD MIGRATION
- Custom apps are migrating to public and SaaS clouds
- Dynamic apps are migrating to public clouds – but some still remain on-prem
EMERGENCE OF SAAS CLOUDS
- App vendors are migrating to SaaS clouds → almost every traditional app has a SaaS offering
SOFTWARE / DEVELOPERS…
SOFTWARE / DEVELOPERS – RISE OF MICROSERVICES
https://www.sequoiacap.com/article/build-us-microservices/
VIRTUALIZATION – COMPUTE AND STORAGE
DATA CENTER EVOLUTION
[Diagram, two panels. TRADITIONAL: end-user → router → switches → physical servers, with a security device (FW, IPS policies), an LB device (LB policies) and ACLs, all configured by the admin; standalone applications on dedicated resources. VIRTUALIZATION: end-user → router → VLANs → virtual machines under a VM orchestrator, with vSecurity (security policies), vLB (LB policies), ACLs and VLAN config still handled by the admin; standalone application on virtualized resources.]
Main challenges:
- Sub-optimal device utilization
- Static & inflexible
- TCO (Capex, Opex)
- Physically constrained
- Silo'ed
- Manual device config
- Custom policy config
- Deployment knowledge
With compute and storage virtualization the same list of challenges applies: some are solved…
LEGACY NETWORK VIRTUALIZATION
CLOUD ENABLED DATA CENTER
[Diagram: CLOUD panel. End-user → evolving applications on a resource pool; an orchestrator / controller holds all policies (incl. ACLs), so there are no ACLs on the devices; virtual networks span virtualized resource pools (compute, storage, LB, security), resources across DCs and external cloud based resources; the admin works through the orchestrator.]
Challenges:
- Sub-optimal device utilization
- Static & inflexible
- TCO (Capex, Opex)
- Physically constrained
- Silo'ed
- Large, manual device config
- Custom / complex policy config
- Specialized deployment knowledge
All challenges are solved…
EVOLUTION TO CLOUD NETWORK AUTOMATION
TRADITIONAL NETWORKS            CLOUD NETWORKS
Element / Device Mgmt           System / Services Abstractions
Human Middleware                Intelligent Policy Automation
Proprietary Vendor Lock-in      Open-Source APIs Ecosystem
PRODUCT  OVERVIEW
BGP SIGNALED END-SYSTEM IP/VPNS
OPENCONTRAIL ARCHITECTURE - RECAP
OPENCONTRAIL HETEROGENEOUS NETWORKING SYSTEM
[Diagram: PODs and public clouds (AWS / GCE / …) connected through OpenContrail.]
VIRTUAL NETWORKS: LOGICAL VERSUS PHYSICAL
[Diagram. LOGICAL (policy definition): three virtual networks, GREEN (G1, G2, G3), BLUE (B1, B2, B3) and YELLOW (Y1, Y2, Y3); a Contrail security policy between two of them (firewall-like, e.g. allow only HTTP traffic) and a Contrail policy with a firewall service between two others. PHYSICAL (policy enforcement): the same G, B and Y workloads spread across hosts with hypervisors over an IP fabric (switch underlay), drawing on a VM and virtualized network function pool; the paths are marked as intra-network traffic, inter-network traffic traversing a service, and non-HTTP traffic.]
SOLUTION  FOR  CONTAINERS
NETWORKING AND CONTAINERS - DOCKER
DOCKER
MULTI-HYPERVISOR ENVIRONMENT
SOLUTION  FOR  KUBERNETES
NETWORKING AND CONTAINERS - KUBERNETES
Kubernetes is Google's open source orchestration system for Docker containers.
It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the user's declared intentions.
Using the concepts of "services" and "pods", it groups the containers which make up an application into logical units for easy management and discovery. It uses "labels" for annotations.
NETWORKING AND CONTAINERS - KUBERNETES
- A new daemon listens to the Kubernetes API on the master.
- It creates virtual networks on demand.
- It connects them together using the labels/annotations present in the app deployment template.
- A plugin script running on the minion/node then connects the container veth pair to the OpenContrail vRouter rather than the docker0 bridge.
NETWORKING AND CONTAINERS - KUBERNETES
- Virtual Network – for a collection of PODs.
- IP per POD.
- Floating IP for Service VIP.
- ECMP load-balancing across Service PODs.
KUBERNETES + OPENCONTRAIL
[Diagram: OpenContrail Controller alongside Kube-Network-Mgr; an OpenContrail vRouter on each node. *OpenContrail replaces kube-proxy.]
OPENCONTRAIL KEY COMPONENTS
- Virtual Networks: connect virtual machines (PODs)
- Gateway Devices: connect the virtual to the physical
- Network Policy: connect virtual networks
OPENCONTRAIL NETWORK POLICY
Virtual Network Policies
At a high level of abstraction, applied at the boundaries of virtual networks.
[Diagram: a Green POD and a Red POD (each a set of containers) joined by a Policy defined as #{Protocol:Port}.]
OPENCONTRAIL NETWORK FUNCTION SERVICE POLICY
Service Policies
Policy based application of virtual services with scale-out.
Firewall, Intrusion Prevention, Load balancer, Cache, WAN optimizer, proxy, ...
[Diagram: a Green POD and a Red POD joined by a Policy #{Protocol:Port} whose traffic traverses #Service{NAT + IDS + Cache + Firewall}: virtual services (IDS, Cache) and a physical service (Firewall).]
OPENCONTRAIL BUILDING BLOCKS
[Diagram legend:]
- POD / Virtual Network
- Tenant POD Containers
- Virtual Firewall
- Virtual Load Balancer
- Service Chain
- Physical Gateway Router
- Non-Virtualized (Bare Metal) Server
- Virtualized Server hosting Virtual Machines
- Physical Network (Internet, L3VPN, ...)
OPENCONTRAIL KUBERNETES LABELS
[Diagram: Kubernetes label → OpenContrail object]
- { Name } → NetworkTag → Virtual Network (a collection of PODs)
- { Uses: } → NetworkAccessTag → Virtual Network Policy (between the PODs' virtual networks)
OPENCONTRAIL KUBERNETES LABELS
Example: snippet of the POD definition that shows the OpenContrail labels name and uses.
POD – guestbook:
  "template": {
    "metadata": {
      "labels": {
        "app": "guestbook",
        "name": "frontend",
        "uses": "redis"
      }
    },
POD – redis:
  "template": {
    "metadata": {
      "labels": {
        "app": "redis",
        "name": "redis",
        "role": "slave"
      }
    },
NetworkAccessTag, aka Policy (derived from the "uses" label)
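The label mapping on the two slides above, worked through as a small added Python model (not the kube-network-manager's own code): pod templates carrying "name" and "uses" labels are turned into virtual networks and the policies that join them, with default deny between networks and a check for a "uses" value that names a network no pod defines. The pod templates, the extra "reporting"/"warehouse" pod, the one-directional reading of the policy and the refusal to program a dangling policy are constructed assumptions of this example.

```python
"""Toy model of how an OpenContrail network manager for Kubernetes could derive
virtual networks and network policies from pod labels (added illustration,
not the project's code):
  "name" label -> NetworkTag       -> one virtual network per distinct value
  "uses" label -> NetworkAccessTag -> a network policy joining two networks
"""
from collections import defaultdict

# Constructed sample input mirroring the guestbook-go snippets on the slide,
# plus a constructed "reporting" pod whose "uses" names a network no pod defines.
POD_TEMPLATES = [
    {"metadata": {"labels": {"app": "guestbook", "name": "frontend", "uses": "redis"}}},
    {"metadata": {"labels": {"app": "redis", "name": "redis", "role": "slave"}}},
    {"metadata": {"labels": {"app": "redis", "name": "redis", "role": "master"}}},
    {"metadata": {"labels": {"app": "reports", "name": "reporting", "uses": "warehouse"}}},
]


def pod_labels(template):
    """Return the labels of a pod template, tolerating a missing metadata block."""
    return template.get("metadata", {}).get("labels", {})


def derive_networks(templates):
    """NetworkTag: group pods by their "name" label, one virtual network per value.
    Pods without a "name" label are returned separately so they can be reported
    instead of silently landing in a shared default network (toy assumption)."""
    networks = defaultdict(list)
    unnamed = []
    for tpl in templates:
        labels = pod_labels(tpl)
        if "name" in labels:
            networks[labels["name"]].append(labels)
        else:
            unnamed.append(labels)
    return dict(networks), unnamed


def derive_policies(templates, networks):
    """NetworkAccessTag: one policy per distinct (name, uses) pair.
    Returns (policies, dangling). A "uses" that names a network with no pods is
    kept apart as dangling rather than programmed, so a mistyped label is
    surfaced to the operator instead of creating a policy (toy assumption)."""
    policies, dangling = set(), set()
    for tpl in templates:
        labels = pod_labels(tpl)
        if "name" in labels and "uses" in labels:
            edge = (labels["name"], labels["uses"])
            (policies if edge[1] in networks else dangling).add(edge)
    return policies, dangling


def is_allowed(src, dst, policies):
    """Default deny across virtual network boundaries: a flow from src to dst is
    allowed only inside one network or where a "uses" policy joins the two.
    The toy treats the policy as one-directional (using -> used network); the
    slide does not state the rule direction of a real OpenContrail policy."""
    return src == dst or (src, dst) in policies


def reconcile(templates):
    """Run the whole derivation and return a plain summary the daemon could log."""
    networks, unnamed = derive_networks(templates)
    policies, dangling = derive_policies(templates, networks)
    return {
        "networks": {name: len(pods) for name, pods in networks.items()},
        "policies": sorted(policies),
        "dangling": sorted(dangling),
        "unnamed_pods": len(unnamed),
    }


if __name__ == "__main__":
    summary = reconcile(POD_TEMPLATES)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for src, dst in [("frontend", "redis"), ("redis", "frontend"), ("redis", "redis")]:
        verdict = "allow" if is_allowed(src, dst, set(summary["policies"])) else "deny"
        print(f"{src} -> {dst}: {verdict}")
```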
KUBERNETES + OPENCONTRAIL – GCE SETUP
Steps:
1. export NETWORK_PROVIDER=opencontrail
2. kube-up.sh
More details: GETTING STARTED GUIDE
https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
OR
https://github.com/Juniper/container-networking-ansible
KUBERNETES + OPENCONTRAIL – GCE SETUP
KUBERNETES + OPENCONTRAIL – DEPLOY APPS
guestbook-go is an example provided by Kubernetes that shows a simple multi-tier app.
1. The guestbook controller is the front-end GUI that connects to one of the redis slave instances.
2. The redis slave instance gets the IP and port of the redis master from SkyDNS.
3. The redis slave connects to the redis master and writes the data provided by the guestbook UI.
[Diagram: Guestbook → Redis slaves → Redis Master, with SkyDNS for the lookup.]
KUBERNETES + OPENCONTRAIL – DEPLOY APPS
guestbook-go can be deployed by following opencontrail.md in the getting-started-guide section.
Steps:
1. Get the patch for guestbook-controller, guestbook-redis-slave and redis-master. The patch introduces "name" and "uses" labels in the json files.
2. Apply the patch (execute this from the kubernetes base directory):
   git apply --stat patch
   git apply --check patch
   git apply patch
PATCH URL:
https://github.com/Juniper/contrail-kubernetes/blob/vrouter-manifest/cluster/patch_guest_book
KUBERNETES + OPENCONTRAIL – DEPLOY APPS
3. Deploy the guestbook app. Example:
   kubectl create -f guestbook-go/redis-master-controller.json
   kubectl create -f guestbook-go/redis-master-service.json
   kubectl create -f guestbook-go/redis-slave-controller.json
   kubectl create -f guestbook-go/redis-slave-service.json
   kubectl create -f guestbook-go/guestbook-controller.json
   kubectl create -f guestbook-go/guestbook-service.json
KUBERNETES  +  OPENCONTRAIL  – DEPLOY  APPS
CUSTOMER  USE-­CASES
LITHIUM TECHNOLOGIES
https://youtu.be/pZjNFcyC6Uo - https://twitter.com/lachlanevenson
SYMANTEC
ENTERPRISE PRIVATE CLOUD
Customer Needs:
- Common Private IaaS for Production, Dev-Test across 4 DCs
- No manual provisioning of services – compute, storage, network
- On-demand & scale-out network services – LB, FW, DNS, NAT
- Line rate traffic from applications to data-store: massive Hadoop datastore, real-time stream processing, DB-as-a-Service (NoSQL / SQL)
Solution Description: OpenStack Orchestrator, Contrail Network Virtualization, Hadoop & Veritas Storage Services
1. Multi-vendor CLOS & Network Virtualization
   - CLOS-based L3 network provides high performance and redundancy between compute nodes
   - Virtualized (compute) and bare metal (Hadoop) servers
2. Multi-vendor Hardware Support
   - Juniper MX as a gateway router to interconnect public internet & L3VPN/EVPN for multi-DC connectivity
   - Juniper SRX used as a perimeter firewall
   - F5 & A10 load balancers – hardware and virtualized
3. Centralized security policy definition, distributed enforcement
   - API-based policy definition
   - Security policy at virtual network level and VM level
   - RBAC for security teams and application teams
4. Self-provisioned service / app deployment
   - Controlled migration of apps from development to production clouds
   - Seamless integration of new features / apps
[Diagram: Contrail / OpenStack controller over OpenStack racks, infra racks and workload/app racks; MX GW, SRX, A10 & F5, Hadoop data-store and a dynamically scaled application edge; the numbers 1–4 key to the list above.]
WORKDAY
ENTERPRISE PRIVATE CLOUD (SAAS)
Customer Needs:
- Highly multi-tenanted & high scale SaaS workloads
- Security framework for governance, audit, and compliance
- Self service environment for Test-Dev & Production
- Hybrid cloud support – HP & Private
Solution Description: "Open Compute" Platform, OpenStack Orchestrator, KVM & Docker, GlusterFS, Contrail Network Virtualization
1. Integration of Private & HP VPC using OpenStack
   - 12 private DCs & 2 HP Cloud service locations
   - Same security framework across hybrid cloud
2. Self-service with mix of resource types across IaaS
   - Developer can request services across multiple clouds (AZs)
   - Some applications not virtualized (KVM) – run on Docker (BM)
   - Controlled migration from development to production on shared cloud
3. Strong Security & Governance Framework
   - Reduced security rules complexity on firewall – 10K rules to 44 templates with 10s of rules
   - All traffic flows are logged and stored in STRM – customer & within application
4. On-Demand Virtualized Network Services
   - FW-as-a-Service implemented using Virtual SRX
   - LB-as-a-Service implemented using F5 BIG-IP or Contrail
[Diagram: DEVELOPMENT and PRODUCTION environments with SRX and F5, connected to the Internet and public clouds; the numbers 1–4 key to the list above.]
@_aniket_ / @opencontrail
http://www.opencontrail.org
https://pedrormarques.wordpress.com
contrail-info@juniper.net
THANK YOU!
