At the leading Kubernetes and container networking conference, KubeCon 2016, in London this week, Nuage Networks is demonstrating support for OpenShift, Red Hat's PaaS automation solution for container deployments.
At KubeCon, the Spotlight is on Container Networking
Modern cloud applications are increasingly being developed using lightweight, modular container formats for server virtualization instead of traditional virtual machines. To facilitate the automation, monitoring and management of container-based applications and infrastructures, Red Hat® has developed the OpenShift Platform-as-a-Service (PaaS) solution. OpenShift is available in multiple versions: as a hosted platform offering, as a private cloud solution, for public cloud deployments, and as an open source version, OpenShift Origin.
With OpenShift, developers can quickly develop, host, and scale applications for the cloud. OpenShift adds developer and operation-centric tools to accelerate application development, deployment and long-term lifecycle maintenance operations across large teams.
Nuage Networks Virtualized Services Platform (VSP) provides virtual networking and SDN infrastructure for Docker container environments, simplifying IT operations and expanding OpenShift’s native networking capabilities. VSP now supports OpenShift cloud environments and takes advantage of the full Red Hat cloud stack, including Kubernetes container cluster management.
Kubernetes Networking for Docker Containers
Container instances are smaller than the corresponding VM format, allowing hosts to run an order of magnitude or more workloads, potentially increasing bandwidth and QoS requirements and networking complexity. Containers are also ideal for small, modular or short-lived applications (perhaps while under development or deployed as “microservices”), increasing the requirement for on-demand, automated network provisioning and configurations.
Originally, Docker containers could only communicate between containers on the same host. Kubernetes was developed by Google and contributed to the open source community in order to allow applications to be deployed across large pools of resources. Kubernetes introduced the concept of a Pod, a group of related containers that all run on the same host. Each pod gets its own IP address and can communicate with other pods, while containers within a pod communicate using localhost networking. Kubernetes also supports an API to integrate more sophisticated networking and SDN services into the cloud environment.
A frequent requirement that Nuage Networks customers are looking to address with value-added networking and policy-based automation centers on security. Customers want to be able to apply their granular security policies consistently across containers and VMs, as well as to provide isolation between tenants and applications in a multi-tenant cloud environment. Other common customer requirements also include the ability to quickly converge networking configurations during peak container activation/deactivation events, simplified connectivity to external networks and gateways, as well as providing a common SDN policy environment across virtual and bare-metal workloads.
Introducing Nuage Networks VSP for OpenShift
Nuage Networks VSP is now available to support Docker-based applications running on the OpenShift PaaS solution to expand on the native virtual networking capabilities in Kubernetes and OpenShift, to accelerate the provisioning of virtual networks between pods, and to extend network service policies across the entire cloud environment to include granular security and microsegmentation policies.
Nuage Networks VSP is a policy-based automation and virtual networking platform that is ideally suited for heterogeneous environments, unifying SDN policies across cloud platforms and server virtualization technologies. Nuage Networks can consolidate network and security policy requirements independent of the hypervisor or container format they are running, the infrastructure or the cloud management system. Now, Nuage Networks VSP extends this SDN policy-based automation to Docker container environments running Kubernetes and OpenShift.
VSP is integrated into the OpenShift application workflow, which triggers events in the Nuage Networks system, similar to the way VM orchestrator events trigger virtual network configurations between virtual machines. VSP provides a plug-in running on the OpenShift master, which connects the OpenShift platform to the two main VSP controller components: the Virtualized Services Controller (VSC) and the Virtualized Services Directory (VSD). VSC and VSD maintain the higher-level network and security policies and configure the relevant network devices and virtual networks to automate the required connectivity.
OpenShift relies on Kubernetes to launch container pods and configure the localhost networking between containers. VSP provides a network exec plug-in running on the OpenShift nodes (Kubernetes minions) that is invoked during pod lifecycle events, such as creation and destruction. The VSP plug-ins on the OpenShift nodes and the OpenShift master communicate policy configurations and lifecycle events to the VSP controllers and to the local VSP virtual switch (VRS), as needed (see figure 2).
Nuage Networks VSP supports OpenShift installations on bare metal as well as in VM deployments. VSP also works in nested environments, such as OpenShift running on top of OpenStack. In these latter cases, OpenStack generally delivers Infrastructure-as-a-Service (IaaS) capability, such as virtual server configuration, while OpenShift delivers PaaS for container application deployment and scale-out. VSP has been validated against the primary Red Hat OpenShift Enterprise distribution as well as the open source version, OpenShift Origin.
Security Services in Nuage Networks VSP
While SDN has always delivered policy-based automation for network devices, applying the same techniques to multi-tenant cloud environments is a more urgent requirement, because security policies (compared to network policies) are likely more complex, more application-specific, change more frequently, and encompass a wider range of devices from multiple vendors. As organizations evolve their data centers toward the cloud, security operations are likely to become overwhelming even before network issues dictate an evolution to SDN.
In multi-tenant cloud environments, there is a requirement for “microsegmentation”, i.e., enforcing security policies at a very granular level, between individual workloads and applications. Nuage Networks VSP brings these sophisticated security policies to OpenShift-based environments. Policies can be enforced between Kubernetes pods, or between pods and VM or bare-metal workloads, in a consistent fashion, ensuring compliance objectives across all environments. VSP also integrates with a large ecosystem of value-added security vendors, such as Palo Alto Networks, Fortinet and many others, to enforce advanced security policies.