Modern cloud applications are increasingly being developed using lightweight, modular container formats for server virtualization as opposed to traditional virtual machines. To facilitate the automation, monitoring and management of container-based applications and infrastructures, Red Hat® has developed the Red Hat OpenShift container management solution. OpenShift adds developer and operation-centric tools to accelerate application development, deployment and long-term lifecycle maintenance operations across large teams.
Nuage Networks Virtualized Services Platform (VSP) provides virtual networking and SDN infrastructure to Docker container environments that simplifies IT operations and expands OpenShift’s native networking capabilities.
Now VSP provides support for OpenShift cloud environments, including taking advantage of the full Red Hat cloud stack, including Kubernetes container cluster management found in OpenShift.
Figure 1. – Nuage Networks VSP forms the virtual networks that glue together heterogeneous application types, virtualization formats, network and security devices, and cloud environments.
Challenges in Kubernetes Networking
Container instances are smaller than the corresponding VM format, allowing hosts to run an order of magnitude or more workloads, potentially increasing bandwidth and QoS requirements and networking complexity.
Containers are also ideal for small, modular or short-lived applications (perhaps while under development or deployed as “microservices”), increasing the requirements for on-demand, automated network provisioning and configurations.
Originally, Docker containers could only communicate between containers on the same host. Kubernetes, developed by Google and contributed to the open source community, allows distributed applications to be deployed and connected across large pools of resources. Kubernetes introduced the concept of a Pod, a group of related containers that all run on the same host.
Each pod gets its own IP address and can communicate with other pods, while containers within a pod communicate using localhost networking. Kubernetes also supports an API to integrate more sophisticated networking and SDN services into the cloud environment.
A frequent requirement that Nuage Networks’ customers are looking to address with value-added networking and policy-based automation centers on security. Customers want to be able to apply their granular security policies consistently across containers and VMs, as well as to provide isolation between tenants and applications in a multi-tenant cloud environment.
Other common customer requirements also include the ability to quickly converge networking configurations during peak container activation/deactivation events, simplified connectivity to external networks and gateways, as well as providing a common SDN policy environment across virtual and bare-metal workloads.
Introducing Nuage Networks VSP for OpenShift
Nuage Networks VSP is now available to support Docker-based applications running on the OpenShift PaaS solution to accelerate the provisioning of virtual networks between pods and traditional workloads, and to enable security policies across the entire cloud infrastructure. VSP allows for the automation of security appliances to include granular security and microsegmentation policies for container apps.
Nuage Networks VSP is a policy-based automation and virtual networking platform that is ideally suited for heterogeneous environments, unifying SDN policies across cloud platforms and server virtualization technologies. Nuage Networks can consolidate network and security policy requirements independent of the hypervisor or container format they are running, the infrastructure or the cloud management system.
VSP and OpenShift Integration
VSP is integrated into the OpenShift application workflow, which triggers events in the Nuage Networks system; similar to the way a VM Orchestrator’s events trigger virtual network configurations between virtual machines.
VSP provides a networking plug-in running on the OpenShift master, which connect the OpenShift platform to the two main VSP controller components: the Virtualized Services Controller (VSC) and the Virtualized Services Directory (VSD). VSC and VSD maintain the higher-level network and security policies and configure the relevant network devices and virtual switches to automate and provision the required overlay connectivity.
OpenShift relies on Kubernetes to launch container pods and configure the localhost networking between containers. VSP provides a network exec plug-in running on the OpenShift nodes (the Kubernetes Minions) that is invoked during pod lifecycle events, such as creation and destruction. The VSP plug-ins on the OpenShift nodes and the OpenShift master share the policy configurations and lifecycle events with the VSP controllers as well as the local VSP virtual switch (VRS), as needed (see figure 2).
Figure 2. – Nuage Networks VSP components are tightly integrated with the OpenShift PaaS framework. The SDN controller component, VSC, communicates to the OpenShift nodes via OpenFlow to VSP virtual router/switch (VRS), while the VSP plug-in on the OpenShift Master communicates policy information to the VSP plug-in on the OpenShift nodes.
Nuage Networks VSP supports OpenShift installations for bare-metal as well as VM deployments. VSP also works in nested environments, such as running OpenShift on top of OpenStack. In these latter cases, OpenStack generally delivers Infrastructure-as-a-Service (IaaS) capability, such as virtual server configuration, while OpenShift delivers PaaS for container application deployments and scale out. VSP has been validated against the primary Red Hat OpenShift distribution, as well as the open source version, OpenShift Origin.
Security Services in Nuage Networks VSP
While SDN has always delivered policy-based automation for network devices, applying the same techniques to multi-tenant cloud environments is a more urgent requirement because security policies (compared to network policies) are likely more complex, more application-specific, change more frequently, and encompass a wider range of devices from multiple vendors.
As organizations evolve their data centers and applications to the cloud and containers, the security operations are likely to overwhelm even before network issues dictate an evolution to SDN.
In multi-tenant cloud environments, there is a requirement for “microsegmentation”, i.e., enforcing security policies at a very granular level, between individual workloads and applications. Nuage Networks VSP brings these sophisticated security policies to OpenShift-based environments. Policies can be enforced between Kubernetes pods, or between pods and VM or bare-metal workloads, in a consistent fashion, ensuring compliance objectives across all environments.
For more information: http://nuagenetworks.net, and follow us on twitter @nuagenetworks
OpenShift Container Platform, How-tos