Data Packet's (not) secure journeys in containerland
Part I

Vainius Dangovas
IT solution architect

SMN logo

Purpose of this talk

Tools and technologies

IP route2 (2006)

One of many guides <--

Linux namespaces (2002)

Linux network devices

Linux interfaces for virtual networking

iptables (2000)

IPTABLES For growing that knowledge.. a little

IPVS - LVS (1998)

IPVS Linux Virtual Server

Legend and topology

legend Full topology

What is a container?

Container = Isolated resources + Resource limitations + Files


Network namespace (NS) in action

1 node topology

NS implemented

NS ingress/egress traffic

NS Meets World

NS ingress/egress traffic

Increasing # of NS

Single node - multiple NS

NS reachability inside a single nodes

Multiple node topology

NS reachability between multiple nodes

Multi-node topology implemented

Other Multi-Node topologies and approaches

Services in Multi-Node topologies

Virtual Service LB

Ingress traffic to services [IPVS]

Distributed service delivery problems

What makes container environments difficult to manage?

Implementations in real life solutions

Most solutions divide into two groups:

Any way leads to the same solutions, only different maintenance and support models

Implementations in real life solutions: Docker Swarm

Good for smaller scale deployments or where as much as possible should be out-of-the-box.

Implementations in real life solutions: Kubernetes

Simpler from network standpoint, extensible architecture, used for extremely large deployments.

What's ahead?

  1. Container solutions inside-out
  2. Network plugins and CNI
  3. External network integrations
  4. Distributed network security policies
  5. Sidecar proxies - distributed application level security policies


Kristen Jacobs - Container Networking (Video, Source)

SMN colleagues

CNI and Container networking configuration (Video)

Docker Swarm networking article

Manual page, article and stackoverflow topic authors

Thank you!