The popularity of containers as a deployment model has risen significantly in the last few years. Kubernetes has become the container orchestration engine of choice and it is gaining wider enterprise adoption at a rapid pace. Platform9 is making this enterprise adoption easy by providing “Kubernetes as a Service” on their customers’ own private data centers as well as public clouds. Platform9 also provides features like single-sign-on (with support for SAML, ADFS, Okta, OneLogin), role-based access control, and multi-tenancy.
Continuing with this enterprise enablement for enterprises, Platform9 is pleased to announce integration with OpenContrail, a leading provider of SDN in virtualization. They are bringing the same power to container networking with their integration with Kubernetes, enabling the ability to isolate Kubernetes networks at various levels.
Together, Platform9 Managed Kubernetes and OpenContrail provide a simple and secure networking solution for enterprises.
First, let’s get up and running with Kubernetes. With Platform9, it’s really easy, just sign up for a free-trial. Once our team has created an environment for you, simply follow the steps below:
- Add a new Node, and download the agent.
- Install the agent.
- Authorize the host.
- Now create a cluster, select “OpenContrail” as the networking provider. Add the OpenContrail controller address and the CIDRs for service and pods.
Once you finish, attach nodes to the cluster you just created and you will have a fully functional Kubernetes with OpenContrail integrated.
I am most excited about the security features OpenContrail has introduced, and there are three levels of isolation that can be enabled:
- Cluster Isolation: This is the default mode where a single cluster network is shared by all namespaces. In this case each Pod can access others regardless of namespaces.
- Namespace Isolation: Using a simple annotation pods in different namespaces cannot communicate with each other. Policies can be configured to allow for explicit access between specific pods.
- Application Isolation: Using name labels on Pods, replication controllers, or services, separate networks can be created for every Pod to isolate these services.
Contrail also offers other advanced features which are absent in other solutions.
- Load Balancing: OpenContrail implements non-proxy load-balancing based on ECMP without additional hops. Its native implementation is distributed in the OpenContrail vRouters for the elastic/virtual IP addresses used in Kubernetes Service objects. It eliminates need for kube-proxy controller that has the performance drawback(kube-proxy often re-configures and re-compiles IPtables to try to create complex NAT rules for the load balancing and sometimes needs to reroute packets to the correct server hosting the pod selected by the load balancing).
- Network Policy: OpenContrail implements the Kubernetes network policy objects applied to pods and much more. OpenContrail powerful SDN capability layers security at the level of multi-tenancy, virtual network isolation, and customized security groups. Furthermore it can also insert transparent service chains with stateful firewalls and other services (could be in containers, VMs or physical). With Kubernetes, you can abstract this task to OpenContrail defaults or fully control network policy to your heart’s (and CSO’s) content, ensuring security policy within and across your Kubernetes cluster.
- Ingress Controller: Kubernetes doesn’t ship with a built-in Ingress Controller unless you run on GKE, so Ingress objects are ignored by default. OpenContrail, is the only full SDN solution so far that implements Ingress using an included HAProxy setup.
Watch a demo of the setup of Platform9 Managed Kubernetes and OpenContrail and how to isolate namespaces. We are very excited about this integration and believe it will further help enterprise adoption of Kubernetes.
Please leave comments below or email us at firstname.lastname@example.org for feedback or questions.