DEVNET-2617-Kubernetes and ACI


Kubernetes and ACI

How to build automated security and connectivity policies for microservices

Nicolas Vermande, Technical Marketing Engineer
@nvermande
DEVNET-2617
Objectives of this session

• Understand the value of the ACI CNI for Kubernetes
• Understand the technical features provided by the ACI CNI
• Understand how ACI can enable DevSecOps in CI/CD pipelines

ACI: Containers Networking

Application landscape is changing…

#CLUS DEVNET-2617 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Application Architectural Evolution

Service: Autonomous, Loosely-coupled, Independently Scalable
Microservice: Single Purpose, Stateless, Ephemeral, Automated
Function f(): Single Action, Event Sourced

An effective platform for microservices
• Containers are ideal candidates to run microservices:
  • Microservices define stateless, loosely coupled application components communicating over APIs, running in different runtime environments.
• Containers meet new application requirements as they provide:
  • Density
  • Speed
  • Portability
  • Low overhead management

In a multi-host environment, containers need to be orchestrated and have network reachability.
What are some of the current orchestration solutions?

• Docker Native Orchestration (Swarm Mode)
• Mesos/Marathon (Mesosphere)
• Kubernetes (Google)
• Rancher
• Nomad (Hashicorp)
Different experiences for developers
• CaaS (Container as a Service)
  • AWS ECS/EKS, Google GKE, Kubernetes, etc.
  • Delivers containers, but app packaging must be managed separately
• PaaS (Platform as a Service)
  • AWS Beanstalk, Fargate, PCF, Openshift, etc.
  • Delivers application packaging and provides development tools on top of a containerized form factor for the application
Why Containers with ACI?

Native Support for Container Application Platforms
• Application container orchestration: Docker, Kubernetes, Openshift, Pivotal, Mesosphere
• Pervasive Security, Pervasive Analytics
• Opflex CNI: fast, secure and scalable networking
• Cisco ACI: intent-based automation
• Programmable infrastructure, any cloud: physical, virtual, private
Cisco ACI and Containers

Cisco ACI provides deep integration with container orchestration platforms with the goal of:

• Providing DevOps teams a seamless, cloud-native experience using the tools and interfaces they prefer
• Giving infrastructure teams the tools they need to deploy, operate, and troubleshoot container networking
• Providing a means of connecting container workloads to VMs and bare metal (i.e. everything else)
Why ACI and Application Container Platforms

• Turnkey solution for node and container connectivity
• Flexible policy: native platform policy API and ACI policies
• Hardware-accelerated: integrated load balancing
• Fast, easy, secure and scalable networking for your Application Container Platform
• Visibility: live statistics in APIC per container and health metrics
• Enhanced multitenancy and unified networking for containers, VMs, bare metal
In-fabric load-balancing

Diagram (labels: ACC Controller; Service type "LoadBalancer"; border leaf pair): external traffic arrives as SRC: ext, DST: SVC at the border leaf pair; symmetric PBR load-balancing forwards it to a node (SRC: ext, DST: Node); second-stage load-balancing on the node delivers it to a pod (SRC: ext, DST: Pod).
Working with the ACI Network Plugin: Native Security Policy Support

Container Team
1 Install Openshift and ACI plugin
2 Build service definitions and define network policy
3 Deploy and scale containers
4 Create Network Policies; annotate objects to map to EPGs

Network Administrator / Infosec (define container network policy)
1 Fabric bring up
2 Create Openshift system resources in ACI
3 Create EPGs and Contracts (optional)
4 Monitor and observe network telemetry

Diagram: Server 1 and Server 2 run Opflex/OVS and host the WEB, APP and DB containers, attached to the ACI Fabric.
Mapping Network Policy and EPGs

Cluster Isolation (default behavior): single EPG for the entire cluster; no need for any internal contracts.
Namespace Isolation: each namespace is mapped to its own EPG; contracts for inter-namespace traffic.
Deployment Isolation: each deployment mapped to an EPG; contracts tightly control service traffic.

Key (diagram legend): EPG, NetworkPolicy, Contract
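As an added illustration (my own model, not code from the deck or from the ACI CNI project) of the namespace-isolation mapping above, where a Kubernetes NetworkPolicy is realised as a contract between namespace EPGs: the script turns a policy into contract tuples and builds the annotation that pins a namespace to an EPG. The namespaces, labels and policies are constructed; the annotation key and JSON shape are my recollection of the ACI CNI documentation, not something the deck states, so verify them against your CNI release.

```python
import json

# Constructed sample cluster: under the "Namespace Isolation" model each
# namespace is its own EPG, so namespace labels decide who may consume a contract.
NAMESPACES = {"web": {"tier": "frontend"}, "app": {"tier": "backend"}, "batch": {"tier": "jobs"}}

# Constructed NetworkPolicy (dict form of the YAML) in namespace "app": admit
# ingress to all pods in "app" on TCP/8080, only from tier=frontend namespaces.
ALLOW_WEB_TO_APP = {
    "metadata": {"name": "allow-web", "namespace": "app"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{
        "from": [{"namespaceSelector": {"matchLabels": {"tier": "frontend"}}}],
        "ports": [{"protocol": "TCP", "port": 8080}]}]},
}

# Constructed default-deny policy: selects every pod in "app", no ingress rules.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "app"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

def _labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_to_contracts(policy, namespaces=NAMESPACES):
    """Simplified model of the deck's NetworkPolicy -> Contract mapping (not the
    ACI CNI's own algorithm): the policy's namespace is the provider EPG, each
    namespace matched by a namespaceSelector is a consumer EPG (a rule without
    `from` matches every namespace), each port is a filter entry ("any" if none).
    No ingress rules => no contract, so nothing is admitted: a whitelist model."""
    provider = policy["metadata"]["namespace"]
    contracts = set()
    for rule in policy["spec"].get("ingress", []):
        ports = rule.get("ports") or [{"protocol": "any", "port": "any"}]
        peers = rule.get("from") or [{"namespaceSelector": {}}]
        for peer in peers:
            sel = peer.get("namespaceSelector")
            if sel is None:  # podSelector/ipBlock peers stay inside this EPG in the model
                continue
            for ns, labels in namespaces.items():
                if _labels_match(sel, labels):
                    for p in ports:
                        contracts.add((ns, provider, p.get("protocol", "TCP"), p["port"]))
    return contracts

def epg_annotation(tenant, app_profile, epg):
    """Annotation that pins a namespace to an EPG ("Annotate objects to map to
    EPGs"). Key and JSON shape follow the ACI CNI docs as I recall them; treat
    them as an assumption to verify against your CNI release."""
    return {"opflex.cisco.com/endpoint-group":
            json.dumps({"tenant": tenant, "app-profile": app_profile, "name": epg})}
```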


DevSecOps with ACI CNI: let's build a CI/CD pipeline

Jenkins pipeline (diagram):
• Commit code on Dev branch
• Jenkins webhook triggers the Jenkins master
• Build container image with new code and send to dev container registry (Amazon ECR)
• Provision EPG, contracts and attach Container and VMM domains
• Create namespace, annotate to EPG and deploy application stack
• Run integration tests
• Merge dev to master, update remote repo and clean up environment
Demo Time!
Q&A
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#DEVNET-2617
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings
Thank you
