Fast, Scalable and Secure OpenShift Networking with Cisco ACI
As a Red Hat partner, it’s been amazing to watch the growth and success of OpenShift over the past year. OpenShift doesn’t just give developers a trusted path and the tooling necessary to adopt Kubernetes — it improves agility and productivity and accelerates application delivery in on-premise, private cloud, and hybrid cloud environments. But networking still remains a challenge, and Cisco and Red Hat have worked closely together to bring best-in-class networking and infrastructure to the platform.
Cisco provides customers deploying OpenShift Container Platform in private on-premise environments with easy, fast, secure and scalable networking on automated, elastic physical infrastructure, at the speed, reliability and efficiency expected from the public cloud.
Building on Cisco Data Center innovations, Cisco® Application Centric Infrastructure (Cisco ACI) provides foundational networking optimized for performance, scale and availability of OpenShift Container Platform. Cisco ACI is designed to offer policy-based automation, security, mobility, and visibility for application workloads regardless of whether they run on bare-metal servers, hypervisors, or Linux containers.
The Cisco ACI system-level approach extends the support for Linux containers by providing tight integration of OpenShift. This integration allows Cisco ACI to provide a ready-to-use, secure networking environment for Kubernetes. The integration maintains the simplicity of the user experience in deploying, scaling, and managing containerized applications while still offering the controls, visibility, security, and isolation required by an enterprise enhancing the capabilities that OpenShift provides. The solution uses Cisco OpFlex®, an open southbound API for Cisco ACI, and Open vSwitch (OVS) to control, manage, and enhance each container host.
The integrated ACI solution provides a number of benefits including:
– Turnkey solution to provision the required infrastructure connectivity for OpenShift nodes and pods by automating all the required base infrastructure network provisioning and establishing zero-trust access control limited to necessary API communication, service discovery and platform health check probes.
– Securely interconnecting applications in OpenShift to other applications outside the cluster, regardless of whether they run on containers, virtual machines, or bare-metal servers: Cisco ACI supports integration with multiple orchestration platforms and bare-metal servers in addition to containers. An intent-based model defines connectivity requirements from application profiles as expressed by application architects and system operators, which simplifies connecting systems by modeling the network according to the identified external application dependencies.
– Support for OpenShift Network Policies for isolation and segmentation of pods based on fine-grained selections, with policy enforcement for Ingress, Egress or both directions, as well as selections made by IP block, protocol and port number.
– Flexible approach to policy: Cisco ACI offers the option of using native OpenShift Network Policies, as well as ACI endpoint groups and contracts, to isolate containers. This approach offers developers a cloud-native experience while additionally offering the option to use established Cisco ACI policy constructs to maintain the security policies and compliance rules of any organization.
– Automated, integrated load-balancing services: Load balancing plays a critical role in OpenShift as a way of defining services. The solution automates load balancing through a combination of policy-based routing capabilities in the fabric and software-based approaches using Open vSwitch. This allows the system to better scale OpenShift routers, Ingress Controllers and service meshes like Istio by providing equal-cost multipath routing to externally exposed services, with session stickiness, per-flow hashing, and ICMP-based node failure detection.
– Hardware-enhanced multitenancy: Complementing OpenShift project isolation, Cisco ACI provides a bottom-up multitenant architecture. This design enables deployment of multiple, isolated OpenShift clusters on one fabric, or isolation of individual OpenShift projects, through Cisco ACI policies.
– Visibility and telemetry information: The ACI Policy Infrastructure Controller visualizes an OpenShift Virtual Networking domain in which contextual information from the different OpenShift objects, including nodes, namespaces, deployments, services, and pods and their associated metadata, is represented. It correlates this information with the network telemetry gathered by the fabric.
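The Network Policy support described in the list above is the standard Kubernetes NetworkPolicy API, which the ACI integration enforces. The following manifest is an added illustration written for this article, not configuration from Cisco or Red Hat: it pairs a default-deny policy for a project with an allow-list policy that uses pod selectors, an IP block with an exception, and per-protocol port rules in both directions. The project name `shop`, the `app` labels, the CIDRs and the `openshift-dns` namespace label are assumed values for the example.

```yaml
# Added example: zero-trust baseline for one OpenShift project.
# 1) Deny all ingress and egress for every pod in the project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop                  # assumed project name
spec:
  podSelector: {}                  # empty selector = every pod in the project
  policyTypes:
  - Ingress
  - Egress
---
# 2) Re-open only what the backend needs. Rules are additive: traffic is
#    allowed if any policy selecting the pod permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-list
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend                 # assumed label on the backend pods
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Only frontend pods in the same project may reach the backend, TCP/8080.
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  # Database tier outside the cluster: an IP block with a carved-out
  # management subnet that the backend must never talk to.
  - to:
    - ipBlock:
        cidr: 10.20.0.0/16         # assumed external database range
        except:
        - 10.20.5.0/24             # assumed management subnet, excluded
    ports:
    - protocol: TCP
      port: 5432
  # Cluster DNS must stay reachable once egress is restricted; otherwise
  # service discovery breaks. Namespace label assumed (set automatically on
  # Kubernetes 1.21+ clusters).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply both documents with `oc apply -f <file>` from inside the project. Two points matter for the isolation claims above: a pod is only isolated for the directions listed in `policyTypes`, so the default-deny policy must name both Ingress and Egress; and `ipBlock` rules are meant for traffic entering or leaving the cluster, since pod-to-pod traffic should be selected by pod or namespace labels rather than by IP.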
Cisco ACI provides tight integration with OpenShift to accelerate and automate the deployment of container-based microservices. The solution offers a seamless developer experience intended to maintain the simplicity of OpenShift while still enabling the advanced capabilities of the Cisco ACI fabric, optimizing for reliability, performance and scale while maintaining visibility across the infrastructure.
If you would like to learn more about the solution, join us at KubeCon Copenhagen May 2-4 or at the Red Hat Summit in San Francisco, May 8-10, Booth #425.
Swing by our booth to see demonstrations of OpenShift on ACI, ask questions, or chat with our engineers.