Nephe supports micro-segmentation of Public Cloud Virtual Machines by
realizing Antrea NetworkPolicies
on Virtual Machines. It leverages cloud network security groups to enforce
Antrea NetworkPolicies
. Nephe supports enforcing policies on AWS and Azure
Cloud VMs. The support for Public Cloud platform is designed to be a pluggable
architecture, so that it can be extended to support other cloud platforms in the
future.
Nephe Controller
imports Public Cloud VMs onto the Kubernetes cluster as
VirtualMachine
CRs and then converts them into ExternalEntity
CRs. The users
will use ExternalEntity
CR to define custom Antrea NetworkPolicies
. The
Nephe Controller
translates these Antrea NetworkPolicies
into cloud-native
network security groups and rules. These security groups are then
attached to Public Cloud VMs. The Nephe Controller
is deployed as a Kubernetes
Deployment in the cluster.
The following diagram illustrates the nephe-controller
components and the
relevant resources in a Kubernetes cluster.
The CPA controller interfaces with the cloud providers APIs, and it is
responsible for management of cloud accounts. The CPA controller watches
CloudProviderAccount
CR resources specified by the user, and sets up cloud
access in the cloud plugin. It extracts credentials from the CR and initializes
cloud sessions, which is then consumed by the account poller, network policy
controller etc.
The CES controller watches CloudEntitySelectors
CR specified by the user. It
extracts the specified CloudProviderAccount
and the match selectors in the
CR. It scans corresponding cloud providers' VPC / VNET, discovers matching
cloud resources such as VMs, and caches them. An account poller is configured by
the controller in the same Namespace as the CloudEntitySelector
.
Account poller is created for each configured CloudEntitySelector
at the
Namespace level. On every polling interval, the account poller accesses
Cloud-Interface plugin routines and gets all cached cloud resources.
For each cloud resource, it creates a corresponding VirtualMachine
CR and
imports them into the same Namespace as the CloudEntitySelector
.
It compares the cloud resources stored in etcd
against the cloud
resources fetched and identifies which cloud resources needs to be created,
updated, and deleted. Accordingly etcd
is updated.
The Virtual Machine Controller watches VirtualMachine
CR and forwards the
updated CR objects to the Converter module.
The Converter receives VirtualMachine
CRs from VM controller and converts them
into ExternalEntity
CRs, which will be consumed by Antrea Controller
and
NP Controller
. Each ExternalEntity
object has K8s Labels that match cloud
resource properties, such as Kind, Name, VPC/VNET, and tags. It may also contain
IP addresses of cloud resources when applicable.
The Antrea Controller
watches on the changes in Antrea NetworkPolicy
, and
computes the scopes, computes the address groups, translates to appropriate
Antrea internal networkpolicy structs, and disperses them accordingly to Antrea
CNI agent or Nephe Controller
. To support cloud use case, the
antrea-controller
understands ExternalEntity
CRD and externalEntitySelector
fields, and use them accordingly for ANP span computation and dispersion.
The NP controller watches for the NetworkPolicy
events from
Antrea Controller
. Antrea Controller
guarantees that any internal
networkpolicy object and the associated CRs are pushed to the NP controller,
while the NP controller guarantees that NetworkPolicies are applied to Public
Cloud VMs managed by the Nephe Controller
instance. It will translate network
policies into one or more cloud security groups and rules. The NP controller
uses cloud plugins to attach the security groups to the cloud VMs.
For more information, please refer to NetworkPolicy document.
The cloud plugins are used by other components to access cloud resources. It stores cloud account information configured by the CPA controller and initiates cloud sessions. It is built with a plugin model. This enables extending the controller to support different clouds. Currently, supported plugins include:
- AWS
- Azure