mesos-user mailing list archives

From Maxime Brugidou <maxime.brugi...@gmail.com>
Subject Re: Mesos clusters and security boundaries
Date Thu, 19 Mar 2015 07:13:26 GMT
You would have to break the VLANs and push security into the
apps/frameworks. VLANs are a way to control communication between machines.
With Mesos, the machine is not the unit of work since they tend to all
become identical and managed by a single team. What matters is the security
of the frameworks running over Mesos. This requires big changes in many
apps relying on VLANs or firewalls to "secure" their TCP connections.

You would have to start working on authenticating connections, using TLS,
etc. The hardest one is that VLANs protect you from DoS (either accidental
or not) from another unauthorized VLAN. This is harder to do with Mesos
since at the network level you will receive the DoS connections and have to
reject them higher in the stack.

Anyway, you could also work out a solution with tagged VLANs and iptables
that restricts access to the VLAN to a specific user. Then you authorize
some framework user to use a VLAN on all slaves or not.
On Mar 18, 2015 1:20 PM, "Guido Bakker" <guido.bakker@gmail.com> wrote:

> Hi,
>
> At the company I work for we are in the process of setting up/designing a
> Mesos cluster. We do use it already for several projects & POC. But not in
> a production setup yet.
> We believe in the idea of DCOS and we would like to have the ability to
> fully utilize all the available resources depending on demand, priority and
> constraints.
> But we're struggling a bit with the right separation of security
> boundaries and amount of clusters that you need to setup.
> Currently we have DTAXP environments that are logically separated by
> network hardware. Within each environment we make the separation of DMZ,
> Front-end, Back-end & Management. Again within each environment multiple
> VLANs.
> Theoretically you could run Mesos on every server in your DC and have 1
> big cluster. But how do you maintain the same level of security, either
> physical or logical?
> Statically partition Mesos slaves for each DTAXP or have separate Mesos
> clusters? Add overlay networking? The number of options seems to increase
> every week...
>
> Maybe I'm missing the obvious, but I would love to hear about use-cases
> and directions other people are going...
>
> Regards,
> Guido
>

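The "tagged VLANs and iptables restricted to a specific user" idea from the reply above, written out as an added example (it is not from the thread or from the Mesos project). It assumes a hypothetical slave with parent NIC eth0, VLAN id 100 (so the tagged interface is eth0.100) and a framework service account with uid 1500; the functions only print the commands, and apply_rules executes them when run as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Per-user egress control on
# a tagged VLAN using the iptables owner match. Assumed (hypothetical) values:
# parent NIC eth0, VLAN id 100 -> interface eth0.100, framework uid 1500.
# Nothing is applied unless APPLY=1 is set and the script runs as root.

# Commands that create the tagged VLAN interface on a slave.
vlan_link_cmds() {
    parent="$1"; vid="$2"
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$parent" "$parent" "$vid" "$vid"
    printf 'ip link set dev %s.%s up\n' "$parent" "$vid"
}

# OUTPUT-chain rules for IFACE: only sockets owned by UID may send through
# it; anything else is logged (rate-limited, for detection) and rejected.
# Order matters: the ACCEPT must come before the catch-all REJECT.
vlan_egress_rules() {
    iface="$1"; uid="$2"
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j ACCEPT\n' "$iface" "$uid"
    printf 'iptables -A OUTPUT -o %s -m limit --limit 5/min -j LOG --log-prefix vlan-egress-denied:\n' "$iface"
    printf 'iptables -A OUTPUT -o %s -j REJECT --reject-with icmp-admin-prohibited\n' "$iface"
}

# Execute each command read from stdin; refuses to run without root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    while read -r cmd; do
        $cmd || return 1
    done
}

# Stand-alone run: print what would be applied, or apply it with APPLY=1.
if [ "${APPLY:-0}" = 1 ]; then
    { vlan_link_cmds eth0 100; vlan_egress_rules eth0.100 1500; } | apply_rules
else
    vlan_link_cmds eth0 100
    vlan_egress_rules eth0.100 1500
fi
```

Two caveats worth keeping in mind when using this pattern: the owner match only sees packets generated by sockets in the host network namespace, so tasks that get their own namespace (overlay or container networking) are not covered by it, and it governs egress only, so unwanted inbound packets still reach the slave and are dropped or refused there, which is exactly the "reject higher in the stack" cost the reply describes. The LOG rule gives you a syslog line per denied attempt to alert on.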