Understanding cSRX with Kubernetes
Containerized SRX (cSRX) is a virtual security solution based on a Docker container that delivers agile, elastic, and cost-saving security services for comprehensive Layer 7 security protection.
Kubernetes (K8s) is an open-source system for automating the deployment, scaling, and management of containerized applications. With K8s support, cSRX can scale out in a cluster, running as an elastic firewall service with a smaller footprint than virtual machines. Running cSRX in a K8s cluster provides advantages such as:
Runs services with a smaller footprint
Enables faster scale-out and scale-in of cSRX
Automated management and a controlled workflow
In a K8s deployment, you can use Multus with both the Flannel and the Weave CNI.
To support the Kubernetes NodePort/Ingress controller with cSRX, the environment variable CSRX_MGMT_PORT_REORDER allows cSRX to use a container management interface. The Kubernetes NodePort/Ingress controller feature with cSRX is supported only with the Flannel/Weave CNI. With CSRX_MGMT_PORT_REORDER set to "yes", you explicitly control how the management port is reconfigured, for example, moving access to the cSRX shell or SD discovery onto the interface that Multus CNI attaches to cSRX.
For example, if cSRX is brought up with eth0/eth1/eth2 and CSRX_MGMT_PORT_REORDER=yes, you can use eth2 as the new management interface.
Traffic forwarding to eth2 must be set up through iptables rules that you define explicitly.
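The following manifest is an added example of the deployment described above; it is not from the cSRX documentation or from Juniper. It attaches two Multus networks to a cSRX pod so that the container sees eth0 (the default Flannel/Weave interface), eth1, and eth2, sets CSRX_MGMT_PORT_REORDER to "yes" so that eth2 becomes the management interface, and exposes the pod through a NodePort Service. The NetworkAttachmentDefinition names (csrx-net1, csrx-net2), the macvlan master interface (ens4), the subnets, the image reference, the NodePort number, the SSH port mapping, and the privileged security context are all assumptions you must adapt to your cluster.

```yaml
# Added example, not Juniper's own manifest. All names, subnets, ports and the
# image reference below are assumptions/placeholders.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: csrx-net1                 # assumed name; will be eth1 inside the pod
spec:
  config: '{
    "cniVersion": "0.3.1",
    "type": "macvlan",
    "master": "ens4",             # assumed host NIC carrying this network
    "mode": "bridge",
    "ipam": { "type": "host-local", "subnet": "10.10.1.0/24" }
  }'
---
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: csrx-net2                 # assumed name; will be eth2, the new mgmt interface
spec:
  config: '{
    "cniVersion": "0.3.1",
    "type": "macvlan",
    "master": "ens4",
    "mode": "bridge",
    "ipam": { "type": "host-local", "subnet": "10.10.2.0/24" }
  }'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csrx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: csrx
  template:
    metadata:
      labels:
        app: csrx
      annotations:
        # Multus attaches these after the default CNI interface (eth0). The
        # "interface" key pins the in-pod names to eth1/eth2 to match the
        # eth0/eth1/eth2 ordering the text assumes.
        k8s.v1.cni.cncf.io/networks: |
          [
            { "name": "csrx-net1", "interface": "eth1" },
            { "name": "csrx-net2", "interface": "eth2" }
          ]
    spec:
      containers:
      - name: csrx
        image: REPLACE_WITH_CSRX_IMAGE   # placeholder for your cSRX image reference
        env:
        # From the text: "yes" lets you move the management port (shell access,
        # SD discovery) to the Multus-attached interface, here eth2.
        - name: CSRX_MGMT_PORT_REORDER
          value: "yes"
        securityContext:
          privileged: true        # assumption; follow your cSRX deployment guide
---
apiVersion: v1
kind: Service
metadata:
  name: csrx-mgmt
spec:
  type: NodePort
  selector:
    app: csrx
  ports:
  - name: ssh                     # assumed: shell access over SSH
    port: 22
    targetPort: 22
    nodePort: 30022               # assumed NodePort value
```

Apply it with kubectl apply -f and confirm the pod shows three interfaces (eth0, eth1, eth2). The NodePort Service delivers traffic to the pod's default CNI interface; as the text states, forwarding that traffic on to eth2 is done through iptables rules you define yourself, and those rules are site-specific and not part of this manifest.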
The cSRX Container Firewall is a containerized version of the SRX Series Services Gateway with a low memory footprint. cSRX provides advanced security services, including content security, AppSecure, and unified threat management, in the form of a container. By using a Docker container, the cSRX can substantially reduce overhead, because each container shares the Linux host’s OS kernel. Regardless of how many containers a Linux server hosts, only one OS instance is in use. Also, because containers are lightweight, a server can host many more container instances than virtual machines (VMs), yielding tremendous improvements in utilization. With its small footprint and Docker as the container management system, the cSRX Container Firewall enables deployment of agile, high-density security services.
See Junos OS Features Supported on cSRX for a summary of the features supported on cSRX.
Licensing
cSRX Container Firewall software features require a license before they can be activated. To learn more about cSRX Container Firewall licenses, see Supported Features on cSRX, the Juniper Agile Licensing Guide, and Managing cSRX Licenses.
Kubernetes Overview
K8s is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery.
K8s defines a set of building-block objects that collectively provide mechanisms for orchestrating containerized applications across a distributed cluster of nodes, based on system resources (CPU, memory, or other custom metrics). K8s masks the complexity of managing a group of containers by providing REST APIs for the required functionality.
A node is a logical unit in a cluster, like a server, which can be either physical or virtual. In the context of Kubernetes clusters, a node usually refers specifically to a worker node. The Kubernetes nodes in a cluster are the machines that run the end-user applications.
There are two types of nodes in a Kubernetes cluster, and each one runs a well-defined set of processes:
head node: also called the primary, or primary node, it is the head and brain that does all the thinking and makes all the decisions; all of the intelligence is located here.
worker node: also called a node, or minion, it is the hands and feet that carry out the work.
In most cases, the nodes are controlled by the primary.
The interface between you and the cluster is the command-line tool kubectl. It is installed as a client application, either on the primary node or on a separate machine.
The Kubernetes objects are:
Pod
Service
Volume
Namespace
ReplicationController
ReplicaSet
Deployment
StatefulSet
DaemonSet
Job