Many IT organizations are just now starting to discover the benefits of deploying application firewalls on top of virtual machines. Now Weaveworks is moving to bring similar capabilities to container environments using the latest version of Kubernetes.
Weaveworks COO Mathew Lodge says that with the release of version 1.7 of Weave Net, IT organizations can now deploy a software-defined network (SDN) overlay designed specifically for containers that makes it possible to apply security policies down to individual containers. Lodge says organizations can now define firewall policies to filter traffic between microservices and containers, including at the Kubernetes namespace and pod level. As a result, organizations that deploy Weave Net and Kubernetes together now have fine-grained controls tied to service definitions in Kubernetes rather than an isolated subnet.
Over time, Lodge says, Weaveworks will extend this capability to other container orchestration engines. In the meantime, release 1.4 of Kubernetes provided the hooks needed for Weaveworks to deliver fine-grain security across an entire container environment.
At its core Weave Net is described as a “micro SDN” that developers or network administrators can deploy in support of container applications. What makes Weave Net different from other SDNs is it requires zero configuration or coding to implement. As such, Lodge says, version 1.7 of Weave Net extends that capability by allowing IT organizations to develop security policies that can be applied automatically to application firewalls embedded in the Weave Net SDN. The Weave Net SDN itself creates a network of software routers that eliminate any and all dependencies on an external database while still providing full multicast capabilities across both public clouds and on-premises IT environments.
With the addition of security controls, Weaveworks is challenging many of the assumptions IT organizations make about how IT security should be enforced. Historically, developers have not been a major part of the process. Now, developers can not only implement their own SDN, but also make sure the appropriate IT security policies are automatically enforced. IT security teams still need to develop those policies. But the days when the IT security team needed to implement those policies soon may be coming to an end.
Weave Net also challenges some of the basic assumptions made about how the network itself needs to be managed. By giving developers the ability to programmatically create their own SDNs, reliance on network administrators to provision networks for new applications is reduced substantially. From an IT agility perspective, that’s critical: While it may take a few minutes to spin up a container or a virtual machine, it still takes most IT organizations weeks to provision network services.
It remains to be seen just how widely containers will be deployed in production environments that just now are coming up to speed on SDNs. But given the rate at which IT organizations are making the transition to SDNs, it might not come as a surprise to see developers lose patience with network administrators. After all, all most developers care about is getting their application up and running by any means necessary regardless of what the internal IT organization may have officially sanctioned.