About Group-Based Policy
Group-Based Policy (GBP) is an API framework for OpenStack that offers an intent-driven model intended to describe application requirements in a way that is independent of the underlying infrastructure. Rather than offering network-centric constructs, such as Layer 2 domains, GBP introduces a generic "Group" primitive along with a policy model to describe connectivity, security, and network services between groups. While GBP has focused on the networking domain, it can be a generic framework that extends beyond networking.
GBP runs as a service plug-in within the Neutron process space.
Group-Based Policy Use Cases
Group-Based Policy (GBP) was designed to offer a powerful, but simple language for capturing the requirements of and deploying complex applications on OpenStack clouds. GBP addresses disconnect between application developers who understand application requirements and infrastructure teams who understand various infrastructure capabilities.
GBP offers the following capabilities beyond what is present in OpenStack:
Dependency mapping | GBP enables users to specify the relationships between different tiers of applications. This dependency map acts as documentation for the security requirements of the application and allows different tiers of the application to evolve separately. The dependency map also makes it extremely easy to scale and automate infrastructure. |
Separation of concerns | GBP was designed to separate application security requirements, such as who can talk to whom, from network-specific requirements, such as what IP address ranges to use, where to draw network boundaries, and how to assign virtual IP addresses. This allows application, security, and operation teams to operate independently, but cooperatively. |
How Group-Based Policy works
Group-Based Policy (GBP) offers a policy API through multiple OpenStack interfaces, including Horizon extensions (openstack-dashboard-gbp), Heat (openstack-heat-gbp), and cli (openstack-neutron-gbp). GBP was designed to act as a layer on top of Neutron.
GBP supports two forms of mapping to the underlying infrastructure:
Neutron Mapping Driver | The Neutron mapping driver converts GBP resources into existing Neutron API calls. This allows Neutron to run any existing open source or vendor plugin, including ML2. It also allows GBP to be used in any OpenStack environment. You should define the OpenStack projects either with Neutron API or GBP API. Different projects of the same OpenStack installation could potentially use different APIs. For example, Neutron or GBP. |
Native Drivers | You can create drivers that directly render policy constructs through a separate SDN controller or external entity without first converting them to Neutron APIs. This is valuable as it gives the controller additional flexibility on how to interpret and enforce policy without being tied to L2/L3 behaviors. There are currently four native drivers, including Cisco APIC, VMware NSX policy, and One Convergence NSP. |
About the Group-Based Policy Model
Group-Based Policy (GBP) introduces a policy model to describe the relationships between different logical groups or tiers of an application. The primitives have been chosen in a way that separates their semantics from the underlying infrastructure capabilities. Resources can be public or local to a specific tenant.
The key primitives are:
Resource | Description |
---|---|
Policy Target | An individual network endpoint (generally a NIC). A policy target is a basic addressable unit in the architecture. |
Policy Group | Policy targets with the same properties are organized into policy groups, which is the fundamental primitive of GBP. Policy groups offer an infrastructure agnostic grouping construct without specifying any network semantics in the same way as a broadcast. Each group models its dependencies by declaring the rule sets that it provides to groups as well as rule sets that it will consume. |
Policy Classifier | A means of filtering network traffic, including protocol, port range, and direction (in, out, or bidirectional). |
Policy Action | An action to take when a particular rule is applied. The supported type include "allow". |
Policy Rules | Classifiers paired with actions. |
Policy Rule Sets | Policy rule sets contain a number of policy rules. Rule sets can be nested through parent-child relationships. |
About Network Policies
Group-Based Policy (GBP) aims to centralize the description of network policies and keep them separate from application-level policies, such as groups and rule sets. This allows a separation of concerns between application owners and cloud/infrastructure administrators.
Resource | Description |
---|---|
Layer 2 Policy | Specifies set of groups within the same switching domain. Layer 2 policies must reference a particular Layer 3 policy. |
Layer 3 Policy | Specifies potentially overlapping IP address space that contains any number of Layer 2 policies. |
Network Service Policy | Specifies network-specific parameters that are required for network service chaining, such as VIP allocation. |
About Shared Policies
Resources in the
Group-Based Policy (GBP) model support a
shared
attribute that can be set to make a resource visible across tenants. The
sharing of policy resources promotes the separation of concerns by allowing the
relevant team to create a policy and for other users to consume the policy. A
shared resource has global visibility, meaning that all tenants are able to see
a shared resource. The
shared
attribute can be set or updated only by a user in the administrator role.
The following example creates a shared Layer 3 policy using the CLI:
# gbp l3policy-create --shared True my-shared-l3p
Similarly, the GUI has a checkbox that enables the sharing or unsharing a resource.
There are certain constraints on when and how a resource is shared:
-
A shared resource can only be associated with other shared resources. For example, a shared Layer 2 policy can only exist on a shared Layer 3 policy.
-
A shared resource cannot be unshared if it is currently being used.
Note |
A policy target
resource does not support the
|
About the Neutron Mapping Driver
One of the most useful aspects of the Group-Based Policy (GBP) model and its implementation is the ability to map a policy directly into the Neutron API and thus be able to use the existing Neutron plugins as is. The default mapping is as follows:
GBP Resource | Neutron |
---|---|
Policy Target | Port |
Policy Target Group | Subnet |
Layer 2 Policy | Network |
Layer 3 Policy | Router |
Note |
You can design a custom mapping and implement it in a "resource mapping" policy driver. |