Cilium provides network security and visibility for microservices. It uses eBPF/XDP to provide fast and scalable networking and security controls at layers 3-7. Key features include identity-based firewalling, load balancing, and mutual TLS authentication between services. It integrates with Kubernetes to apply network policies using standard Kubernetes resources and custom CiliumNetworkPolicy resources for finer-grained control.
5. Network Security has barely evolved

The world still runs on iptables matching IPs and ports:

    $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
8. Gordon wants to build a service to tweet out all job offerings.

(Diagram: the Tweet Service posts "We're Hiring!")
9. The Jobs API service has all the data Gordon needs.

Jobs API Service endpoints:
    GET /healthz
    GET /jobs/{id}
    GET /applicants/{job-id}
    POST /jobs

(Diagram: Tweet Service -> GET /jobs/{id} -> Jobs API Service)
10. Gordon uses the "GET /jobs/" API

(Diagram: Tweet Service -> GET /jobs/331 -> Jobs API Service, which exposes GET /healthz, GET /jobs/{id}, GET /applicants/{job-id} and POST /jobs)
11. Gordon uses mutual TLS Auth

Good thinking Gordon. Developer etiquette. Super simple stuff.

(Diagram: Tweet Service -> TLS -> GET /jobs/331 -> Jobs API Service, with the same four API endpoints as before)
12. The security team has L3/L4 network security in place for all services

    iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT

(Diagram: Tweet Service -> TLS -> GET /jobs/331 -> L3/L4 filter -> Jobs API Service, with the same four API endpoints)
13. Large parts of the API are still exposed unnecessarily

The L3/L4 rule (iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT) admits the Tweet Service's GET /jobs/331, but it cannot tell one HTTP request from another.

(Diagram: Tweet Service -> TLS -> GET /jobs/331 -> L3/L4 filter -> Jobs API Service; GET /healthz, GET /applicants/{job-id} and POST /jobs are marked "exposed")
15. Back to the drawing board…

(Diagram: Tweet Service -> TLS -> GET /jobs/331 -> Jobs API Service, with the same four API endpoints)
16. Least privilege security for microservices

    ALLOW "GET /jobs/.*" FROM "Tweets"

(Diagram: Tweet Service -> TLS -> GET /jobs/331 -> L3/L4 and L7 policy -> Jobs API Service; of the four endpoints only GET /jobs/{id} is reachable from the Tweet Service)
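As an added example (not from the deck), the slide's ALLOW "GET /jobs/.*" FROM "Tweets" rule written as a CiliumNetworkPolicy for Gordon's Jobs API. The label-based endpoint selection is the L3 part and the HTTP rule is the L7 part; the labels app: jobs-api and app: tweet-service, the namespace and port 80 are assumptions.

```yaml
# Assumed labels: Jobs API pods carry app=jobs-api, Tweet Service pods
# carry app=tweet-service. Both are illustrative, not from the deck.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: jobs-api-least-privilege
  namespace: default            # assumed namespace
spec:
  # L3 (label based): the policy applies to the Jobs API pods. Once any
  # ingress rule selects them, all other ingress traffic is denied.
  endpointSelector:
    matchLabels:
      app: jobs-api
  ingress:
  # Only pods with the Tweet Service identity may talk to the Jobs API...
  - fromEndpoints:
    - matchLabels:
        app: tweet-service
    # ...and only on TCP/80 (assumed port)...
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # ...and only for GET /jobs/<anything>. The L7 proxy rejects
      # GET /healthz, GET /applicants/{job-id} and POST /jobs from the
      # Tweet Service even though the L3/L4 match succeeds.
      rules:
        http:
        - method: "GET"
          path: "/jobs/.*"
```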
21. Powers of BPF: XDP - DDoS mitigation

    Metric                           iptables / ipset   XDP
    DDoS rate [packets/s]            11.6M              11.6M
    Drop rate [packets/s]            7.1M               11.6M
    Time to load rules [time]        3 min 20 sec       31 sec
    Latency under load [ms]          2.3ms              0.1ms
    Throughput under DDoS [Gbit/s]   0.014              6.5
    Requests/s under DDoS [kReq/s]   0.28               82.8

Setup: sender sends 64B packets as fast as possible -> receiver drops as fast as possible.

Source: Daniel Borkmann's presentation yesterday:
http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf
24. Kernel community declared iptables obsolete

• Kernel community decided to stop iptables development and replace it with BPF
• https://lwn.net/Articles/747504/
• https://www.mail-archive.com/netdev@vger.kernel.org/msg217095.html
31. Cilium Summary

• CNI and libnetwork plugin
  • Kubernetes, Docker, Mesos
• Security at L3-L7
  • L3-L4: Identity/Label based or CIDR based
  • L7: HTTP, Kafka, gRPC
• Load-balancing (inside cluster)
• Say goodbye to iptables
• Minimal dependencies
  • Only requires kvstore, written in Go
40. Should I encapsulate or not?

Mode I: Overlay

(Diagram: Node 1, Node 2 and Node 3 connected by encapsulated tunnels)
41. Should I encapsulate or not?

Mode I: Overlay

(Diagram: Node 1, Node 2 and Node 3 connected by encapsulated tunnels)

Kubernetes Node resources table:

    Name     NodeIP         Node CIDR
    Node 1   192.168.10.1   10.0.1.0/24
    Node 2   192.168.10.8   10.0.2.0/24
    Node 3   192.168.10.9   10.0.3.0/24

Installation: run the kube-controller-manager with the --allocate-node-cidrs option.
42. Should I encapsulate or not?

Mode I: Overlay
(Diagram: Node 1, Node 2 and Node 3 connected by encapsulated tunnels)
Use case:
• Simple
• "Just works" on Kubernetes

Mode II: Native Routing
(Diagram: Node 1, Node 2 and Node 3 attached directly to an L3 network)
Use case:
• Run your own routing daemon
• Use the cloud provider's router
43. L3 Policy (Labels Based)

(Annotated policy example: Metadata; "Pods the policy applies to…"; "Allow from pods"; diagram: From Pod -> To Pod)