
Cilium - API-aware Networking and Security for Containers based on BPF


Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as at Layer 7 to protect and secure the use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes and Mesos.



  1. Cilium: L7-Aware Network Security for Microservices using BPF & XDP
  2-4. Evolution of Application Design & Delivery Frequency
     Application architecture     Delivery frequency   Operational complexity
     Single server app            Yearly               Low
     3-tier app                   Monthly              Moderate
     Distributed microservices    10-100x per day      Extreme
  5. Network security has barely evolved. The world still runs on iptables matching IPs and ports:
     $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  6. Your HTTP ports be like …
  7. Network Security for Microservices: Gordon the intern has a brilliant idea…
  8. Gordon wants to build a Tweet Service that tweets out all job offerings ("We're Hiring!").
  9. The Jobs API Service has all the data Gordon needs. Its API: GET /healthz, GET /jobs/{id}, GET /applicants/{job-id}, POST /jobs. What the Tweet Service needs from it: GET /jobs/{id}.
  10. Gordon uses the "GET /jobs/{id}" API: Tweet Service -> Jobs API Service, GET /jobs/331.
  11. Gordon uses mutual TLS auth for the Tweet Service -> Jobs API Service connection. Good thinking, Gordon. Developer etiquette, super simple stuff.
  12. The security team has L3/L4 network security in place for all services (Tweet Service -> Jobs API Service: GET /jobs/331 over TLS on port 80):
     iptables -A INPUT -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT
  13. Large parts of the API are still exposed unnecessarily: the L3/L4 rule admits every request from the Tweet Service's IP on port 80, so GET /healthz, GET /applicants/{job-id} and POST /jobs are exposed to it even though it only needs GET /jobs/{id}.
  14. Not exactly least privilege security.
  15. Back to the drawing board… (Tweet Service -> Jobs API Service: GET /jobs/331 over TLS; Jobs API: GET /healthz, GET /jobs/{id}, GET /applicants/{job-id}, POST /jobs)
  16. Least privilege security for microservices: keep the L3/L4 rule and add an L7 rule, ALLOW "GET /jobs/.*" FROM "Tweets". The Tweet Service can still issue GET /jobs/331, while GET /healthz, GET /applicants/{job-id} and POST /jobs are no longer reachable from it.
  17. Network Security for Microservices using BPF
  18. We demand a demo
  19. BPF: The Superpowers inside Linux
  20. Powers of BPF: XDP for DDoS mitigation. Setup: the sender transmits 64-byte packets as fast as possible; the receiver drops them as fast as possible.
     Metric                            iptables / ipset   XDP
     DDoS rate [packets/s]             11.6M              11.6M
     Drop rate [packets/s]             7.1M               11.6M
     Time to load rules                3 min 20 sec       31 sec
     Latency under load [ms]           2.3                0.1
     Throughput under DDoS [Gbit/s]    0.014              6.5
     Requests/s under DDoS [kReq/s]    0.28               82.8
     Source: Daniel Borkmann's presentation yesterday: http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf
  21-22. Facebook published BPF/XDP numbers for its L3/L4 load balancer at Netdev 2.1. Architecture: ECMP -> L3/L4 LB -> L7 LB -> App. The chart compares BPF/XDP throughput against IPVS throughput for the L3/L4 LB.
     Source: https://www.netdevconf.org/2.1/slides/apr6/zhou-netdev-xdp-2017.pdf
  23. Kernel community is replacing iptables with BPF
     • The kernel community has decided not to evolve iptables further and to replace it with a BPF-based implementation (the bpfilter proposal discussed in the links below)
     • https://lwn.net/Articles/747504/
     • https://www.mail-archive.com/netdev@vger.kernel.org/msg217095.html
  24. What about L7?
  25. Currently: sidecar / service mesh. On each node the service and the sidecar proxy are separate processes, so a request passes through a socket and the TCP/IP stack three times per node (service to sidecar, sidecar ingress, sidecar egress to the network), and again on the receiving node. Consequences:
     • 3x socket memory requirement
     • 3x TCP/IP stack traversals
     • 3x context switches
     • Complexity
  26. Can we turn the sidecar into a racecar?
  27. Instead of a sidecar: the service's socket is redirected by BPF to an in-kernel L7 implementation (with kTLS for encryption), which traverses TCP/IP once on the way to the network; the receiving node does the same in reverse.
  28. In-Kernel L7 with BPF
  29. Cilium Summary
     • CNI and libnetwork plugin
     • Kubernetes, Docker, Mesos
     • Security at L3-L7
     • L3-L4: identity/label based or CIDR based
     • L7: HTTP, Kafka, gRPC
     • Load balancing (inside cluster)
     • Say goodbye to iptables
     • Minimal dependencies: only requires a kvstore, written in Go
  30. @ciliumproject http://github.com/cilium/cilium Thank You! Questions? Tutorial / Getting Started: http://cilium.io/try
  31. (Backup) Node 1 and Node 2: Task -> Socket -> kernel proxy (KProxy with BPF, kTLS) -> TCP/IP -> Network; the in-kernel proxy takes the place of the sidecar proxy in the data path.
  32-37. Kubernetes Integration
     Standard resources:
     • NetworkPolicy: L3, L4 policy (ingress only in k8s 1.7)
     • Services: ClusterIP, NodePort, LoadBalancer
     • Pods: pod labels to specify policy on
     • Nodes: NodeIP to Node CIDR mapping
     Custom Resource Definitions (CRD):
     • CiliumNetworkPolicy: L3 (labels/CIDR), L4, L7 (ingress & egress)
  38-40. Should I encapsulate or not?
     Mode I: Overlay. Node 1, Node 2 and Node 3 are connected by encapsulation (Encap). Use case: simple, "just works" on Kubernetes. Cilium reads the Kubernetes Node resources table:
       Name     NodeIP          Node CIDR
       Node 1   192.168.10.1    10.0.1.0/24
       Node 2   192.168.10.8    10.0.2.0/24
       Node 3   192.168.10.9    10.0.3.0/24
     Installation: run the kube-controller-manager with the --allocate-node-cidrs option.
     Mode II: Native Routing. Node 1, Node 2 and Node 3 sit on an L3 network with no encapsulation. Use case: run your own routing daemon, or use the cloud provider's router.
  41. L3 Policy (labels based): metadata; the endpoint selector names the pods the policy applies to (To Pod); the rule allows traffic from pods matching a label selector (From Pod).
  42. L3 Policy (CIDR): metadata; the endpoint selector names the pods the policy applies to (From Pod); the rule allows traffic to the CIDR 8.8.8.8/32 (To CIDR).
  43. L4 Policy: metadata; the endpoint selector names the pods the policy applies to; the rule allows incoming traffic on port 80 (To Port).
  44. L7 Policy: only allow "GET /v1/". Built on the L4 policy for port 80: Rule 1 allows "GET /v1/"; Rule 2 allows PUT only if a given header is set. Everything else on that port is outside the allowed API calls.
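The following CiliumNetworkPolicy is an added example that pulls slides 41 to 44 and the Gordon rule from slide 16 into one concrete resource; it is not a slide from the deck and not taken from the Cilium repository. The labels (app=jobs-api, app=tweet-service), the policy names and the X-Jobs-Role header are assumptions chosen for illustration; the fields used (endpointSelector, fromEndpoints, toPorts, rules.http with method/path/headers, toCIDR) are the cilium.io/v2 CiliumNetworkPolicy schema as shipped with Cilium 1.x.

```yaml
# Added example (not from the deck): least-privilege policy for the Jobs API Service.
# Label values, policy names and the header name are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: jobs-api-least-privilege        # assumed name
spec:
  # Slide 41/43: the pods the policy applies to (the Jobs API Service)
  endpointSelector:
    matchLabels:
      app: jobs-api                     # assumed label
  ingress:
  # L3 by identity (slide 41): only endpoints carrying the Tweet Service label,
  # i.e. the "Tweets" identity of slide 16, rather than an IP as in iptables
  - fromEndpoints:
    - matchLabels:
        app: tweet-service              # assumed label
    # L4 (slide 43): and only on TCP port 80
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # L7 (slides 16 and 44): once an http section exists for this port,
      # a request that matches no rule is rejected by the proxy with 403
      rules:
        http:
        # Rule 1: ALLOW "GET /jobs/.*" FROM "Tweets"; path is a regular expression
        - method: "GET"
          path: "/jobs/.*"
        # Rule 2: allow PUT only if a header is set (header name/value assumed)
        - method: "PUT"
          path: "/jobs/.*"
          headers:
          - "X-Jobs-Role: editor"
---
# Slide 42, L3 by CIDR: the Tweet Service may reach 8.8.8.8/32 on any port
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: tweet-service-egress-dns        # assumed name
spec:
  endpointSelector:
    matchLabels:
      app: tweet-service                # assumed label
  egress:
  - toCIDR:
    - 8.8.8.8/32
```

Apply with kubectl apply -f and inspect with kubectl get cnp. With the first policy in place, GET /jobs/331 from a tweet-service pod succeeds while GET /healthz, GET /applicants/1 and POST /jobs from the same pod are answered with 403 by the Cilium proxy, which is exactly the gap slide 13 shows for the port-based iptables rule. Two checks a practitioner should make: the HTTP rules are enforced by a proxy that has to read the request, so they apply to plaintext HTTP between the services, and end-to-end mutual TLS as on slide 11 would hide method and path from it; and the egress CIDR rule has no toPorts section, so it permits every port on 8.8.8.8, which should be narrowed to the port actually used if least privilege is the goal.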
