ContainerDays Hamburg 2023 — Cilium Workshop.pdf

Raphaël Pinson | @raphink | @raphink@mastodon.social
🧪 Cilium Alchemist, Isovalent
Cilium Workshop:
Kubernetes Networking
with eBPF

⬢ Principles
Cilium & eBPF
Cloud Native Networking & Security

⬢ Principles
⬢ Networking
Cilium & eBPF

⬢ Principles
⬢ Networking
⬢ Cluster Mesh
Cilium & eBPF

⬢ Principles
⬢ Networking
⬢ Cluster Mesh
⬢ Security
Cilium & eBPF

⬢ Principles
⬢ Networking
⬢ Cluster Mesh
⬢ Security
⬢ Observability
Cilium & eBPF

⬢ Principles
⬢ Networking
⬢ Cluster Mesh
⬢ Security
⬢ Observability
⬢ Service Mesh
Cilium & eBPF

⬢ Principles
⬢ Networking
⬢ Cluster Mesh
⬢ Security
⬢ Observability
⬢ Service Mesh
⬢ Tetragon
Cilium & eBPF

Who am I
Raphaël Pinson
Cilium Alchemist @ Isovalent

● Open Source Projects ● Company behind Cilium
● Provides Cilium Enterprise

ContainerDays Hamburg 2023 — Cilium Workshop.pdf

Makes the Linux kernel
programmable in a
secure and efficient way.
“What JavaScript is to the
browser, eBPF is to the
Linux Kernel”

Run eBPF programs on events
Attachment points
● Kernel functions (kprobes)
● Userspace functions (uprobe)
● System calls
● Tracepoints
● Sockets (data level)
● Network devices (packet level)
● Network device (DMA level) [XDP]
● ...

What is Cilium?
At the foundation of Cilium is the new Linux kernel
technology eBPF, which enables the dynamic
insertion of powerful security, visibility, and networking
control logic within Linux itself. Besides providing
traditional network level security, the ﬂexibility of BPF
enables security on API and process level to secure
communication within a container or pod.
Read More
● Networking & Load-Balancing
○ CNI, Kubernetes Services, Multi-cluster, VM Gateway
● Network Security
○ Network Policy, Identity-based, Encryption
● Observability
○ Metrics, Flow Visibility, Service Dependency

- Networking
- Security
- Observability
- Service Mesh & Ingress
-based:
Foundation
Created by
Technology

Graduation Vote Ongoing!
https://github.com/cncf/toc/pull/952#issuecomment-1716062879

Networking plugin
● Network devices
● IP Address Management
● Intra-node connectivity
● Inter-node connectivity
Kube Proxy
● Services
● iptables or ipvs
● Service discovery

● Agent on each node
● Tunneling or Direct Routing
● eBPF native dataplane
● kube-proxy replacement.

Kubernetes Services
East-west connectivity
● Durable abstraction
● Connect applications
● Ephemeral addresses
● High churn
● Iptables or ipvs

Kubernetes Services
kube-proxy / iptables
● Linear list / sieve
● All rules have to be replaced as a
whole
eBPF based
● Per-CPU hash table ⇒ more
performant
● Native metadata => Cloud Native
routing

node1
29
pod
192.168.1.1
pod
192.168.1.4
CiliumNode CRD
metadata:
name: node1
spec:
eni:
instance-id: i-123
instance-type: m4.large
preallocate: “8”
security-groups:
- sg1
- sg2
ipam:
available:
- 192.168.1.1
- 192.168.1.2
- 192.168.1.3
- 192.168.1.4
status:
ipam:
used:
- 192.168.1.1
- 192.168.1.4
Agent
Report used IPs
Use IPs
Operator
Make IPs
available
Init
Read ENI
parameters
Native Cloud Support
Alibaba, AWS, Azure, Google

Cluster Mesh - High Availability

Cluster Mesh - Shared Services

Cluster Mesh - Splitting Services

Cluster Mesh - Local Service Affinity

Cluster Mesh - Remote Service Affinity

Cluster Mesh with Service Mesh
Canary Rollout to other Cluster

Cassandra Cilium Network Policy Example

DNS-aware Cilium Network Policy

L3 Matching Capabilities
Kubernetes
● Pod labels
● Namespace name & labels
● ServiceAccount name
● Service names
● Cluster names
DNS Names
● FQDN and regular expression
CIDR
● CIDR blocks with exceptions
Cloud Providers
● Instance labels
● VPC/Subnet name/tags
● Security group name
Logical Entities
● Everything inside cluster
● Everything outside cluster
● Local host
● ...

Flow Visibility
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
tiefighter 1/1 Running 0 2m34s
xwing 1/1 Running 0 2m34s
deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s
deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s
$ hubble observe --follow -l class=xwing
# DNS lookup to coredns
default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP)
kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP)
# ...
# Successful HTTPS request to www.disney.com
default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN)
www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST)
# ...
# Blocked HTTP request to deathstar backend
default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
Flow Metadata
‒ Ethernet headers
‒ IP & ICMP headers
‒ UDP/TCP ports, TCP flags
‒ HTTP, DNS, Kafka, ...
Kubernetes
‒ Pod names and labels
‒ Service names
‒ Worker node names
DNS (if available)
‒ FQDN for source and
destination
Cilium
‒ Security identities and
endpoints
‒ Drop reasons
‒ Policy verdict matches

Sidecar vs per-Node Proxy
Total number of proxies required

Traffic Management
- L3/L4 forwarding & Load-balancing
- Canary, Topology Aware Routing
- Multi-cluster
Security
- Network Policy
- mTLS
Observability
- Tracing, OpenTelemetry, & Metrics
- HTTP, TLS, DNS, TCP, UDP, …
eBPF Native
(no sidecar)
Proxy
Traffic Management
- L7 Load-balancing & Ingress
Resilience
- Retries, L7 Rate Limiting
Security
- TLS Termination & Origination
When eBPF cannot do it
Whenever possible

Performance Impact of a Sidecar

@lizrice
Cilium Tetragon
● New open source project in Cilium
● eBPF based = high performance and zero modifications required to app
● Hooks into kernel functions after parameters are copied
● Adds contextual information about Kubernetes objects
● Preventative capabilities
github.com/cilium/tetragon

OSS Community
eBPF-based Networking,
Observability, Security
cilium.io
cilium.slack.com
Regular news
Learn more!
Base technology
The revolution in the Linux kernel,
safely and efficiently extending the
capabilities of the kernel.
ebpf.io
What is eBPF? - ebook
For the Enterprise
Hardened, enterprise-grade
eBPF-powered networking,
observability, and security.
isovalent.com/product
isovalent.com/labs

Which eBee are you?
@raphink | @raphink@mastodon.social
Cloud Network
Engineer
Security
Professional
Platform
Engineer
Platform Ops
(Service Mesh)
Cloud Architect

Practical Labs
… to become a Cilium & eBPF Jedi
🌐 https://labs-map.isovalent.com
Get badges 🏅

All major cloud providers have picked
-based Networking & Security
for their Kubernetes platforms
How about you?

eBPF resources
eCHO
eBPF YouTube podcast:
https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB
WvuQ
eBPF & Cilium Slack
http://slack.cilium.io/
eCHO News
Bi-weekly eBPF newsletter:
https://cilium.io/newsletter/

Workshops
Geneva — 14th September
Cologne — 28th September
Oslo — 17th October
Stockholm — 19th October
London — 1st November
🌐 isovalent.com/workshop-tour

ContainerDays Hamburg 2023 — Cilium Workshop.pdf

ContainerDays Hamburg 2023 — Cilium Workshop.pdf

Recommandé

Contenu connexe

Tendances

Tendances(20)

Similaire à ContainerDays Hamburg 2023 — Cilium Workshop.pdf

Similaire à ContainerDays Hamburg 2023 — Cilium Workshop.pdf(20)

Plus de Raphaël PINSON

Plus de Raphaël PINSON(20)

Dernier

Dernier(20)

ContainerDays Hamburg 2023 — Cilium Workshop.pdf