Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Accelerating Envoy and Istio with Cilium and the Linux Kernel

2,299 views

Published on

This talk will provide an introduction to injection options of Envoy and then deep dive into ongoing Linux kernel work that enables injecting Envoy while introducing as little latency as possible.

The servicemesh and the sidecar proxy model are on a steep trajectory to redefine many networking and security use cases. This talk explains and demos a new socket redirect Linux kernel technology that allows running Envoy with similar performance as if the sidecar was linked to the application using a UNIX domain socket. The talk will also give an outlook on how Envoy can use the recently merged kernel TLS functionality to gain access to the clear text payload transparently for end to end encrypted applications without requiring to decrypt and re-encrypt any data to further reduce the overhead and latency.

Published in: Technology

Accelerating Envoy and Istio with Cilium and the Linux Kernel

  1. 1. Cilium Accelerating Envoy and Istio with Cilium and the Linux Kernel Thomas Graf, Covalent
  2. 2. BPF - The Superpowers inside Linux
  3. 3. The Rise of BPF [and XDP]
  4. 4. Source: https://www.netdevconf.org/2.1/slides/apr6/zhou-netdev-xdp-2017.pdf Facebook published BPF numbers for L3/L4 LB at NetDev 2.1 BPF/XDP performance IPVS performance
  5. 5. BPF/XDP: DDoS mitigation Metric iptables / ipset BPF / XDP DDoS rate [packets/s] 11.6M 11.6M Drop rate [packets/s] 7.1M 11.6M Latency under load [ms] 2.3ms 0.1ms Requests/s under DDoS [Requests/s] 280 82’800 Sender: Send 64B packets as fast as possible Receiver: Drop as fast as possible Source: http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf
  6. 6. BPF: “dtrace for Linux” Source: http://www.brendangregg.com/blog/
  7. 7. What is your favorite iptables memory?
  8. 8. What is your favorite iptables memory?
  9. 9. Kernel developers are saying goodbye to iptables https://lwn.net/Articles/747504/
  10. 10. Early performance benchmark Source: https://bit.ly/2Ks9gJH
  11. 11. So many more examples…. • Cloudflare DDoS mitigation [https://www.netdevconf.org/2.1/slides/apr6/bertin_Netdev-XDP.pdf] • BCC [https://github.com/iovisor/bcc] • Systemtap [https://sourceware.org/git/gitweb.cgi?p=systemtap.git;a=summary] • Weave Scope [https://github.com/weaveworks/scope] • Suricata [http://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html] • systemd [http://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html] • gobpf [https://github.com/iovisor/gobpf] • ply [https://github.com/wkz/ply] • bpfps [https://github.com/genuinetools/bpfps] • Perf [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/perf] • bpftrace [https://github.com/ajor/bpftrace] • Open vSwitch [http://www.openvswitch.org//support/ovscon2016/7/1120-tu.pdf] • PCP [https://github.com/performancecopilot/pcp] • …
  12. 12. BPF toolchain
  13. 13. How does BPF apply to Envoy and Service Mesh?
  14. 14. Kubernetes Pod Service Kubernetes Pod Service Mesh / Sidecar Architecture Network Service SidecarSidecar
  15. 15. Kubernetes Pod Service Kubernetes Pod Operating System Socket Socket Sidecar Injection Network Service Socket Socket Socket Socket
  16. 16. Kubernetes Pod Service Kubernetes Pod Operating System Socket TCP/IP Socket TCP/IP Sidecar Injection Network Service Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP
  17. 17. Kubernetes Pod Service Kubernetes Pod Sidecar Injection Network Service Operating System Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Ethernet Ethernet Ethernet Ethernet EthernetEthernet
  18. 18. Kubernetes Pod Service Kubernetes Pod Operating System Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Sidecar Injection (Non-transparent) Network Service Ethernet Ethernet Loopback Ethernet eth0 Ethernet Ethernet Loopback Ethernet eth0
  19. 19. Kubernetes Pod Service Kubernetes Pod Operating System Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Socket TCP/IP Sidecar Injection (Transparent) Network Service Ethernet Ethernet Loopback Ethernet eth0 Ethernet Ethernet Loopback Ethernet eth0 iptables iptables iptablesiptables
  20. 20. Why use TCP and Ethernet in a single-node, lossless environment?
  21. 21. Kubernetes Pod Service Kubernetes Pod Operating System Socket Socket Socket TCP/IP Socket TCP/IP Socket Socket Transparent Sidecar Injection with Cilium Network Service Ethernet eth0 Ethernet eth0 CiliumCilium
  22. 22. Sidecar Injection Performance
  23. 23. Socket TCP/IP Socket TCP/IP Service A Service B Ethernet Ethernet Loopback TCP Handshake Phase Socket Socket Service A Process B Data Phase Cilium Transparent acceleration during data phase • Transparent acceleration, behavior stays the same • No changes to application or Envoy needed 1 2
  24. 24. Socket TCP/IP Socket TCP/IP Process A Process B Ethernet Ethernet Cilium But wait… Works with any local socket communication TCP Handshake Phase Socket Socket Process A Process B Data Phase Cilium vethveth
  25. 25. How do I get this?
  26. 26. http://github.com/cilium/cilium Cilium Sidecar Accel: - Kernel: 4.16 - Cilium: 1.1/1.2 Cilium: - Kernel: 4.9
  27. 27. Cilium in a Nutshell • Current Release: 1.0.1 • Highly efficient BPF datapath • Fully Distributed • Service Mesh datapath • CNI and CMM plugin • Network Security on both Packet and API level • Identity Based • IP/CIDR as fallback • API Aware (HTTP, gRPC, Kafka, [more coming soon]) • Distributed and Scalable Load Balancing • Simplified Networking Model • Overlay • Direct Routing • Delegation to other plugin (1.1) • Visibility / Tracing
  28. 28. It gets better…
  29. 29. It gets better… … and a little bit scary
  30. 30. Service A Service B Mutual TLS TLS in Service Mesh Clear Text Encrypted Sidecar Sidecar Key
  31. 31. Service A Accessing external services via sidecar using TLS GitHub API Clear Text Encrypted Sidecar Encrypt Decrypt
  32. 32. Service A Option #1: Inject Root CA GitHub API Clear Text Encrypted Sidecar Inject new root CA Real root CA Encrypt Decrypt Encrypt Decrypt
  33. 33. kTLS Kubernetes Pod App Kubernetes Pod Operating System Socket Socket Network App Socket Socket Socket Socket SSL SSL … … … … … … Ethernet Ethernet Loopback Ethernet eth0 Ethernet Ethernet Loopback Ethernet eth0 Symmetric encryption offloaded to kernel ~4% CPU gain
  34. 34. Kubernetes Pod App Kubernetes Pod Operating System Socket Socket Socket TCP/IP Socket TCP/IP Socket Socket kTLS + Cilium + Envoy Network App Ethernet eth0 Ethernet eth0 iptablesiptables CiliumCilium SSL SSL
  35. 35. Service A Option #2: kTLS GitHub API Clear Text Encrypted Sidecar Deferred kTLS encryption Decrypt
  36. 36. Sidecar for TLS encrypted connections without CA injection & decryption
  37. 37. What date is today?
  38. 38. @ciliumproject http://github.com/cilium/cilium Thank You! Questions? Getting Started: http://cilium.io/

×