Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Report
Thomas GrafFollow
Aug. 31, 2018•0 likes•2,532 views
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Aug. 31, 2018•0 likes•2,532 views
Download to read offline
Report
Software
BPF is one of the fastest emerging technologies of the Linux kernel. The talk provides an introduction to Cilium which brings the powers of BPF to Kubernetes and other orchestration systems to provide highly scalable and efficient networking, security and load balancing for containers and microservices. The talk will provide an introduction to the capabilities of Cilium today but also deep dives into the emerging roadmap involving networking at the socket layer and service mesh datapath capabilities to provide highly efficient connectivity between cloud native apps and sidecar proxies.
Thomas GrafFollow
Recommended
Cilium - Network security for microservicesThomas Graf
EBPF and Linux NetworkingPLUMgrid
Kubernetes NetworkingCJ Cullen
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
Using eBPF for High-Performance Networking in CiliumScyllaDB
More Related Content
What's hot
Introduction to the Container Network Interface (CNI)Weaveworks
【Interop Tokyo 2018】 Telemetryの匠が解説~オープン技術を用いたマイクロバースト検知の最前線~Juniper Networks (日本)
Deep dive into Kubernetes NetworkingSreenivas Makam
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요Jo Hoon
eBPF - Observability In DeepMydbops
Kubernetes a comprehensive overviewGabriel Carro
Similar to Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...UA DevOps Conference
RINA as a Clean-Slate Approach to Software Networks ICT PRISTINE
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
Pristine rina-security-icc-2016ICT PRISTINE
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PROIDEA
Kube ovn-sandbox-proposal梦馨 刘
More from Thomas Graf
eBPF - Rethinking the Linux KernelThomas Graf
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPThomas Graf
BPF: Next Generation of Programmable DatapathThomas Graf
Recently uploaded
Travel SoftwareSharmiMehta
PostgreSQL PrologueMd. Golam Hossain
KaseSync: Revolutionizing Support Experiences With Community-CRM IntegrationGrazitti Interactive
Software Bill of Materials and the Vulnerability Exploitability eXchange Petar Radanliev
Winter 24 Highlights.pdfPatrickYANG48
Why Should You Choose a Personal Trainer over Group Gym Classes? Neighborhood Trainer
![[DPE Summit] How Improving the Testing Experience Goes Beyond Quality: A Deve...](https://cdn.slidesharecdn.com/ss_thumbnails/dpesummitseptember20-212023-howimprovingthetestingexperiencegoesbeyondqualityadeveloperproductivityp-230924000523-453e8af8-thumbnail.jpg?width=1600&height=908&fit=bounds)
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
- 1. Cilium API Aware Networking & Network Security for Microservices using BPF & XDP
- 2. FUNDAMENTALS • BPF – Next Generation Datapath – Replaces iptables, fast, flexible, powerful – Packet, API, process visibility • Cloud Native Security – Identity-based – API & DNS Aware • Servicemesh Integration – Uses Envoy and co-operates with Istio – Secures and accelerates sidecar proxies • Multi Cluster and Multi Cloud – Connects multiple clusters across providers
- 6. BPF/XDP Load Balancing 10x performance over IPVS
- 12. Networking
- 13. Cilium as CNI Plugin
- 14. Networking Model: Encapsulation or Direct Routing Mode I: Encapsulation Mode II: Direct Routing Node 1 Node 2 Node 3 L3 Network Integrations: • Cloud routers • kube-router, BIRD, … • No further dependencies Node 1 Node 2 Node 3 VXLAN VXLAN VXLAN
- 15. Load Balancing
- 16. BPF-based iptables kube-proxy Kubernetes Services Implementation • Linear List • All rules have to be replaced as a whole • Per-CPU Hash table
- 17. Security
- 18. Pod barL3/L4 GET /healthz GET /jobs/{id} GET /applicants/{job-id} POST /jobs API exposed exposed exposed GET /jobs/331 Traditional API Unaware Security Pod foo GET /jobs/{id} TLS Allow foo to bar on port 80
- 19. L3/L4 GET /healthz GET /jobs/{id} GET /applicants/{job-id} POST /jobs API GET /jobs/331 API Aware Security GET /jobs/{id} Allow GET /jobs/.* from identity foo TLS Pod barPod foo
- 20. Identity based security 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.1.5 1.1.1.6 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 Allow ToAllow To
- 21. Enforcements Points
- 22. Connecting Multiple Clusters
- 23. Cluster Mesh
- 24. Servicemesh Integration
- 25. • Telemetry (Tracing) • Retries • Load Balancing (HTTP/L7) • Mutual TLS • Authorization • …
- 26. Servicemesh Security
- 30. SSL Data Visbility
- 31. Cilium Summary • CNI and CMM plugin • Kubernetes, Docker, Mesos • Security • Secures ingress, east-west, and egress. • Label, DNS, or CIDR based. Identity enforcement. • API aware (HTTP, Kafka, gRPC) • Load-balancing • Servicemesh integration • Multi Cluster / Multi Cloud Provider • Connect multiple clusters with label based policy enforcement
- 32. @ciliumproject http://github.com/cilium/cilium Thank You! Q&A Getting Started: http://cilium.io/try