
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security


BPF is one of the fastest emerging technologies of the Linux kernel. The talk provides an introduction to Cilium, which brings the power of BPF to Kubernetes and other orchestration systems to provide highly scalable and efficient networking, security and load balancing for containers and microservices. It covers the capabilities of Cilium today and dives into the emerging roadmap, which involves networking at the socket layer and service mesh datapath capabilities that provide highly efficient connectivity between cloud native apps and sidecar proxies.

Published in: Software


  1. Cilium: API Aware Networking & Network Security for Microservices using BPF & XDP
  2. FUNDAMENTALS
     • BPF
       – Next Generation Datapath
       – Replaces iptables, fast, flexible, powerful
       – Packet, API, process visibility
     • Cloud Native Security
       – Identity-based
       – API & DNS Aware
     • Servicemesh Integration
       – Uses Envoy and co-operates with Istio
       – Secures and accelerates sidecar proxies
     • Multi Cluster and Multi Cloud
       – Connects multiple clusters across providers
  3. BPF/XDP Load Balancing: 10x performance over IPVS
  4. Networking
  5. Cilium as CNI Plugin
  6. Networking Model: Encapsulation or Direct Routing
     • Mode I: Encapsulation
     • Mode II: Direct Routing
     • Integrations:
       – Cloud routers
       – kube-router, BIRD, …
       – No further dependencies
     (Diagram labels: Node 1, Node 2, Node 3; L3 Network; VXLAN)
  7. Load Balancing
  8. Kubernetes Services Implementation
     • iptables kube-proxy
       – Linear list
       – All rules have to be replaced as a whole
     • BPF-based
       – Per-CPU hash table
  9. Security
  10. Traditional API Unaware Security
     • Policy (L3/L4): Allow foo to bar on port 80
     • API of Pod bar: GET /healthz, GET /jobs/{id}, GET /applicants/{job-id}, POST /jobs
     • Pod foo needs GET /jobs/{id} and sends GET /jobs/331
     (Diagram: three of the API endpoints are marked "exposed"; the connection is labelled TLS)
  11. API Aware Security
     • Policy: Allow GET /jobs/.* from identity foo
     • API of Pod bar: GET /healthz, GET /jobs/{id}, GET /applicants/{job-id}, POST /jobs
     • Pod foo needs GET /jobs/{id} and sends GET /jobs/331
     (Diagram: L3/L4 and API layers; the connection is labelled TLS)
  12. Identity based security
     (Diagram: two "Allow To" rules, each over the addresses 1.1.1.1 through 1.1.1.6)
  13. Enforcement Points
  14. Connecting Multiple Clusters
  15. Cluster Mesh
  16. Servicemesh Integration
  17. • Telemetry (Tracing)
     • Retries
     • Load Balancing (HTTP/L7)
     • Mutual TLS
     • Authorization
     • …
  18. Servicemesh Security
  19. SSL Data Visibility
  20. Cilium Summary
     • CNI and CNM plugin
       – Kubernetes, Docker, Mesos
     • Security
       – Secures ingress, east-west, and egress.
       – Label, DNS, or CIDR based. Identity enforcement.
       – API aware (HTTP, Kafka, gRPC)
     • Load-balancing
     • Servicemesh integration
     • Multi Cluster / Multi Cloud Provider
       – Connect multiple clusters with label based policy enforcement
  21. Thank You! Q&A
     • @ciliumproject
     • http://github.com/cilium/cilium
     • Getting Started: http://cilium.io/try
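
The contrast between slides 10 and 11, written as two alternative Cilium policies. This is an added example, not taken from the slides; the `app: foo` / `app: bar` labels and the policy names are assumptions standing in for the identities of Pod foo and Pod bar.

```yaml
# Constructed example. Labels and policy names are assumptions.
---
# Slide 10, "Allow foo to bar on port 80": L3/L4 only.
# Every path and method served on port 80 of bar is reachable from foo,
# including GET /healthz, GET /applicants/{job-id} and POST /jobs.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: bar-l4-only
spec:
  endpointSelector:
    matchLabels:
      app: bar
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: foo
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
---
# Slide 11, "Allow GET /jobs/.* from identity foo": API aware.
# Same peers and port, narrowed by an HTTP rule. The path is a regular
# expression, so GET /jobs/331 matches; other methods and paths sent by
# foo are not on the allow list and are denied at L7.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: bar-l7-jobs
spec:
  endpointSelector:
    matchLabels:
      app: bar
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: foo
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/jobs/.*"
```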
