Révolution eBPF - un noyau dynamique

Révolution eBPF
Un noyau Linux dynamique
Speaker :
Raphaël Pinson, @raphink | @raphink@hachyderm.io
#KCDFrance 2023

⬢ What is eBPF?
#KCDFrance 2023
Agenda
@raphink | @raphink@hachyderm.io

⬢ What is eBPF?
⬢ Principles
#KCDFrance 2023
Agenda

⬢ What is eBPF?
⬢ Principles
⬢ Observability
#KCDFrance 2023
Agenda

⬢ What is eBPF?
⬢ Principles
⬢ Observability
⬢ Networking
#KCDFrance 2023
Agenda

⬢ What is eBPF?
⬢ Principles
⬢ Observability
⬢ Networking
⬢ Security
#KCDFrance 2023
Agenda

⬢ What is eBPF?
⬢ Principles
⬢ Observability
⬢ Networking
⬢ Security
⬢ The Future
#KCDFrance 2023
Agenda

The Linux Kernel
#KCDFrance 2023
The Power Behind Modern Technology
- From cars to servers to fridges
- Foundation of the GNU/Linux operating system
- Most widely used operating system in the
world
- Powers the vast majority of:
- embedded systems / IoT
- Cloud Server
- Super Computers

Before
#KCDFrance 2023

With
#KCDFrance 2023

Have you used eBPF?
#KCDFrance 2023
eBPF is already used in many places
- Load balancing
- DDOS protection on large Internet platforms
- Kernel live-patching (5.7+ with LSM/eBPF)
- Android (e.g. app data stats)

Who am I
#KCDFrance 2023
Raphaël Pinson
Solutions Architect @ Isovalent

#KCDFrance 2023
What is eBPF?

#KCDFrance 2023
Makes the Linux kernel
programmable in a
secure and efficient way.
“What JavaScript is to the
browser, eBPF is to the
Linux Kernel”

#KCDFrance 2023

#KCDFrance 2023
Principles

How does it work?
#KCDFrance 2023

eBPF Helpers
#KCDFrance 2023

Stacks & hooks
#KCDFrance 2023

BPF / user-space communication
#KCDFrance 2023

SDK (cilium/ebpf)
#KCDFrance 2023

Safety
#KCDFrance 2023

Performance
#KCDFrance 2023

Cloud Native Identities
#KCDFrance 2023
eBPF “understands” Cloud Native identities:
- in kernel observability
- in network traffic
- in kernel security

eBPF Projects and SDKs
#KCDFrance 2023

Cilium & Friends
#KCDFrance 2023
- performance gains
(no need for iptables, bypass TCP/IP)
- simpler architecture
(e.g. no sidecar proxy for Service Mesh)
Cilium

Cilium & Friends
#KCDFrance 2023
- performance gains
Cilium
Hubble
- fine-grained network observability
- exports to SIEM
- support for OpenTelemetry

Cilium & Friends
#KCDFrance 2023
- performance gains
Cilium
Hubble
- fine-grained network observability
- exports to SIEM
- support for OpenTelemetry
Tetragon
- observe & export kernel events
- act on events (e.g. SIGKILL)

#KCDFrance 2023
Observability

Observability
#KCDFrance 2023
Observe directly in the kernel
- Low-overhead tracing/observability
- Example: network performance / SRTT / micro-bursts
- HTTP / TLS in-kernel visibility
- Troubleshooting prod on the fly (see bpftrace)

Observability
#KCDFrance 2023
Observe directly in the kernel
- Low-overhead tracing/observability
- Example: network performance / SRTT / micro-bursts
- HTTP / TLS in-kernel visibility
- Troubleshooting prod on the fly (see bpftrace)
Example software
- BCC
- bpftrace
- Cilium (network)
- Cilium Tetragon (system)

Observability: bpftrace
#KCDFrance 2023

$ kubectl get pods
NAME READY STATUS RESTARTS AGE
tiefighter 1/1 Running 0 2m34s
xwing 1/1 Running 0 2m34s
deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s
deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s
Observability: Hubble (CLI)
#KCDFrance 2023
$ hubble observe --follow -l class=xwing
# ...
# Successful HTTPS request to www.disney.com
default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN)
www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST)
# DNS lookup to coredns
default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP)
kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP)
# ...
# Blocked HTTP request to deathstar backend
default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)

Observability: Hubble (UI)
#KCDFrance 2023

Observability: Cilium + Grafana ❤️
#KCDFrance 2023

Observability: Network Metrics (Hubble)
#KCDFrance 2023

Observability: HTTP Metrics (Hubble)
#KCDFrance 2023

Observability: Network Policy Verdicts
#KCDFrance 2023

Observability: TLS (Tetragon)
#KCDFrance 2023

Observability: Combined Network & Runtime
#KCDFrance 2023

#KCDFrance 2023
Networking

Networking
#KCDFrance 2023
Bypass native kernel network stack:
- eXpress Data Path (XDP)
- TCP improvements (bandwidth manager, BBR, Big TCP)
- NAT64/NAT46
- Performant load-balancing algorithms (Maglev)
- Network Policies
- Cluster Mesh
- Egress Gateway
- Sidecar-free service mesh
- etc.

Networking: XDP
#KCDFrance 2023
Drop packets before they reach the kernel
- E.g. packet of death, DDOS
- XDP allows to drop packets before
- they reach the kernel routing stack

Networking: XDP
#KCDFrance 2023
Drop packets before they reach the kernel
- E.g. packet of death, DDOS
- XDP allows to drop packets before
- they reach the kernel routing stack
Efficient Cloud Native LB
- E.g. Socket Load Balancer

Networking: IPtables vs eBPF
#KCDFrance 2023
kube-proxy / iptables
- Linear list / sieve
- All rules have to be replaced as a whole
eBPF based
- Per-CPU hash table ⇒ more performant
- Native metadata (e.g. Pod labels) ⇒
Cloud Native routing
🏆

Networking: BBR (TCP Congestion)
#KCDFrance 2023
@raphink | @raphink@hachyderm.io https://isovalent.com/blog/post/accelerate-network-performance-with-cilium-bbr/

Networking: NAT46/NAT64
#KCDFrance 2023
DNS64
NAT64
[64:ff9b::<z>] -> [<z>]
IPv6 Single Stack
K8s cluster
bar.com
A 4.3.2.1
DNS
bar.com
AAAA 64:ff9b::4.3.2.1
SYN 64:ff9b::4.3.2.1
IPv4 / Internet
SYN 4.3.2.1
ext. node
(Dual Stack)
@raphink | @raphink@hachyderm.io https://www.youtube.com/watch?v=Kvdh78TURck

Networking: Big TCP
#KCDFrance 2023
2.2x lower p99 latency
@raphink | @raphink@hachyderm.io https://www.youtube.com/watch?v=Kvdh78TURck

Networking: Sidecar-free Service Mesh
#KCDFrance 2023

#KCDFrance 2023
Security

Security
#KCDFrance 2023
Observe and manipulate kernel events in real time
- Performant and transparent process visibility
- Metadata
- Fix kernel bugs on the fly
- Catch & kill

Security Visibility & Enforcement
#KCDFrance 2023
Traditional approaches
- App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables
- ptrace(2) ⇒ TOCTTOU with syscalls
- Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+)
- Kernel module ⇒ stability & maintenance

Security Visibility & Enforcement with eBPF
#KCDFrance 2023

Security: Catch & Kill
#KCDFrance 2023

#KCDFrance 2023
The Future

To Infinity… and beyond 🚀
#KCDFrance 2023
- Improved device I/O perf with eBPF (XRP)
- Support for 100% of C (in a safe way)
- Cross-platform:
- archs
- compilers (LLVM/gcc)
- platforms (Linux, Windows, etc.)
- Towards a micro-kernel approach?

#KCDFrance 2023
All major cloud providers have picked
-based Networking & Security
for their Kubernetes platforms
How about you?

eBPF resources
#KCDFrance 2023
eCHO
eBPF YouTube podcast:
https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1w
YBWvuQ
eBPF & Cilium Slack
http://slack.cilium.io/
eCHO News
Bi-weekly eBPF newsletter:
https://cilium.io/newsletter/

Workshops
#KCDFrance 2023
Paris
23 mai 2023
🌐 isovalent.com/workshop-tour

Révolution eBPF - un noyau dynamique

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Révolution eBPF - un noyau dynamique

Similar to Révolution eBPF - un noyau dynamique (20)

More from Raphaël PINSON

More from Raphaël PINSON (20)

Recently uploaded

Recently uploaded (20)

Révolution eBPF - un noyau dynamique