Architecture Analysis, Hands-On
Evaluation/ Demo
Cilium Multi-Cluster
Networking & Service Mesh
Sanjeev Rampal
1
● Cilium Overview
● Cilium Cluster Mesh
● Cilium Service Mesh
● Some aspects of other Cilium features (eBPF data path, load balancing
optimizations, policy)
● Relation to other K8s community/ RH projects
● Demos
● Summary/ Takeaways
Agenda
What we will discuss today
2
Cilium Overview
3
Cilium Overview & Architecture
Source:
Cilium.io & other Cilium/ Isovalent material
Entirely based on kernel networking + Cilium eBPF data plane for added performance & functionality
Implements:
● Kubernetes CNI w/ full featured v4, v6 support on Linux & Windows, overlay & BGP modes (aka direct routing vs tunneling modes vs hybrid mode)
● Kubernetes Network Policy + Cilium Network policy (advanced L4, L7 policies, Global network policy)
● K8s E-W Service Load Balancing (ClusterIP)
● K8s N-S Load Balancing (NodePort, LoadBalancer, Ingress, Gateway API resources)
● Cilium Host Firewall, Egress Gateway, Kube-proxy replacement
● Cilium Service Mesh (L7 + L4 traffic management, mTLS, Istio-like but without sidecar proxies)
● Multi-Cluster Support (Cluster Mesh, Service mesh, Multi-Clus. policy, Multi-Clus. load balancing)
Cilium Overall Overview
4
Diagram:
Cilium.io
Cilium Datapath - Pod to pod case
[Diagram: eBPF tc switching datapaths vs eBPF socket switching datapaths; ref. Cilium data path documentation]
5
Diagram:
Borkmann, Isovalent
Cilium E-W and N-S LB w/o kube-proxy
[Diagram: client -> Node A (eth0, lxc0, redis) and Node B (eth0, lxc0, nginx), with XDP/BPF, tc/BPF and sock/BPF hook points on each node]
- Handles external traffic (N-S) for svc IP:port
- Backends can be local or remote
- Performs DNAT and DSR/SNAT/Hybrid when remote
- Same code compilable for XDP and tc/BPF
- Hairpin to remote on XDP layer, local backends handled via tc ingress
- Handles internal traffic (E-W) for svc IP:port
- Backends can be local or remote
- No packet-based NAT needed due to connect(), sendmsg(), recvmsg() hook
- No intermediate hops as in kube-proxy
- Exposes services to all local addresses and loopback 127.0.0.1/::1
- Blocks other applications in post-bind() hook from port reuse
Main principle: Operating as close as possible to the socket for E-W and as close as possible to the driver for N-S.
6
Cilium Multi-Cluster Mesh
Cilium Multi-Cluster Mesh
7
● Multi-cluster networking analogous to “Submariner Mesh” or “Kubernetes Multi-Cluster
Services API” but significant differences
● Need Pod IP, service IP uniqueness and direct routability (no NAT) across the mesh
● This is not Kubernetes Federation .. still separately provisioned clusters but with coupled
networking, up to 256 clusters (possibly more in future) in a cluster mesh
● Separate control plane/ etcd for cross-cluster information sharing (e.g. pod IPs)
● MC Policy, identity at this layer, MC Load balancing (N-S, E-W)
● Use this for Multi-cluster with or without Cilium Service Mesh
● Encryption options: IPSec and Wireguard differences (per node tunnel vs per worker)
● Relation of K8s MCS API, Submariner, other community projects, compare MCS 2
resources (ClusterSetIPs/ ClusterIPs vs Cilium single service + global annotation)
● Note: Recently announced Cilium Mesh builds on this further
Cilium Cluster Mesh
8
Cilium Multi-Cluster Mesh -Control plane
● 2 or more (up to 256) independently provisioned k8s clusters, all running Cilium CNI, coupled in a “cluster mesh” (sort of “submariner mesh”)
● MCM control plane: A separate control plane with separate etcd datastore for the Multi-cluster mesh itself running as data plane pods within
the k8s clusters
● Cilium operator mirrors global k8s services, associated endpoints, related network policy info into MCM etcd
● A k8s Service is marked “Global” explicitly via Cilium annotations
○ Example: service.cilium.io/global: "true"
Diagram:
Cilium.io
9
Cluster Mesh Architecture
10
Diagram:
Cilium.io
Multi-Cluster Services & Network Policies
○ Relevant annotations:
■ service.cilium.io/global: "true" (/ "false") Mark this local service as "Global" (or not)
■ service.cilium.io/shared: "true" (/ "false") Mark this local service as "Shared" (or not) within Global
■ service.cilium.io/affinity: "local|remote|none" Global service endpoint load balancing affinity/ preference
○ Note: Global services also have to adhere to namespace sameness rules
○ Multi-Cluster Network Policies
■ Exactly same API and implementation as single cluster network policies (both K8s network policy and Cilium proprietary L4 and L7 Network policies)
■ Network policy labels/ selectors are reflected in the Multi-cluster mesh control plane so can have global significance (plus optional additional per-cluster qualification within policy selectors)
11
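Added example of how the three annotations combine. These manifests are constructed for this write-up, not taken from the deck or from the Cilium project; the service name s1, the namespace demo, the selector and the ports are assumptions. The same Service is deployed in both clusters of the mesh (same name and namespace, per the namespace sameness rule above), with the annotation values chosen differently per cluster to show what each one controls.

```yaml
# Constructed example: Service "s1" in cluster 1.
# global: "true"  -> s1 takes part in the mesh-wide backend set
# shared: "true"  -> cluster 1's own s1 pods are exported to the other clusters
# affinity: local -> clients in cluster 1 prefer cluster-1 backends while any
#                    are healthy and only then fail over to remote backends
apiVersion: v1
kind: Service
metadata:
  name: s1
  namespace: demo          # must be the same name + namespace in every cluster
  annotations:
    service.cilium.io/global: "true"
    service.cilium.io/shared: "true"
    service.cilium.io/affinity: "local"
spec:
  type: ClusterIP
  selector:
    app: s1
  ports:
  - port: 80
    targetPort: 8080
---
# Constructed example: Service "s1" in cluster 2.
# Still global, so cluster-2 clients resolve s1 to the mesh-wide backends, but
# shared: "false" keeps cluster 2's own pods out of the set exported to other
# clusters (e.g. a canary cluster, or a cluster being drained). affinity "none"
# is the default: no preference between local and remote backends.
apiVersion: v1
kind: Service
metadata:
  name: s1
  namespace: demo
  annotations:
    service.cilium.io/global: "true"
    service.cilium.io/shared: "false"
    service.cilium.io/affinity: "none"
spec:
  type: ClusterIP
  selector:
    app: s1
  ports:
  - port: 80
    targetPort: 8080
```

The operational point to check: once a Service carries global: "true", its backends are reachable from every cluster in the mesh by default, so the global and shared annotations deserve the same review as a network policy change; pairing them with a CiliumNetworkPolicy that carries the io.cilium.k8s.policy.cluster selector (as in the next slide) limits which cluster's workloads may actually use the exported backends.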
Multi-Cluster Network Policy Example
#Sample Cilium Multicluster network policy augmented with cluster selectors
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-cross-cluster"
spec:
  description: "Allow x-wing in cluster1 to contact rebel-base in cluster2"
  endpointSelector:
    matchLabels:
      name: x-wing
      io.cilium.k8s.policy.cluster: cluster1
  egress:
  - toEndpoints:
    - matchLabels:
        name: rebel-base
        io.cilium.k8s.policy.cluster: cluster2
12
Cilium Cluster Mesh Demos
13
Demo Topology
[Diagram: Cluster-id 1 and Cluster-id 2 joined in a clustermesh, with services S1 and S2 deployed in each cluster]
cilium install --cluster-id 1 …
cilium clustermesh enable
cilium clustermesh connect --context c1 --destination-context c2
Global Service Annotations
io.cilium/global-service="true"
io.cilium/shared-service="false"
io.cilium/service-affinity=local
Example demo application: S1 & S2 each is a global (multi-cluster) service with 2 backend pods in each cluster of the clustermesh
14
Demos
● Demo 1:
○ Cilium ClusterMesh intro and setup
○ Link to demo recording
● Demo 2:
○ Multi-cluster E-W Services & Load balancing
○ Multi-cluster network policy
○ Link to demo recording
● Demo 3:
○ N-S Load balancing, gateway API
○ Single and multi-cluster
○ Link to demo recording
15
Demo Topology
[Diagram: Cluster-id 1 and Cluster-id 2 joined in a clustermesh, services S1 and S2 in each cluster, with a GTWY in front]
N-S Loadbalancing using Cilium Ingress or Cilium GW API
Multi-Cluster Ingress when combined with Cilium ClusterMesh
Multiple modes possible (demo topology shows just 1 mode)
16
Background: Multi-Cluster Ingress LB modes/ scenarios
[Diagram: three layouts, each with two clusters hosting Svc 1, Svc 2 and Svc 3:
1. Single gateway, on-cluster LB, Multi-network: one GW (K8s GW api) in one cluster, with an E-W GW on each side between the clusters
2. Multi-gateway, on-cluster LB, Single-network: a GW (K8s GW api) in each cluster
3. Single gateway, off-cluster (e.g. public cloud) LB, Single-network: an external GLB class in front of both clusters]
Multi-cluster services can be combined with BGP, DNS and public cloud anycast to yield a variety of multi-cluster L4 and L7 ingress solutions for various use cases including RH Hybrid Cloud Gateway.
Related Refs.
RH-ET blog post on this topic
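Added example of the first mode (single gateway, on-cluster LB), constructed for this page and not taken from the deck or the Cilium project: a Cilium Gateway plus an HTTPRoute whose backend is the global service s1 from the demo, so that with ClusterMesh the route's backends are the mesh-wide set rather than only the local pods. The gateway and route names, the demo namespace and the /s1 path prefix are assumptions; the API version is the v1beta1 Gateway API supported by Cilium 1.13, and the GatewayClass named cilium is the one Cilium creates when its Gateway API support is enabled.

```yaml
# Constructed example: one Cilium-managed gateway in cluster 1, exposing the
# global service s1. Cilium programs this into its per-node Envoy (no sidecars).
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: s1-gateway
  namespace: demo
spec:
  gatewayClassName: cilium        # GatewayClass registered by Cilium
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Same               # only routes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: s1-route
  namespace: demo
spec:
  parentRefs:
  - name: s1-gateway
  hostnames:
  - "s1.example.test"            # constructed placeholder hostname
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /s1
    backendRefs:
    - name: s1                   # the global service from the demo topology
      port: 80
```

Because backendRefs is resolved against the global service, backends in cluster 2 are reachable through a gateway that only exists in cluster 1; the allowedRoutes restriction keeps other namespaces from attaching routes to this listener and silently widening what the gateway exposes.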
Cilium E-W and N-S LB w/o kube-proxy (diagram by Borkmann, Isovalent; repeat of slide 6)
Additional refs: Cilium kube-proxy replacement and
related enhancements
18
[Diagram: eBPF intercepts for a NodePort svc. Packet path on the node: Rx from NIC buffer -> XDP -> alloc_skb -> TC ingress -> netfilter raw/mangle/nat PREROUTING and conntrack -> routing; if destined to host: INPUT chain and socket lookup, then socket rx buffer / app; if destined to a veth: FORWARD, mangle/nat POSTROUTING, then the veth into the container namespace. Example: NodePort svc 172.18.0.2:31000 => (10.1.2.2:80, 10.1.2.4:80), node eth0 addresses 172.18.0.2 and 172.18.0.3, client addresses a.a.a.a/pa and b.b.b.b/pb]
Cilium N-S enhancements
- Direct Server Return and Hybrid modes (in addition to SNAT mode)
- Source IP preservation
- XDP acceleration
- 4to6 NAT, Maglev hashing
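Added example, constructed here rather than taken from the deck: the Helm values that turn on the N-S enhancements listed above for a Cilium 1.13 install. The value names are the documented Cilium 1.13 Helm keys; the native-routing CIDR and the choice of hybrid mode are assumptions for the illustration, and DSR is shown with native routing because the 1.13 DSR mode does not run over an overlay.

```yaml
# Constructed Helm values excerpt for a Cilium 1.13 kube-proxy-free install
kubeProxyReplacement: strict       # 1.13 value; later releases use true/false
tunnel: disabled                   # native routing, required for DSR in 1.13
autoDirectNodeRoutes: true         # nodes install routes to each other's pod CIDRs
ipv4NativeRoutingCIDR: 10.0.0.0/8  # constructed placeholder for the pod CIDR
bpf:
  masquerade: true                 # eBPF-based masquerading instead of iptables
loadBalancer:
  mode: hybrid                     # dsr | snat | hybrid (DSR for TCP, SNAT for UDP)
  acceleration: native             # run the NodePort/LoadBalancer path in XDP on the NIC driver
  algorithm: maglev                # consistent hashing instead of random backend choice
maglev:
  tableSize: 16381                 # prime; keep identical on every node
```

The security-relevant consequence of DSR/hybrid is the "Source IP preservation" bullet: the backend pod sees the real client address instead of the node's SNAT address, so network policy, application logs and flow telemetry (Hubble) record who actually connected. Maglev hashing keeps the client-to-backend mapping stable across nodes, which matters for long-lived connections when backends are added or removed.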
Cilium Service Mesh
21
● Option 1: Use Cilium only for L3/ L4 networking, use Istio control and data planes for L7 service mesh
● Option 2: Preferred long term direction but not fully ready yet.
○ Use Cilium as a single solution for all Kubernetes networking including
■ CNI plugin
■ Multi-Cluster networking
■ L4 and L7 Service Mesh
■ All networking functions incl load balancing (N-S and E-W), network policy, ingress and egress, gateway API implementation
■ 1) Data plane: Cilium. 2) Control plane: K8s native (Gateway api) + Envoy config CRD + Cilium apis
● CSM uses "sidecar-less model" in contrast with Istio/ LinkerD per pod sidecar model
● Istio community is developing "Ambient mode" of Istio in response to CSM sidecar-less mode
● Side note: State of multi-cluster in upstream native K8s apis (independent of specific service meshes) is incomplete. Early draft proposals at initiating standards
Cilium Service Mesh (CSM)
22
Cilium’s Design Philosophy for Service Mesh
● A single networking plugin can serve all networking needs (basic CNI, service load
balancing, network policy, ingress, multi-cluster networking & service mesh
functions at both L4 and L7 layers). This results in a better integrated
architecture, improved user experience and lower resource consumption and
control plane complexity than using multiple separate projects to serve as CNI
plugin, service mesh plugin, ingress, gateway API plugin, multi-cluster networking
plugin etc.
○ Cilium already has had both L4 and L7 networking policy and load balancing even for its CNI
plugin, just reuse it for service mesh and augment where needed, rather than create separate
functions.
○ Cilium already has L4 traffic encryption & zero trust networking functions, reuse for service mesh
○ Extensions to Kubernetes APIs like Gateway API and others are already beginning to address all
service mesh functions without need for special APIs like the Istio & LinkerD
○ Service mesh and gateways are moving into the kernel and infra layers in any case (e.g. Ambient)
23
Diagram: Liz Rice: Learning eBPF
● Conventional sidecar based model => poor
latency due to suboptimal packet processing
with multiple user space<->kernel space
context switches
● Lowered reliability due to disconnect
between sidecar proxy readiness and app
readiness, server side initiated connections
● High resource consumption (proxy per pod
adds up)
Issues with Sidecar proxies
24
L4 + L7 data paths
L4 data path
L7 data path
25
Diagram: cilium.io
eBPF vs Proxy function split
26
Diagram: cilium.io
[Diagram: services S1, S2, S2 behind a GTWY; a Cilium Agent with an embedded Envoy on each node; IPSec tunnel between nodes carrying L7 mesh traffic]
● Cilium Agent Envoy, 1 per node, used for L7 proxy (N-S and E-W service load balancing & policy)
● Cilium kernel eBPF used for L4 pod and service load balancing, policy
● Single Envoy instance wrapped inside Cilium agent for all L7 functions
● Special mTLS + IPSec & Wireguard optional "on the wire"
27
Diagram
cilium.io
Cilium’s Alternate Architecture for Service Mesh mutual-TLS
● Conventional session based TLS: usable only by applications running on TCP and HTTP, fine grained sessions but performance impact
● Network based encrypted tunnels (IPSec, Wireguard etc): usable by any app protocol, coarse grained, higher performance
● Cilium mTLS: Combine the two (Cilium proprietary solution)
● Not full GA yet (Cilium 1.14 ?)
28
Cilium Service Mesh Demos
29
Demo
● Cilium Service Mesh
○ L4 Cilium mesh proxy with IPSec encryption
○ <<< Demo recording Link to be added here>>>
○ L7 Cilium proxy without IPSec encryption
30
[Diagram: services S1, S2, S2; Cilium L4 eBPF datapath with an IPSec tunnel carrying L4 mesh traffic]
● Current release (1.13.x) IPSec encryption limited to L4 mesh traffic proxy, policy & load balancing
31
Cilium Service Mesh
[Diagram: services S1, S2, S2; Cilium L7 proxy (Envoy) carrying L7 svc mesh traffic]
● In current release (1.13.x) Cilium L7 proxy functions supported without IPSec/ encryption support
● L7 traffic management via EnvoyConfig CRD. In future via Gateway API & extensions
Demo Topology
Google gRPC microservices demo app
32
Extra: Notes on some additional Cilium Features
33
L7 Network Policy examples
● Cilium CNI already supported L4 and L7 network policy
● Hence L7 network policy can also be used for svc mesh
● Https, gRPC, Cassandra, Redis, TLS SNI
34
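Added example of an L7 (HTTP) CiliumNetworkPolicy, constructed for this page using the x-wing / rebel-base labels from the earlier multi-cluster policy slide; it is not a manifest from the deck or the Cilium project. The port and the /v1/ path prefix are assumptions. The same policy shape covers gRPC, since gRPC methods are HTTP/2 paths.

```yaml
# Constructed example: rebel-base accepts traffic only from x-wing, only on
# TCP/80, and only GET requests whose path starts with /v1/. Because the rule
# has an L7 section, Cilium redirects the flow through its node-local Envoy,
# which enforces the method/path match; everything else on that port is
# rejected at L7 (the client receives HTTP 403) rather than silently dropped.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rebel-base-l7"
spec:
  endpointSelector:
    matchLabels:
      name: rebel-base
  ingress:
  - fromEndpoints:
    - matchLabels:
        name: x-wing
        # In a cluster mesh the selector can be qualified per cluster exactly
        # as on the earlier slide, e.g.:
        # io.cilium.k8s.policy.cluster: cluster1
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/.*"   # Cilium treats path as an anchored regular expression
```

Two things worth checking when rolling this out: the L7 rule applies only to the listed port, so any other port rebel-base listens on must be covered by its own rule (or is denied once any ingress policy selects the pod), and the L7 allow list is positive, so a new API path added to the application is blocked until the policy is updated, which is the intended least-privilege behaviour but surfaces as 403s in the Envoy/Hubble logs rather than as a dropped flow.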
Big TCP support
35
Diagram
cilium.io
“Meta” devices
36
Diagram
cilium.io
BBR Algorithm for advanced congestion control
37
Diagram
cilium.io
Thank you
Twitter: @sr2357
Github: @srampal
38

Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMs
 
NYC Docker Meetup: Contiv networking on Docker
NYC Docker Meetup: Contiv networking on DockerNYC Docker Meetup: Contiv networking on Docker
NYC Docker Meetup: Contiv networking on Docker
 

Recently uploaded

快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 

Recently uploaded (16)

快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 

cilium-public.pdf (slide text; slides 1-5 repeat the deck text already rendered on this page and are not duplicated here)
  • 6. Cilium E-W and N-S LB w/o kube-proxy (diagram: Borkmann, Isovalent. Two nodes: a client reaches Node A/Node B through eth0, where XDP/BPF and tc/BPF hooks sit; redis on Node A and nginx on Node B are attached via lxc0 veths with sock/BPF hooks at the pod sockets)
    N-S (NodePort/LoadBalancer) path:
    - Handles external traffic (N-S) for svc IP:port
    - Backends can be local or remote
    - Performs DNAT and DSR/SNAT/Hybrid when remote
    - Same code compilable for XDP and tc/BPF
    - Hairpin to remote on the XDP layer; local backends handled via tc ingress
    E-W (ClusterIP) path:
    - Handles internal traffic (E-W) for svc IP:port
    - Backends can be local or remote
    - No packet-based NAT needed due to the connect(), sendmsg(), recvmsg() hooks
    - No intermediate hops as in kube-proxy
    - Exposes services to all local addresses and loopback 127.0.0.1/::1
    - Blocks other applications in the post-bind() hook from reusing the port
    Main principle: operate as close as possible to the socket for E-W and as close as possible to the driver for N-S.
  • 7. Cilium Multi-Cluster Mesh (section title)
  • 8. Cilium Cluster Mesh
    ● Multi-cluster networking analogous to "Submariner Mesh" or the "Kubernetes Multi-Cluster Services API", but with significant differences
    ● Requires Pod IP and Service IP uniqueness and direct routability (no NAT) across the mesh
    ● This is not Kubernetes Federation: clusters are still separately provisioned, but with coupled networking; up to 255 clusters (cluster IDs 1-255 in the default 8-bit scheme, with larger meshes supported in later releases)
    ● Separate control plane/etcd for cross-cluster information sharing (e.g. pod IPs)
    ● Multi-cluster policy and identity at this layer; multi-cluster load balancing (N-S, E-W)
    ● Usable for multi-cluster with or without Cilium Service Mesh
    ● Encryption options: IPsec and WireGuard differ (per-node tunnel vs per-worker)
    ● Relation to the K8s MCS API, Submariner and other community projects; compare the MCS API's two resources (ClusterSetIPs/ClusterIPs) with Cilium's single Service plus global annotation
    ● Note: the recently announced Cilium Mesh builds on this further
  • 9. Cilium Multi-Cluster Mesh - Control plane (diagram: Cilium.io)
    ● 2 or more (up to 255) independently provisioned k8s clusters, all running Cilium CNI, coupled in a "cluster mesh" (similar to a "Submariner mesh")
    ● MCM control plane: a separate control plane with its own etcd datastore for the multi-cluster mesh itself, running as pods within the k8s clusters
    ● Cilium operator mirrors global k8s Services, their endpoints, and the security identities/labels that network policy selects on into the MCM etcd
    ● A k8s Service is marked "global" explicitly via Cilium annotations
      ○ Example: service.cilium.io/global: "true"
  • 11. Multi-Cluster Services & Network Policies
    ○ Relevant annotations:
      ■ service.cilium.io/global: "true" (/ "false"): mark this local Service as global (or not)
      ■ service.cilium.io/shared: "true" (/ "false"): export this cluster's backends into the global Service (or not; with "false" the local cluster still consumes remote backends but contributes none)
      ■ service.cilium.io/affinity: "local|remote|none": load-balancing affinity/preference among global endpoints (prefer local backends, prefer remote backends, or no preference; the preferred side is used while it has healthy backends)
    ○ Note: global Services also have to adhere to namespace sameness rules (same Service name and namespace in every cluster)
    ○ Multi-cluster network policies
      ■ Exactly the same API and implementation as single-cluster network policies (both K8s NetworkPolicy and Cilium's own L4 and L7 CiliumNetworkPolicy)
      ■ Network policy labels/selectors are reflected in the multi-cluster mesh control plane, so they can have global significance (plus optional per-cluster qualification within policy selectors via the io.cilium.k8s.policy.cluster label)
  • 12. Multi-Cluster Network Policy Example

    # Sample Cilium multi-cluster network policy augmented with cluster selectors
    apiVersion: "cilium.io/v2"
    kind: CiliumNetworkPolicy
    metadata:
      name: "allow-cross-cluster"
    spec:
      description: "Allow x-wing in cluster1 to contact rebel-base in cluster2"
      endpointSelector:
        matchLabels:
          name: x-wing
          io.cilium.k8s.policy.cluster: cluster1
      egress:
      - toEndpoints:
        - matchLabels:
            name: rebel-base
            io.cilium.k8s.policy.cluster: cluster2
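Cluster Mesh distributes security identities and labels, not CiliumNetworkPolicy objects, so the egress rule above only constrains x-wing in cluster1; nothing yet restricts who may reach rebel-base in cluster2, and the policy has to be applied to each cluster separately. The script below is an added example (not from the deck or the Cilium project) that pairs the slide's egress policy with the ingress-side policy, applies each to its own cluster, checks that every cluster named in a selector is a known mesh member, and shows how to confirm the drops with Hubble. Assumed, and not from the slides: kube contexts named cluster1 and cluster2, a rebel-base Service on TCP/80, and x-wing Deployments in both clusters.

```shell
#!/bin/sh
# Added example, not from the deck: egress policy for cluster1 plus the matching
# ingress policy for cluster2, applied to each cluster separately.
# Assumed (not from the slides): kube contexts "cluster1"/"cluster2", rebel-base on TCP/80.
set -eu

# Egress side, applied in cluster1 only: x-wing may reach rebel-base in cluster2 on TCP/80.
render_egress_policy() {
  cat <<'EOF'
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-cross-cluster
spec:
  description: "Allow x-wing in cluster1 to contact rebel-base in cluster2"
  endpointSelector:
    matchLabels:
      name: x-wing
      io.cilium.k8s.policy.cluster: cluster1
  egress:
  - toEndpoints:
    - matchLabels:
        name: rebel-base
        io.cilium.k8s.policy.cluster: cluster2
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
EOF
}

# Ingress side, applied in cluster2 only. Selecting rebel-base with an ingress rule makes
# it ingress default-deny: only x-wing from cluster1 on TCP/80 is admitted; x-wing pods
# in cluster2 and everything else are dropped.
render_ingress_policy() {
  cat <<'EOF'
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-from-cluster1-x-wing
spec:
  description: "rebel-base in cluster2 accepts only x-wing from cluster1 on TCP/80"
  endpointSelector:
    matchLabels:
      name: rebel-base
      io.cilium.k8s.policy.cluster: cluster2
  ingress:
  - fromEndpoints:
    - matchLabels:
        name: x-wing
        io.cilium.k8s.policy.cluster: cluster1
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
EOF
}

# Cluster names referenced by both policies, sorted and unique, space-separated.
referenced_clusters() {
  { render_egress_policy; render_ingress_policy; } \
    | sed -n 's/.*io\.cilium\.k8s\.policy\.cluster: *//p' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# A cluster name typo in a selector silently matches nothing (egress) or denies
# everything (ingress), so check every referenced name against the known mesh members.
# usage: policy_clusters_known "cluster1 cluster2"
policy_clusters_known() {
  for ref in $(referenced_clusters); do
    case " $1 " in
      *" $ref "*) ;;
      *) echo "unknown cluster in policy selector: $ref" >&2; return 1 ;;
    esac
  done
}

apply_cross_cluster_policy() {
  policy_clusters_known "cluster1 cluster2"
  render_egress_policy  | kubectl --context cluster1 apply -f -
  render_ingress_policy | kubectl --context cluster2 apply -f -
}

# Verification in cluster2: list drops towards rebel-base, then probe from the local
# x-wing (expected: dropped by the ingress policy).
verify_policy() {
  cilium hubble port-forward --context cluster2 &
  sleep 2
  hubble observe --to-label name=rebel-base --verdict DROPPED --last 20
  kubectl --context cluster2 exec deploy/x-wing -- curl -s -m 3 rebel-base:80 \
    || echo "cluster2 x-wing blocked, as intended"
}

if [ "${RUN_APPLY:-0}" = 1 ]; then apply_cross_cluster_policy; verify_policy; fi
```

Run with RUN_APPLY=1 to apply against live clusters; without it the script only defines the functions. The egress and ingress halves are deliberately separate manifests because each is enforced by the Cilium agents of the cluster it is applied to; applying only the cluster1 half leaves rebel-base open to every identity the mesh knows about.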
  • 14. Demo Topology (diagram: two clusters, cluster-id 1 and cluster-id 2, each running services S1 and S2, joined by a clustermesh)
    Setup commands:
      cilium install --cluster-id 1 ...
      cilium clustermesh enable
      cilium clustermesh connect --context c1 --destination-context c2
    Global service annotations (legacy annotation names; current releases use service.cilium.io/global, service.cilium.io/shared and service.cilium.io/affinity):
      io.cilium/global-service="true"
      io.cilium/shared-service="false"
      io.cilium/service-affinity=local
    Example demo application: S1 and S2 are each a global (multi-cluster) Service with 2 backend pods in each cluster of the clustermesh
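The bring-up sequence on this slide and the global-service annotations on slide 11, as an added example (not from the deck or the Cilium project) with the checks a security engineer wants before coupling two cluster networks: cluster IDs in the valid range and unique, Pod CIDRs that do not overlap (the mesh routes Pod IPs without NAT), transparent WireGuard so cross-cluster pod traffic is never in the clear on the inter-cluster network, and a status/encryption check before any Service is exposed. Assumed, and not from the slides: kube contexts c1 and c2, Pod CIDRs 10.1.0.0/16 and 10.2.0.0/16 set at cluster creation, a cilium-cli that accepts Helm-style --set values, and WireGuard-capable node kernels.

```shell
#!/bin/sh
# Added example, not from the deck: pre-checks, mesh bring-up and global-service
# exposure for a two-cluster Cilium Cluster Mesh.
# Assumed (not from the slides): kube contexts "c1"/"c2", Pod CIDRs 10.1.0.0/16 and
# 10.2.0.0/16 set at cluster creation, cilium-cli with Helm-style --set flags,
# WireGuard-capable kernels.
set -eu

# Cluster IDs are 8-bit in the default scheme: 1..255, 0 is reserved, each must be unique.
valid_cluster_id() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

ip2int() {  # dotted quad -> 32-bit integer
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Cluster Mesh routes Pod IPs directly (no NAT), so Pod CIDRs must not overlap.
# usage: cidrs_disjoint 10.1.0.0/16 10.2.0.0/16
cidrs_disjoint() {
  local n1 p1 n2 p2 p mask
  n1=${1%/*}; p1=${1#*/}; n2=${2%/*}; p2=${2#*/}
  p=$(( p1 < p2 ? p1 : p2 ))                       # compare under the shorter prefix
  mask=$(( p == 0 ? 0 : (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$n1") & mask )) -ne $(( $(ip2int "$n2") & mask )) ]
}

# usage: install_cluster <context> <cluster-id>
install_cluster() {
  valid_cluster_id "$2" || { echo "bad cluster id: $2" >&2; return 1; }
  cilium install --context "$1" \
    --set cluster.name="$1" --set cluster.id="$2" \
    --set encryption.enabled=true --set encryption.type=wireguard
  cilium clustermesh enable --context "$1" --service-type LoadBalancer
}

setup_mesh() {
  cidrs_disjoint 10.1.0.0/16 10.2.0.0/16 || { echo "overlapping Pod CIDRs" >&2; return 1; }
  install_cluster c1 1
  install_cluster c2 2
  # Exchanges clustermesh-apiserver endpoints and TLS client certificates between the clusters.
  cilium clustermesh connect --context c1 --destination-context c2
  cilium clustermesh status --context c1 --wait
  cilium clustermesh status --context c2 --wait
  cilium encrypt status --context c1            # expect WireGuard, not "Disabled"
  cilium connectivity test --context c1 --multi-cluster c2
}

# Annotation keys are Cilium's current names; the slide's io.cilium/global-service forms
# are the legacy spellings. A global Service must keep the same name and namespace in
# every cluster (namespace sameness), so the same call is made per context.
# usage: expose_global <context> <namespace> <service> <shared:true|false> <affinity:local|remote|none>
expose_global() {
  case "$4" in true|false) ;; *) echo "shared must be true|false" >&2; return 1 ;; esac
  case "$5" in local|remote|none) ;; *) echo "affinity must be local|remote|none" >&2; return 1 ;; esac
  kubectl --context "$1" -n "$2" annotate --overwrite svc "$3" \
    service.cilium.io/global=true \
    service.cilium.io/shared="$4" \
    service.cilium.io/affinity="$5"
}

if [ "${RUN_MESH:-0}" = 1 ]; then
  setup_mesh
  for ctx in c1 c2; do expose_global "$ctx" default s1 true local; done
  # Remote backends should now appear in the agent's service table
  # (the in-agent CLI is "cilium service list" on releases before 1.15).
  kubectl --context c1 -n kube-system exec ds/cilium -- cilium-dbg service list
fi
```

Run with RUN_MESH=1 to execute against live clusters; otherwise only the check functions are defined. The shared/affinity validation matters because kubectl annotate accepts any string, and a misspelled affinity value is silently treated as no preference.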
  • 15. Demos
    ● Demo 1: Cilium ClusterMesh intro and setup (link to demo recording)
    ● Demo 2: Multi-cluster E-W Services & load balancing; multi-cluster network policy (link to demo recording)
    ● Demo 3: N-S load balancing, Gateway API; single and multi-cluster (link to demo recording)
  • 16. Demo Topology (diagram: the two clusters from slide 14 joined by a clustermesh, with a gateway (GTWY) in front)
    ● N-S load balancing using Cilium Ingress or Cilium Gateway API
    ● Multi-cluster ingress when combined with Cilium ClusterMesh
    ● Multiple modes possible (demo topology shows just one mode)
  • 17. Background: Multi-Cluster Ingress LB modes/scenarios (diagram: three layouts of Svc 1, Svc 2 and Svc 3 spread over two clusters)
    ● Single gateway, on-cluster LB, multi-network: one K8s Gateway API gateway in front, with E-W gateways between the clusters
    ● Multi-gateway, on-cluster LB, single-network: a K8s Gateway API gateway in each cluster
    ● Single gateway, off-cluster (e.g. public cloud) LB, single-network: external global LB class
    Multi-cluster services can be combined with BGP, DNS and public cloud anycast to yield a variety of multi-cluster L4 and L7 ingress solutions for various use cases, including the RH Hybrid Cloud Gateway. Related refs: RH-ET blog post on this topic.
  • 18. Cilium E-W and N-S LB w/o kube-proxy (repeat of slide 6, same diagram and bullets). Additional refs: Cilium kube-proxy replacement and related enhancements
  • 19. eBPF intercepts for a NodePort service (diagram: packet flow through the node: Rx from buffer -> XDP -> alloc_skb -> TC ingress -> netfilter raw/conntrack/mangle/nat PREROUTING -> routing; host-destined packets take the INPUT chain to a socket lookup, veth-destined packets take FORWARD -> mangle/nat POSTROUTING -> the veth into the container namespace -> socket rx buffer/app). The XDP and tc/BPF hooks sit before any of the netfilter chains, which is where the kube-proxy replacement intercepts the service traffic.
  • 20. Cilium N-S enhancements (diagram: NodePort svc 172.18.0.2:31000 => (10.1.2.2:80, 10.1.2.4:80); two nodes with eth0 172.18.0.2 and 172.18.0.3, backends 10.1.2.2:80 and 10.1.2.4:80 behind xx:31000, external clients a.a.a.a/pa and b.b.b.b/pb)
    - Direct Server Return and Hybrid modes (in addition to SNAT mode)
    - Source IP preservation
    - XDP acceleration
    - 4-to-6 NAT, Maglev hashing
  • 22. Cilium Service Mesh (CSM)
    ● Option 1: Use Cilium only for L3/L4 networking; use the Istio control and data planes for the L7 service mesh
    ● Option 2: Preferred long-term direction, but not fully ready yet
      ○ Use Cilium as a single solution for all Kubernetes networking, including
        ■ CNI plugin
        ■ Multi-cluster networking
        ■ L4 and L7 service mesh
        ■ All networking functions incl. load balancing (N-S and E-W), network policy, ingress and egress, Gateway API implementation
        ■ 1) Data plane: Cilium. 2) Control plane: K8s native (Gateway API) + Envoy config CRD (CiliumEnvoyConfig) + Cilium APIs
    ● CSM uses a "sidecar-less" model, in contrast with the Istio/Linkerd per-pod sidecar model
    ● The Istio community is developing "Ambient mode" of Istio in response to CSM's sidecar-less mode
    ● Side note: the state of multi-cluster in upstream native K8s APIs (independent of specific service meshes) is incomplete; early draft proposals are initiating standards
  • 23. Cilium's Design Philosophy for Service Mesh
    ● A single networking plugin can serve all networking needs (basic CNI, service load balancing, network policy, ingress, multi-cluster networking and service mesh functions at both L4 and L7). This results in a better integrated architecture, improved user experience, and lower resource consumption and control-plane complexity than using multiple separate projects as CNI plugin, service mesh plugin, ingress, Gateway API plugin, multi-cluster networking plugin etc.
      ○ Cilium already has both L4 and L7 network policy and load balancing for its CNI plugin; reuse it for service mesh and augment where needed, rather than creating separate functions.
      ○ Cilium already has L4 traffic encryption and zero-trust networking functions; reuse them for service mesh.
      ○ Extensions to Kubernetes APIs such as Gateway API are already beginning to address all service mesh functions without the need for mesh-specific APIs like those of Istio and Linkerd.
      ○ Service mesh and gateways are moving into the kernel and infra layers in any case (e.g. Ambient).
  • 24. Issues with sidecar proxies (diagram: Liz Rice, Learning eBPF)
    ● Conventional sidecar-based model => poor latency due to suboptimal packet processing with multiple user space <-> kernel space context switches
    ● Lowered reliability due to the disconnect between sidecar proxy readiness and app readiness, and server-side initiated connections
    ● High resource consumption (a proxy per pod adds up)
  • 25. L4 + L7 data paths (diagram: cilium.io; L4 data path vs L7 data path)
  • 26. eBPF vs proxy function split (diagram: cilium.io)
  • 27. Cilium Service Mesh data path (diagram: services S1 and S2 behind a gateway (GTWY); an Envoy inside the Cilium agent on each node; an IPsec tunnel between nodes carrying the L7 mesh traffic)
    ● Cilium agent Envoy: one per node, used as the L7 proxy (N-S and E-W service load balancing & policy)
    ● Cilium kernel eBPF used for L4 pod and service load balancing and policy
    ● Single Envoy instance wrapped inside the Cilium agent for all L7 functions
    ● Special mTLS, plus optional IPsec or WireGuard "on the wire"
  • 28. Cilium's Alternate Architecture for Service Mesh: mutual TLS (diagram: cilium.io)
    ● Conventional session-based TLS: usable only by applications running on TCP and HTTP; fine-grained sessions, but a performance impact
    ● Network-based encrypted tunnels (IPsec, WireGuard etc.): usable by any application protocol; coarse-grained, higher performance
    ● Cilium mTLS: combine the two (a Cilium-specific design: an identity-based mutual authentication handshake between agents, with the traffic itself carried over the eBPF-managed encrypted tunnels)
    ● Not fully GA yet (Cilium 1.14?)
  • 30. Demo: Cilium Service Mesh
    ○ L4 Cilium mesh proxy with IPsec encryption
    ○ <<< Demo recording link to be added here >>>
    ○ L7 Cilium proxy without IPsec encryption
  • 31. L4 mesh demo topology (diagram: S1 -> Cilium L4 eBPF -> S2 over an IPsec tunnel; L4 mesh traffic)
    ● In the current release (1.13.x), IPsec encryption is limited to the L4 mesh traffic (proxy, policy & load balancing)
  • 32. Cilium Service Mesh - Demo Topology (diagram: S1 -> Cilium L7 proxy (Envoy) -> S2; L7 service mesh traffic; Google gRPC microservices demo app)
    ● In the current release (1.13.x), Cilium L7 proxy functions are supported without IPsec/encryption support
    ● L7 traffic management via the CiliumEnvoyConfig CRD; in future via Gateway API & extensions
  • 33. Extra: Notes on some additional Cilium features
  • 34. L7 Network Policy examples
    ● Cilium CNI already supports L4 and L7 network policy
    ● Hence L7 network policy can also be used for service mesh
    ● HTTP(S), gRPC, Cassandra, Redis, TLS SNI
  • 37. BBR algorithm for advanced congestion control (diagram: cilium.io)