Cilium is open source software that provides networking and security for Kubernetes. It implements Kubernetes networking, security policies, load balancing, and service mesh capabilities using eBPF. Cilium provides multi-cluster networking by connecting multiple Kubernetes clusters into a cluster mesh: each cluster keeps its own control plane, and the clusters exchange security identity and service information so that policies and load balancing span cluster boundaries. It also offers a sidecar-less service mesh that uses eBPF and Envoy for L4 and L7 traffic management instead of injecting a proxy into each pod. Demos showed Cilium's multi-cluster load balancing and policies as well as its service mesh capabilities.
Kubernetes Networking with Cilium - Deep Dive (by Michal Rostecki)
Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. The foundation of Cilium is the new Linux kernel technology BPF which supports the dynamic insertion of BPF bytecode into the Linux kernel at various integration points. This presentation reveals the secrets of Kubernetes networking and gives you a deep dive into Cilium and why it is awesome!
KCD Zurich 2023 — Bridge Dev & Ops with eBPF (by Raphaël Pinson)
eBPF (extended Berkeley Packet Filter) is a powerful and versatile technology that can be used to extend observability in Linux systems. In this talk, we will explore how eBPF can be used to bridge the gap between dev and ops by providing a deeper understanding of the kernel and OS internals as well as the applications running on top. We will discuss how eBPF can be used to extend observability downwards by enabling access to low-level system information and how it can be used to extend observability upwards by providing application-level tracing capabilities.
An overview of the Kubernetes architecture (by Igor Sfiligoi)
This talk provides a 101 introduction to Kubernetes from a user's point of view.
Aimed at service providers, it was presented at the GPN Annual Meeting 2019. https://conferences.k-state.edu/gpn/
This document outlines an agenda for a workshop on Kubernetes networking with eBPF and Cilium. The workshop covers various topics including principles of eBPF and Cilium, Kubernetes networking, cluster mesh, security, observability, service mesh, and Tetragon. It provides overviews and examples for each topic. The workshop is presented by Raphaël Pinson who works on Cilium at Isovalent.
Slides from OpenSource101.com Talk (https://opensource101.com/sessions/wtf-is-gitops-why-should-you-care/)
If you’re interested in learning more about Cloud Native Computing or are already in the Kubernetes community you may have heard the term GitOps. It’s become a bit of a buzzword, but it’s so much more! The benefits of GitOps are real – they bring you security, reliability, velocity and more! And the project that started it all was Flux – a CNCF Incubating project developed and later donated by Weaveworks (the GitOps company who coined the term).
Pinky will share from personal experience why GitOps has been an essential part of achieving a best-in-class delivery and platform team. Pinky will give a brief overview of definitions, CNCF-based principles, and Flux’s capabilities: multi-tenancy, multi-cluster, (multi-everything!), for apps and infra, and more.
Pinky will cover a little of Flux’s microservices architecture and how the various components deliver this robust, secure, and trusted open source solution. Through the components of the Flux project, users today are enjoying compatibility with Helm, Jenkins, Terraform, Prometheus, and more as well as with cloud providers such as AWS, Azure, Google Cloud, and more.
Join us for this informative session and get all of your GitOps questions answered by an end user in the community!
Speaker: Priyanka (aka “Pinky”) is a Developer Experience Engineer at Weaveworks. She has worked on a multitude of topics including front end development, UI automation for testing and API development. Previously she was a software developer at State Farm where she was on the delivery engineering team working on GitOps enablement. She was instrumental in the multi-tenancy migration to utilize Flux for an internal Kubernetes offering. Outside of work, Priyanka enjoys hanging out with her husband and two rescue dogs as well as traveling around the globe.
Using eBPF for High-Performance Networking in Cilium (by ScyllaDB)
The Cilium project is a popular networking solution for Kubernetes, based on eBPF. This talk uses eBPF code and demos to explore the basics of how Cilium makes network connections, and manipulates packets so that they can avoid traversing the kernel's built-in networking stack. You'll see how eBPF enables high-performance networking as well as deep network observability and security.
Replacing iptables with eBPF in Kubernetes with Cilium (by Michal Rostecki)
Cilium is an open source project which provides networking, security and load balancing for application services that are deployed using Linux container technologies by using the native eBPF technology in the Linux kernel. In this presentation we talked about:
- The evolution of BPF filters, the advantages of eBPF and its use cases in Linux today, and in particular how Cilium uses eBPF to secure Kubernetes workloads with better performance than legacy iptables.
- How Cilium uses SOCKMAP for layer 7 policy enforcement.
- How Cilium integrates with Istio and handles L7 network policies with Envoy proxies.
- New features since the last release, such as running a Kubernetes cluster without kube-proxy, cluster-wide network policies, and a fully distributed networking and security observability platform for cloud native workloads.
The Linux kernel is undergoing the most fundamental architecture evolution in its history and is becoming a microkernel. Why is the Linux kernel evolving into a microkernel, and why is this potentially the biggest fundamental change ever to happen to it? This talk covers how companies like Facebook and Google use BPF to patch 0-day exploits, how BPF will change the way features are added to the kernel forever, and how BPF introduces a new type of application deployment method for the Linux kernel.
Free GitOps Workshop + Intro to Kubernetes & GitOpsWeaveworks
Follow along in this free workshop and experience GitOps!
AGENDA:
Welcome - Tamao Nakahara, Head of DX (Weaveworks)
Introduction to Kubernetes & GitOps - Mark Emeis, Principal Engineer (Weaveworks)
Weave Gitops Overview - Tamao Nakahara
Free Gitops Workshop - David Harris, Product Manager (Weaveworks)
If you're new to Kubernetes and GitOps, we'll give you a brief introduction to both and how GitOps is the natural evolution of Kubernetes.
Weave GitOps Core is a continuous delivery product to run apps in any Kubernetes. It is free and open source, and you can get started today!
https://www.weave.works/product/gitops-core
If you’re stuck, also come talk to us at our Slack channel! #weave-gitops http://bit.ly/WeaveGitOpsSlack (If you need to invite yourself to the Slack, visit https://slack.weave.works/)
Turning Virtual Machines Cloud-Native using KubeVirt (by Suman Chakraborty)
The talk was presented at the OSCONF 2020 Hyderabad virtual event, where I discussed the CNCF sandbox project KubeVirt and its adoption in the cloud-native ecosystem.
Accelerating Envoy and Istio with Cilium and the Linux Kernel (by Thomas Graf)
The document discusses how Cilium can accelerate Envoy and Istio by using eBPF/XDP to provide transparent acceleration of network traffic between Kubernetes pods and sidecars without any changes required to applications or Envoy. Cilium also provides features like service mesh datapath, network security policies, load balancing, and visibility/tracing capabilities. BPF/XDP in Cilium allows for transparent TCP/IP acceleration during the data phase of communications between pods and sidecars.
Cilium - API-aware Networking and Security for Containers based on BPF (by Thomas Graf)
Cilium provides network security and visibility for microservices. It uses eBPF/XDP to provide fast and scalable networking and security controls at layers 3-7. Key features include identity-based firewalling, load balancing, and mutual TLS authentication between services. It integrates with Kubernetes to apply network policies using standard Kubernetes resources and custom CiliumNetworkPolicy resources for finer-grained control.
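As an added example, not Cilium's own code and not taken from either talk, the following user-space C program models the per-packet decision an eBPF/XDP datapath makes. It ties together the packet parsing the ScyllaDB talk above describes (bounds-checked header access, the discipline the in-kernel verifier enforces) and the identity-based firewalling described here: the source and destination addresses are translated to security identities through a constructed ipcache, and the policy table is keyed on identities rather than IPs, with default deny. The identities, addresses, policy entries and the functions `xdp_policy`, `build_frame` and `decide` are all constructed for this example; the model handles IPv4 with TCP/UDP only and ignores fragments, which a real datapath must also deal with.

```c
/*
 * Added example (not Cilium's code): a user-space model of the per-packet
 * decision an eBPF/XDP datapath makes. Identities, addresses and the policy
 * table below are constructed for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same values as enum xdp_action in <linux/bpf.h> */

/* Packed header views that are overlaid on the frame bytes. */
struct __attribute__((packed)) eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; };
struct __attribute__((packed)) ip4_hdr {
    uint8_t vihl, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr;
};
struct __attribute__((packed)) l4_hdr { uint16_t sport, dport; };

/* Constructed ipcache: endpoint IP (host byte order) -> security identity.
 * Cilium keeps the real one in a BPF map filled from the control plane. */
enum { ID_WORLD = 2, ID_FRONTEND = 10001, ID_BACKEND = 10002 };
static const struct { uint32_t ip, identity; } IPCACHE[] = {
    { 0x0a000001u, ID_FRONTEND },   /* 10.0.0.1 */
    { 0x0a000002u, ID_BACKEND  },   /* 10.0.0.2 */
};

static uint32_t lookup_identity(uint32_t ip)
{
    for (size_t i = 0; i < sizeof IPCACHE / sizeof IPCACHE[0]; i++)
        if (IPCACHE[i].ip == ip) return IPCACHE[i].identity;
    return ID_WORLD;               /* anything that is not a known endpoint is "world" */
}

/* Constructed allow-list keyed on identities, not addresses; proto 0 or
 * dport 0 act as wildcards. Anything not listed is denied (default deny). */
static const struct { uint32_t src_id, dst_id; uint8_t proto; uint16_t dport; } ALLOW[] = {
    { ID_FRONTEND, ID_BACKEND,  6 /* TCP */, 8080 },
    { ID_WORLD,    ID_FRONTEND, 6 /* TCP */, 443  },
};

static int policy_allows(uint32_t src_id, uint32_t dst_id, uint8_t proto, uint16_t dport)
{
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++)
        if (ALLOW[i].src_id == src_id && ALLOW[i].dst_id == dst_id &&
            (ALLOW[i].proto == 0 || ALLOW[i].proto == proto) &&
            (ALLOW[i].dport == 0 || ALLOW[i].dport == dport))
            return 1;
    return 0;
}

/* The XDP-style entry point. data/data_end mirror the xdp_md context; every
 * header access is preceded by a bounds check against data_end, the same
 * discipline the BPF verifier enforces before it will load a program. */
int xdp_policy(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_DROP;
    if (ntohs(eth->proto) != 0x0800) return XDP_DROP;        /* IPv4 only in this model */

    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_DROP;
    size_t ihl = (size_t)(ip->vihl & 0x0f) * 4;
    if ((ip->vihl >> 4) != 4 || ihl < sizeof *ip) return XDP_DROP;
    if ((const uint8_t *)ip + ihl > data_end) return XDP_DROP; /* also covers IP options */

    uint16_t dport = 0;
    if (ip->protocol == 6 || ip->protocol == 17) {             /* TCP or UDP */
        const struct l4_hdr *l4 = (const struct l4_hdr *)((const uint8_t *)ip + ihl);
        if ((const uint8_t *)(l4 + 1) > data_end) return XDP_DROP;
        dport = ntohs(l4->dport);
    }
    uint32_t src_id = lookup_identity(ntohl(ip->saddr));
    uint32_t dst_id = lookup_identity(ntohl(ip->daddr));
    return policy_allows(src_id, dst_id, ip->protocol, dport) ? XDP_PASS : XDP_DROP;
}

/* Builds a constructed Ethernet/IPv4/L4 frame into buf; returns its length. */
size_t build_frame(uint8_t *buf, uint32_t saddr, uint32_t daddr, uint8_t proto, uint16_t dport)
{
    struct eth_hdr eth = { .proto = htons(0x0800) };
    struct ip4_hdr ip = { .vihl = 0x45, .ttl = 64, .protocol = proto,
                          .saddr = htonl(saddr), .daddr = htonl(daddr) };
    struct l4_hdr l4 = { .sport = htons(40000), .dport = htons(dport) };
    ip.tot_len = htons((uint16_t)(sizeof ip + sizeof l4));
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    memcpy(buf + sizeof eth + sizeof ip, &l4, sizeof l4);
    return sizeof eth + sizeof ip + sizeof l4;
}

/* Convenience wrapper: build a frame and run the policy over it. */
int decide(uint32_t saddr, uint32_t daddr, uint8_t proto, uint16_t dport)
{
    uint8_t buf[64];
    size_t len = build_frame(buf, saddr, daddr, proto, dport);
    return xdp_policy(buf, buf + len);
}

int main(void)
{
    printf("frontend->backend tcp/8080: %s\n", decide(0x0a000001u, 0x0a000002u, 6, 8080) == XDP_PASS ? "PASS" : "DROP");
    printf("world->backend tcp/8080:    %s\n", decide(0xc0a80101u, 0x0a000002u, 6, 8080) == XDP_PASS ? "PASS" : "DROP");
    return 0;
}
```

Two points carry over to a real datapath: a frame that is shorter than the headers it claims to carry is dropped by the bounds checks rather than read out of bounds, and because policy is keyed on identities, an endpoint keeps its policy when it is rescheduled to a new IP, while an address that is not in the ipcache collapses to the "world" identity and only matches rules that explicitly allow world.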
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security (by Thomas Graf)
BPF is one of the fastest emerging technologies of the Linux kernel. The talk provides an introduction to Cilium which brings the powers of BPF to Kubernetes and other orchestration systems to provide highly scalable and efficient networking, security and load balancing for containers and microservices. The talk will provide an introduction to the capabilities of Cilium today but also deep dives into the emerging roadmap involving networking at the socket layer and service mesh datapath capabilities to provide highly efficient connectivity between cloud native apps and sidecar proxies.
Kubernetes is an open-source container cluster manager that was originally developed by Google. It was created as a rewrite of Google's internal Borg system using Go. Kubernetes aims to provide a declarative deployment and management of containerized applications and services. It facilitates both automatic bin packing as well as self-healing of applications. Some key features include horizontal pod autoscaling, load balancing, rolling updates, and application lifecycle management.
Presentation delivered at LinuxCon China 2017.
Open vSwitch (OVS) is a multilayer open source virtual switch. OVS is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces. OVN is a new network virtualization project that brings virtual networking to the Open vSwitch user community. OVN includes logical switches and routers, security groups, and L2/L3/L4 ACLs, implemented on top of a tunnel-based overlay network.
In this presentation, we will provide an overview of the current state of the projects and their future plans, such as:
- The current state of the Linux, DPDK, and Hyper-V ports
- A status update on a portable BPF-based datapath
- The latest stateful and OpenFlow features available in OVS
- Performance and debugging enhancement to OVN
- OVN features under development such as ACL logging and encrypted tunnels
A brief study on Kubernetes and its componentsRamit Surana
Kubernetes is an open source orchestration system for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users declared intentions. Using the concepts of "labels" and "pods", it groups the containers which make up an application into logical units for easy management and discovery.
Kata Containers and gVisor provide approaches to securely isolate containers by keeping them out of the host kernel. Kata Containers uses virtual machines with lightweight kernels to isolate containers, while gVisor uses a userspace kernel implemented in Go to provide isolation. Both aim to protect the host kernel by preventing containers from accessing kernel resources directly. gVisor's userspace kernel still relies on the host kernel for a reduced set of system calls (and on KVM when run with its KVM platform), so the host attack surface is narrowed rather than removed; Kata's guest kernel runs behind hardware virtualization, which is why its isolation is stronger. Kata Containers has a larger memory footprint than gVisor due to its use of virtual machines.
LinuxCon 2015 Linux Kernel Networking Walkthrough (by Thomas Graf)
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both, existing essential networking features and recent developments and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling and will discuss how to configure them.
Everything You Need To Know About Persistent Storage in Kubernetes (by The {code} Team)
This document discusses Kubernetes persistent storage options for stateful applications. It covers common use cases that require persistence like databases, messaging systems, and content management systems. It then describes the Kubernetes PersistentVolume (PV), PersistentVolumeClaim (PVC), and StorageClass objects that are used to provision and consume persistent storage. Finally, it compares Deployments with StatefulSets and covers other volume types like emptyDir and hostPath, as well as DaemonSets, and their use cases. hostPath volumes expose the node's filesystem to the pod, so production clusters usually restrict them with admission policy.
Cluster API is a Kubernetes sub-project that provides declarative APIs and tooling to simplify provisioning, upgrading, and operating multiple Kubernetes clusters on any infrastructure. It works by having core Cluster API components along with plugins for different bootstrap, control-plane and infrastructure providers like Openstack, AWS, GCP etc. The presentation discusses Cluster API integration with Openstack, considerations for using it in production including separate internal and public connections and reusing Openstack networking, and proposes a time-saving deployment model leveraging various Cluster API and Gardener projects.
For this info-packed and hands-on workshop we cover:
📍 Introduction to Kubernetes & GitOps talk:
We cover the most popular path that has brought success to many users already - GitOps as a natural evolution of Kubernetes. We'll give an overview of how you can benefit from Kubernetes and GitOps: greater security, reliability, velocity and more. Importantly, we cover definitions and principles standardized by the CNCF's OpenGitOps group and what it means for you.
📍 Get Started with GitOps:
You'll have GitOps up and running in about 30 mins using our free and open source tools! We'll give a brief vision of where you want to be with those security, reliability, and velocity benefits, and then we'll support you while you go through the getting started steps. During the workshop, you'll also experience in action and see demos for:
- an opinionated repo structure to minimize decision fatigue
- disaster recovery using GitOps
- Helm charts example
- Multi-cluster example
- all with free and open source tools mostly in the CNCF (eg. Flux and Helm).
If you have questions before or after the workshop, talk to us at #weave-gitops http://bit.ly/WeaveGitOpsSlack (If you need to invite yourself to the Slack, visit https://slack.weave.works/)
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-cer... **
This Edureka tutorial on "Kubernetes Networking" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Networking concepts. The following topics are covered in this training session:
1. What is Kubernetes?
2. Kubernetes Cluster
3. Pods, Services & Ingress Networks
4. Case Study of Wealth Wizards
5. Hands-On
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
Cilium - Fast IPv6 Container Networking with BPF and XDP (by Thomas Graf)
We present a new open source project which provides IPv6 networking for Linux containers by generating a program for each individual container on the fly and running it as JITed BPF code in the kernel. Because the code is generated and compiled per container, each program is reduced to the minimally required feature set and then heavily optimised by the compiler, since parameters become plain constants. The upcoming addition of the eXpress Data Path (XDP) to the kernel will make this approach even more efficient, as the programs will be invoked directly from the network driver.
Designing a complete CI/CD pipeline using Argo Events, Workflows and CD products (by Julian Mazzitelli)
https://www.youtube.com/watch?v=YmIAatr3Who
Presented at Cloud and AI DevFest GDG Montreal on September 27, 2019.
Are you looking to get more flexibility out of your CICD platform? Interested how GitOps fits into the mix? Learn how Argo CD, Workflows, and Events can be combined to craft custom CICD flows. All while staying Kubernetes native, enabling you to leverage existing observability tooling.
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
Helm is a package manager for Kubernetes that allows for easy installation, upgrade, and management of Kubernetes applications. It provides repeatability and reliability, and simplifies deploying applications across multiple Kubernetes environments. Helm originated from an internal hackathon at Deis and was jointly developed by Google and Deis. It is now maintained by the Cloud Native Computing Foundation. In Helm 2, the version described here, Helm consists of a client that interacts with the Tiller server running inside the Kubernetes cluster to manage application lifecycles using charts, which are packages containing Kubernetes resource definitions. Tiller was removed in Helm 3: its typically cluster-wide privileges made it an attractive target, and Helm 3 instead acts with the caller's own Kubernetes credentials.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines (by Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Presented as part of Container Conference 2018: www.containerconf.in
Deep dive into Kubernetes networking
"Container networking is pretty complex and Kubernetes has taken a unique approach to solve container networking challenges. Both simplicity and scalability have been key design principles of Kubernetes networking. This session will illustrate kubernetes networking concepts with examples and demos. Best practises and considerations for deploying container networks in production using Kubernetes will be covered.
This session will also go into latest developments in Kubernetes networking like Network policy and Service policy using Istio."
Presented at Cloud and AI DevFest GDG Montreal on September 27, 2019.
Are you looking to get more flexibility out of your CICD platform? Interested how GitOps fits into the mix? Learn how Argo CD, Workflows, and Events can be combined to craft custom CICD flows. All while staying Kubernetes native, enabling you to leverage existing observability tooling.
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
Helm is a package manager for Kubernetes that allows for easy installation, upgrade, and management of Kubernetes applications. It provides repeatability, reliability, and simplifies deploying applications across multiple Kubernetes environments. Helm originated from an internal hackathon at Deis and was jointly developed by Google and Deis. It is now maintained by the Cloud Native Computing Foundation. Helm consists of a client that interacts with the Tiller server running inside the Kubernetes cluster to manage application lifecycles using charts, which are packages containing Kubernetes resource definitions.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Presented as part of Container Conference 2018: www.containerconf.in
Deep dive into Kubernetes networking
"Container networking is pretty complex and Kubernetes has taken a unique approach to solve container networking challenges. Both simplicity and scalability have been key design principles of Kubernetes networking. This session will illustrate kubernetes networking concepts with examples and demos. Best practises and considerations for deploying container networks in production using Kubernetes will be covered.
This session will also go into latest developments in Kubernetes networking like Network policy and Service policy using Istio."
The document provides an overview of Kubernetes networking concepts including single pod networking, pod to pod communication, service discovery and load balancing, external access patterns, network policies, Istio service mesh, multi-cluster networking, and best practices. It covers topics such as pod IP addressing, communication approaches like L2, L3, overlays, services, ingress controllers, network policies, multi-cluster use cases and deployment options.
Istio is an open-source service mesh that provides traffic management, telemetry and security for microservices. It works by injecting Envoy sidecar proxies into applications. The document provides an overview of Istio architecture, setup, and how it can be used for traffic management features like canary releases and advanced load balancing.
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
Service mesh is a powerful pattern for implementing strong zero-trust networking practices, introducing better network observability, and allowing for more fine-grained traffic control. Up until now, the sidecar pattern was used to implement service-mesh capability but as the technology matures, a new pattern has emerged: sidecarless service mesh. Two prominent open-source networking projects, Cilium and Istio, have implemented a sidecar-free approach to service mesh but they both make interesting design decisions and tradeoffs. In this talk we review the architecture of both, focusing on the pros and cons of implementations such as mutual authentication, ingress, and observability.
Kubernetes from scratch at veepee sysadmins days 2019🔧 Loïc BLOT
1. The document discusses Kubernetes components, tools, and architecture for deployment at Veepee. It covers the control plane components, node architecture, and tooling used including DNS resolution, metrics collection, and logging.
2. For the control plane, it describes deploying etcd, the API server, scheduler, and controller manager across multiple datacenters. It also discusses configuring the API server and admission controllers.
3. For nodes, it discusses choosing containerd over Docker, configuring the network using kube-router with BGP, and using CoreDNS for internal DNS resolution in the cluster.
4. It provides details on tooling used for DNS, metrics collection, and centralized logging to
Bandwidth: Use Cases for Elastic Cloud on Kubernetes Elasticsearch
Bandwidth has been an avid user of the Elastic Stack for aggregating their logs from its many data centers. Learn how Bandwidth uses Elastic Cloud on Kubernetes to help satisfy various use cases.
Colt SDN Strategy - FIBRE Workshop 5 Nov 2013 BarcelonaJavier Benitez
Colt's vision is to integrate IT and network platforms through software-defined networking (SDN) and network functions virtualization (NFV) to deliver an integrated customer experience. Colt's strategy is to make networks programmable like computing through SDN/NFV. This includes separating the data and control planes, standardizing network abstractions, and virtualizing network functions. Colt's plan is to develop an SDN/NFV infrastructure including DC network virtualization, virtualized network functions, and a software-defined WAN.
This document compares existing CNI plugins for Kubernetes and provides descriptions of popular plugins like Flannel, Calico, Kube-router, and AWS VPC CNI. It explains that CNI plugins provide the interface between container runtimes and network implementations, and describes the CNI workflow and requirements for pod networking in Kubernetes.
A Comprehensive Introduction to Kubernetes. This slide deck serves as the lecture portion of a full-day Workshop covering the architecture, concepts and components of Kubernetes. For the interactive portion, please see the tutorials here:
https://github.com/mrbobbytables/k8s-intro-tutorials
This document provides an overview of service meshes and Istio. It defines what a service mesh is and describes some of its key capabilities like service discovery, load balancing, and observability. It then discusses Istio and how it works with Kubernetes as a service mesh. Istio's architecture is explained, including its control plane components like Pilot and data plane component Envoy. Lastly, it covers Istio deployment models and provides a case study on mesh federation.
Presentation + demo at Triangle Kubernetes and Openshift Meetup June 2017. Architecture overview and live demo of Contiv open container networking project working with Red Hat Openshift Container platform.
Kubernetes currently has two load balancing mode: userspace and IPTables. They both have limitation on scalability and performance. We introduced IPVS as third kube-proxy mode which scales kubernetes load balancer to support 50,000 services. Beyond that, control plane needs to be optimized in order to deploy 50,000 services. We will introduce alternative solutions and our prototypes with detailed performance data.
This document provides an introduction and overview of Kubernetes presented by Milos Zubal at a technology meetup. It begins with background on Milos and an outline of the topics to be covered, including the big picture of Kubernetes, its history and main features, containers, Kubernetes architecture, main components like pods and services, and deployment options. It then goes into more detail explaining each major Kubernetes concept like replicas, services, volumes, deployments and other primitives. The presentation aims to cover all of this in 30-35 minutes and concludes with questions and additional resources.
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.
Edge Computing: A Unified Infrastructure for all the Different PiecesCloudify Community
Edge Computing along with 5G promises to revolutionize customer experience with immersive applications that we can only imagine at this point. The edge will include PNFs, VNFs, and mobile-edge applications; requiring containers, virtual machines and bare-metal compute. But while edge computing promises numerous new revenue streams, managing and orchestrating these edge infrastructure environments is not going to be a seamless, instant process. In this webinar, experts in NFV orchestration discuss the concerns you must address in the transition to the edge, and show how you can use available open source tools to create a single management environment for PNFs, VNFs, and mobile-edge applications.
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kevin Lynch
In this presentation I talk about our motivation to converting our microservices to run on Kubernetes. I discuss many of the technical challenges we encountered along the way, including networking issues, Java issues, monitoring and alerting, and managing all of our resources!
Explore the World of Cilium, Tetragon & eBPFRaphaël PINSON
Come explore the World of Cilium with us!
In this workshop, you'll have the opportunity to discover about Cilium and Tetragon, and the kernel technology that makes them possible, eBPF.
Through a collection of hands-on labs (available at https://labs-map.isovalent.com/) and the presenter's support, you'll be able to explore many topics covering Cloud Native Networking, Security, and Observability. In this gamified approach, you'll also be able to earn badges for completing labs.
Whether you're a Platform Engineer, SRE, Network Engineer, SecOps Professional, Cloud Architect, and more, you'll certainly find subjects to explore in this session!
Container security within Cisco Container PlatformSanjeev Rampal
The document discusses security within Cisco Container Platform. It provides an overview of the security model and features, including platform hardening through the Cisco Secure Development Lifecycle process, role-based access control for Kubernetes, and secure multi-tenancy capabilities in Kubernetes clusters. It also covers container and Kubernetes security best practices like encryption, authentication, and network policies that are supported in Cisco Container Platform. The presentation concludes with a demo of secure multi-tenancy in Kubernetes clusters.
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveSanjeev Rampal
This document provides an overview and agenda for a presentation on secure multitenancy in Kubernetes. It discusses what Kubernetes multitenancy is, available solutions, architectural models for multitenancy including namespace grouping and virtual Kubernetes clusters. It also covers community initiatives for multitenancy control plane including tenant controllers and hierarchical namespaces. The document outlines benchmarking categories and a proposed baseline reference implementation for multitenancy including control plane, data plane, and network isolation techniques.
Architecture of Cisco Container Platform: A new Enterprise Multi-Cloud Kubern...Sanjeev Rampal
Introduction to the architecture of Cisco Container Platform. This is a new offering from Cisco and is an enterprise grade Multi-Cloud Kubernetes based Container platform.. The presentation covers overall architecture, internal details on networking storage, operations and automation as well as multi-cloud features including the use of this platform alongwith hosted Kubernetes offerings from AWS (EKS) and Google (GKE)
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...Sanjeev Rampal
Container networking with Docker Enterprise Edition (EE) and Cisco Contiv allows for:
1) Defining network policies and security controls across virtual and container workloads using Contiv's open source software.
2) Deploying containerized applications on Docker EE across a swarm of nodes using network and security policies defined in Contiv.
3) Integrating Contiv with underlying data center infrastructure like Cisco Application Centric Infrastructure (ACI) to leverage physical network services and policy enforcement.
Openstack Summit: Networking and policies across Containers and VMsSanjeev Rampal
Container networking & policies across mixed cloud environments (containers, VMs, bare metal). Talk & demo at Openstack Summit 2017 Boston.
Video recording of talk: https://www.openstack.org/videos/boston-2017/cisco-networking-policies-across-containers-and-vms
Discover the benefits of outsourcing SEO to Indiadavidjhones387
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
2. Agenda: what we will discuss today
● Cilium Overview
● Cilium Cluster Mesh
● Cilium Service Mesh
● Some aspects of other Cilium features (eBPF data path, load balancing optimizations, policy)
● Relation to other K8s community/RH projects
● Demos
● Summary/Takeaways
6. Cilium E-W and N-S LB w/o kube-proxy (diagram: Borkmann, Isovalent)
[Diagram: Node A (pod redis, veth lxc0, eth0) and Node B (pod nginx, veth lxc0, eth0) plus an external client; BPF hook points shown are XDP/BPF and tc/BPF on the node interfaces and sock/BPF at the socket layer.]
N-S: handles external traffic for svc IP:port
- Backends can be local or remote
- Performs DNAT and DSR/SNAT/Hybrid when remote
- Same code compilable for XDP and tc/BPF
- Hairpin to remote on the XDP layer; local backends handled via tc ingress
E-W: handles internal traffic for svc IP:port
- Backends can be local or remote
- No packet-based NAT needed thanks to the connect(), sendmsg(), recvmsg() hooks
- No intermediate hops as in kube-proxy
- Exposes services to all local addresses and loopback 127.0.0.1/::1
- Blocks other applications in the post-bind() hook from port reuse
Main principle: operate as close as possible to the socket for E-W and as close as possible to the driver for N-S.
8. Cilium Cluster Mesh
● Multi-cluster networking analogous to "Submariner Mesh" or the "Kubernetes Multi-Cluster Services API", but with significant differences
● Needs unique, non-overlapping Pod IP ranges and direct routability (no NAT) between nodes across the mesh; ClusterIPs stay cluster-local, a global service is reached through each cluster's own ClusterIP
● This is not Kubernetes Federation: clusters are still separately provisioned, but with coupled networking, up to 256 clusters (possibly more in future) in a cluster mesh
● Separate control plane/etcd for cross-cluster information sharing (e.g. pod IPs)
● Multi-cluster policy and identity at this layer; multi-cluster load balancing (N-S, E-W)
● Use this for multi-cluster with or without Cilium Service Mesh
● Encryption options: IPsec and WireGuard, with differences in per-node tunnel/key handling
● Relation to the K8s MCS API, Submariner and other community projects; compare the MCS API's two resources (ServiceExport/ServiceImport, with ClusterSetIPs vs ClusterIPs) with Cilium's single Service plus a global annotation
● Note: the recently announced Cilium Mesh builds on this further
9. Cilium Multi-Cluster Mesh - Control plane
● 2 or more (up to 256) independently provisioned k8s clusters, all running Cilium CNI, coupled in a "cluster mesh" (akin to a "Submariner mesh")
● MCM control plane: a separate control plane with its own etcd datastore for the multi-cluster mesh itself (the clustermesh-apiserver), running as regular pods within the k8s clusters
● The Cilium operator mirrors global k8s services, their associated endpoints and related network policy (identity) info into the MCM etcd
● A k8s Service is marked "Global" explicitly via a Cilium annotation
○ Example: service.cilium.io/global: "true"
(Diagram: cilium.io)
11. Multi-Cluster Services & Network Policies
○ Relevant annotations:
■ service.cilium.io/global: "true" (or "false"): mark this local service as "Global" (or not)
■ service.cilium.io/shared: "true" (or "false"): share (or not) this cluster's backends with the other clusters of the global service; defaults to "true", and a non-shared cluster still consumes the remote backends
■ service.cilium.io/affinity: "local" | "remote" | "none": global service endpoint load-balancing affinity/preference
○ Note: global services also have to adhere to namespace sameness rules (same namespace and name in every cluster)
○ Multi-Cluster Network Policies
■ Exactly the same API and implementation as single-cluster network policies (both K8s NetworkPolicy and Cilium's own L4 and L7 network policies)
■ Network policy labels/selectors are reflected in the multi-cluster mesh control plane, so they have global significance (plus optional additional per-cluster qualification within policy selectors)
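The interplay of the three annotations above is easiest to see in code. The following model is an added example written for this page, not Cilium's implementation: it reproduces the documented semantics (global merges same-namespace/same-name services, shared=false withholds a cluster's backends but still consumes remote ones, affinity=local/remote falls back to the other side only when no ready backend is left). The cluster names, service name and backend addresses are constructed for the example.

```python
"""Illustrative model (not Cilium's own code) of how the service.cilium.io/global,
service.cilium.io/shared and service.cilium.io/affinity annotations shape the
backend set that a client in one cluster sees for a global service.
Cluster names, service names and backend addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GLOBAL = "service.cilium.io/global"
SHARED = "service.cilium.io/shared"
AFFINITY = "service.cilium.io/affinity"


@dataclass
class Backend:
    addr: str           # pod IP:port
    ready: bool = True  # only ready backends are load-balanced to


@dataclass
class Service:
    namespace: str
    name: str
    annotations: Dict[str, str] = field(default_factory=dict)
    backends: List[Backend] = field(default_factory=list)

    def is_global(self) -> bool:
        return self.annotations.get(GLOBAL) == "true"

    def is_shared(self) -> bool:
        # shared defaults to "true"; "false" keeps this cluster's backends out of
        # the mesh-wide backend set while the service still consumes remote ones
        return self.is_global() and self.annotations.get(SHARED, "true") != "false"

    def ready_backends(self) -> List[str]:
        return [b.addr for b in self.backends if b.ready]


# cluster name -> services defined in that cluster
Mesh = Dict[str, List[Service]]


def find_service(mesh: Mesh, cluster: str, namespace: str, name: str) -> Optional[Service]:
    # namespace sameness: a global service is merged only with services that
    # have the same namespace AND the same name in the other clusters
    for svc in mesh.get(cluster, []):
        if svc.namespace == namespace and svc.name == name:
            return svc
    return None


def backends_seen_by(mesh: Mesh, client_cluster: str, namespace: str, name: str) -> List[str]:
    """Backends a client in client_cluster is load-balanced to for namespace/name."""
    local = find_service(mesh, client_cluster, namespace, name)
    if local is None:
        return []
    own = local.ready_backends()
    if not local.is_global():
        return own  # plain ClusterIP service: never sees remote backends
    remote: List[str] = []
    for cluster in mesh:
        if cluster == client_cluster:
            continue
        peer = find_service(mesh, cluster, namespace, name)
        if peer is not None and peer.is_shared():
            remote.extend(peer.ready_backends())
    affinity = local.annotations.get(AFFINITY, "none")
    if affinity == "local":
        return own or remote    # remote backends only when no local one is ready
    if affinity == "remote":
        return remote or own    # the mirror image
    return own + remote         # "none": every ready backend in the mesh


def demo_mesh() -> Mesh:
    """Constructed two-cluster mesh: cluster1 prefers local backends, cluster2
    keeps its backends to itself (shared=false) but still consumes cluster1's."""
    return {
        "cluster1": [Service("default", "s1", {GLOBAL: "true", AFFINITY: "local"},
                             [Backend("10.1.0.1:80"), Backend("10.1.0.2:80")])],
        "cluster2": [Service("default", "s1", {GLOBAL: "true", SHARED: "false"},
                             [Backend("10.2.0.1:80"), Backend("10.2.0.2:80")])],
    }


if __name__ == "__main__":
    mesh = demo_mesh()
    for cluster in mesh:
        print(cluster, "->", backends_seen_by(mesh, cluster, "default", "s1"))
    for b in mesh["cluster1"][0].backends:  # take cluster1's own backends down
        b.ready = False
    print("cluster1 with no ready local backends ->",
          backends_seen_by(mesh, "cluster1", "default", "s1"))
```

Running it shows the asymmetry a practitioner should expect: cluster2's clients spread over all four backends, cluster1's clients stay on their two local ones, and once those go unready cluster1 is left with nothing, because cluster2 marked its backends as not shared. A shared=false cluster therefore opts out of being a failover target for everyone else while still being able to fail over itself.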
12. Multi-Cluster Network Policy Example

```yaml
# Sample Cilium multi-cluster network policy augmented with cluster selectors
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-cross-cluster"
spec:
  description: "Allow x-wing in cluster1 to contact rebel-base in cluster2"
  endpointSelector:
    matchLabels:
      name: x-wing
      io.cilium.k8s.policy.cluster: cluster1
  egress:
    - toEndpoints:
        - matchLabels:
            name: rebel-base
            io.cilium.k8s.policy.cluster: cluster2
```
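What the cluster labels in the selectors buy you becomes clear when the same policy is evaluated with and without them. The model below is an added example for this page, not Cilium's policy engine: it implements matchLabels semantics over an endpoint inventory in which every endpoint carries the io.cilium.k8s.policy.cluster label that Cilium adds in a cluster mesh (label source prefixes such as k8s: are ignored). The workload names and the inventory are constructed. Note also that this is an egress-only policy; if cluster2 enforces default-deny ingress on rebel-base, a matching ingress rule is still needed there, since Cilium enforces egress at the source and ingress at the destination independently.

```python
"""Illustrative model (not Cilium's own code) of how the allow-cross-cluster
policy above selects endpoints in a ClusterMesh. Cilium derives each endpoint's
security identity from its labels and, in a mesh, adds
io.cilium.k8s.policy.cluster=<cluster-name>; a selector that omits that label
therefore matches the same-named workload in every connected cluster.
Workload names and the endpoint inventory are constructed for the example."""
from typing import Dict, List, Set, Tuple

CLUSTER_LABEL = "io.cilium.k8s.policy.cluster"  # real label key Cilium uses


class Endpoint:
    def __init__(self, cluster: str, labels: Dict[str, str]):
        self.cluster = cluster
        # effective label set = workload labels + the cluster label Cilium adds
        self.labels = {**labels, CLUSTER_LABEL: cluster}

    @property
    def ident(self) -> str:
        return f"{self.labels['name']}@{self.cluster}"


def matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every selector key must be present with that value.
    Label source prefixes (k8s:, any:) are ignored in this model."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def allowed_egress_pairs(policy: Dict, endpoints: List[Endpoint]) -> Set[Tuple[str, str]]:
    """(source, destination) pairs the policy's egress rules permit.
    Once an endpoint is selected by a policy with egress rules, everything not
    matched by some toEndpoints selector is denied for it (default deny)."""
    spec = policy["spec"]
    allowed: Set[Tuple[str, str]] = set()
    for src in endpoints:
        if not matches(spec["endpointSelector"], src.labels):
            continue  # policy does not apply to this endpoint
        for rule in spec.get("egress", []):
            for sel in rule.get("toEndpoints", []):
                for dst in endpoints:
                    if dst is not src and matches(sel, dst.labels):
                        allowed.add((src.ident, dst.ident))
    return allowed


def cross_cluster_policy(qualify_clusters: bool) -> Dict:
    """The slide's allow-cross-cluster policy, with or without the cluster labels
    in its selectors."""
    src = {"name": "x-wing"}
    dst = {"name": "rebel-base"}
    if qualify_clusters:
        src[CLUSTER_LABEL] = "cluster1"
        dst[CLUSTER_LABEL] = "cluster2"
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": "allow-cross-cluster"},
        "spec": {
            "endpointSelector": {"matchLabels": src},
            "egress": [{"toEndpoints": [{"matchLabels": dst}]}],
        },
    }


# constructed inventory: the same workloads deployed in both clusters
DEMO_ENDPOINTS = [
    Endpoint("cluster1", {"name": "x-wing"}),
    Endpoint("cluster1", {"name": "rebel-base"}),
    Endpoint("cluster2", {"name": "x-wing"}),
    Endpoint("cluster2", {"name": "rebel-base"}),
    Endpoint("cluster2", {"name": "deathstar"}),
]

if __name__ == "__main__":
    for qualified in (True, False):
        pairs = allowed_egress_pairs(cross_cluster_policy(qualified), DEMO_ENDPOINTS)
        print("cluster-qualified" if qualified else "unqualified", sorted(pairs))
```

With the cluster labels the policy yields exactly one permitted pair, x-wing in cluster1 to rebel-base in cluster2. Without them it selects x-wing in both clusters and lets each reach rebel-base in both clusters: four pairs, including intra-cluster traffic the author may not have meant to allow. This is the "global significance" of labels in a mesh turned into a concrete review check: a policy that was least-privilege in a single cluster widens silently once the cluster joins a mesh unless its selectors are cluster-qualified.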
14. Demo Topology
[Diagram: two clusters, cluster-id 1 and cluster-id 2, joined in a clustermesh; global services S1 and S2 are present in both.]
Setup with the cilium CLI:
cilium install --cluster-id 1 …
cilium clustermesh enable
cilium clustermesh connect --context c1 --destination-context c2
Global service annotations used in the demo (the older io.cilium/* annotation names; slide 11 lists the current service.cilium.io/* equivalents):
io.cilium/global-service="true"
io.cilium/shared-service="false"
io.cilium/service-affinity=local
Example demo application: S1 and S2 are each a global (multi-cluster) service with 2 backend pods in each cluster of the clustermesh.
15. Demos
● Demo 1:
○ Cilium ClusterMesh intro and setup
○ Link to demo recording
● Demo 2:
○ Multi-cluster E-W services & load balancing
○ Multi-cluster network policy
○ Link to demo recording
● Demo 3:
○ N-S load balancing, Gateway API
○ Single and multi-cluster
○ Link to demo recording
16. Demo Topology: N-S load balancing
[Diagram: clustermesh of cluster-id 1 and cluster-id 2, each hosting S1 and S2, fronted by a gateway (GTWY).]
● N-S load balancing using Cilium Ingress or the Cilium Gateway API
● Multi-cluster ingress when combined with Cilium ClusterMesh
● Multiple modes possible (the demo topology shows just one mode)
17. Background: Multi-Cluster Ingress LB modes/scenarios
[Diagram: three topologies, each with two clusters hosting Svc 1, Svc 2 and Svc 3:
- Single gateway, on-cluster LB, multi-network: one GW (K8s Gateway API) in one cluster, with E-W GWs between the clusters
- Multi-gateway, on-cluster LB, single-network: a GW (K8s Gateway API) in each cluster
- Single gateway, off-cluster (e.g. public cloud) LB, single-network: an external GLB class in front of both clusters]
Multi-cluster services can be combined with BGP, DNS and public cloud anycast to yield a variety of multi-cluster L4 and L7 ingress solutions for various use cases, including RH Hybrid Cloud Gateway.
Related refs: RH-ET blog post on this topic
18. Cilium E-W and N-S LB w/o kube-proxy (diagram: Borkmann, Isovalent; same content as slide 6, repeated here)
Additional refs: Cilium kube-proxy replacement and related enhancements
19. eBPF intercepts for NodePort svc
[Diagram: receive path of a node packet for a NodePort service, showing where the eBPF hooks sit relative to the netfilter chains. Rx from NIC buffer -> XDP -> alloc_skb -> TC ingress -> raw PREROUTING -> conntrack -> mangle PREROUTING -> nat PREROUTING -> routing decision. If destined to the host: INPUT chain -> socket lookup -> socket rx buffer/app. If destined to a veth: FORWARD -> mangle POSTROUTING -> nat POSTROUTING -> veth -> container namespace (its own PREROUTING & INPUT chains) -> socket. The XDP and TC ingress hooks used by the Cilium node packet filter run before any netfilter processing.]
20. NodePort example
[Diagram: two nodes, eth0 172.18.0.2 and eth0 172.18.0.3, both exposing NodePort xx:31000; backends 10.1.2.2:80 and 10.1.2.4:80; external clients a.a.a.a/pa and b.b.b.b/pb.]
NodePort svc: 172.18.0.2:31000 => (10.1.2.2:80, 10.1.2.4:80)
Cilium N-S enhancements:
- Direct Server Return and Hybrid modes (in addition to SNAT mode)
- Source IP preservation
- XDP acceleration
- 4-to-6 NAT, Maglev hashing
22. Cilium Service Mesh (CSM)
● Option 1: Use Cilium only for L3/L4 networking; use the Istio control and data planes for the L7 service mesh
● Option 2: Preferred long-term direction, but not fully ready yet
○ Use Cilium as a single solution for all Kubernetes networking, including
■ CNI plugin
■ Multi-cluster networking
■ L4 and L7 service mesh
■ All networking functions incl. load balancing (N-S and E-W), network policy, ingress and egress, Gateway API implementation
■ 1) Data plane: Cilium. 2) Control plane: K8s native (Gateway API) + Envoy config CRD + Cilium APIs
● CSM uses a "sidecar-less model", in contrast with the Istio/Linkerd per-pod sidecar model
● The Istio community is developing "Ambient mode" of Istio in response to CSM's sidecar-less mode
● Side note: the state of multi-cluster in upstream native K8s APIs (independent of specific service meshes) is incomplete; there are early draft proposals at initiating standards
23. Cilium's Design Philosophy for Service Mesh
● A single networking plugin can serve all networking needs (basic CNI, service load balancing, network policy, ingress, multi-cluster networking and service mesh functions at both L4 and L7). This results in a better integrated architecture, an improved user experience, and lower resource consumption and control plane complexity than using multiple separate projects as CNI plugin, service mesh plugin, ingress, Gateway API plugin, multi-cluster networking plugin etc.
○ Cilium already has both L4 and L7 network policy and load balancing for its CNI plugin; reuse it for the service mesh and augment where needed, rather than creating separate functions.
○ Cilium already has L4 traffic encryption and zero-trust networking functions; reuse them for the service mesh.
○ Extensions to the Kubernetes APIs, like the Gateway API and others, are already beginning to address all service mesh functions without the need for mesh-specific APIs like those of Istio and Linkerd.
○ Service mesh and gateways are moving into the kernel and infrastructure layers in any case (e.g. Ambient).
24. Issues with Sidecar proxies (diagram: Liz Rice, Learning eBPF)
● Conventional sidecar-based model => poor latency due to suboptimal packet processing with multiple user space <-> kernel space context switches
● Lowered reliability due to the disconnect between sidecar proxy readiness and app readiness, and to server-side initiated connections
● High resource consumption (a proxy per pod adds up)
25. L4 + L7 data paths
[Diagram (cilium.io): the L4 data path next to the L7 data path.]
27. Cilium Service Mesh data path
[Diagram: services S1, S2, S2 behind a gateway (GTWY); on each node a Cilium Agent with an embedded Envoy; L7 mesh traffic flows between the Envoys over an IPsec tunnel.]
● Cilium Agent Envoy, one per node, used as the L7 proxy (N-S and E-W service load balancing & policy)
● Cilium kernel eBPF used for L4 pod and service load balancing and policy
● Single Envoy instance wrapped inside the Cilium agent for all L7 functions
● Special mTLS, plus optional IPsec & WireGuard "on the wire"
28. Cilium's Alternate Architecture for Service Mesh mutual-TLS (diagram: cilium.io)
● Conventional session-based TLS: usable only by applications running on TCP and HTTP; fine-grained sessions, but a performance impact
● Network-based encrypted tunnels (IPsec, WireGuard etc.): usable by any app protocol; coarse-grained, higher performance
● Cilium mTLS: combine the two (Cilium-specific solution: the mutual authentication handshake is decoupled from the per-packet encryption, which the tunnel provides)
● Not full GA yet (Cilium 1.14?)