SlideShare a Scribd company logo

Explore the World of Cilium, Tetragon & eBPF

Raphaël PINSON
Raphaël PINSON

Come explore the World of Cilium with us! In this workshop, you'll have the opportunity to discover about Cilium and Tetragon, and the kernel technology that makes them possible, eBPF. Through a collection of hands-on labs (available at https://labs-map.isovalent.com/) and the presenter's support, you'll be able to explore many topics covering Cloud Native Networking, Security, and Observability. In this gamified approach, you'll also be able to earn badges for completing labs. Whether you're a Platform Engineer, SRE, Network Engineer, SecOps Professional, Cloud Architect, and more, you'll certainly find subjects to explore in this session!

Technology
1 of 66
Download to read offline
Raphaël Pinson | @raphink | @raphink@mastodon.social 🧪 Cilium Alchemist, Isovalent Explore the World of Cilium, Tetragon & eBPF
⬢ Principles Cilium & eBPF Cloud Native Networking & Security
⬢ Principles ⬢ Networking Cilium & eBPF Cloud Native Networking & Security
⬢ Principles ⬢ Networking ⬢ Cluster Mesh Cilium & eBPF Cloud Native Networking & Security
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security Cilium & eBPF Cloud Native Networking & Security
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability Cilium & eBPF Cloud Native Networking & Security
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh Cilium & eBPF Cloud Native Networking & Security
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
Who am I Raphaël Pinson Cilium Alchemist @ Isovalent CNCF Ambassador
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
● Open Source Projects ● Company behind Cilium ● Provides Cilium Enterprise
Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel”
Run eBPF programs on events Attachment points ● Kernel functions (kprobes) ● Userspace functions (uprobe) ● System calls ● Tracepoints ● Sockets (data level) ● Network devices (packet level) ● Network device (DMA level) [XDP] ● ...
eBPF documentary https://isogo.to/ebpf-documentary
What is Cilium? At the foundation of Cilium is the new Linux kernel technology eBPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic within Linux itself. Besides providing traditional network level security, the flexibility of BPF enables security on API and process level to secure communication within a container or pod. Read More ● Networking & Load-Balancing ○ CNI, Kubernetes Services, Multi-cluster, VM Gateway ● Network Security ○ Network Policy, Identity-based, Encryption ● Observability ○ Metrics, Flow Visibility, Service Dependency
- Networking - Security - Observability - Service Mesh & Ingress -based: Foundation Created by Technology
Cilium has Graduated!
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
Kubernetes Networking Networking plugin ● Network devices ● IP Address Management ● Intra-node connectivity ● Inter-node connectivity Kube Proxy ● Services ● iptables or ipvs ● Service discovery
Kubernetes Networking ● Agent on each node ● Tunneling or Direct Routing ● eBPF native dataplane ● kube-proxy replacement.
Kubernetes Services East-west connectivity ● Durable abstraction ● Connect applications ● Ephemeral addresses ● High churn ● Iptables or ipvs
Kubernetes Services kube-proxy / iptables ● Linear list / sieve ● All rules have to be replaced as a whole eBPF based ● Per-CPU hash table ⇒ more performant ● Native metadata => Cloud Native routing
Egress Gateway
Platform Integration
node1 30 pod 192.168.1.1 pod 192.168.1.4 CiliumNode CRD metadata: name: node1 spec: eni: instance-id: i-123 instance-type: m4.large preallocate: “8” security-groups: - sg1 - sg2 ipam: available: - 192.168.1.1 - 192.168.1.2 - 192.168.1.3 - 192.168.1.4 status: ipam: used: - 192.168.1.1 - 192.168.1.4 Agent Report used IPs Use IPs Operator Make IPs available Init Read ENI parameters Native Cloud Support Alibaba, AWS, Azure, Google
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
Cluster Mesh - Introduction
Cluster Mesh - High Availability
Cluster Mesh - Shared Services
Cluster Mesh - Splitting Services
Cluster Mesh - Local Service Affinity
Cluster Mesh - Remote Service Affinity
Cluster Mesh - Local Service Affinity
Cluster Mesh - Remote Service Affinity
Cluster Mesh with Service Mesh Canary Rollout to other Cluster
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
Identity-based Security
API-aware Authorization
Cassandra Cilium Network Policy Example
DNS-aware Cilium Network Policy
L3 Matching Capabilities Kubernetes ● Pod labels ● Namespace name & labels ● ServiceAccount name ● Service names ● Cluster names DNS Names ● FQDN and regular expression CIDR ● CIDR blocks with exceptions Cloud Providers ● Instance labels ● VPC/Subnet name/tags ● Security group name Logical Entities ● Everything inside cluster ● Everything outside cluster ● Local host ● ...
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
What is Hubble?
Flow Visibility $ kubectl get pods NAME READY STATUS RESTARTS AGE tiefighter 1/1 Running 0 2m34s xwing 1/1 Running 0 2m34s deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s $ hubble observe --follow -l class=xwing # DNS lookup to coredns default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP) kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP) # ... # Successful HTTPS request to www.disney.com default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN) default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST) # ... # Blocked HTTP request to deathstar backend default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN) Flow Metadata ‒ Ethernet headers ‒ IP & ICMP headers ‒ UDP/TCP ports, TCP flags ‒ HTTP, DNS, Kafka, ... Kubernetes ‒ Pod names and labels ‒ Service names ‒ Worker node names DNS (if available) ‒ FQDN for source and destination Cilium ‒ Security identities and endpoints ‒ Drop reasons ‒ Policy verdict matches
Service Map
Cilium & Grafana Integration
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
Introduction
Bring your own Control Plane
Service Mesh Evolution
Sidecar vs per-Node Proxy Total number of proxies required
Traffic Management - L3/L4 forwarding & Load-balancing - Canary, Topology Aware Routing - Multi-cluster Security - Network Policy - mTLS Observability - Tracing, OpenTelemetry, & Metrics - HTTP, TLS, DNS, TCP, UDP, … eBPF Native (no sidecar) Proxy Traffic Management - L7 Load-balancing & Ingress Resilience - Retries, L7 Rate Limiting Security - TLS Termination & Origination When eBPF cannot do it Whenever possible
Performance Impact of a Sidecar
⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
@lizrice Cilium Tetragon ● New open source project in Cilium ● eBPF based = high performance and zero modifications required to app ● Hooks into kernel functions after parameters are copied ● Adds contextual information about Kubernetes objects ● Preventative capabilities github.com/cilium/tetragon
Tetragon
Process Tree View
OSS Community eBPF-based Networking, Observability, Security cilium.io cilium.slack.com Regular news Learn more! Base technology The revolution in the Linux kernel, safely and efficiently extending the capabilities of the kernel. ebpf.io What is eBPF? - ebook For the Enterprise Hardened, enterprise-grade eBPF-powered networking, observability, and security. isovalent.com/product isovalent.com/labs
Practical Labs … to become a Cilium & eBPF Jedi Get badges 🏅 @raphink | @raphink@mastodon.social
Which eBee are you? @raphink | @raphink@mastodon.social Cloud Network Engineer Platform Engineer SecOps Engineer https://isogo.to/cfgmgmtcamp24
All major cloud providers have picked -based Networking & Security for their Kubernetes platforms @raphink | @raphink@mastodon.social How about you?
eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @raphink@mastodon.social
Thank you!

Recommended

ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNGerardo Pardo-Castellote
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCynthia Thomas
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
 
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...Indonesia Network Operators Group
 
How to Implement SDN Technology in ITB
How to Implement SDN Technology in ITBHow to Implement SDN Technology in ITB
How to Implement SDN Technology in ITBSDNRG ITB
 

Recommended

ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNGerardo Pardo-Castellote
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCynthia Thomas
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
 
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...Indonesia Network Operators Group
 
How to Implement SDN Technology in ITB
How to Implement SDN Technology in ITBHow to Implement SDN Technology in ITB
How to Implement SDN Technology in ITBSDNRG ITB
 
Docker network performance in the public cloud
Docker network performance in the public cloudDocker network performance in the public cloud
Docker network performance in the public cloudContainerCamp
 
Docker network performance in the public cloud
Docker network performance in the public cloudDocker network performance in the public cloud
Docker network performance in the public cloudArjan Schaaf
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoAndrew Randall
 
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...UA DevOps Conference
 
Opnfv & odl case study slides
Opnfv & odl case study slidesOpnfv & odl case study slides
Opnfv & odl case study slidesChristopher Price
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
What is a Service Mesh and what can it do for your Microservices
What is a Service Mesh and what can it do for your MicroservicesWhat is a Service Mesh and what can it do for your Microservices
What is a Service Mesh and what can it do for your MicroservicesMatt Turner
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackDaisuke Nakajima
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Kublr
 
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'OpenStack Korea Community
 
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...nvirters
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingStorage Switzerland
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining Tail-f Systems
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...Christian Esteve Rothenberg
 
State of the OpenDaylight Union
State of the OpenDaylight UnionState of the OpenDaylight Union
State of the OpenDaylight UnionOpen Networking Summit
 
Openstack Neutron & Interconnections with BGP/MPLS VPNs
Openstack Neutron & Interconnections with BGP/MPLS VPNsOpenstack Neutron & Interconnections with BGP/MPLS VPNs
Openstack Neutron & Interconnections with BGP/MPLS VPNsThomas Morin
 
Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulMitchell Pronschinske
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesPLUMgrid
 
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Raphaël PINSON
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfRaphaël PINSON
 

More Related Content

Similar to Explore the World of Cilium, Tetragon & eBPF

Docker network performance in the public cloud
Docker network performance in the public cloudDocker network performance in the public cloud
Docker network performance in the public cloudContainerCamp
 
Docker network performance in the public cloud
Docker network performance in the public cloudDocker network performance in the public cloud
Docker network performance in the public cloudArjan Schaaf
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoAndrew Randall
 
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...UA DevOps Conference
 
Opnfv & odl case study slides
Opnfv & odl case study slidesOpnfv & odl case study slides
Opnfv & odl case study slidesChristopher Price
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
What is a Service Mesh and what can it do for your Microservices
What is a Service Mesh and what can it do for your MicroservicesWhat is a Service Mesh and what can it do for your Microservices
What is a Service Mesh and what can it do for your MicroservicesMatt Turner
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackDaisuke Nakajima
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Kublr
 
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'OpenStack Korea Community
 
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...nvirters
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingStorage Switzerland
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining Tail-f Systems
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...Christian Esteve Rothenberg
 
Openstack Neutron & Interconnections with BGP/MPLS VPNs
Openstack Neutron & Interconnections with BGP/MPLS VPNsOpenstack Neutron & Interconnections with BGP/MPLS VPNs
Openstack Neutron & Interconnections with BGP/MPLS VPNsThomas Morin
 
Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulMitchell Pronschinske
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesPLUMgrid
 

Similar to Explore the World of Cilium, Tetragon & eBPF (20)

Docker network performance in the public cloud
Docker network performance in the public cloudDocker network performance in the public cloud
Docker network performance in the public cloud
 
Docker network performance in the public cloud
Docker network performance in the public cloudDocker network performance in the public cloud
Docker network performance in the public cloud
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
Simplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project CalicoSimplifying and Securing your OpenShift Network with Project Calico
Simplifying and Securing your OpenShift Network with Project Calico
 
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
 
Opnfv & odl case study slides
Opnfv & odl case study slidesOpnfv & odl case study slides
Opnfv & odl case study slides
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
What is a Service Mesh and what can it do for your Microservices
What is a Service Mesh and what can it do for your MicroservicesWhat is a Service Mesh and what can it do for your Microservices
What is a Service Mesh and what can it do for your Microservices
 
Contrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and OpenstackContrail integrated with Kubernetes and Openstack
Contrail integrated with Kubernetes and Openstack
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
 
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
 
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open Networking
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
 
State of the OpenDaylight Union
State of the OpenDaylight UnionState of the OpenDaylight Union
State of the OpenDaylight Union
 
Openstack Neutron & Interconnections with BGP/MPLS VPNs
Openstack Neutron & Interconnections with BGP/MPLS VPNsOpenstack Neutron & Interconnections with BGP/MPLS VPNs
Openstack Neutron & Interconnections with BGP/MPLS VPNs
 
Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and Consul
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use Cases
 

More from Raphaël PINSON

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Raphaël PINSON
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfRaphaël PINSON
 
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...Raphaël PINSON
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRaphaël PINSON
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersCfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersRaphaël PINSON
 
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdfRaphaël PINSON
 
The Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological DebtThe Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological DebtRaphaël PINSON
 
YAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigmYAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigmRaphaël PINSON
 
Container Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuildsContainer Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuildsRaphaël PINSON
 
K9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In StyleK9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In StyleRaphaël PINSON
 
Bivac - Container Volumes Backup
Bivac - Container Volumes BackupBivac - Container Volumes Backup
Bivac - Container Volumes BackupRaphaël PINSON
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates RenewalRaphaël PINSON
 
Running the Puppet Stack in Containers
Running the Puppet Stack in ContainersRunning the Puppet Stack in Containers
Running the Puppet Stack in ContainersRaphaël PINSON
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates RenewalRaphaël PINSON
 
Narcissus — mapping configs in Go
Narcissus — mapping configs in GoNarcissus — mapping configs in Go
Narcissus — mapping configs in GoRaphaël PINSON
 
FTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigmFTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigmRaphaël PINSON
 
Puppet Test Driven Development with Travis CI and Docker
Puppet Test Driven Development with Travis CI and DockerPuppet Test Driven Development with Travis CI and Docker
Puppet Test Driven Development with Travis CI and DockerRaphaël PINSON
 

More from Raphaël PINSON (20)

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdfKCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
 
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamique
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersCfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF Superpowers
 
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
 
SKS in git ops mode
SKS in git ops modeSKS in git ops mode
SKS in git ops mode
 
The Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological DebtThe Hare and the Tortoise: Open Source, Standards & Technological Debt
The Hare and the Tortoise: Open Source, Standards & Technological Debt
 
Devops stack
Devops stackDevops stack
Devops stack
 
YAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigmYAML Engineering: why we need a new paradigm
YAML Engineering: why we need a new paradigm
 
Container Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuildsContainer Security: a toolchain for automatic image rebuilds
Container Security: a toolchain for automatic image rebuilds
 
K9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In StyleK9s - Kubernetes CLI To Manage Your Clusters In Style
K9s - Kubernetes CLI To Manage Your Clusters In Style
 
Argocd up and running
Argocd up and runningArgocd up and running
Argocd up and running
 
Bivac - Container Volumes Backup
Bivac - Container Volumes BackupBivac - Container Volumes Backup
Bivac - Container Volumes Backup
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates Renewal
 
Running the Puppet Stack in Containers
Running the Puppet Stack in ContainersRunning the Puppet Stack in Containers
Running the Puppet Stack in Containers
 
Automating Puppet Certificates Renewal
Automating Puppet Certificates RenewalAutomating Puppet Certificates Renewal
Automating Puppet Certificates Renewal
 
Narcissus — mapping configs in Go
Narcissus — mapping configs in GoNarcissus — mapping configs in Go
Narcissus — mapping configs in Go
 
FTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigmFTTH Factory — an illustration of the "Everything as Code" paradigm
FTTH Factory — an illustration of the "Everything as Code" paradigm
 
Puppet Test Driven Development with Travis CI and Docker
Puppet Test Driven Development with Travis CI and DockerPuppet Test Driven Development with Travis CI and Docker
Puppet Test Driven Development with Travis CI and Docker
 

Recently uploaded

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Explore the World of Cilium, Tetragon & eBPF

  • 1. Raphaël Pinson | @raphink | @raphink@mastodon.social 🧪 Cilium Alchemist, Isovalent Explore the World of Cilium, Tetragon & eBPF
  • 2. ⬢ Principles Cilium & eBPF Cloud Native Networking & Security
  • 3. ⬢ Principles ⬢ Networking Cilium & eBPF Cloud Native Networking & Security
  • 4. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh Cilium & eBPF Cloud Native Networking & Security
  • 5. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security Cilium & eBPF Cloud Native Networking & Security
  • 6. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability Cilium & eBPF Cloud Native Networking & Security
  • 7. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh Cilium & eBPF Cloud Native Networking & Security
  • 8. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 9. Who am I Raphaël Pinson Cilium Alchemist @ Isovalent CNCF Ambassador
  • 10. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 11. ● Open Source Projects ● Company behind Cilium ● Provides Cilium Enterprise
  • 12.
  • 13. Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel”
  • 14. Run eBPF programs on events Attachment points ● Kernel functions (kprobes) ● Userspace functions (uprobe) ● System calls ● Tracepoints ● Sockets (data level) ● Network devices (packet level) ● Network device (DMA level) [XDP] ● ...
  • 16. What is Cilium? At the foundation of Cilium is the new Linux kernel technology eBPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic within Linux itself. Besides providing traditional network level security, the flexibility of BPF enables security on API and process level to secure communication within a container or pod. Read More ● Networking & Load-Balancing ○ CNI, Kubernetes Services, Multi-cluster, VM Gateway ● Network Security ○ Network Policy, Identity-based, Encryption ● Observability ○ Metrics, Flow Visibility, Service Dependency
  • 17.
  • 18. - Networking - Security - Observability - Service Mesh & Ingress -based: Foundation Created by Technology
  • 20. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 21. Kubernetes Networking Networking plugin ● Network devices ● IP Address Management ● Intra-node connectivity ● Inter-node connectivity Kube Proxy ● Services ● iptables or ipvs ● Service discovery
  • 22. Kubernetes Networking ● Agent on each node ● Tunneling or Direct Routing ● eBPF native dataplane ● kube-proxy replacement.
  • 23. Kubernetes Services East-west connectivity ● Durable abstraction ● Connect applications ● Ephemeral addresses ● High churn ● Iptables or ipvs
  • 24. Kubernetes Services kube-proxy / iptables ● Linear list / sieve ● All rules have to be replaced as a whole eBPF based ● Per-CPU hash table ⇒ more performant ● Native metadata => Cloud Native routing
  • 27. node1 30 pod 192.168.1.1 pod 192.168.1.4 CiliumNode CRD metadata: name: node1 spec: eni: instance-id: i-123 instance-type: m4.large preallocate: “8” security-groups: - sg1 - sg2 ipam: available: - 192.168.1.1 - 192.168.1.2 - 192.168.1.3 - 192.168.1.4 status: ipam: used: - 192.168.1.1 - 192.168.1.4 Agent Report used IPs Use IPs Operator Make IPs available Init Read ENI parameters Native Cloud Support Alibaba, AWS, Azure, Google
  • 28. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 29. Cluster Mesh - Introduction
  • 30. Cluster Mesh - High Availability
  • 31. Cluster Mesh - Shared Services
  • 32. Cluster Mesh - Splitting Services
  • 33. Cluster Mesh - Local Service Affinity
  • 34. Cluster Mesh - Remote Service Affinity
  • 35. Cluster Mesh - Local Service Affinity
  • 36. Cluster Mesh - Remote Service Affinity
  • 37. Cluster Mesh with Service Mesh Canary Rollout to other Cluster
  • 38. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 41. Cassandra Cilium Network Policy Example
  • 43. L3 Matching Capabilities Kubernetes ● Pod labels ● Namespace name & labels ● ServiceAccount name ● Service names ● Cluster names DNS Names ● FQDN and regular expression CIDR ● CIDR blocks with exceptions Cloud Providers ● Instance labels ● VPC/Subnet name/tags ● Security group name Logical Entities ● Everything inside cluster ● Everything outside cluster ● Local host ● ...
  • 44. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 46. Flow Visibility $ kubectl get pods NAME READY STATUS RESTARTS AGE tiefighter 1/1 Running 0 2m34s xwing 1/1 Running 0 2m34s deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s $ hubble observe --follow -l class=xwing # DNS lookup to coredns default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP) kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP) # ... # Successful HTTPS request to www.disney.com default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN) default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST) # ... # Blocked HTTP request to deathstar backend default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN) Flow Metadata ‒ Ethernet headers ‒ IP & ICMP headers ‒ UDP/TCP ports, TCP flags ‒ HTTP, DNS, Kafka, ... Kubernetes ‒ Pod names and labels ‒ Service names ‒ Worker node names DNS (if available) ‒ FQDN for source and destination Cilium ‒ Security identities and endpoints ‒ Drop reasons ‒ Policy verdict matches
  • 48. Cilium & Grafana Integration
  • 49. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 51. Bring your own Control Plane
  • 53. Sidecar vs per-Node Proxy Total number of proxies required
  • 54. Traffic Management - L3/L4 forwarding & Load-balancing - Canary, Topology Aware Routing - Multi-cluster Security - Network Policy - mTLS Observability - Tracing, OpenTelemetry, & Metrics - HTTP, TLS, DNS, TCP, UDP, … eBPF Native (no sidecar) Proxy Traffic Management - L7 Load-balancing & Ingress Resilience - Retries, L7 Rate Limiting Security - TLS Termination & Origination When eBPF cannot do it Whenever possible
  • 56. ⬢ Principles ⬢ Networking ⬢ Cluster Mesh ⬢ Security ⬢ Observability ⬢ Service Mesh ⬢ Tetragon Cilium & eBPF Cloud Native Networking & Security
  • 57. @lizrice Cilium Tetragon ● New open source project in Cilium ● eBPF based = high performance and zero modifications required to app ● Hooks into kernel functions after parameters are copied ● Adds contextual information about Kubernetes objects ● Preventative capabilities github.com/cilium/tetragon
  • 60. OSS Community eBPF-based Networking, Observability, Security cilium.io cilium.slack.com Regular news Learn more! Base technology The revolution in the Linux kernel, safely and efficiently extending the capabilities of the kernel. ebpf.io What is eBPF? - ebook For the Enterprise Hardened, enterprise-grade eBPF-powered networking, observability, and security. isovalent.com/product isovalent.com/labs
  • 61.
  • 62. Practical Labs … to become a Cilium & eBPF Jedi Get badges 🏅 @raphink | @raphink@mastodon.social
  • 63. Which eBee are you? @raphink | @raphink@mastodon.social Cloud Network Engineer Platform Engineer SecOps Engineer https://isogo.to/cfgmgmtcamp24
  • 64. All major cloud providers have picked -based Networking & Security for their Kubernetes platforms @raphink | @raphink@mastodon.social How about you?
  • 65. eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @raphink@mastodon.social