Kernel advantages for Istio realized with Cilium
#IstioDay July 17th, 2018
Romain Lenglet
Chief Architect
Cynthia Thomas
Technology Evangelist
@ciliumproject
Cilium provides massive performance gains for Istio
[Diagram: the k8s network security stack drawn as three layers, with Istio and Cilium labelled against the layers each one covers]
- Fabric (CNI): IPAM, connectivity, filtering
- Service Mesh: routing, tracing, authn/z
- Policy Management: change management, audit
Cilium complements Istio
[Diagram: a pod containing the app and its sidecar proxy, with cilium alongside and the Istio control plane components (pilot, policy, telemetry, citadel); the arrows distinguish Istio control plane traffic, application traffic over TCPv4, and other traffic (IPv6, UDP, ICMP)]
Datapath considerations
§ Istio redirects most TCP connections to Envoy
- Uses iptables within the pod
§ CNI plugin enforces NetworkPolicy on all traffic:
- App traffic redirected to Istio proxy (Envoy)
- App traffic not redirected
- IPv6, UDP
- Connections to services outside of cluster
- Istio control plane traffic
[Diagram: CNI datapath inside a pod: the app socket and the sidecar proxy socket each pass through TCP/IP, iptables (REDIRECT / TPROXY) and Ethernet over lo, and the pod's traffic leaves through eth0]
Demo time!
§ Setup: Bookinfo App! (of course – what else?)
§ Breach! Bypass the sidecar proxy to get out of a pod.
§ Enforce a Network Policy at the Fabric layer to circumvent a compromised container's egress traffic.
Why you need a CNI
§ CNI plugin enforces NetworkPolicy on all traffic in and out of a pod
§ Think about egress traffic and services outside of the Service Mesh
§ Known breaches take advantage of gaps in policy of egress traffic
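The fabric-layer egress policy that the demo applies to a compromised Bookinfo pod, written out as an added example (not the talk's own material). It assumes Bookinfo is deployed in namespace default with the upstream app= labels, Istio's control plane runs in istio-system, and cluster DNS is the kube-dns pod in kube-system; it targets the cilium.io/v2 CiliumNetworkPolicy API shipped with Cilium 1.1.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: productpage-egress
  namespace: default
spec:
  description: >-
    Egress allow-list for the Bookinfo productpage pod, enforced by BPF on
    every packet leaving the pod, including traffic that never reaches the
    Envoy sidecar (UDP, IPv6, or a process that sidesteps the iptables
    REDIRECT). Egress not matched by a rule below is dropped.
  endpointSelector:
    matchLabels:
      app: productpage
  egress:
  # The only in-mesh services productpage legitimately calls (Bookinfo labels assumed).
  - toEndpoints:
    - matchLabels:
        app: details
    - matchLabels:
        app: reviews
    toPorts:
    - ports:
      - port: "9080"
        protocol: TCP
  # Cluster DNS is UDP, so the sidecar never sees it; only the CNI policy covers it.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
  # The sidecar's own control-plane traffic (pilot, mixer, citadel) is not
  # redirected either; the policy is per pod, so it must be allowed explicitly.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": istio-system
```

Because the policy is enforced per endpoint (the whole pod), it governs the application container and the Envoy sidecar alike, which is why the istio-system rule is needed for the mesh to keep working while everything else, including connections to services outside the cluster, is dropped.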
Integration architecture
§ Comprehensive L3-L7 policy language
§ L7 enforcement using shared Envoy proxy
  § Cilium-specific filters
  § Applies to clear traffic (mTLS support)
§ L3/L4 enforcement using BPF in-kernel
  § Applies to all traffic, incl. Istio control plane & egress traffic
[Diagram: in userspace, the pod's app and sidecar proxy with cilium filters enforcing L7, next to the cilium agent; in kernelspace, a BPF program enforcing L3 + L4]
BPF for the win
"With BPF, superpowers are coming to Linux" - Brendan Gregg, Lead Performance Engineer, Netflix
Transparent proxy redirection optimization
[Diagram: before and after. Without the optimization, a connection from the app socket is redirected by iptables (REDIRECT / TPROXY) to the sidecar proxy socket, traversing TCP/IP, iptables and Ethernet over lo before leaving through eth0. With the BPF program loaded by the cilium agent, the app and sidecar proxy sockets are joined directly in the kernel, for both the connection handshake and the established connection, skipping the extra TCP/IP, iptables and Ethernet passes]
TLS kernel offload using BPF
§ kTLS – TLS encryption / decryption offload to kernel
§ ~4% CPU gain
§ Transparent to process
§ Proxy offload
- In-kernel Istio mTLS
§ App offload
- Visibility into end-to-end TLS connections, e.g. to AWS services
- Cilium L7 enforcement
- Istio L7 routing, etc.
Call to Action!
§ Try Cilium with Istio!
http://docs.cilium.io/en/v1.1/gettingstarted/istio/
§ Follow us on Twitter: @ciliumproject
- @romainlenglet
- @_techcet_
§ Join us on Slack! cilium.io/slack
