SlideShare a Scribd company logo

Kubernetes with Cilium in AWS - Experience Report!

QAware GmbH
QAware GmbH

Cloud Native Night, Munich, September 2023, Bernhard Schaidhammer === Please download slides if blurred! === Cilium is a powerful tool for network policies and also encryption between the Kubernetes nodes. Cilium hooks deep into Kubernetes in the network stack as an plugin and can even replace the AWS CNI Plugin. This talk will share our project experiences. Topics involve: - Network Policies - Encryption - Hubble (Observability) - Installation - CLI Usage (Hubble / Cilium)

Software
1 of 17
Download to read offline
qaware.de Cilium and Hubble Bernhard Schaidhammer
Cilium and Hubble 1. What is Cilium? 2. The setting? 3. eBPF 4. Network Policies 5. Hubble 6. My experience so far
What is Cilium? Cilium is an open source software for providing, securing and observing network connectivity between container workloads - cloud native, and fueled by the revolutionary Kernel technology eBPF. Cilium is an open-source eBPF-based networking, security und observability plugin for kubernetes Cilium is a CNI = (Container Network Interface) https://cilium.io/
Cilium
The Setting ● We want security and observability ● Linux is wide spread in the container/cloud landscape ● Encryption, Observability & Security must be installed on top in the user space ○ Limited access to kernel resources ○ Often sidecar proxy ○ Kernelmodule -> Complex and there are runtime risks
eBPF basics - https://ebpf.io/ extended Berkley Paket Filter ● Also known as “General purpose execution engine”. 1. Part of the linux kernel 2. Can run sandboxed programs in an privileged context 3. Extending kernel capabilities safely and efficiently without changing the kernel code 4. Compiled natively with a JIT 5. Protected through a verifier Example: Manipulating TCP/IP Traffic or collecting metrices
Cilium
Cilium Identities ● Kubernetes is dynamic in nature (Pod Scaling, …). ● In Kubernetes each pod has it’s own ip address and all it’s ports available. ● Cilium abstracts network security from network addresses ● => Security is based on identities - on kubernetes labels
Cilium Network Policies Network Policies work on the “Default Deny Principle” ● Identity based network security. Based on kubernetes labels. Beispiel: Label app=my-cat-gw is allowed to connect to app=my-cat-backend ● Layer 4 capabilities are also possible Beispiel: my-cat-gw darf nur auf Port 8080 von my-cat-backend zugreifen ● Layer 7 (HTTP und RPC) policies are possible.* Beispiel: my-cat-gw can access /api/cat-shop/articles/[0-9]+ with GET. *Standard Kubernetes Network Policies cannot do that.
Cilium Network Policies ● Cilium’s network policies can also be based on DNS. Example: Label my-cat-service can access api.cat.com ● Cilium learns the IP address and will allow or deny traffic ● Wildcard mechanism Example: *.catz.com DONT: Use DNS based network policies for cluster internal communication. Use pure identity based policies.
Cilium Network Policies Some examples
Hubble Hubble is a fully distributed networking and security observability platform. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.
Hubble ● Hubble has its own web ui ● Hubble also has a command line tool ○ it is possible to filter for dropped packages ● Hubble is able to export metrices (e.g. prometheus)
Cilium & Hubble Hands-On
My experiences so far ● Network policies are very powerful ● Communication encryption was very easy to set up ● Seems to be working very stable ● Hubble is extremely good at showing the network flow of the cluster Insecurities: ● Still sometimes very complex ● Updating cilium can be cumbersome ○ When updating kubernetes itself we faced some stability issues in integration ● Didn’t try every feature yet. Still much to learn
Thank you very much, do you have any questions? Have a nice evening ! :-)
And a few links if you like… information: https://blog.container-solutions.com/wtf-is-cilium https://cilium.io/ https://b-nova.com/home/content/ebpf-based-networking-with-cilium https://www.youtube.com/watch?v=H5RqSAX-eo4&t=584s Network Policy: Editor: https://networkpolicy.io/ - Visualising network policies. https://docs.cilium.io/

Recommended

OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebula Project
 
Enabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaEnabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaNETWAYS
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetesJuraj Hantak
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesAdam Hamsik
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 

Recommended

OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebula Project
 
Enabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaEnabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaNETWAYS
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetesJuraj Hantak
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfContainerDays Hamburg 2023 — Cilium Workshop.pdf
ContainerDays Hamburg 2023 — Cilium Workshop.pdfRaphaël PINSON
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesAdam Hamsik
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfJuan Vicente Herrera Ruiz de Alejo
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWSKasun Madura Rathnayaka
 
OpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronOpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronPhil Estes
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
 
Explore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFExplore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFRaphaël PINSON
 
End-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTEnd-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTBenjamin Cabé
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Kubernetes Security Best Practices for DevOps
Kubernetes Security Best Practices for DevOpsKubernetes Security Best Practices for DevOps
Kubernetes Security Best Practices for DevOpsDevOps.com
 
Protecting host with calico
Protecting host with calicoProtecting host with calico
Protecting host with calicoAnirban Sen Chowdhary
 
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...Ceph Community
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
CoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at ExoscaleCoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at ExoscaleAntoine COETSIER
 
Kubernetes
KubernetesKubernetes
KubernetesLinjith Kunnon
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Lessson 2
Lessson 2Lessson 2
Lessson 2MLG College of Learning, Inc
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudAll Things Open
 
Introduction to Filecoin
Introduction to Filecoin Introduction to Filecoin
Introduction to Filecoin Vanessa Lošić
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdfQAware GmbH
 
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...QAware GmbH
 

More Related Content

Similar to Kubernetes with Cilium in AWS - Experience Report!

OpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronOpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronPhil Estes
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
 
Explore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFExplore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFRaphaël PINSON
 
End-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTEnd-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTBenjamin Cabé
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Kubernetes Security Best Practices for DevOps
Kubernetes Security Best Practices for DevOpsKubernetes Security Best Practices for DevOps
Kubernetes Security Best Practices for DevOpsDevOps.com
 
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...Ceph Community
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
CoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at ExoscaleCoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at ExoscaleAntoine COETSIER
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudAll Things Open
 
Introduction to Filecoin
Introduction to Filecoin Introduction to Filecoin
Introduction to Filecoin Vanessa Lošić
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 

Similar to Kubernetes with Cilium in AWS - Experience Report! (20)

Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 
OpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronOpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with Neutron
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
 
Explore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPFExplore the World of Cilium, Tetragon & eBPF
Explore the World of Cilium, Tetragon & eBPF
 
End-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoTEnd-to-end IoT solutions with Java and Eclipse IoT
End-to-end IoT solutions with Java and Eclipse IoT
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Kubernetes Security Best Practices for DevOps
Kubernetes Security Best Practices for DevOpsKubernetes Security Best Practices for DevOps
Kubernetes Security Best Practices for DevOps
 
Protecting host with calico
Protecting host with calicoProtecting host with calico
Protecting host with calico
 
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
Ceph Day Amsterdam 2015 - Deploying flash storage for Ceph without compromisi...
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container Platform
 
CoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at ExoscaleCoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at Exoscale
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
Lessson 2
Lessson 2Lessson 2
Lessson 2
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack Cloud
 
Introduction to Filecoin
Introduction to Filecoin Introduction to Filecoin
Introduction to Filecoin
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 

More from QAware GmbH

50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdfQAware GmbH
 
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...QAware GmbH
 
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN MainzFully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN MainzQAware GmbH
 
Down the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile ArchitectureDown the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile ArchitectureQAware GmbH
 
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!QAware GmbH
 
Make Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform EngineeringMake Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform EngineeringQAware GmbH
 
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit PlaywrightDer Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit PlaywrightQAware GmbH
 
Was kommt nach den SPAs
Was kommt nach den SPAsWas kommt nach den SPAs
Was kommt nach den SPAsQAware GmbH
 
Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo QAware GmbH
 
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See... Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...QAware GmbH
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster QAware GmbH
 
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.QAware GmbH
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s AutoscalingQAware GmbH
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPQAware GmbH
 
Service Mesh Pain & Gain. Experiences from a client project.
Service Mesh Pain & Gain. Experiences from a client project.Service Mesh Pain & Gain. Experiences from a client project.
Service Mesh Pain & Gain. Experiences from a client project.QAware GmbH
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s AutoscalingQAware GmbH
 
Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.QAware GmbH
 
Per Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API GatewaysPer Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API GatewaysQAware GmbH
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster QAware GmbH
 
How to speed up Spring Integration Tests
How to speed up Spring Integration TestsHow to speed up Spring Integration Tests
How to speed up Spring Integration TestsQAware GmbH
 

More from QAware GmbH (20)

50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf
 
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
 
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN MainzFully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
 
Down the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile ArchitectureDown the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile Architecture
 
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
 
Make Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform EngineeringMake Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform Engineering
 
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit PlaywrightDer Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
 
Was kommt nach den SPAs
Was kommt nach den SPAsWas kommt nach den SPAs
Was kommt nach den SPAs
 
Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo
 
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See... Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
 
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
 
Service Mesh Pain & Gain. Experiences from a client project.
Service Mesh Pain & Gain. Experiences from a client project.Service Mesh Pain & Gain. Experiences from a client project.
Service Mesh Pain & Gain. Experiences from a client project.
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling
 
Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.
 
Per Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API GatewaysPer Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API Gateways
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
 
How to speed up Spring Integration Tests
How to speed up Spring Integration TestsHow to speed up Spring Integration Tests
How to speed up Spring Integration Tests
 

Recently uploaded

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 

Recently uploaded (20)

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 

Kubernetes with Cilium in AWS - Experience Report!

  • 2. Cilium and Hubble 1. What is Cilium? 2. The setting? 3. eBPF 4. Network Policies 5. Hubble 6. My experience so far
  • 3. What is Cilium? Cilium is an open source software for providing, securing and observing network connectivity between container workloads - cloud native, and fueled by the revolutionary Kernel technology eBPF. Cilium is an open-source eBPF-based networking, security und observability plugin for kubernetes Cilium is a CNI = (Container Network Interface) https://cilium.io/
  • 5. The Setting ● We want security and observability ● Linux is wide spread in the container/cloud landscape ● Encryption, Observability & Security must be installed on top in the user space ○ Limited access to kernel resources ○ Often sidecar proxy ○ Kernelmodule -> Complex and there are runtime risks
  • 6. eBPF basics - https://ebpf.io/ extended Berkley Paket Filter ● Also known as “General purpose execution engine”. 1. Part of the linux kernel 2. Can run sandboxed programs in an privileged context 3. Extending kernel capabilities safely and efficiently without changing the kernel code 4. Compiled natively with a JIT 5. Protected through a verifier Example: Manipulating TCP/IP Traffic or collecting metrices
  • 8. Cilium Identities ● Kubernetes is dynamic in nature (Pod Scaling, …). ● In Kubernetes each pod has it’s own ip address and all it’s ports available. ● Cilium abstracts network security from network addresses ● => Security is based on identities - on kubernetes labels
  • 9. Cilium Network Policies Network Policies work on the “Default Deny Principle” ● Identity based network security. Based on kubernetes labels. Beispiel: Label app=my-cat-gw is allowed to connect to app=my-cat-backend ● Layer 4 capabilities are also possible Beispiel: my-cat-gw darf nur auf Port 8080 von my-cat-backend zugreifen ● Layer 7 (HTTP und RPC) policies are possible.* Beispiel: my-cat-gw can access /api/cat-shop/articles/[0-9]+ with GET. *Standard Kubernetes Network Policies cannot do that.
  • 10. Cilium Network Policies ● Cilium’s network policies can also be based on DNS. Example: Label my-cat-service can access api.cat.com ● Cilium learns the IP address and will allow or deny traffic ● Wildcard mechanism Example: *.catz.com DONT: Use DNS based network policies for cluster internal communication. Use pure identity based policies.
  • 12. Hubble Hubble is a fully distributed networking and security observability platform. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.
  • 13. Hubble ● Hubble has its own web ui ● Hubble also has a command line tool ○ it is possible to filter for dropped packages ● Hubble is able to export metrices (e.g. prometheus)
  • 15. My experiences so far ● Network policies are very powerful ● Communication encryption was very easy to set up ● Seems to be working very stable ● Hubble is extremely good at showing the network flow of the cluster Insecurities: ● Still sometimes very complex ● Updating cilium can be cumbersome ○ When updating kubernetes itself we faced some stability issues in integration ● Didn’t try every feature yet. Still much to learn
  • 16. Thank you very much, do you have any questions? Have a nice evening ! :-)
  • 17. And a few links if you like… information: https://blog.container-solutions.com/wtf-is-cilium https://cilium.io/ https://b-nova.com/home/content/ebpf-based-networking-with-cilium https://www.youtube.com/watch?v=H5RqSAX-eo4&t=584s Network Policy: Editor: https://networkpolicy.io/ - Visualising network policies. https://docs.cilium.io/