Cloud Native Night, Munich, September 2023, Bernhard Schaidhammer
Cilium is a powerful tool for network policies and also for encryption between the Kubernetes nodes. Cilium hooks deep into the Kubernetes network stack as a plugin and can even replace the AWS CNI plugin. This talk shares our project experiences.
Topics involve:
- Network Policies
- Encryption
- Hubble (Observability)
- Installation
- CLI Usage (Hubble / Cilium)
2. Cilium and Hubble
1. What is Cilium?
2. The setting?
3. eBPF
4. Network Policies
5. Hubble
6. My experience so far
3. What is Cilium?
Cilium is an open source software for providing, securing and observing network connectivity between container workloads - cloud native, and fueled by the revolutionary kernel technology eBPF.
Cilium is an open-source eBPF-based networking, security and observability plugin for Kubernetes.
Cilium is a CNI (Container Network Interface) plugin.
https://cilium.io/
5. The Setting
● We want security and observability
● Linux is widespread in the container/cloud landscape
● Encryption, observability and security usually have to be installed on top, in user space
○ Limited access to kernel resources
○ Often a sidecar proxy
○ Kernel modules -> complex, and they carry runtime risks
6. eBPF basics - https://ebpf.io/
extended Berkeley Packet Filter
● Also known as a “general purpose execution engine”.
1. Part of the Linux kernel
2. Can run sandboxed programs in a privileged context
3. Extends kernel capabilities safely and efficiently without changing the kernel code
4. Compiled natively with a JIT
5. Protected through a verifier
Example: manipulating TCP/IP traffic or collecting metrics
8. Cilium Identities
● Kubernetes is dynamic in nature (pod scaling, …).
● In Kubernetes each pod has its own IP address, with all its ports reachable.
● Cilium abstracts network security away from network addresses
● => Security is based on identities, derived from Kubernetes labels
9. Cilium Network Policies
Network policies work on the “default deny principle”: once a policy selects an endpoint, only explicitly allowed traffic gets through.
● Identity-based network security, based on Kubernetes labels.
Example: label app=my-cat-gw is allowed to connect to app=my-cat-backend
● Layer 4 rules are also possible
Example: my-cat-gw may only reach my-cat-backend on port 8080
● Layer 7 (HTTP and gRPC) policies are possible.*
Example: my-cat-gw can access /api/cat-shop/articles/[0-9]+ with GET.
*Standard Kubernetes network policies cannot do that.
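The three examples on this slide combined into one manifest, as an added example that is not part of the talk's slides. The labels app=my-cat-gw and app=my-cat-backend, port 8080 and the article path come from the slide; the namespace cat-shop and the policy name are assumptions.

```yaml
# Added example, not from the talk: one CiliumNetworkPolicy covering the
# L3 (identity), L4 (port) and L7 (HTTP) rules from the slide.
# Namespace "cat-shop" and the policy name are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: my-cat-backend-ingress
  namespace: cat-shop
spec:
  # L3: the policy applies to every pod carrying this label. From the moment
  # any policy selects an endpoint, Cilium puts that endpoint into default
  # deny for the direction covered here (ingress).
  endpointSelector:
    matchLabels:
      app: my-cat-backend
  ingress:
    - fromEndpoints:
        # Only the gateway identity may talk to the backend ...
        - matchLabels:
            app: my-cat-gw
      toPorts:
        # ... and only on TCP port 8080 (L4) ...
        - ports:
            - port: "8080"
              protocol: TCP
          # ... and only GET requests whose path matches this regular
          # expression (L7). Cilium redirects matching flows through its
          # Envoy proxy; any other method or path on 8080 is rejected.
          rules:
            http:
              - method: GET
                path: "/api/cat-shop/articles/[0-9]+"
```

Nothing here selects egress, so the backend's own outbound traffic is unaffected until another policy selects it for egress; that is the behaviour to verify first when a policy seems to "break" more than intended.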
10. Cilium Network Policies
● Cilium's network policies can also be based on DNS names.
Example: label my-cat-service can access api.cat.com
● Cilium learns the IP addresses from the DNS responses and allows or denies traffic accordingly
● Wildcard mechanism
Example: *.catz.com
DON'T: use DNS-based network policies for cluster-internal communication. Use pure identity-based policies instead.
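The DNS-based egress policy for the examples on this slide, as an added example that is not part of the talk. The names api.cat.com and *.catz.com come from the slide; the label app=my-cat-service, the namespace cat-shop and the choice of port 443 are assumptions. The first egress rule is the part practitioners most often forget: Cilium can only learn the IP addresses behind a name if the pod's DNS traffic passes through Cilium's DNS proxy, which this rule enables.

```yaml
# Added example, not from the talk: egress policy that allows an external API
# by name. Namespace, label and port are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: my-cat-service-egress
  namespace: cat-shop
spec:
  endpointSelector:
    matchLabels:
      app: my-cat-service
  egress:
    # Rule 1: allow the pod to query cluster DNS and let Cilium's DNS proxy
    # inspect the answers. Without a "dns" L7 rule Cilium never sees the
    # resolved IPs, and the toFQDNs rule below would never match anything.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Rule 2: the actual allow list. matchName is an exact name, matchPattern
    # a wildcard; Cilium translates both into the IPs it observed in DNS
    # answers and keeps them only for the record's TTL.
    - toFQDNs:
        - matchName: "api.cat.com"
        - matchPattern: "*.catz.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

This is the right tool for traffic leaving the cluster, where no Cilium identity exists on the far side. Inside the cluster the slide's advice applies: select peers by label with fromEndpoints/toEndpoints, which does not depend on DNS timing at all.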
12. Hubble
Hubble is a fully distributed networking and security observability platform. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.
13. Hubble
● Hubble has its own web UI
● Hubble also has a command line tool
○ it is possible to filter for dropped packets
● Hubble is able to export metrics (e.g. to Prometheus)
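The talk lists encryption and installation among its topics and this slide lists the Hubble components (UI, CLI via relay, metrics). An added example, not from the talk, of Helm values for the cilium chart that switch all of them on. The key names are the ones the author of this example knows from the Cilium Helm chart and should be checked against the chart version being installed; the metric list is a selection, not the full set.

```yaml
# Added example, not from the talk: Helm values for the cilium/cilium chart.
# Key names assumed to match the chart; verify with `helm show values`.
encryption:
  enabled: true
  type: wireguard          # transparent node-to-node encryption; ipsec is the alternative
hubble:
  enabled: true
  relay:
    enabled: true          # hubble-relay gives the CLI and UI a cluster-wide view
  ui:
    enabled: true          # web UI with the service map
  metrics:
    # Each entry is a metric family exported on Hubble's /metrics endpoint.
    # "drop" is the one that makes policy drops visible in Prometheus and
    # therefore alertable, which is the usual first use of these metrics.
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - icmp
      - httpV2
    serviceMonitor:
      enabled: true        # needs the Prometheus Operator CRDs in the cluster
```

Once relay is running, the CLI filter mentioned on the slide is `hubble observe --verdict DROPPED`, which is the quickest way to find out which policy is rejecting a flow after a new CiliumNetworkPolicy is applied.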
15. My experiences so far
● Network policies are very powerful
● Communication encryption was very easy to set up
● Seems to work very stably
● Hubble is extremely good at showing the network flows of the cluster
Open points:
● Still sometimes very complex
● Updating Cilium can be cumbersome
○ When updating Kubernetes itself we faced some stability issues in the integration
● Didn't try every feature yet. Still much to learn
16. Thank you very much, do you have any questions?
Have a nice evening! :-)
17. And a few links if you like…
Information:
https://blog.container-solutions.com/wtf-is-cilium
https://cilium.io/
https://b-nova.com/home/content/ebpf-based-networking-with-cilium
https://www.youtube.com/watch?v=H5RqSAX-eo4&t=584s
Network Policy:
Editor: https://networkpolicy.io/ - Visualising network policies.
https://docs.cilium.io/