
Kernel advantages for Istio realized with Cilium


Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible.

Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.

Published in: Technology
  1. Kernel advantages for Istio realized with Cilium. #IstioDay, July 17th, 2018. Romain Lenglet, Chief Architect; Cynthia Thomas, Technology Evangelist. (@ciliumproject)
  2. Cilium provides massive performance gains for Istio. Diagram: the Kubernetes network security stack, from top to bottom:
     - Policy Management: change management, audit
     - Service Mesh (Istio): routing, tracing, authn/z
     - Fabric / CNI (Cilium): IPAM, connectivity, filtering
  3. Cilium complements Istio. Diagram: the app with its sidecar proxy, the Istio control plane (pilot, policy, telemetry, citadel) and Cilium; traffic is split into Istio control plane traffic and application traffic, the latter into TCPv4 and other (IPv6, UDP, ICMP).
  4. Datapath considerations
     - Istio redirects most TCP connections to Envoy
       - Uses iptables within the pod
     - CNI plugin enforces NetworkPolicy on all traffic:
       - App traffic redirected to the Istio proxy (Envoy)
       - App traffic not redirected: IPv6, UDP
       - Connections to services outside of the cluster
       - Istio control plane traffic
     Diagram: pod datapath (app and sidecar proxy sockets, TCP/IP, iptables, Ethernet, lo and eth0, REDIRECT / TPROXY, CNI datapath).
  5. Demo time!
     - Setup: Bookinfo App! (of course – what else?)
     - Breach! Bypass the sidecar proxy to get out of a pod.
     - Enforce a Network Policy at the Fabric layer to contain a compromised container's egress traffic.
  6. Why you need a CNI
     - CNI plugin enforces NetworkPolicy on all traffic in and out of a pod
     - Think about egress traffic and services outside of the Service Mesh
     - Known breaches take advantage of gaps in egress traffic policy
  7. Integration architecture
     - Comprehensive L3-L7 policy language
     - L7 enforcement using a shared Envoy proxy
       - Cilium-specific filters
       - Applies to clear traffic (mTLS support)
     - L3/L4 enforcement using BPF in-kernel
       - Applies to all traffic, incl. Istio control plane & egress traffic
     Diagram: inside the pod, the app and the sidecar proxy; Cilium filters and the L7 proxy in userspace, the BPF program (L3 + L4) in kernelspace, both managed by the cilium agent.
  8. BPF for the win. "With BPF, superpowers are coming to Linux" – Brendan Gregg, Lead Performance Engineer, Netflix
  9. Transparent proxy redirection optimization. Diagram: the pod datapath before (app and sidecar proxy sockets, TCP/IP, iptables, Ethernet, lo and eth0, REDIRECT / TPROXY) and after (BPF attached at the socket layer, managed by the cilium agent), shown for the connection handshake and the established connection.
  10. Transparent proxy redirection optimization (cont.)
  11. TLS kernel offload using BPF
      - kTLS – TLS encryption / decryption offload to the kernel
      - ~4% CPU gain
      - Transparent to the process
      - Proxy offload
        - In-kernel Istio mTLS
      - App offload
        - Visibility into end-to-end TLS connections, e.g. to AWS services
        - Cilium L7 enforcement
        - Istio L7 routing, etc.
  12. Call to Action!
      - Try Cilium with Istio!
      - Follow us on Twitter: @ciliumproject, @romainlenglet, @_techcet_
      - Join us on Slack!
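Slides 5 through 7 make one point: an egress rule applied by the CNI is enforced in-kernel for every packet leaving the pod, whether or not that traffic went through the Istio sidecar, and the same policy object can carry L7 (HTTP) rules that the shared Envoy proxy enforces. The policy below is an added example written for this page, not code from the talk or from the Cilium project. It assumes the standard Istio Bookinfo labels (app=productpage, app=reviews, app=details, all serving on port 9080), cluster DNS labelled k8s-app=kube-dns in kube-system, and an Istio control plane in the istio-system namespace; all of those are assumptions. It gives the productpage pod default-deny egress and allows only what it legitimately needs:

```yaml
# Added example (not from the talk or the Cilium project): default-deny egress
# for the Bookinfo "productpage" pod, with an explicit allow-list.
# Labels, ports and namespaces are assumptions based on the Istio Bookinfo sample.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: productpage-egress
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: productpage
  # Listing any egress rule switches the selected pod to default-deny egress:
  # traffic that matches no rule is dropped by the BPF program in the kernel,
  # including connections that never passed through the sidecar proxy.
  egress:
    # L3/L4 rule (BPF) plus an L7 HTTP rule (shared Envoy proxy): only GETs
    # on the reviews API, and only to pods labelled app=reviews on 9080/TCP.
    - toEndpoints:
        - matchLabels:
            app: reviews
      toPorts:
        - ports:
            - port: "9080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/reviews/.*"
    # Same shape for the details service.
    - toEndpoints:
        - matchLabels:
            app: details
      toPorts:
        - ports:
            - port: "9080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/details/.*"
    # Name resolution: cluster DNS (assumed label k8s-app=kube-dns in kube-system).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
    # Slide 4: the sidecar's own control-plane connections are not redirected
    # and are policed by the CNI too, so they must be allowed explicitly
    # (assumed to live in the istio-system namespace).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: istio-system
```

Apply it with `kubectl apply -f` and watch enforcement from the node with `cilium monitor --type drop`: a process in the productpage container that opens a raw TCP, UDP or IPv6 connection to an address outside this allow-list is dropped at the fabric layer even though no Istio proxy ever saw it. Note that with such a policy everything the pod talks to must be enumerated, the Istio control plane included; forgetting the last rule breaks the sidecar, which is the practical reason slide 7 stresses that L3/L4 enforcement covers control plane and egress traffic alike.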