Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security

This talk will start with a deep dive and hands on examples of BPF, possibly the most promising low level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to the a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium with the help of BPF can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.

Container runtimes cause Linux to return to its original purpose: to serve applications interacting directly with the kernel. At the same time, the Linux kernel is traditionally difficult to change and its development process is full of myths. A new efficient in-kernel programming language called eBPF is changing this and allows everyone to extend existing kernel components or glue them together in new forms without requiring to change the kernel itself.

Cilium is an open source software that provides networking and security for Kubernetes. It implements Kubernetes networking, security policies, load balancing, and service mesh capabilities using eBPF. Cilium provides multi-cluster networking by coupling multiple Kubernetes clusters into a cluster mesh with a shared control plane. It also offers a sidecar-less service mesh that uses eBPF and Envoy for L4 and L7 traffic management instead of injecting proxies into each pod. Demos showed Cilium's multi-cluster load balancing and policies as well as its service mesh capabilities.

This document provides an overview of cBPF and eBPF. It discusses the history and implementation of cBPF, including how it was originally used for packet filtering. It then covers eBPF in more depth, explaining what it is, its history, implementation including different program types and maps. It also discusses several uses of eBPF including networking, firewalls, DDoS mitigation, profiling, security, and chaos engineering. Finally, it introduces XDP and DPDK, comparing XDP's benefits over DPDK.

In the Cloud Native community, eBPF is gaining popularity, which can often be the best solution for solving different challenges with deep observability of system. Currently, eBPF is being embraced by major players. Mydbops co-Founder, Kabilesh P.R (MySQL and Mongo Consultant) illustrates on debugging linux issues with eBPF. A brief about BPF & eBPF, BPF internals and the tools in actions for faster resolution.

This document provides an introduction to eBPF (Extended Berkeley Packet Filter), which allows running user-space code in the Linux kernel without needing to compile a kernel module. It describes how eBPF avoids unnecessary copying of packets between kernel and user-space for improved performance. Examples are given of using eBPF for networking tasks like SDN configuration, DDoS mitigation, intrusion detection, and load balancing. The document concludes by noting eBPF provides alternatives to iptables that are better suited for microservices architectures.

Cilium - BPF & XDP for containers by Thomas Graf (Noiro Networks) Cilium - https://github.com/cilium/cilium Liveblogging: http://canopy.mirage.io/Liveblog/NetworkingDDS2016

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Cilium is the next generation, eBPF powered open-source Cloud Native Networking solution, providing security, observability, scalability, and superior performance. Cilium is an incubating project under CNCF and the leading CNI for Kubernetes. In this session we will introduce the fundamentals of Cilium Network Policies and the basics of application-aware and Identity-based Security. We will discuss the default-allow and default-deny approaches and visualize the corresponding ingress and egress connections. Using the Network Policy Editor we will be able to demonstrate how a Cilium Network Policy looks like and what they mean on a given Kubernetes cluster. Additionally, we will walk through different examples and demonstrate how application traffic can be observed with Hubble and show how you can use the Network Policy Editor to apply new Cilium Network Policies for your workloads. Finally, we’ll demonstrate how Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement.

eBPF is an exciting new technology that is poised to transform Linux performance engineering. eBPF enables users to dynamically and programatically trace any kernel or user space code path, safely and efficiently. However, understanding eBPF is not so simple. The goal of this talk is to give audiences a fundamental understanding of eBPF, how it interconnects existing Linux tracing technologies, and provides a powerful aplatform to solve any Linux performance problem.

The document discusses Cilium and Istio with Gloo Mesh. It provides an overview of Gloo Mesh, an enterprise service mesh for multi-cluster, cross-cluster and hybrid environments based on upstream Istio. Gloo Mesh focuses on ease of use, powerful best practices built in, security, and extensibility. It allows for consistent API for multi-cluster north-south and east-west policy, team tenancy with service mesh as a service, and driving everything through GitOps.

Kubernetes has two simple but powerful network concepts: every Pod is connected to the same network, and Services let you talk to a Pod by name. Bryan will take you through how these concepts are implemented - Pod Networks via the Container Network Interface (CNI), Service Discovery via kube-dns and Service virtual IPs, then on to how Services are exposed to the rest of the world.

2013年05月20日の講演の資料です。内容は発表当時の時点でのものですので現在では有用でない情報も含まれます。また個人的な情報収集に基づく資料ですので誤りがある可能性があることをご了承ください。

KubeCon + CloudNativeCon North America 2021 で発表された最新のScheduler拡張事例を共有します。

Cilium provides network security and visibility for microservices. It uses eBPF/XDP to provide fast and scalable networking and security controls at layers 3-7. Key features include identity-based firewalling, load balancing, and mutual TLS authentication between services. It integrates with Kubernetes to apply network policies using standard Kubernetes resources and custom CiliumNetworkPolicy resources for finer-grained control.

This document summarizes a presentation about Cilium and eBPF. Cilium provides cloud native networking and security using eBPF. eBPF allows programs to run securely in the Linux kernel for networking, security, and observability. Cilium offers networking features like Kubernetes services, cluster mesh for multi-cluster connectivity, and platform integration. It also provides security using identity-based policies and API authorization. Observability features include flow visibility and service maps. Cilium can be used as a service mesh or with Tetragon for prevention capabilities without proxies.

Full recorded presentation at https://www.youtube.com/watch?v=2UfAgCSKPZo for Tetrate Tech Talks on 2022/05/13. Envoy's support for Kafka protocol, in form of broker-filter and mesh-filter. Contents: - overview of Kafka (usecases, partitioning, producer/consumer, protocol); - proxying Kafka (non-Envoy specific); - proxying Kafka with Envoy; - handling Kafka protocol in Envoy; - Kafka-broker-filter for per-connection proxying; - Kafka-mesh-filter to provide front proxy for multiple Kafka clusters. References: - https://adam-kotwasinski.medium.com/deploying-envoy-and-kafka-8aa7513ec0a0 - https://adam-kotwasinski.medium.com/kafka-mesh-filter-in-envoy-a70b3aefcdef

Presented as part of Container Conference 2018: www.containerconf.in Deep dive into Kubernetes networking "Container networking is pretty complex and Kubernetes has taken a unique approach to solve container networking challenges. Both simplicity and scalability have been key design principles of Kubernetes networking. This session will illustrate kubernetes networking concepts with examples and demos. Best practises and considerations for deploying container networks in production using Kubernetes will be covered. This session will also go into latest developments in Kubernetes networking like Network policy and Service policy using Istio."

Lviv DevOps Conference 2019 СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see how it works with Istio» Телеграм канал: https://t.me/GoDevOpsEvent Фейсбук сторінці: https://www.facebook.com/godevopsevent/ Сайт: https://devopsconf.org/

RINA is a clean-slate networking architecture that models the network as a hierarchy of applications interconnected across distributed application frameworks (DAFs). It uses a single layer approach with two protocols for data transfer and application management. RINA addresses many of the goals for 5G networks, such as facilitating dense device deployments, reducing service creation times, and providing secure, reliable connectivity. The document proposes using RINA to provide the infrastructure for network function virtualization, such as through service chains, VNF connectivity and resiliency, and software-based management. This could optimize fabric usage within network points of presence while being compatible with current IP-based network deployments.

Come explore the World of Cilium with us! In this workshop, you'll have the opportunity to discover about Cilium and Tetragon, and the kernel technology that makes them possible, eBPF. Through a collection of hands-on labs (available at https://labs-map.isovalent.com/) and the presenter's support, you'll be able to explore many topics covering Cloud Native Networking, Security, and Observability. In this gamified approach, you'll also be able to earn badges for completing labs. Whether you're a Platform Engineer, SRE, Network Engineer, SecOps Professional, Cloud Architect, and more, you'll certainly find subjects to explore in this session!

The document summarizes security policies in the Recursive InterNetwork Architecture (RINA). It discusses how RINA protects layers instead of protocols by applying consistent security models across all layers. It also describes how RINA separates mechanism from policy, allowing security functions to be programmed via policies instead of implementing specific security protocols. The document outlines experiments with authentication and encrypted packet policies using the IRATI open source RINA implementation.

PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju urządzeń - Network Services Orchestration, Krzysztof Konkowski

Kube-OVN is a CNCF sandbox proposal for a container networking solution that addresses more complex requirements like VPC networking between multiple clusters, static IP allocation, and connectivity to legacy infrastructure. It is based on OVS/OVN for the data plane and combines with cloud native architecture. Key features include subnet per namespace, IP floating across clusters, multi-NIC management, observability tools, and high performance using DPDK and SmartNIC offloading. It has over 700 stars on GitHub with 24 contributors and is adopted by companies like Alauda, China Telecom, Intel, and Huawei. Kube-OVN proposes to join CNCF to accelerate industry adoption of cloud native technologies in telecom and other sectors

OpenStack is HOT! No doubt about it. A recent survey by The New Stack and The Linux Foundation shows OpenStack as the most popular open source project ahead of other hot projects like Docker and KVM. OpenStack is now taking its rightful place as the open source cloud solution for enterprises and service providers. To date OpenStack networking has not yet achieved the performance, scalability and reliability that many large enterprises demand. CPLANE NETWORKS solves that problem by delivering secure multi-tenant virtual networking that overcomes the limitations of the standard Neutron networking service. By making all networking services local to the compute node and achieving near line-rate throughput, CPLANE NETWORKS Dynamic Virtual Networks (DVN) delivers mega-scale networking for the most demanding application environments. In this session John Casey will cover the basics of DVN and explain how CPLANE NETWORKS achieves "at scale" network performance within and across data centers. About John Casey John Casey has over 20 years of deep technology leadership. His proven success with a variety of technical leadership roles in Telecom, Enterprise and Government and in software design and development provide the foundation for the system architecture and engineering team. Previously John led worldwide deployment teams for both IBM’s Software Group and Narus, Inc. His work in large scale, high performance system design at Transarc Labs and Walker Interactive Systems brings leadership to the CPLANE NETWORKS product suite.