Cilium: API Aware Networking & Network Security for Microservices using BPF & XDP
FUNDAMENTALS
• BPF – Next Generation Datapath
– Replaces iptables, fast, flexible, powerful
– Packet, API, process visibility
• Cloud Native Security
– Identity-based
– API & DNS Aware
• Servicemesh Integration
– Uses Envoy and co-operates with Istio
– Secures and accelerates sidecar proxies
• Multi Cluster and Multi Cloud
– Connects multiple clusters across providers
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
BPF/XDP Load Balancing
10x performance over IPVS
Networking
Cilium as CNI Plugin
Networking Model: Encapsulation or Direct Routing
Mode I: Encapsulation
– VXLAN tunnels between Node 1, Node 2 and Node 3
– No further dependencies on the underlying network
Mode II: Direct Routing
– Node 1, Node 2 and Node 3 connected over an L3 network that routes pod IPs
– Integrations: Cloud routers, kube-router, BIRD, …
Load Balancing
Kubernetes Services Implementation: iptables kube-proxy vs. BPF-based
iptables kube-proxy:
• Linear list of rules
• All rules have to be replaced as a whole on every change
BPF-based:
• Per-CPU hash table, updated per entry
Security
Traditional API Unaware Security
Pod foo → TLS → Pod bar
Policy (L3/L4): Allow foo to bar on port 80
API served by Pod bar: GET /healthz, GET /jobs/{id}, GET /applicants/{job-id}, POST /jobs
Example request from foo: GET /jobs/331
Result: foo only needs GET /jobs/{id}, but the L3/L4 rule leaves GET /healthz, GET /applicants/{job-id} and POST /jobs exposed to it as well.
API Aware Security
Pod foo → TLS → Pod bar
Policy (API): Allow GET /jobs/.* from identity foo
Example request from foo: GET /jobs/331
Result: of GET /healthz, GET /jobs/{id}, GET /applicants/{job-id} and POST /jobs, only GET /jobs/{id} is reachable from identity foo.
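The two policies contrasted above, written out as CiliumNetworkPolicy objects. This is an added example, not from the deck; the pod labels app=foo and app=bar and the policy names are assumptions.

```yaml
# Added example, not from the slides. Assumes pods carry the labels
# app=foo and app=bar; policy names are illustrative.
---
# Traditional L3/L4 policy: "Allow foo to bar on port 80".
# Every HTTP endpoint bar serves on port 80 is reachable from foo.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-foo-to-bar-l4
spec:
  endpointSelector:
    matchLabels:
      app: bar
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: foo
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
---
# API aware policy: "Allow GET /jobs/.* from identity foo".
# Cilium redirects matching flows through its Envoy proxy; only
# GET /jobs/{id} passes, while GET /healthz, GET /applicants/{job-id}
# and POST /jobs from foo get an HTTP 403 even though port 80 is open.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-foo-to-bar-l7
spec:
  endpointSelector:
    matchLabels:
      app: bar
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: foo
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/jobs/.*"
```

Both objects select by label, so the match is on the endpoint identity Cilium derives from labels, not on pod IP addresses.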
Identity based security
(Diagram: policy expressed as "Allow To" between identities instead of between lists of IP addresses 1.1.1.1 … 1.1.1.6, so the rule does not change when pods come and go.)
Enforcement Points
Connecting Multiple Clusters: Cluster Mesh
Servicemesh Integration
• Telemetry (Tracing)
• Retries
• Load Balancing (HTTP/L7)
• Mutual TLS
• Authorization
• …
Servicemesh Security
SSL Data Visibility
Cilium Summary
• CNI and CNM plugin
• Kubernetes, Docker, Mesos
• Security
• Secures ingress, east-west, and egress.
• Label, DNS, or CIDR based. Identity enforcement.
• API aware (HTTP, Kafka, gRPC)
• Load-balancing
• Servicemesh integration
• Multi Cluster / Multi Cloud Provider
• Connect multiple clusters with label based policy enforcement
@ciliumproject
http://github.com/cilium/cilium
Thank You! Q&A
Getting Started: http://cilium.io/try