Cloud Native Networking with eBPF
Technical Track Presentation
Raymond Maika, Engineering Team Lead
Agenda
• Cloud Native networking
• CNI Plugin landscape
• Cilium Overview
• Policy Overview
• Policy Enforcement in Cilium
• Demo
Cloud Native Networking
• Primarily based on standards set by the Container Network Interface (CNI)
• The CNI spec is lightweight; it only describes the following:
  • Action and arguments to add a container to a network
  • Action and arguments to remove a container from a network
• A project that implements the spec is a CNI plugin
CNI Plugin Landscape
• Routed networks
• VXLAN overlays
• Advanced features
Cilium Overview
• Cilium implements the CNI spec using eBPF and XDP
  • eBPF = extended Berkeley Packet Filter
  • XDP = eXpress Data Path
• XDP lets Cilium attach its packet-processing programs as close to the physical interface (the NIC driver) as possible
• BPF programs allow highly efficient packet processing with programs running in the kernel
• Cilium loads endpoint/IP mappings into BPF maps for fast lookup in the kernel by BPF programs
Reference: http://docs.cilium.io/en/stable/bpf/
eBPF Overview
• eBPF is an enhancement of the original BPF implementation
• Relevant features from the original BPF:
  • A BPF virtual machine that uses a RISC-style instruction set
  • A buffer model used to capture and filter packets from an interface
• eBPF keeps the filtering features of BPF and adds:
  • Instruction set modelled on x86/arm registers and instructions
  • A JIT compiler in the Linux kernel
  • An LLVM backend to compile C into BPF bytecode
Sources:
http://docs.cilium.io/en/stable/bpf/
https://www.kernel.org/doc/Documentation/networking/filter.txt
Kubernetes (K8s) Network Policy
• K8s NetworkPolicy objects support both Ingress and Egress policies
• Policies can use any combination of the following to select which traffic can access an endpoint:
  • Pod/Namespace selectors (k8s label-based)
  • IPBlocks (CIDR notation)
  • Destination ports at the endpoint
Reference:
Cilium Policy Enforcement
Reference: https://github.com/cilium/cilium
Demo
Additional Cilium Policy (L7 features)
• HTTP policy matching based on:
  • Path
  • Method (GET, POST, PUT, PATCH, DELETE, etc.)
  • Host
  • Headers
• Kafka policy matching based on:
  • Role
  • APIKey/APIVersion
  • ClientID
  • Topic
Source: https://cilium.io/
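An added example (not from the slides and not the Cilium project's own code) of a CiliumNetworkPolicy that combines the L3/L4 label-based selection from the K8s NetworkPolicy slide with the L7 HTTP and Kafka match fields listed above; the namespace, labels, ports, paths, header and topic are constructed values.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-allow        # constructed name
  namespace: shop           # constructed namespace
spec:
  # Pods this policy protects (L3 selection by k8s labels)
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  # Only pods labelled app=frontend may reach TCP/8080 (L3 + L4),
  # and once there only the listed HTTP requests are allowed (L7);
  # other requests on that port are rejected by Cilium's proxy.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/v1/products"        # anchored regex on the URL path
        - method: POST
          path: "/v1/orders"
          host: "api.shop.internal"   # constructed Host header value
          headers:
          - "X-Request-Source: frontend"
  # Kafka: app=checkout may only produce to the "orders" topic on 9092;
  # consume requests and any other topic are denied.
  - fromEndpoints:
    - matchLabels:
        app: checkout
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: produce
          topic: orders
```

Compared with a plain K8s NetworkPolicy that can only open port 8080 to the frontend pods, the `rules:` section narrows that opening to specific paths, methods, headers and Kafka operations, which is the enforcement step the slides attribute to Cilium's L7 features.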