Page 1
UpNext
Cloud Native Networking with eBPF
Technical Track Presentation
Raymond Maika, Engineering Team Lead
Page 2
Agenda
• Cloud Native networking
• CNI Plugin landscape
• Cilium Overview
• Policy Overview
• Policy Enforcement in Cilium
• Demo
Page 3
Cloud Native Networking
• Primarily based on the standard set by the Container Network Interface (CNI)
• The CNI spec is lightweight; it only describes the following:
  • The action and arguments to add a container to a network
  • The action and arguments to remove a container from a network
• A project that implements the spec is a CNI plugin
Page 4
CNI Plugin Landscape
• Routed networks
• VXLAN overlays
• Advanced features
Page 5
Cilium Overview
• Cilium implements the CNI spec using eBPF and XDP
  • eBPF = extended Berkeley Packet Filter
  • XDP = eXpress Data Path
• XDP lets Cilium attach BPF programs in the network driver's receive path, as close to the physical interface as possible, before the kernel has allocated a socket buffer for the packet
• BPF programs run inside the kernel, so packets are processed efficiently without being handed to user space
• Cilium loads its endpoint/IP mappings into BPF maps so the BPF programs can look them up quickly from within the kernel
Reference: http://docs.cilium.io/en/stable/bpf/
Page 6
eBPF Overview
• eBPF is an enhancement of the original BPF implementation
• Relevant features from the original BPF:
  • A BPF virtual machine with a RISC-like instruction set
  • A buffer model used to capture and filter packets from an interface
• eBPF keeps the filtering features of BPF and adds:
  • An instruction set modelled on 64-bit CPUs (x86-64, arm64), so bytecode maps almost one-to-one onto native instructions
  • An in-kernel JIT compiler for Linux that turns BPF bytecode into native machine code
  • An LLVM backend, so programs can be written in C and compiled to BPF bytecode
• Before a program is loaded, the kernel verifier checks that it terminates and only accesses memory it is allowed to; this is what makes running such code in the kernel safe
Sources:
http://docs.cilium.io/en/stable/bpf/
https://www.kernel.org/doc/Documentation/networking/filter.txt
Page 8
Kubernetes (K8s) Network Policy
• K8s NetworkPolicy objects support both Ingress and Egress policies
• Policies can use any combination of the following to select which traffic may reach an endpoint:
  • Pod/Namespace selectors (K8s label-based)
  • IPBlocks (CIDR notation, with optional exceptions)
  • Destination ports at the endpoint
• A NetworkPolicy is only enforced if the CNI plugin implements it; a pod that is not selected by any policy accepts all traffic
Reference:
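As an added example (not from the slides), the manifests below combine the three selector kinds listed above and show the two caveats a practitioner runs into first: nothing is denied until a policy selects the pod, and once egress is restricted DNS must be allowed explicitly. The namespace `shop`, the labels `app: api`, `app: frontend`, `role: monitoring`, the CIDR range and the `kubernetes.io/metadata.name` namespace label (added automatically by Kubernetes 1.21 and later) are illustrative assumptions.

```yaml
# Added example, not from the presentation. Namespace, labels and CIDRs are illustrative.
# 1) Default deny: the empty podSelector selects every pod in the namespace, and listing
#    both policy types with no rules drops all ingress and egress. Without a policy like
#    this, a pod that no policy selects accepts all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2) Allow-list for the API pods. Entries under "from" are ORed with each other; the
#    peers and the ports inside one rule are ANDed (matching peer AND matching port).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # Pod selector: frontend pods in the same namespace
    - podSelector:
        matchLabels:
          app: frontend
    # Namespace selector: any pod in a namespace labelled role=monitoring
    - namespaceSelector:
        matchLabels:
          role: monitoring
    # IP block: an office range, minus one subnet that must not reach the API
    - ipBlock:
        cidr: 10.20.0.0/16
        except:
        - 10.20.99.0/24
    ports:
    - protocol: TCP
      port: 8080
  egress:
  # namespaceSelector and podSelector in the same entry are ANDed: only kube-dns pods
  # in kube-system. Name resolution breaks if this is forgotten.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply with `kubectl apply -f` and check the result with `kubectl describe networkpolicy -n shop api-allow`; the describe output lists the peers and ports exactly as the plugin will enforce them, which is the quickest way to catch a selector that is ANDed where an OR was intended.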
Page 9
Cilium Policy Enforcement
Reference: https://github.com/cilium/cilium
Page 10
Demo
Page 11
Additional Cilium Policy (L7 features)
• HTTP policy matching based on:
  • Path
  • Method (GET, POST, PUT, PATCH, DELETE, etc.)
  • Host
  • Headers
• Kafka policy matching based on:
  • Role
  • APIKey/APIVersion
  • ClientID
  • Topic
Source: https://cilium.io/
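As an added example (not from the slides), the following CiliumNetworkPolicy manifests use the HTTP and Kafka match fields listed above. L7 rules hang off an L4 port entry: traffic to that port is redirected to the Cilium agent's proxy, and only requests matching at least one rule are forwarded. The namespace `shop`, the labels, the host name, the header value, the topic `orders` and the client ID are illustrative assumptions.

```yaml
# Added example, not from the presentation. Labels, host, header, topic and client ID are illustrative.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-http-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        # Read-only access to the catalogue; path and host are regular expressions
        - method: "GET"
          path: "/v1/products/.*"
          host: "api.shop.svc.cluster.local"
        # Order creation only when the request carries the expected header
        - method: "POST"
          path: "/v1/orders"
          headers:
          - "X-Shop-Client: frontend"
        # Anything else on 8080 (DELETE, /v1/admin/..., a missing header) is rejected
        # by the proxy even though the L4 port is open
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: kafka-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: kafka
  ingress:
  # order-service may only produce to the "orders" topic
  - fromEndpoints:
    - matchLabels:
        app: order-service
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: "produce"
          topic: "orders"
  # billing may only consume from "orders", and only with a pinned client ID
  - fromEndpoints:
    - matchLabels:
        app: billing
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: "consume"
          topic: "orders"
          clientID: "billing-consumer"
```

After applying, an HTTP request that does not match any rule is answered by the proxy with a 403 rather than being dropped silently, so a client sees a response and the decision is attributable. From the cilium-agent pod, `cilium policy get` shows the imported rules and `cilium monitor --type l7` shows each allowed or denied request, which is the fastest way to confirm that the path and host regular expressions match what the application actually sends.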