scaling container policy management with kernel features
play

Scaling container policy management with kernel features Joe - PowerPoint PPT Presentation

Apr 14, 2023 •290 likes •831 views

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

  1. Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29

  2. Overview 1 Background 2 Deploying fast datapaths fast 3 Identity-based security 4 Layer 7 security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 2 / 29

  3. Background Kubernetes Architecture 101 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 3 / 29

  4. Background Kubernetes networking plugins Plumb local connectivity (CNI) Connect remote nodes Services / loadbalancing Network policy https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/ Joe Stringer Scaling container policy with eBPF Sep 11, 2019 4 / 29

  5. Background Cilium Agent runs on each node Native eBPF dataplane Identity-based security Scalable Joe Stringer Scaling container policy with eBPF Sep 11, 2019 5 / 29

  6. Background What does it mean to scale? Manage cluster interactions Minimize unnecessary events Reduce event sizes ... Optimize work within the node Apply datapath changes efficiently https://cilium.io/blog/2019/04/24/cilium-15 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 6 / 29

  7. Deploying fast datapaths fast Joe Stringer Scaling container policy with eBPF Sep 11, 2019 7 / 29

  8. Deploying fast datapaths fast BPF plumbing Joe Stringer Scaling container policy with eBPF Sep 11, 2019 8 / 29

  9. Deploying fast datapaths fast ELF Templating Joe Stringer Scaling container policy with eBPF Sep 11, 2019 9 / 29

  10. Deploying fast datapaths fast 1K nodes: Scaling to 60k pods Joe Stringer Scaling container policy with eBPF Sep 11, 2019 10 / 29

  11. Deploying fast datapaths fast Future directions Optimize verifier execution: O ( n ) → O (1) Support code path templatization Joe Stringer Scaling container policy with eBPF Sep 11, 2019 11 / 29

  12. Identity-based security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 12 / 29

  13. Identity-based security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 13 / 29

  14. Identity-based security Policy example a p i V e r s i o n : "cilium.io/v2" kind: CiliumNetworkPolicy d e s c r i p t i o n : "Restrict deathstar access to empire ships" metadata: name: "deathstar -ingress" spec: e n d p o i n t S e l e c t o r : matchLabels: org: empire c l a s s : d e a t h s t a r i n g r e s s : - fromEndpoints: - matchLabels: org: empire toPorts: - p o r t s : - port: "80" p r o t o c o l : TCP https://docs.cilium.io/en/stable/gettingstarted/http/ Joe Stringer Scaling container policy with eBPF Sep 11, 2019 14 / 29

  15. Identity-based security Label selectors 12345 {org:empire, class:deathstar} 12468 {org:empire, class:tiefighter} 12465 {org:alliance, class:xwing} 12345 {org:empire, class:deathstar} matchLabels: org: empire 12468 {org:empire, class:tiefighter} matchLabels: 12345 {org:empire, class:deathstar} org: empire class: deathstar https://cilium.io/blog/2019/08/20/cilium-16 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 15 / 29

  16. Identity-based security Datapath Configuration: Ingress Joe Stringer Scaling container policy with eBPF Sep 11, 2019 16 / 29

  17. Identity-based security Datapath Configuration: Egress Joe Stringer Scaling container policy with eBPF Sep 11, 2019 17 / 29

  18. Identity-based security Datapath Configuration: Egress Joe Stringer Scaling container policy with eBPF Sep 11, 2019 17 / 29

  19. Layer 7 security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 18 / 29

  20. Layer 7 security L7 is the new L4 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 19 / 29

  21. Layer 7 security Rejecting traffic in a protocol-aware manner Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  22. Layer 7 security Rejecting traffic in a protocol-aware manner Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  23. Layer 7 security Rejecting traffic in a protocol-aware manner Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  24. Layer 7 security Rejecting traffic in a protocol-aware manner cilium-agent –http-403-msg="..." Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  25. Layer 7 security Rejecting traffic in a protocol-aware manner cilium-agent –http-403-msg="..." Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  26. Layer 7 security Datapath Configuration: L3 flow Joe Stringer Scaling container policy with eBPF Sep 11, 2019 21 / 29

  27. Layer 7 security Datapath Configuration: L7 flow Joe Stringer Scaling container policy with eBPF Sep 11, 2019 22 / 29

  28. Layer 7 security Datapath Configuration: L7 flow Joe Stringer Scaling container policy with eBPF Sep 11, 2019 22 / 29

  29. Layer 7 security L7 Configuration: Past Per-endpoint configuration A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  30. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  31. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  32. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  33. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  34. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  35. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  36. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  37. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  38. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  39. Layer 7 security L7 Configuration: Proposal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 25 / 29

  40. Layer 7 security L7 Configuration: Proposal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 25 / 29

  41. Layer 7 security L7 Configuration: Socket redirect Joe Stringer Scaling container policy with eBPF Sep 11, 2019 26 / 29

  42. Layer 7 security Socket assign: Hiccup BPF progs are attached at TC ingress skb_orphan() invoked directly before PREROUTING 1 https://www.mail-archive.com/netdev@vger.kernel.org/msg303851.html 2 https://www.mail-archive.com/netdev@vger.kernel.org/msg304057.html Joe Stringer Scaling container policy with eBPF Sep 11, 2019 27 / 29

  43. Layer 7 security Socket assign: Hiccup BPF progs are attached at TC ingress skb_orphan() invoked directly before PREROUTING TC folks are already carrying hacks for this 1 1 https://www.mail-archive.com/netdev@vger.kernel.org/msg303851.html 2 https://www.mail-archive.com/netdev@vger.kernel.org/msg304057.html Joe Stringer Scaling container policy with eBPF Sep 11, 2019 27 / 29

  44. Layer 7 security Socket assign: Hiccup BPF progs are attached at TC ingress skb_orphan() invoked directly before PREROUTING TC folks are already carrying hacks for this 1 Just move to ____dev_forward_skb() 2 ? 1 https://www.mail-archive.com/netdev@vger.kernel.org/msg303851.html 2 https://www.mail-archive.com/netdev@vger.kernel.org/msg304057.html Joe Stringer Scaling container policy with eBPF Sep 11, 2019 27 / 29

  45. Layer 7 security Summary Minimize processing cost Number of events Cost for each event Separate concerns: Policy vs addressing Frontload expensive operations ... while keeping runtime costs low Joe Stringer Scaling container policy with eBPF Sep 11, 2019 28 / 29

  46. Thank you More information https://cilium.io https://cilium.io/slack https://github.com/cilium/cilium https://twitter.com/ciliumproject Joe Stringer Scaling container policy with eBPF Sep 11, 2019 29 / 29

  47. Thank you More information https://cilium.io https://cilium.io/slack https://github.com/cilium/cilium https://twitter.com/ciliumproject Joe Stringer Scaling container policy with eBPF Sep 11, 2019 29 / 29

  48. Socket redirect Joe Stringer Scaling container policy with eBPF Sep 11, 2019 30 / 29

Recommend

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM,

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM,

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM, 2019 Brussels, Belgium Christian Brauner christian@brauner.io christian.brauner@ubuntu.com @brau_ner https://brauner.io/ 4.15: Bump Limit of

810 views • 12 slides
State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container runs its own kernel uses the host kernel user-space user-space vm user-space container user-space vm kernel host kernel host kernel

833 views • 26 slides
K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units

566 views • 45 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the speakers and team Follow along - @sargun @tomaszbak_ca @fabiokung @aspyker @amit_joshee @anwleung 2 Netflixs container management platform

808 views • 44 slides
Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick:

Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick:

Quadrature-based Features for Kernel Approximation Marina Munkhoeva , Yermek Kapushev, Evgeny Burnaev, Ivan Oseledets Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick: compute

1.01k views • 17 slides
Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

521 views • 30 slides
Control Theory In Container Orchestration Vallery Lancey Lead DevOps Engineer, Checkfront

Control Theory In Container Orchestration Vallery Lancey Lead DevOps Engineer, Checkfront

Control Theory In Container Orchestration Vallery Lancey Lead DevOps Engineer, Checkfront Container Orchestration Fundamentals @vllry Goals of Container Management Reproducibility. Cohabitation. Auto-management of instances.

958 views • 48 slides
Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D. cl@linux.com Collaboration Summit, Napa Valley, 2014 Non Uniform Memory access in the Linux Kernel Memory is segmented into nodes so that

518 views • 12 slides
Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST) Kuniyasu Suzaki 1 Contents Background of BMC Drawbacks of container, general kernel, and accounting. What is BMC? Current

837 views • 34 slides
advance the scaling agenda David J Spielman International Food Policy Research Institute What is

advance the scaling agenda David J Spielman International Food Policy Research Institute What is

Public policy solutions to advance the scaling agenda David J Spielman International Food Policy Research Institute What is the scaling agenda? A global consensus A wealth of novel science Zero tillage Zai planting pits Perennial

543 views • 10 slides
So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling

So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling

So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling Efforts System management Opera/ng system Programming environment PreAcceptance Work HW stabiliza/on & early scaling

390 views • 19 slides
CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY

CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY

10.1 CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY 10.3 User vs. Kernel Mode Kernel mode is a special processor mode for executing trusted (OS) code Certain features/privileges (such

936 views • 38 slides
Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of scaling to 150K MPI ranks MPI-IO Improvements(MPT 3.1 and MPT 3.2) SMP aware collective improvements(MPT 3.2) Misc Features (MPT 3.1)

694 views • 33 slides
Quality Management of Quality Management of Contracts Contracts Vigilance Perspective By: CVO

Quality Management of Quality Management of Contracts Contracts Vigilance Perspective By: CVO

Container Corporation of India Ltd. Container Corporation of India Ltd. Quality Management of Quality Management of Contracts Contracts Vigilance Perspective By: CVO 27 th March 2015 Think Container Think CONCOR 1 WHAT IS CONTRACT? WHAT

822 views • 27 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Decision aid methodologies in transportation Lecture 6 (part-2): Container terminal management

Decision aid methodologies in transportation Lecture 6 (part-2): Container terminal management

Decision aid methodologies in transportation Lecture 6 (part-2): Container terminal management Ilaria Vacca ilaria.vacca@epfl.ch Transport and Mobility Laboratory Outline Introduction to maritime transport Overview container terminals

491 views • 37 slides
LTTng presentation and update mathieu.desnoyers@efcios.com 1 LTTng features Kernel

LTTng presentation and update mathieu.desnoyers@efcios.com 1 LTTng features Kernel

Progress report meeting December 2015 LTTng presentation and update mathieu.desnoyers@efcios.com 1 LTTng features Kernel tracing Tracepoints System calls k[ret]probes User-space tracing C/C++ (tracef/tracelog)

527 views • 14 slides
Container Patterns Matthias Lbken plus give feedback GiantSwarm.io Simple Microservice

Container Patterns Matthias Lbken plus give feedback GiantSwarm.io Simple Microservice

Container Patterns Matthias Lbken plus give feedback GiantSwarm.io Simple Microservice Infrastructure build for developers. Deploy your containers in seconds. Scaling with your needs: Public, Private, On-Prem Docker is an

1.07k views • 59 slides
User-level Management of Kernel Memory Andreas Haeberlen University of Karlsruhe Karlsruhe,

User-level Management of Kernel Memory Andreas Haeberlen University of Karlsruhe Karlsruhe,

User-level Management of Kernel Memory Andreas Haeberlen University of Karlsruhe Karlsruhe, Germany Kevin Elphinstone University of New South Wales Sydney, Australia 1 Motivation: Kernel memory Kernel memory is needed to implement

336 views • 18 slides
Linux Kernel Power Management (PM) Framework for ARM 64-bit Processors L.Pieralisi 21/8/2014 -

Linux Kernel Power Management (PM) Framework for ARM 64-bit Processors L.Pieralisi 21/8/2014 -

Linux Kernel Power Management (PM) Framework for ARM 64-bit Processors L.Pieralisi 21/8/2014 - LinuxCon North America 2014 Outline ARM 32-bit Linux kernel power management support for huge legacy of ARM processors from v4 Uniprocessor kernels

598 views • 29 slides
Analysis of Scaling Algorithms for Matrix & Operator Scaling Contents Scaling Algorithms

Analysis of Scaling Algorithms for Matrix & Operator Scaling Contents Scaling Algorithms

Rafael Oliveira University of Toronto Analysis of Scaling Algorithms for Matrix & Operator Scaling Contents Scaling Algorithms Three Step Analysis Generalization One More Application of Scaling Non-Negative Matrices &

604 views • 15 slides
Random Fourier Features for Kernel Ridge Regression Michael Kapralov 1 1 EPFL (Joint work with H.

Random Fourier Features for Kernel Ridge Regression Michael Kapralov 1 1 EPFL (Joint work with H.

Random Fourier Features for Kernel Ridge Regression Michael Kapralov 1 1 EPFL (Joint work with H. Avron, C. Musco, C. Musco, A. Velingker and A. Zandieh) 1 / 43 Scalable machine learning algorithms with provable guarantees In this talk: towards

1.02k views • 87 slides

More recommend