Up Cloud Native Networking with eBPF Next Technical Track - PowerPoint PPT Presentation



  1. Up Cloud Native Networking with eBPF
     Next Technical Track Presentation
     Raymond Maika, Engineering Team Lead

  2. Agenda
     • Cloud Native networking
     • CNI Plugin landscape
     • Cilium Overview
     • Policy Overview
     • Policy Enforcement in Cilium
     • Demo

  3. Cloud Native Networking
     • Primarily based on standards set by the Container Network Interface (CNI)
     • The CNI spec is lightweight; it only describes the following:
       • Action and arguments to add a container to a network
       • Action and arguments to remove a container from a network
     • A project that implements the spec is a CNI plugin
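To make the "add" and "remove" contract concrete, here is a toy CNI plugin written for this page (it is not code from the talk or from any real plugin). It models how a runtime drives a plugin: the action arrives in the CNI_COMMAND environment variable, the network configuration arrives as JSON on stdin, and the plugin answers with a JSON result or a JSON error object. The IP pool, gateway, network name and the "address pool exhausted" error code are constructed values for illustration; only ADD, DEL and VERSION are handled.

```python
# Toy CNI plugin modelling the ADD/DEL contract from the CNI spec.
# Added example, not from the talk or any real plugin; the IP pool,
# gateway and plugin name are constructed values.
import ipaddress
import json
import os
import sys
from typing import Optional

SUPPORTED_VERSIONS = ["0.3.1", "0.4.0", "1.0.0"]

# Constructed in-memory IPAM: a real plugin persists leases on disk so that
# a DEL issued after a restart still releases the right address.
POOL = ipaddress.ip_network("10.244.1.0/24")
GATEWAY = str(next(POOL.hosts()))   # first usable host, 10.244.1.1
LEASES = {}                         # CNI_CONTAINERID -> allocated IP


def cni_error(code: int, msg: str) -> dict:
    """Error result in the spec's shape: a JSON object with code and msg."""
    return {"code": code, "msg": msg}


def allocate(container_id: str) -> Optional[str]:
    """Hand out the lowest free address; ADD is idempotent per container ID."""
    if container_id in LEASES:
        return LEASES[container_id]
    used = set(LEASES.values()) | {GATEWAY}
    for host in POOL.hosts():
        if str(host) not in used:
            LEASES[container_id] = str(host)
            return str(host)
    return None


def handle(env: dict, config: dict) -> dict:
    """Dispatch one CNI invocation: env carries the CNI_* variables, config is
    the network configuration the runtime passed on stdin."""
    cmd = env.get("CNI_COMMAND")
    if cmd == "VERSION":
        return {"cniVersion": config.get("cniVersion", "1.0.0"),
                "supportedVersions": SUPPORTED_VERSIONS}
    # ADD and DEL need a container ID, a network namespace path and an interface name.
    for key in ("CNI_CONTAINERID", "CNI_NETNS", "CNI_IFNAME"):
        if not env.get(key):
            return cni_error(4, f"required environment variable {key} is missing")
    version = config.get("cniVersion")
    if version not in SUPPORTED_VERSIONS:
        return cni_error(1, f"incompatible CNI version {version!r}")
    if cmd == "ADD":
        ip = allocate(env["CNI_CONTAINERID"])
        if ip is None:
            # Assumption: code 100 is used here as a plugin-specific error code.
            return cni_error(100, "address pool exhausted")
        return {
            "cniVersion": version,
            "interfaces": [{"name": env["CNI_IFNAME"], "sandbox": env["CNI_NETNS"]}],
            "ips": [{"address": f"{ip}/{POOL.prefixlen}", "gateway": GATEWAY, "interface": 0}],
            "routes": [{"dst": "0.0.0.0/0"}],
            "dns": {},
        }
    if cmd == "DEL":
        # DEL must succeed even when nothing is allocated: runtimes retry it.
        LEASES.pop(env["CNI_CONTAINERID"], None)
        return {}
    return cni_error(4, f"unsupported CNI_COMMAND {cmd!r}")


def main() -> int:
    """Entry point a container runtime would exec: config on stdin, result on stdout."""
    try:
        config = json.load(sys.stdin)
    except json.JSONDecodeError as exc:
        result = cni_error(6, f"cannot decode network config: {exc}")
    else:
        result = handle(dict(os.environ), config)
    if result:
        print(json.dumps(result))
    return 1 if "code" in result else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it the way a runtime would, for example `echo '{"cniVersion":"1.0.0","name":"toy-net","type":"toy"}' | CNI_COMMAND=ADD CNI_CONTAINERID=c1 CNI_NETNS=/var/run/netns/c1 CNI_IFNAME=eth0 python3 plugin.py`. The point for a reviewer of any plugin is the validation before work is done: missing environment variables and an unsupported cniVersion are rejected before any address is handed out, and DEL is idempotent so a retried teardown cannot fail and leak a lease.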

  4. CNI Plugin Landscape
     • Routed networks
     • VXLAN overlays
     • Advanced features

  5. Cilium Overview
     • Cilium implements the CNI spec using eBPF and XDP
       • eBPF = extended Berkeley Packet Filter
       • XDP = eXpress Data Path
     • XDP enables Cilium to attach as close as possible to the physical interface
     • BPF programs allow highly efficient packet processing with kernel-layer programs
     • Cilium loads endpoint/IP maps into BPF maps for fast access in the kernel by BPF programs
     Reference: http://docs.cilium.io/en/stable/bpf/

  6. eBPF Overview
     • eBPF is an enhancement to the original BPF implementation
     • Relevant features from the original BPF:
       • BPF virtual machine that leverages RISC instructions
       • Buffer model that is used to capture and filter packets from an interface
     • eBPF takes the filtering features from BPF and adds:
       • x86/arm instruction sets
       • JIT kernel compiler for Linux
       • LLVM backend to compile programs to BPF bytecode
     Sources: http://docs.cilium.io/en/stable/bpf/
              https://www.kernel.org/doc/Documentation/networking/filter.txt

  7. XDP with eBPF
     Source: https://www.iovisor.org/technology/xdp

  8. Kubernetes (K8s) Network Policy
     • K8s NetworkPolicy objects support both Ingress and Egress policies
     • Policies can use any combination of the following to select which traffic can access an endpoint:
       • Pod/Namespace selectors (k8s label-based)
       • IPBlocks (CIDR notation)
       • Destination ports at the endpoint
     Reference:
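The three selector kinds on this slide combine in ways that are easy to get wrong when writing or auditing a policy, so here is a small Python model of the ingress semantics, written for this page (not the talk's code and not Kubernetes' or Cilium's implementation). It shows the rules that matter in review: a pod with no selecting policy accepts everything; once any policy selects it, only traffic matched by some rule is allowed; a `podSelector` on its own is scoped to the policy's namespace; `namespaceSelector` and `podSelector` inside the same `from` entry are ANDed while separate entries are ORed; and `ipBlock.except` carves holes out of a CIDR. The namespaces, pods and policies are constructed; named ports, `endPort` and IPv6 are not modelled.

```python
# Model of Kubernetes NetworkPolicy ingress semantics.
# Added example, not from the talk; the namespaces, pods and policies below
# are constructed. Only matchLabels, numeric ports and IPv4 are modelled.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key must match; an empty selector {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer: dict, policy_ns: str, src, namespaces: dict) -> bool:
    """src is a Pod (cluster traffic) or an IP string (traffic from outside the cluster)."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src if isinstance(src, str) else src.ip)
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))
    if not isinstance(src, Pod):
        return False            # label selectors never match non-pod sources
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], namespaces.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False            # a lone podSelector is scoped to the policy's own namespace
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src.labels):
        return False
    return True


def ports_match(rule_ports: list, port: int, proto: str) -> bool:
    """Empty ports list: any port; an entry without a port number: any port on that protocol."""
    if not rule_ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") in (None, port) for p in rule_ports)


def ingress_allowed(policies: list, namespaces: dict, src, dst: Pod, port: int, proto: str = "TCP") -> bool:
    """True if traffic from src to dst:port is allowed by the set of policies."""
    selecting = [p for p in policies
                 if p["namespace"] == dst.namespace
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], dst.labels)]
    if not selecting:
        return True             # not isolated: no policy selects the destination pod
    for pol in selecting:       # policies are additive: any matching rule allows the flow
        for rule in pol.get("ingress", []):
            if not ports_match(rule.get("ports", []), port, proto):
                continue
            froms = rule.get("from", [])
            if not froms or any(peer_matches(f, pol["namespace"], src, namespaces) for f in froms):
                return True
    return False


# Constructed cluster: a default-deny policy in "prod" plus one allow rule for the API pod.
NAMESPACES = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
API = Pod("api", "prod", "10.244.1.10", {"app": "api"})
FRONTEND = Pod("frontend", "prod", "10.244.1.11", {"app": "frontend"})
DEVTOOL = Pod("devtool", "dev", "10.244.2.5", {"app": "frontend"})   # same label, other namespace
POLICIES = [
    {"name": "default-deny", "namespace": "prod", "podSelector": {},
     "policyTypes": ["Ingress"], "ingress": []},
    {"name": "api-allow", "namespace": "prod", "podSelector": {"matchLabels": {"app": "api"}},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}},
                           {"ipBlock": {"cidr": "192.168.0.0/16", "except": ["192.168.1.0/24"]}}],
                  "ports": [{"protocol": "TCP", "port": 8080}]}]},
]


def run_checks() -> dict:
    """Evaluate a handful of flows against the constructed cluster."""
    return {
        "frontend->api:8080": ingress_allowed(POLICIES, NAMESPACES, FRONTEND, API, 8080),
        "frontend->api:9090": ingress_allowed(POLICIES, NAMESPACES, FRONTEND, API, 9090),
        "devtool->api:8080": ingress_allowed(POLICIES, NAMESPACES, DEVTOOL, API, 8080),
        "192.168.5.5->api:8080": ingress_allowed(POLICIES, NAMESPACES, "192.168.5.5", API, 8080),
        "192.168.1.7->api:8080": ingress_allowed(POLICIES, NAMESPACES, "192.168.1.7", API, 8080),
        "api->frontend:80": ingress_allowed(POLICIES, NAMESPACES, API, FRONTEND, 80),
        "api->devtool:22": ingress_allowed(POLICIES, NAMESPACES, API, DEVTOOL, 22),
    }


if __name__ == "__main__":
    for flow, allowed in run_checks().items():
        print(f"{flow:24} {'ALLOW' if allowed else 'DENY'}")
```

The last two results are the ones worth dwelling on when reviewing a cluster: `frontend` is denied all ingress because `default-deny` selects it and nothing allows traffic to it, while `devtool` in the `dev` namespace accepts anything because no policy there selects it at all.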

  9. Cilium Policy Enforcement
     Reference: https://github.com/cilium/cilium

  10. Demo

  11. Additional Cilium Policy (L7 features)
      • HTTP policy matching based on:
        • Path
        • Method (GET, POST, PUT, PATCH, DELETE, etc.)
        • Host
        • Headers
      • Kafka
        • Role
        • APIKey/APIVersion
        • ClientID
        • Topic
      Source: https://cilium.io/
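To show how the four HTTP fields on this slide combine, here is a small matcher written for this page in the shape of a CiliumNetworkPolicy `http` rule list. It is an added example, not Cilium's or Envoy's code: it assumes `method`, `path` and `host` are anchored regular expressions, that `headers` entries are "Name: value" strings that must be present on the request, that the fields inside one rule are ANDed and the rules in the list are ORed, and that a request matching no rule is denied. The rules and requests are constructed; Kafka rules are not modelled.

```python
# Matcher for Cilium-style L7 HTTP rules (path, method, host, headers).
# Added example, not Cilium's own implementation; the rules and requests
# are constructed. Assumes anchored regex semantics for method/path/host.
import re


def header_matches(required: str, headers: dict) -> bool:
    """A required header is written "Name: value"; names compare case-insensitively."""
    name, _, value = required.partition(":")
    actual = {k.lower(): v for k, v in headers.items()}
    return actual.get(name.strip().lower()) == value.strip()


def rule_matches(rule: dict, req: dict) -> bool:
    """Every field present in the rule must match (AND); absent fields match anything."""
    for key in ("method", "path", "host"):
        if key in rule and not re.fullmatch(rule[key], req.get(key, "")):
            return False
    return all(header_matches(h, req.get("headers", {})) for h in rule.get("headers", []))


def verdict(rules: list, req: dict) -> str:
    """Verdict a proxy-enforced policy would record for one request: first rule wins."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, req):
            return f"forwarded (rule {i})"
    return "denied"


# Constructed rule list, in the shape of the `http:` block of a CiliumNetworkPolicy.
HTTP_RULES = [
    {"method": "GET", "path": "/public/.*"},
    {"method": "PUT", "path": "/api/v1/users/[0-9]+", "headers": ["X-Caller: frontend"]},
    {"method": "GET", "path": "/healthz", "host": "api\\.internal"},
]

# Constructed requests, as a parsing proxy would present them.
REQUESTS = [
    {"method": "GET", "path": "/public/index.html"},
    {"method": "POST", "path": "/public/index.html"},
    {"method": "PUT", "path": "/api/v1/users/42", "headers": {"x-caller": "frontend"}},
    {"method": "PUT", "path": "/api/v1/users/42"},
    {"method": "GET", "path": "/healthz", "host": "api.internal"},
    {"method": "GET", "path": "/healthz", "host": "apixinternal"},
]


def run_requests() -> list:
    """Return the verdict for each constructed request, in order."""
    return [verdict(HTTP_RULES, req) for req in REQUESTS]


if __name__ == "__main__":
    for req, v in zip(REQUESTS, run_requests()):
        print(f"{req['method']:5} {req['path']:28} -> {v}")
```

Two details carry over to real policies: the `host` regex escapes its dot, otherwise `api.internal` would also match `apixinternal`; and the PUT rule is only satisfied when the header is actually present, so the same path without `X-Caller` is denied rather than falling through to a broader rule.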

  12. Additional Cilium Policy (L7 features)
      Source: https://cilium.io/
