replacing iptables with ebpf in kubernetes with cilium
play

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, - PowerPoint PPT Presentation

Dec 06, 2022 •1.49k likes •2.06k views

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org Whats

  1. Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org

  2. What’s wrong with iptables? 2

  3. What’s wrong with legacy iptables? IPtables runs into a couple of significant problems: ● Iptables updates must be made by recreating and updating all rules in a single transaction. ● Implements chains of rules as a linked list, so all operations are O(n). ● The standard practice of implementing access control lists (ACLs) as implemented by iptables was to use sequential list of rules. ● It’s based on matching IPs and ports, not aware about L7 protocols. ● Every time you have a new IP or port to match, rules need to be added and the chain changed. ● Has high consumption of resources on Kubernetes. Based on the above mentioned issues under heavy traffic conditions or in a system that has a large number of changes to iptable rules the performance degrades. Measurements show unpredictable latency and reduced performance as the number of services grows. 3

  4. Kubernetes uses iptables for... ● kube-proxy - the component which implements Services and load balancing by DNAT iptables rules ● the most of CNI plugins are using iptables for Network Policies 4

  5. And it ends up like that 5

  6. 6

  7. What is BPF? 7

  8. Linux Network Stack Process Process Process ● The Linux kernel stack is split into multiple abstraction layers. System Call Interface ● Strong userspace API compatibility in Linux for years. Sockets ● This shows how complex the linux kernel is and its years of evolution. TCP UDP Raw ● This cannot be replaced in a short term. Netfilter ● Very hard to bypass the layers. IPv4 IPv6 ● Netfilter module has been supported by linux for more Ethernet than two decades and packet filtering has to applied to packets that moves up and down the stack. Traffic Shaping Netdevice / Drivers OVS . HW Bridge 8

  9. BPF kernel hooks Process Process Process System Call Interface BPF System calls BPF Sockmap and Sockets Sockops TCP UDP Raw Netfilter IPv4 IPv6 BPF cGroups Ethernet BPF TC hooks Traffic Shaping BPF XDP Netdevice / Drivers OVS . HW Bridge 9

  10. Mpps 10

  11. BPF replaces IPtables Local Processes PREROUTING INPUT FORWARD OUTPUT POSTROUTING IPTables Routing Decision netfilter FILTER hooks eBPF TC hooks NAT XDP hooks Routing FILTER FILTER Decision eBPF eBPF Code Code Routing NAT Decision NAT Netdev Netdev (Physical or (Physical or virtual Device) virtual Device) 11

  12. BPF based filtering architecture To Linux From Linux Stack Stack TC/XDP Ingress TC Egress hook hook NetFilter NetFilter Connection Tracking Update Store Ingress [local dst] INGRESS session session Chain CHAIN Label Packet Selector [remote dst] Update FORWARD Store session CHAIN session Label Packet [local src] Update Store Egress Chain OUTPUT session session Selector CHAIN Netdev Label Packet Netdev (Physical or (Physical or virtual Device) virtual Device) [ r e m o t e s r c ] 12

  13. BPF based tail calls LBVS is implemented Each eBPF program is Each eBPF program can exploit a per cpu _array shared across the entire program chain with a chain of eBPF injected only if there are different matching algorithm (e.g., programs, connected rules operating on that exact match, longest prefix match, through tail calls. field. Packet header offsets etc). eBPF Program #1 eBPF Program #2 eBPF Program #3 eBPF Program #N eBPF Tail call Program Search IP1 bitv1 Tail call * bitv1 rule1 act1 Headers IP.dst IP.proto first IP2 bitv2 udp bitv2 rule2 act2 Matching parsing lookup lookup Tail call IP3 bitv3 tcp bitv3 rule3 act3 rule Tail call …. Update rule1 cnt1 counters Bitwise rule2 cnt2 AND bit-vectors ACTION Header parsing is done (drop/ once and results are kept accept) in a shared map for performance reasons Packet out Packet in Bitvector with temporary result To eBPF hook From eBPF hook per cpu _array shared across the entire program chain 13

  14. BPF goes into... ● Load balancers - katran ● perf ● systemd ● Suricata ● Open vSwitch - AF_XDP ● And many many others 14

  15. BPF is used by... 15

  16. Cilium 16 16

  17. What is Cilium? 17

  18. CNI Functionality CNI is a CNCF ( Cloud Native Computing Foundation) project for Linux Containers It consists of specification and libraries for writing plugins. Only care about networking connectivity of containers ● ADD/DEL General container runtime considerations for CNI: The container runtime must ● create a new network namespace for the container before invoking any plugins ● determine the network for the container and add the container to the each network by calling the corresponding plugins for each network ● not invoke parallel operations for the same container. ● order ADD and DEL operations for a container, such that ADD is always eventually followed by a corresponding DEL. ● not call ADD twice ( without a corresponding DEL ) for the same ( network name, container id, name of the interface inside the container). When CNI ADD call is invoked it tries to add the network to the container with respective veth pairs and assigning IP address from the respective IPAM Plugin or using the Host Scope. When CNI DEL call is invoked it tries to remove the container network, release the IP Address to the IPAM Manager and cleans up the veth pairs. 18

  19. Cilium CNI Plugin control Flow Kubernetes API Server Kubectl Kubelet Userspace K8s Pod CRI-Containerd cni-add().. Container2 CNI-Plugin (Cilium) Container1 Cilium Agent bpf_syscall() BPF Maps Linux Kernel Network Stack 000 c1 FE 0A BPF 001 54 45 31 Hook 002 A1 B1 C1 004 32 66 AA Kernel eth0 19

  20. Cilium Components with BPF hook points and BPF maps shown in Linux Stack Orchestrator U CILIUM POD (Control Plane) S VM’s and Containers Apps E R CILIUM CLI CILIUM MONITOR PLUGIN S Cont Cont Cont App VM1 P CILIUM HEALTH NAMESPACE 1 3 2 A CILIUM AGENT DAEMON C CILIUM CILIUM HEALTH E OPERATOR CILIUM HOST_NET BPF Bpf_create_map K s SO_ATTACH_BPF AF-INET AF-RAW (sockmap, E sockopts Virtual B R TCP/UDP Layer N Net P E A BPF-Cilium Devices Bpf_lookup_elements L IP Layer F F BPF-Cont1 - S BPF-Cont2 P X BPF-Cont3 A D m C TC BPF P Queueing and Forwarding E a NETWORK STACK with BPF hook points p Device Driver Build sk_buff XDP s PHYSICAL LAYER ( NETWORK HARDWARE 20

  21. Cilium as CNI Plugin K8s cluster K8s node K8s node K8s pod K8s pod K8s pod container A container B container C eth0 eth0 eth0 lxc0 lxc0 lxc1 Cilium Networking CNI eth0 eth0 21

  22. Networking modes Encapsulation Direct routing Use case: Use case: Cilium handling routing between nodes Using cloud provider routers, using BGP routing daemon Node A Node A V X L A N VXLAN Node B Cloud or BGP VXLAN routing Node B Node C Node C 22

  23. Pod IP Routing - Overlay Routing ( Tunneling mode) 23

  24. Pod IP Routing - Direct Routing Mode 24

  25. L3 filtering – label based, ingress Pod Pod Labels: role=frontend Labels: role=backend IP: 10.0.0.1 IP: 10.0.0.3 allow Pod Pod Labels: role=frontend Labels: role=frontend IP: 10.0.0.2 deny IP: 10.0.0.4 Pod IP: 10.0.0.5 25

  26. L3 filtering – label based, ingress apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow frontends to access backends" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend ingress: - fromEndpoints: - matchLabels: class: frontend 26

  27. L3 filtering – CIDR based, egress Cluster A IP: 10.0.1.1 allow Subnet: 10.0.1.0/24 Pod Labels: role=backend IP: 10.0.0.1 IP: 10.0.2.1 y n e d Subnet: 10.0.2.0/24 Any IP not belonging to 10.0.1.0/24 27

  28. L3 filtering – CIDR based, egress apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow backends to access 10.0.1.0/24" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend egress: - toCIDR: - IP: “10.0.1.0/24” 28

  29. L4 filtering apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow to access backends only on TCP/80" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend ingress: - toPorts: - ports: - port: “80” protocol: “TCP” 29

  30. L4 filtering Pod Labels: role=backend IP: 10.0.0.1 allow TCP/80 deny Any other port 30

  31. L7 filtering – API Aware Security Pod Labels: role=api IP: 10.0.0.1 GET /articles/{id} Pod IP: 10.0.0.5 GET /private 31

  32. L7 filtering – API Aware Security apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "L7 policy to restict access to specific HTTP endpoints" metadata: name: "frontend-backend" endpointSelector: matchLabels: role: backend ingress: - toPorts: - ports: - port: “80” protocol: “TCP” rules: http: - method: "GET" path: "/article/$" 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium project fosdem17, February 4, 2017 Daniel Borkmann eBPF in tcs cls bpf and XDP February 4, 2017 1 / 11 Big Picture: eBPF and Networking eBPF:

476 views • 11 slides
Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika

Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika

Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika Engineering Team Lead Agenda Cloud Native networking CNI Plugin landscape Cilium Overview Policy Overview Policy Enforcement in Cilium

532 views • 12 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

429 views • 39 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

612 views • 45 slides
NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse) Tim(othy) Clark (eclipse) NAT IPv4 Hack One external IP for a whole network Used commonly

732 views • 13 slides
Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham Who knows... Kubernetes Docker Linux iptables Ancient wisdom For survival, your group needs: Leadership

675 views • 21 slides
Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

831 views • 53 slides
Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Linux Firewalls with iptables Concepts Examples Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/iptables-introduction.tex, r715

469 views • 14 slides
eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why eBPF? Target architecture (NFP based NIC) RX Path Flow of eBPF Packet The Flow Processing Core (Fully Programmable) Mapping eBPF -> NFP

668 views • 24 slides
Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

IP Masquerading using iptables Eli Billauer eli billauer@yahoo.com IP Masquerading using iptables p.1 Talks outline iptables versus ipchains The goal (or: my goal) The packets way through iptables Classic masquerading (SNAT)

785 views • 31 slides
TUT1151 Simplifying AI Applications with containers and Kubernetes Glyn Bowden, Chief

TUT1151 Simplifying AI Applications with containers and Kubernetes Glyn Bowden, Chief

TUT1151 Simplifying AI Applications with containers and Kubernetes Glyn Bowden, Chief Architect, AI & Data Science Practice SUSECON 2019 The world is replacing programming with training 23 million developers worldwide 4 in 10 companies

443 views • 21 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

FOSDEM20 Brussels, 2020-02-01 Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q. Monnet eBPF Update 2/18 eBPF Basics New Features eBPF Universe eBPF Basics Q. Monnet

531 views • 18 slides
netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte <laforge@netfilter.org> 1 netfilter/iptables tutorial Contents Day 1 Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP

342 views • 20 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source platform designed to automate deploying , scaling , and operating application containers . Kubernetes v1.0 was released in 2015. It utilizes

916 views • 52 slides
Mixin Up the ML Module System Derek Dreyer and Andreas Rossberg Max Planck Institute for

Mixin Up the ML Module System Derek Dreyer and Andreas Rossberg Max Planck Institute for

Mixin Up the ML Module System Derek Dreyer and Andreas Rossberg Max Planck Institute for Software Systems Saarbrcken, Germany ICFP 2008 Victoria, British Columbia September 24, 2008 The ML Module System Widely used feature of ML

767 views • 38 slides
3 - Namespaces Andreas Pieris and Wolfgang Fischl, Summer term 2016 Outline The Need for

3 - Namespaces Andreas Pieris and Wolfgang Fischl, Summer term 2016 Outline The Need for

Semi-structured Data 3 - Namespaces Andreas Pieris and Wolfgang Fischl, Summer term 2016 Outline The Need for Namespaces Namespace Syntax Default Namespace Multiple Namespaces A Common Problem Merging of XML

533 views • 13 slides
Building a Distributed Data Access Layer for Analytics on Any Cloud Bin Fan | Founding Engineer

Building a Distributed Data Access Layer for Analytics on Any Cloud Bin Fan | Founding Engineer

Building a Distributed Data Access Layer for Analytics on Any Cloud Bin Fan | Founding Engineer & VP Open Source | Alluxio binfan@alluxio.com About Me @binfan binfan@alluxio.com The journey to a fragmented data world More data More

474 views • 30 slides
Building Data Orchestration for Big Data Analytics in the Cloud Bin Fan | Founding Engineer |

Building Data Orchestration for Big Data Analytics in the Cloud Bin Fan | Founding Engineer |

Building Data Orchestration for Big Data Analytics in the Cloud Bin Fan | Founding Engineer | Alluxio binfan@alluxio.com 07/17/2019 About Me @binfan binfan@alluxio.com @apc999 Founding Engineer & Open Source Maintainer | Alluxio The

869 views • 34 slides
Monitoring Kubernetes with Prometheus Henri Dubois-Ferriere @henridf Percona Live, 2018-11-06

Monitoring Kubernetes with Prometheus Henri Dubois-Ferriere @henridf Percona Live, 2018-11-06

Monitoring Kubernetes with Prometheus Henri Dubois-Ferriere @henridf Percona Live, 2018-11-06 Hello. Henri Dubois-Ferriere Technical Director, Sysdig Doing observability for many many years, from network to web apps via many startups.

899 views • 35 slides
An OpenAFS Site Report Code Name Sunrise Ralf Brunckhorst Michael Meffie (SNA) June 19, 2019

An OpenAFS Site Report Code Name Sunrise Ralf Brunckhorst Michael Meffie (SNA) June 19, 2019

An OpenAFS Site Report Code Name Sunrise Ralf Brunckhorst Michael Meffie (SNA) June 19, 2019 An OpenAFS Site Report 1 of 21 History of AFS at Sunrise 1999 AFS was introduced at one site in Sweden. 2000s More sites were added. 2006 AFS

363 views • 21 slides
using namespace cln; 756482337867831652712019091456485669234603486104543266482133936072602491412

using namespace cln; 756482337867831652712019091456485669234603486104543266482133936072602491412

3 .1415926535897932384626433832795028841971693993751058209749445923078164062 862089986280348253421170679821480865132823066470938446095505822317253594081 284811174502841027019385211055596446229489549303819644288109756659334461284 using namespace

632 views • 20 slides
Architecture of the CORBA Component Model C++ Language Mapping: Data Types Requirements

Architecture of the CORBA Component Model C++ Language Mapping: Data Types Requirements

Architecture of the CORBA Component Model C++ Language Mapping: Data Types Requirements Intuitive and easy to use. Preserve commonly used C++ idioms, and feel like normal C++ as much as possible. Should be type-safe. Should be efficient

1.19k views • 41 slides

More recommend