scaling container policy management with kernel features
play

Scaling container policy management with kernel features Joe - PowerPoint PPT Presentation

Apr 14, 2023 •290 likes •831 views

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

  1. Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29

  2. Overview 1 Background 2 Deploying fast datapaths fast 3 Identity-based security 4 Layer 7 security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 2 / 29

  3. Background Kubernetes Architecture 101 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 3 / 29

  4. Background Kubernetes networking plugins Plumb local connectivity (CNI) Connect remote nodes Services / loadbalancing Network policy https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/ Joe Stringer Scaling container policy with eBPF Sep 11, 2019 4 / 29

  5. Background Cilium Agent runs on each node Native eBPF dataplane Identity-based security Scalable Joe Stringer Scaling container policy with eBPF Sep 11, 2019 5 / 29

  6. Background What does it mean to scale? Manage cluster interactions Minimize unnecessary events Reduce event sizes ... Optimize work within the node Apply datapath changes efficiently https://cilium.io/blog/2019/04/24/cilium-15 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 6 / 29

  7. Deploying fast datapaths fast Joe Stringer Scaling container policy with eBPF Sep 11, 2019 7 / 29

  8. Deploying fast datapaths fast BPF plumbing Joe Stringer Scaling container policy with eBPF Sep 11, 2019 8 / 29

  9. Deploying fast datapaths fast ELF Templating Joe Stringer Scaling container policy with eBPF Sep 11, 2019 9 / 29

  10. Deploying fast datapaths fast 1K nodes: Scaling to 60k pods Joe Stringer Scaling container policy with eBPF Sep 11, 2019 10 / 29

  11. Deploying fast datapaths fast Future directions Optimize verifier execution: O ( n ) → O (1) Support code path templatization Joe Stringer Scaling container policy with eBPF Sep 11, 2019 11 / 29

  12. Identity-based security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 12 / 29

  13. Identity-based security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 13 / 29

  14. Identity-based security Policy example a p i V e r s i o n : "cilium.io/v2" kind: CiliumNetworkPolicy d e s c r i p t i o n : "Restrict deathstar access to empire ships" metadata: name: "deathstar -ingress" spec: e n d p o i n t S e l e c t o r : matchLabels: org: empire c l a s s : d e a t h s t a r i n g r e s s : - fromEndpoints: - matchLabels: org: empire toPorts: - p o r t s : - port: "80" p r o t o c o l : TCP https://docs.cilium.io/en/stable/gettingstarted/http/ Joe Stringer Scaling container policy with eBPF Sep 11, 2019 14 / 29

  15. Identity-based security Label selectors 12345 {org:empire, class:deathstar} 12468 {org:empire, class:tiefighter} 12465 {org:alliance, class:xwing} 12345 {org:empire, class:deathstar} matchLabels: org: empire 12468 {org:empire, class:tiefighter} matchLabels: 12345 {org:empire, class:deathstar} org: empire class: deathstar https://cilium.io/blog/2019/08/20/cilium-16 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 15 / 29

  16. Identity-based security Datapath Configuration: Ingress Joe Stringer Scaling container policy with eBPF Sep 11, 2019 16 / 29

  17. Identity-based security Datapath Configuration: Egress Joe Stringer Scaling container policy with eBPF Sep 11, 2019 17 / 29

  18. Identity-based security Datapath Configuration: Egress Joe Stringer Scaling container policy with eBPF Sep 11, 2019 17 / 29

  19. Layer 7 security Joe Stringer Scaling container policy with eBPF Sep 11, 2019 18 / 29

  20. Layer 7 security L7 is the new L4 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 19 / 29

  21. Layer 7 security Rejecting traffic in a protocol-aware manner Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  22. Layer 7 security Rejecting traffic in a protocol-aware manner Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  23. Layer 7 security Rejecting traffic in a protocol-aware manner Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  24. Layer 7 security Rejecting traffic in a protocol-aware manner cilium-agent –http-403-msg="..." Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  25. Layer 7 security Rejecting traffic in a protocol-aware manner cilium-agent –http-403-msg="..." Joe Stringer Scaling container policy with eBPF Sep 11, 2019 20 / 29

  26. Layer 7 security Datapath Configuration: L3 flow Joe Stringer Scaling container policy with eBPF Sep 11, 2019 21 / 29

  27. Layer 7 security Datapath Configuration: L7 flow Joe Stringer Scaling container policy with eBPF Sep 11, 2019 22 / 29

  28. Layer 7 security Datapath Configuration: L7 flow Joe Stringer Scaling container policy with eBPF Sep 11, 2019 22 / 29

  29. Layer 7 security L7 Configuration: Past Per-endpoint configuration A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  30. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  31. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  32. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  33. Layer 7 security L7 Configuration: Past A: 192.0.2.3:33333 ; B: 192.0.2.4:80 ; L: 192.0.2.1:12345 Joe Stringer Scaling container policy with eBPF Sep 11, 2019 23 / 29

  34. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  35. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  36. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  37. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  38. Layer 7 security L7 Configuration: Present Joe Stringer Scaling container policy with eBPF Sep 11, 2019 24 / 29

  39. Layer 7 security L7 Configuration: Proposal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 25 / 29

  40. Layer 7 security L7 Configuration: Proposal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 25 / 29

  41. Layer 7 security L7 Configuration: Socket redirect Joe Stringer Scaling container policy with eBPF Sep 11, 2019 26 / 29

  42. Layer 7 security Socket assign: Hiccup BPF progs are attached at TC ingress skb_orphan() invoked directly before PREROUTING 1 https://www.mail-archive.com/netdev@vger.kernel.org/msg303851.html 2 https://www.mail-archive.com/netdev@vger.kernel.org/msg304057.html Joe Stringer Scaling container policy with eBPF Sep 11, 2019 27 / 29

  43. Layer 7 security Socket assign: Hiccup BPF progs are attached at TC ingress skb_orphan() invoked directly before PREROUTING TC folks are already carrying hacks for this 1 1 https://www.mail-archive.com/netdev@vger.kernel.org/msg303851.html 2 https://www.mail-archive.com/netdev@vger.kernel.org/msg304057.html Joe Stringer Scaling container policy with eBPF Sep 11, 2019 27 / 29

  44. Layer 7 security Socket assign: Hiccup BPF progs are attached at TC ingress skb_orphan() invoked directly before PREROUTING TC folks are already carrying hacks for this 1 Just move to ____dev_forward_skb() 2 ? 1 https://www.mail-archive.com/netdev@vger.kernel.org/msg303851.html 2 https://www.mail-archive.com/netdev@vger.kernel.org/msg304057.html Joe Stringer Scaling container policy with eBPF Sep 11, 2019 27 / 29

  45. Layer 7 security Summary Minimize processing cost Number of events Cost for each event Separate concerns: Policy vs addressing Frontload expensive operations ... while keeping runtime costs low Joe Stringer Scaling container policy with eBPF Sep 11, 2019 28 / 29

  46. Thank you More information https://cilium.io https://cilium.io/slack https://github.com/cilium/cilium https://twitter.com/ciliumproject Joe Stringer Scaling container policy with eBPF Sep 11, 2019 29 / 29

  47. Thank you More information https://cilium.io https://cilium.io/slack https://github.com/cilium/cilium https://twitter.com/ciliumproject Joe Stringer Scaling container policy with eBPF Sep 11, 2019 29 / 29

  48. Socket redirect Joe Stringer Scaling container policy with eBPF Sep 11, 2019 30 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM,

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM,

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM, 2019 Brussels, Belgium Christian Brauner christian@brauner.io christian.brauner@ubuntu.com @brau_ner https://brauner.io/ 4.15: Bump Limit of

810 views • 12 slides
State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container runs its own kernel uses the host kernel user-space user-space vm user-space container user-space vm kernel host kernel host kernel

833 views • 26 slides
K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units

566 views • 45 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the speakers and team Follow along - @sargun @tomaszbak_ca @fabiokung @aspyker @amit_joshee @anwleung 2 Netflixs container management platform

808 views • 44 slides
Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick:

Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick:

Quadrature-based Features for Kernel Approximation Marina Munkhoeva , Yermek Kapushev, Evgeny Burnaev, Ivan Oseledets Skoltech Skolkovo Institute of Science and Technology Kernel Methods Refresher Kernel trick: compute

1.01k views • 17 slides
Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

521 views • 30 slides
Control Theory In Container Orchestration Vallery Lancey Lead DevOps Engineer, Checkfront

Control Theory In Container Orchestration Vallery Lancey Lead DevOps Engineer, Checkfront

Control Theory In Container Orchestration Vallery Lancey Lead DevOps Engineer, Checkfront Container Orchestration Fundamentals @vllry Goals of Container Management Reproducibility. Cohabitation. Auto-management of instances.

958 views • 48 slides
Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D. cl@linux.com Collaboration Summit, Napa Valley, 2014 Non Uniform Memory access in the Linux Kernel Memory is segmented into nodes so that

518 views • 12 slides
Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST) Kuniyasu Suzaki 1 Contents Background of BMC Drawbacks of container, general kernel, and accounting. What is BMC? Current

837 views • 34 slides
advance the scaling agenda David J Spielman International Food Policy Research Institute What is

advance the scaling agenda David J Spielman International Food Policy Research Institute What is

Public policy solutions to advance the scaling agenda David J Spielman International Food Policy Research Institute What is the scaling agenda? A global consensus A wealth of novel science Zero tillage Zai planting pits Perennial

543 views • 10 slides
So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling

So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling

So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling Efforts System management Opera/ng system Programming environment PreAcceptance Work HW stabiliza/on & early scaling

390 views • 19 slides
CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY

CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY

10.1 CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY 10.3 User vs. Kernel Mode Kernel mode is a special processor mode for executing trusted (OS) code Certain features/privileges (such

936 views • 38 slides
Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of

Mark Pagel pags@cray.com New features in XT MPT 3.1 and MPT 3.2 Features as a result of scaling to 150K MPI ranks MPI-IO Improvements(MPT 3.1 and MPT 3.2) SMP aware collective improvements(MPT 3.2) Misc Features (MPT 3.1)

694 views • 33 slides
Quality Management of Quality Management of Contracts Contracts Vigilance Perspective By: CVO

Quality Management of Quality Management of Contracts Contracts Vigilance Perspective By: CVO

Container Corporation of India Ltd. Container Corporation of India Ltd. Quality Management of Quality Management of Contracts Contracts Vigilance Perspective By: CVO 27 th March 2015 Think Container Think CONCOR 1 WHAT IS CONTRACT? WHAT

822 views • 27 slides
Large-scale Graph Mining @ Google NY Vahab Mirrokni Google Research New York, NY DIMACS

Large-scale Graph Mining @ Google NY Vahab Mirrokni Google Research New York, NY DIMACS

Large-scale Graph Mining @ Google NY Vahab Mirrokni Google Research New York, NY DIMACS Workshop Large-scale graph mining Many applications Friend suggestions Recommendation systems Security Advertising Benefits Big data available Rich

822 views • 71 slides
Classifier Inspired Scaling for Training Set Selection Walter Bennette DISTRIBUTION A: Approved

Classifier Inspired Scaling for Training Set Selection Walter Bennette DISTRIBUTION A: Approved

Classifier Inspired Scaling for Training Set Selection Walter Bennette DISTRIBUTION A: Approved for public release: distribution unlimited: 16 May 2016. Case #88ABW-2016- 2511 Outline Instance-based classification Training set

609 views • 46 slides
Scaled Machine Learning at Matroid Reza Zadeh @Reza_Zadeh | http://reza-zadeh.com Machine Learning

Scaled Machine Learning at Matroid Reza Zadeh @Reza_Zadeh | http://reza-zadeh.com Machine Learning

Scaled Machine Learning at Matroid Reza Zadeh @Reza_Zadeh | http://reza-zadeh.com Machine Learning Pipeline Learning Replicate Algorithm model Data Trained Serve Model Model Repeat entire pipeline Scaling Machine Learning Datasets and

890 views • 21 slides
disordered field theories Ofer Aharony Weizmann Institute of Science CRM-PCTS workshop, October

disordered field theories Ofer Aharony Weizmann Institute of Science CRM-PCTS workshop, October

Renormalization group flows in disordered field theories Ofer Aharony Weizmann Institute of Science CRM-PCTS workshop, October 4, 2018 Based on the papers 1803.08529,1803.08534 with Vladimir Narovlansky Disorder In QFT we like to assume

483 views • 34 slides
Scaling Methodology Scaling Methodology Dan Smith Director HW Engineering dsmith@nvidia.com

Scaling Methodology Scaling Methodology Dan Smith Director HW Engineering dsmith@nvidia.com

EDP- -2002 2002 EDP Scaling Methodology Scaling Methodology Dan Smith Director HW Engineering dsmith@nvidia.com Introduction NVIDIA NVIDIAs growth Methodology Group NVIDIAs methodology beginnings How the methodology has changed

135 views • 13 slides
Scaling the Practical Education Experience Joel Sommers Andrew Moore Colgate University

Scaling the Practical Education Experience Joel Sommers Andrew Moore Colgate University

Scaling the Practical Education Experience Joel Sommers Andrew Moore Colgate University University of Cambridge jsommers@colgate.edu andrew.moore@cl.cam.ac.uk Motivation Many tools, environments, and approaches developed for practical,

349 views • 7 slides
Platforms and Algorithms for Big Data Analytics Chandan K. Reddy Department of Computer Science

Platforms and Algorithms for Big Data Analytics Chandan K. Reddy Department of Computer Science

Platforms and Algorithms for Big Data Analytics Chandan K. Reddy Department of Computer Science Wayne State University http://www.cs.wayne.edu/~reddy/ http://dmkd.cs.wayne.edu/TUTORIAL/Bigdata/ What is Big Data? A collection of large and

1.28k views • 89 slides
Finite-size scaling For a system of length L, the correlation length Express divergent quantities

Finite-size scaling For a system of length L, the correlation length Express divergent quantities

Finite-size scaling For a system of length L, the correlation length Express divergent quantities in terms of correlation length, e.g., The largest value is obtained by substituting At what T does the maximum occur? The peak position of a

427 views • 14 slides

More recommend