SLIDE 1
Cloud Native Networking with eBPF

Technical Track Presentation

Raymond Maika

Engineering Team Lead

SLIDE 2: Agenda
  • Cloud Native networking
  • CNI Plugin landscape
  • Cilium Overview
  • Policy Overview
  • Policy Enforcement in Cilium
  • Demo

SLIDE 3: Cloud Native Networking
  • Primarily based on standards set by the Container Network Interface (CNI)
  • The CNI spec is lightweight; it only describes the following:
    • Action and arguments to add a container to a network
    • Action and arguments to remove a container from a network
  • A project that implements the spec is a CNI plugin

SLIDE 4: CNI Plugin Landscape
  • Routed networks
  • VXLAN overlays
  • Advanced features

SLIDE 5: Cilium Overview
  • Cilium implements the CNI spec using eBPF and XDP
    • eBPF = extended Berkeley Packet Filter
    • XDP = eXpress Data Path
  • XDP lets Cilium attach to a physical interface as close to the hardware as possible
  • BPF programs allow highly efficient packet processing with kernel-layer programs
  • Cilium loads endpoint/IP maps into BPF maps for fast access in the kernel by BPF programs

Reference: http://docs.cilium.io/en/stable/bpf/

SLIDE 6: eBPF Overview
  • eBPF is an enhancement to the original BPF implementation
  • Relevant features from the original BPF:
    • A BPF virtual machine that uses a RISC-style instruction set
    • A buffer model used to capture and filter packets from an interface
  • eBPF keeps the filtering features of BPF and adds:
    • An instruction set that maps closely onto x86/arm
    • A JIT compiler in the Linux kernel
    • An LLVM backend that compiles to BPF bytecode

Sources: http://docs.cilium.io/en/stable/bpf/ https://www.kernel.org/doc/Documentation/networking/filter.txt

SLIDE 7: XDP with eBPF

Source: https://www.iovisor.org/technology/xdp

SLIDE 8: Kubernetes (K8s) Network Policy
  • K8s NetworkPolicy objects support both Ingress and Egress policies
  • Policies can use any combination of the following to select which traffic can access an endpoint:
    • Pod/Namespace selectors (k8s label-based)
    • IPBlocks (CIDR notation)
    • Destination ports at the endpoint

Reference:
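As an added example (not from the slides), the following NetworkPolicy combines every selector type listed above: pod selectors, a namespace selector combined with a pod selector, an IP block with an exception, destination ports, and an egress section. All namespace names, labels, ports and CIDRs are constructed for illustration; the `kubernetes.io/metadata.name` namespace label is assumed to be present (Kubernetes sets it automatically on recent versions).

```yaml
# Added example (not from the slides): a Kubernetes NetworkPolicy that
# combines the selectors listed on the slide. Names, labels, ports and
# CIDRs are constructed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-server-policy
  namespace: shop                       # constructed namespace
spec:
  # The pods this policy applies to (the "endpoint" on the slide).
  podSelector:
    matchLabels:
      app: api-server
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Rule 1: pods labelled role=frontend in the same namespace,
    # and only to TCP/8080.
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080
    # Rule 2: namespaceSelector AND podSelector in the same list entry
    # means "prometheus pods in namespaces labelled team=monitoring".
    # Two separate entries would be OR instead.
    - from:
        - namespaceSelector:
            matchLabels:
              team: monitoring
          podSelector:
            matchLabels:
              app: prometheus
      ports:
        - protocol: TCP
          port: 9090                    # constructed metrics port
    # Rule 3: an IP block in CIDR notation with a carved-out exception.
    - from:
        - ipBlock:
            cidr: 10.20.0.0/16          # constructed office range
            except:
              - 10.20.99.0/24           # constructed: guest subnet
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow DNS only to the cluster DNS pods ...
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # ... and the database tier on its service port.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
```

Two points worth checking when reviewing a policy like this: NetworkPolicy is allow-list only, so once a pod is selected by any policy that lists a policyType, every flow of that type not matched by some rule is dropped (including DNS, which is why the egress section allows it explicitly); and the API object is accepted by any cluster, but it is only enforced if the CNI plugin implements NetworkPolicy, which Cilium does.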

SLIDE 9: Cilium Policy Enforcement

Reference: https://github.com/cilium/cilium

SLIDE 10: Demo

SLIDE 11: Additional Cilium Policy (L7 features)
  • HTTP policy matching based on:
    • Path
    • Method (GET, POST, PUT, PATCH, DELETE, etc.)
    • Host
    • Headers
  • Kafka policy matching based on:
    • Role
    • APIKey/APIVersion
    • ClientID
    • Topic

Source: https://cilium.io/
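As an added example (not from the slides and not from the Cilium project), the CiliumNetworkPolicy below uses the L7 matchers listed above: HTTP rules on path, method, host and headers, and Kafka rules on role, apiKey, clientID and topic. Namespace, labels, hostnames, paths, header values, ports and topic names are all constructed for illustration.

```yaml
# Added example (not from the slides or the Cilium project): a
# CiliumNetworkPolicy using the L7 HTTP and Kafka matchers on the slide.
# Labels, hosts, paths, headers, ports and topics are constructed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-api-and-kafka
  namespace: shop                        # constructed namespace
specs:
  # Spec 1: HTTP rules in front of the api-server pods.
  - endpointSelector:
      matchLabels:
        app: api-server
    ingress:
      - fromEndpoints:
          - matchLabels:
              role: frontend
        toPorts:
          - ports:
              - port: "8080"
                protocol: TCP
            rules:
              http:
                # Read-only access to the product catalogue.
                - method: "GET"
                  path: "/v1/products/.*"     # path is a regular expression
                  host: "api.shop.internal"   # constructed host
                # Order creation only when a marker header is present.
                - method: "POST"
                  path: "/v1/orders"
                  headers:
                    - "X-Request-Source: checkout"   # constructed header
  # Spec 2: Kafka rules in front of the broker pods.
  - endpointSelector:
      matchLabels:
        app: kafka
    ingress:
      # The order service may only produce to one topic.
      - fromEndpoints:
          - matchLabels:
              app: order-service
        toPorts:
          - ports:
              - port: "9092"
                protocol: TCP
            rules:
              kafka:
                - role: "produce"
                  topic: "orders"
                  clientID: "order-service"  # constructed client id
      # Billing may only fetch from that topic (explicit apiKey form).
      - fromEndpoints:
          - matchLabels:
              app: billing
        toPorts:
          - ports:
              - port: "9092"
                protocol: TCP
            rules:
              kafka:
                - apiKey: "fetch"
                  topic: "orders"
```

Within one `http` or `kafka` list the entries are alternatives: a request is allowed if it matches any of them, and all fields inside a single entry must match together. Because these flows are redirected through Cilium's L7 proxy, a request that passes the L3/L4 rule but matches no L7 entry is answered with an HTTP 403 rather than silently dropped, and the proxy's access log records the verdict, which is what you would look at when checking that a policy does what you intended.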

SLIDE 12: Additional Cilium Policy (L7 features)

Source: https://cilium.io/