Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
12 likes2,958 views
Cilium provides API-aware networking and security for microservices using BPF and XDP, replacing traditional mechanisms like iptables with a faster and more flexible solution. It integrates with service meshes and supports multi-cluster and multi-cloud connectivity, ensuring security through identity-based policies. Cilium also enhances performance with BPF-based load balancing and API-aware security for applications in various deployment environments, including Kubernetes.
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
- 1. Cilium API Aware Networking & Network Security for Microservices using BPF & XDP
- 2. FUNDAMENTALS • BPF – Next Generation Datapath – Replaces iptables, fast, flexible, powerful – Packet, API, process visibility • Cloud Native Security – Identity-based – API & DNS Aware • Servicemesh Integration – Uses Envoy and co-operates with Istio – Secures and accelerates sidecar proxies • Multi Cluster and Multi Cloud – Connects multiple clusters across providers
- 6. BPF/XDP Load Balancing 10x performance over IPVS
- 12. Networking
- 13. Cilium as CNI Plugin
- 14. Networking Model: Encapsulation or Direct Routing Mode I: Encapsulation Mode II: Direct Routing Node 1 Node 2 Node 3 L3 Network Integrations: • Cloud routers • kube-router, BIRD, … • No further dependencies Node 1 Node 2 Node 3 VXLAN VXLAN VXLAN
- 15. Load Balancing
- 16. BPF-based iptables kube-proxy Kubernetes Services Implementation • Linear List • All rules have to be replaced as a whole • Per-CPU Hash table
- 17. Security
- 18. Pod barL3/L4 GET /healthz GET /jobs/{id} GET /applicants/{job-id} POST /jobs API exposed exposed exposed GET /jobs/331 Traditional API Unaware Security Pod foo GET /jobs/{id} TLS Allow foo to bar on port 80
- 19. L3/L4 GET /healthz GET /jobs/{id} GET /applicants/{job-id} POST /jobs API GET /jobs/331 API Aware Security GET /jobs/{id} Allow GET /jobs/.* from identity foo TLS Pod barPod foo
- 20. Identity based security 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.1.5 1.1.1.6 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 Allow ToAllow To
- 23. Cluster Mesh
- 25. • Telemetry (Tracing) • Retries • Load Balancing (HTTP/L7) • Mutual TLS • Authorization • …
- 31. Cilium Summary • CNI and CMM plugin • Kubernetes, Docker, Mesos • Security • Secures ingress, east-west, and egress. • Label, DNS, or CIDR based. Identity enforcement. • API aware (HTTP, Kafka, gRPC) • Load-balancing • Servicemesh integration • Multi Cluster / Multi Cloud Provider • Connect multiple clusters with label based policy enforcement
- 32. @ciliumproject http://github.com/cilium/cilium Thank You! Q&A Getting Started: http://cilium.io/try