СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see how it works with Istio» Lviv DevOps Conference 2019
Download as PPTX, PDF1 like68 views
The document discusses Cilium, a network security solution for microservices that integrates with Istio and leverages BPF for enhanced performance and visibility. It details features such as identity-based security, multi-cluster connectivity, and the limitations of various Cilium map types. Additionally, it highlights Cilium's role as a CNI plugin and its capabilities in service mesh integration and load balancing.
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see how it works with Istio» Lviv DevOps Conference 2019
- 1. Cilium - Network security for microservices. Let's see how it works with Istio. by Stanislav Kolenkin
- 2. Introduction 2 BPF - Next Generation Datapath • Replaces iptables, fast, flexible, powerful • Packet, API, process visibility Cloud Native security • Identity-based • API & DNS Aware Servicemesh Integration • Uses Envoy and co-operates with Istio • Secures and accelerates sidecar proxies Multi cluster and Multi Cloud • Connects multiple clusters across providers
- 3. BPF 3
- 4. BPF 4
- 5. BPF BPF is revolutionizing: • Tracing/Profiling • Networking • Security 5
- 6. BPF 6
- 7. BPF 7
- 8. BPF 8
- 9. BPF 9
- 10. BPF 10
- 11. BPF 11
- 12. 12
- 13. BPF 13
- 14. BPF 14
- 15. BPF Map Limitation in Cilium 15 Map Name Scope Default Limit Scale Implications Connection Tracking node or endpoint 1M TCP/256K UDP Max 1M concurrent TCP connections, max 256K expected UDP answers Endpoints node 64k Max 64k local endpoints + host IPs per node IP cache node 512K Max 256K endpoints (IPv4+IPv6), max 512k endpoints (IPv4 or IPv6) across all clusters Load Balancer node 64k Max 64k cumulative backends across all services across all clusters Policy endpoint 16k Max 16k allowed identity + port + protocol pairs for specific endpoint Proxy Map node 512k Max 512k concurrent redirected TCP connections to proxy Tunnel node 64k Max 32k nodes (IPv4+IPv6) or 64k nodes (IPv4 or IPv6) across all clusters
- 16. Cilium 16
- 17. Cilium as CNI Plugin 17
- 18. Cilium as CNI Plugin 18
- 19. LB: Kubernetes Service Implementation 19
- 20. Kubernetes Iptables Rules Overview 20
- 21. Kubernetes Iptables Rules Overview 21
- 22. Tradition API Unaware security 22
- 25. Cluster mesh 25
- 26. Cluster mesh use cases: High Availability 26
- 27. Cluster mesh use cases: Shared Services 27
- 28. Cluster mesh use cases: Splitting Stateful and Stateless services 28
- 32. Transparent Sidecar Injection with Cilium 33
- 34. Cilium sumary 36 • CNI and CMM plugin − Kubernetes, Docker, Mesos • Security − Secures ingress, east-west, and egress − Label, DNS or CIDR based. Identity enforcement. − API aware (HTTP, Kafka, gRPC) • Load-balancing • Servicemesh integration • Multi cluster / Multi Cloud Provider − Connect multiple clusters with label based policy enforcement
- 35. Thank you for your attention! Questions?