Information Classification: General
#ContainerWorld
@ContainerWrld
https://tmt.knect365.com/container-world/
BPF: Bringing Linux to the Microservices Era
Dan Wendlandt
Co-founder / CEO
Isovalent
Who am I?
A New Microservices Stack is Emerging

(Diagram: App1, App2 and App3 running on Kubernetes and Istio, with BPF added to the stack.)
What is BPF / eBPF?

Highly efficient sandboxed virtual machine in the Linux kernel.
Making the Linux kernel programmable at native execution speed.

Origins in the humble “tcpdump”: Berkeley Packet Filter

tcpdump -n dst host 192.168.1.1
Why BPF?

OS kernel functionality is traditionally general purpose and static…
… Linux BPF enables rich expressiveness in describing new kernel behavior.
BPF: The How

(Diagram: a BPF-aware tool and an app workload in userspace; in the kernel, eth0, a connect(…) call, a BPF program of type SOCK_FILTER, and BPF maps.)

1. The BPF-aware tool creates custom logic as pseudo C code, to be run at a specific BPF trace point.
2. Compiles to BPF byte code.
3. Loads byte code into the kernel using the bpf() syscall.
4. Kernel verifies safety of code, JIT-compiles it for native performance.
5. BPF program executes each time the trace point is invoked. Can modify kernel data (e.g., modify/drop packets).
BPF maps: highly efficient communication of data between kernel and userspace.
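The create / verify / execute flow on this slide, as an added example (written for this page, not code from the talk or from the Linux kernel): a miniature classic-BPF-style engine in Python. It has a simplified instruction set, a verifier that enforces the properties a loader checks before any packet is seen (bounded length, forward-only in-range jumps so no loops, every path ends in a return, packet loads bounds-checked at run time), and an interpreter run once per frame. The program is the IPv4 branch of `tcpdump -n dst host 192.168.1.1` hand-assembled against Ethernet offsets; the opcode names, the `Insn` encoding and the constructed frames are assumptions of the example, not the kernel's format.

```python
"""A miniature classic-BPF-style filter engine (added example, not kernel code).

A program is a list of instructions, verified for safety before it is "loaded",
then executed once per packet. The opcode names and encoding are simplified
assumptions, not the real kernel format.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    op: str      # "ldh" (load 2 bytes), "ld" (load 4 bytes), "jeq", "ret"
    k: int = 0   # packet offset for loads, compare value for jeq, return value for ret
    jt: int = 0  # relative jump if A == k
    jf: int = 0  # relative jump otherwise


def verify(prog):
    """Static checks a loader performs before any packet is seen. Raises ValueError."""
    n = len(prog)
    if not 0 < n <= 4096:
        raise ValueError("program empty or too large")
    for i, ins in enumerate(prog):
        if ins.op == "jeq":
            for tgt in (i + 1 + ins.jt, i + 1 + ins.jf):
                if not (i < tgt < n):   # forward-only and in range: no loops, no escape
                    raise ValueError(f"insn {i}: jump target {tgt} out of range")
        elif ins.op in ("ldh", "ld"):
            if ins.k < 0:
                raise ValueError(f"insn {i}: negative packet offset")
        elif ins.op != "ret":
            raise ValueError(f"insn {i}: unknown opcode {ins.op!r}")
    if prog[-1].op != "ret":
        raise ValueError("program can fall off the end without returning")
    return True


def is_safe(prog):
    """True if the verifier accepts the program, False if it rejects it."""
    try:
        return verify(prog)
    except ValueError:
        return False


def run(prog, pkt):
    """Execute a verified program on one packet; returns the RET value (0 = drop)."""
    a, pc = 0, 0
    while True:
        ins = prog[pc]
        if ins.op in ("ldh", "ld"):
            width = 2 if ins.op == "ldh" else 4
            if ins.k + width > len(pkt):
                return 0                       # out-of-bounds load aborts with "drop"
            a = struct.unpack_from("!H" if width == 2 else "!I", pkt, ins.k)[0]
            pc += 1
        elif ins.op == "jeq":
            pc += 1 + (ins.jt if a == ins.k else ins.jf)
        else:                                  # ret
            return ins.k


def load(prog):
    """Like the bpf() load step: verify first, then hand back something runnable."""
    verify(prog)
    return lambda pkt: run(prog, pkt)


# Hand-assembled IPv4 branch of `tcpdump -n dst host 192.168.1.1` on Ethernet:
# check the EtherType at offset 12, then the IPv4 destination at offset 14 + 16 = 30.
DST_HOST_192_168_1_1 = [
    Insn("ldh", 12),                       # 0: A = EtherType
    Insn("jeq", 0x0800, jt=0, jf=3),       # 1: IPv4? fall through : goto 5 (drop)
    Insn("ld", 30),                        # 2: A = IPv4 destination address
    Insn("jeq", 0xC0A80101, jt=0, jf=1),   # 3: 192.168.1.1? goto 4 : goto 5
    Insn("ret", 0xFFFF),                   # 4: accept
    Insn("ret", 0),                        # 5: drop
]


def ipv4_frame(dst_ip, src_ip="10.0.0.5"):
    """Constructed Ethernet/IPv4 frame (zeroed MACs, no payload) for testing."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


def filter_frames(frames, prog=DST_HOST_192_168_1_1):
    """Load once, run per frame; returns True (accept) / False (drop) per frame."""
    fn = load(prog)
    return [fn(f) > 0 for f in frames]


if __name__ == "__main__":
    arp = bytes(12) + b"\x08\x06" + bytes(28)          # non-IPv4 EtherType
    truncated = ipv4_frame("192.168.1.1")[:20]         # cut before the destination field
    print(filter_frames([ipv4_frame("192.168.1.1"), ipv4_frame("10.1.2.3"), arp, truncated]))
```

The truncated frame shows the run-time half of the sandbox: the static verifier cannot know packet lengths, so the out-of-bounds load is turned into a drop instead of a read past the buffer.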
BPF Tech Adoption

(Four adopters, shown as logos on the slide, each with its BPF use cases and a reference link.)

● L3-L4 Load balancing
● Network security
● Traffic optimization
● Profiling
https://code.fb.com/open-source/linux/

● QoS & Traffic optimization
● Network Security
● Profiling
http://vger.kernel.org/lpc-bpf2018.html#session-1

● Replacing iptables with BPF
● NFV & Load balancing (XDP)
● Profiling & Tracing
https://goo.gl/6JYYJW

● Performance Troubleshooting
● Tracing & Systems Monitoring
● Networking
http://www.brendangregg.com/blog/2016-03-05/linux-bpf-superpowers.html

Learn More: http://docs.cilium.io/en/latest/bpf
Cilium: BPF-Powered Networking & Security for Kubernetes
How Cilium Uses BPF

(Diagram: Cilium in userspace beside the app workload in a Kubernetes pod; in the kernel, eth0, a connect(…) call, a BPF program of type SCHED_CLS, and BPF maps. Cilium reads Workload Identity, Service Mappings and Network Policy from the Kubernetes API.)

Cilium-generated BPF programs control:
• Pod-to-Pod Network Connectivity.
• Service-based Load-balancing.
• Network Visibility and Security Enforcement.
Why Cilium/BPF for Kubernetes?

Linux networking & security core has changed little in 20 years…

Not designed for scale / rapid change:
• Modifying rules is extremely expensive.
• Long rule sets ➔ linear traversals.

Limited to packet-layer:
• IP addresses, not service identity.
• TCP/UDP ports, not API calls.
K8s Label-aware Security/Visibility

(Diagram: a Pod with role=frontend sends HTTP GET / to a Pod with role=backend and is allowed; a Pod with role=other sends HTTP GET / to the same backend and is denied.)

Label-based Security Policy:

endpointSelector:
  matchLabels:
    role: backend
ingress:
- fromEndpoints:
  - matchLabels:
      role: frontend

Label-based Security Visibility Logs:

23:15:01: allow: role=frontend → role=backend
23:16:34: deny: role=other → role=backend
…
DNS-aware Security

(Diagram, allowed case: the Pod asks the DNS server for foo.domain.com and receives 18.1.1.1; its HTTP GET / to 18.1.1.1 is answered with 200 OK.)
(Diagram, dropped case: the Pod asks the DNS server for www.leaker.com and receives 20.1.1.1; its HTTP GET / to 20.1.1.1 is dropped.)

egress:
- toFQDNs:
  - matchPattern: "*.domain.com"
  toPorts:
  - ports:
    - port: '443'
      protocol: TCP
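The two policy slides above (label-based ingress, DNS-aware egress) worked through as one added example, written for this page and not taken from Cilium's code base. Policies are plain dicts shaped like the CiliumNetworkPolicy fragments on the slides; DNS answers are recorded before a connection is judged, so an FQDN rule is applied to the IP the pod actually resolved, which is how a pattern like `*.domain.com` can be enforced at the packet layer. Default-allow when no policy selects an endpoint and default-deny once one does mirror the whitelist model; the frontend egress selector, the timestamps and the exact log format are constructed here.

```python
"""Label-aware ingress and DNS-aware egress checks (added example; not Cilium's code).

Policies are dicts shaped like the CiliumNetworkPolicy fragments on the slides
(endpointSelector/matchLabels, ingress/fromEndpoints, egress/toFQDNs + toPorts).
An endpoint that no policy selects is allowed by default; once one does, only
whitelisted peers pass. The frontend egress selector, timestamps and log format
are constructed for this example.
"""
from fnmatch import fnmatchcase


def selects(match_labels, labels):
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def fmt(labels):
    """Render labels the way the slide's visibility log does (role=frontend)."""
    return ",".join(f"{k}={v}" for k, v in sorted(labels.items()))


class Enforcer:
    def __init__(self, policies):
        self.policies = policies
        self.dns = {}   # resolved IP -> set of lowercase names seen in DNS answers
        self.log = []   # visibility log lines

    def observe_dns(self, ts, name, ip):
        """Learn name -> IP from a DNS answer the pod received (constructed, not captured)."""
        self.dns.setdefault(ip, set()).add(name.rstrip(".").lower())
        self.log.append(f"{ts}: dns: {name} -> {ip}")

    def _selecting(self, labels, direction):
        return [p for p in self.policies
                if direction in p and selects(p["endpointSelector"]["matchLabels"], labels)]

    def ingress(self, ts, src_labels, dst_labels):
        """Pod-to-pod connection arriving at a pod carrying dst_labels."""
        applicable = self._selecting(dst_labels, "ingress")
        if not applicable:
            verdict = "allow"                      # nothing selects this endpoint
        else:
            allowed = any(selects(peer["matchLabels"], src_labels)
                          for p in applicable for rule in p["ingress"]
                          for peer in rule.get("fromEndpoints", []))
            verdict = "allow" if allowed else "deny"
        self.log.append(f"{ts}: {verdict}: {fmt(src_labels)} → {fmt(dst_labels)}")
        return verdict

    def egress(self, ts, src_labels, dst_ip, port, proto="TCP"):
        """Connection leaving a pod; FQDN rules match via the names dst_ip was resolved from."""
        applicable = self._selecting(src_labels, "egress")
        if not applicable:
            verdict = "allow"
        else:
            names = self.dns.get(dst_ip, set())
            verdict = "drop"
            for p in applicable:
                for rule in p["egress"]:
                    name_ok = any(fnmatchcase(n, f["matchPattern"].lower())
                                  for f in rule.get("toFQDNs", []) for n in names)
                    port_ok = "toPorts" not in rule or any(
                        str(port) == pp["port"] and proto == pp.get("protocol", "TCP")
                        for tp in rule["toPorts"] for pp in tp["ports"])
                    if name_ok and port_ok:
                        verdict = "allow"
        self.log.append(f"{ts}: {verdict}: {fmt(src_labels)} → {dst_ip}:{port}/{proto}")
        return verdict


BACKEND_INGRESS = {   # slide: only role=frontend may reach role=backend
    "endpointSelector": {"matchLabels": {"role": "backend"}},
    "ingress": [{"fromEndpoints": [{"matchLabels": {"role": "frontend"}}]}],
}
FRONTEND_EGRESS = {   # slide: egress only to *.domain.com on 443/TCP (selector assumed)
    "endpointSelector": {"matchLabels": {"role": "frontend"}},
    "egress": [{"toFQDNs": [{"matchPattern": "*.domain.com"}],
                "toPorts": [{"ports": [{"port": "443", "protocol": "TCP"}]}]}],
}


def demo():
    """Replay the two slides' scenarios; returns (verdicts, visibility log)."""
    e = Enforcer([BACKEND_INGRESS, FRONTEND_EGRESS])
    fe, be, other = {"role": "frontend"}, {"role": "backend"}, {"role": "other"}
    verdicts = [
        e.ingress("23:15:01", fe, be),               # allow
        e.ingress("23:16:34", other, be),            # deny
    ]
    e.observe_dns("23:17:00", "foo.domain.com", "18.1.1.1")
    e.observe_dns("23:17:01", "www.leaker.com", "20.1.1.1")
    verdicts += [
        e.egress("23:17:02", fe, "18.1.1.1", 443),   # allow: name and port match
        e.egress("23:17:03", fe, "20.1.1.1", 443),   # drop: leaker.com is not whitelisted
        e.egress("23:17:04", fe, "18.1.1.1", 80),    # drop: right name, wrong port
        e.egress("23:17:05", fe, "18.1.1.2", 443),   # drop: IP never seen in a DNS answer
    ]
    return verdicts, e.log


if __name__ == "__main__":
    print("\n".join(demo()[1]))
```

The last egress case is the one worth noticing: an IP the pod never obtained from DNS matches no name, so it is dropped even if it happens to belong to an allowed domain, which is exactly the binding between DNS answers and connections that a plain IP allow-list cannot express.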
Multi-Cluster Service Routing

(Diagram: two clusters. One has frontend-1, frontend-2, frontend-3 and backend-1, backend-2; the other has frontend-1, frontend-2 and backend-1, backend-2. A single Backend Service spans both clusters.)

metadata:
  annotations:
    io.cilium/global-service: "true"
Socket-level Networking & Security

Identity (who?):
  Packet-Level: IP Address, Pod Labels
  Socket-Level: Process / Code Identity
Resource (what?):
  Packet-Level: TCP/UDP Service port
  Socket-Level: API resources
(Diagram: a Kubernetes pod containing the App Workload, an Init/Sidecar Container, and a kubectl exec … session.)

Packet-Level Firewall (IP-level Identity): the whole pod is seen as IP=10.8.9.24.

Socket-Level Firewall (Code-level Identity): each socket carries its own Socket-level Security Identity:
  container=nodejs, root-process=true
  container=init-s3, root-process=true
  container=nodejs, root-process=false
Cilium + Envoy for L7-Awareness

(Diagram: as in “How Cilium Uses BPF”, with an Envoy proxy in userspace beside Cilium and the Kubernetes pod; the SCHED_CLS BPF program redirects traffic to Envoy.)

Cilium + Envoy Integration:
• No changes to the application / pod.
• Low-overhead redirection, single Envoy per host.
• Leverages built-in Envoy protocol parsers + golang extensions.

API Firewall
Data Store Authorization

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
[...]
specs:
  - endpointSelector:
      matchLabels:
        app: cassandra
    ingress:
    - toPorts:
      - ports:
        - port: "9042"
          protocol: TCP
        rules:
          l7proto: cassandra
          l7:
          - query_action: "select"
            query_table: "myTable"
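What the `l7` rules on this slide actually decide, as an added example written for this page (not Cilium's Cassandra filter, which decodes the native CQL protocol frames): a simplified matcher that works on the query text only, extracts the action and the table, and applies the rule list with whitelist semantics. Case-insensitive identifier comparison and the optional keyspace prefix are assumptions of this example.

```python
"""Cassandra L7 rule matching on parsed queries (added example; not Cilium's parser).

Extracts the action (the first keyword) and the table named after FROM / INTO /
UPDATE / TABLE, then evaluates ``l7`` rules shaped like the slide's
(query_action, query_table). Whitelist semantics: a query passes only if some
rule matches; a rule field that is absent matches anything. Identifiers compare
case-insensitively and a rule's table may match with or without a keyspace
prefix (both assumptions of this example).
"""
import re

_TABLE_RE = re.compile(r"\b(?:from|into|update|table)\s+([\w.]+)", re.IGNORECASE)


def parse_query(query):
    """Return (action, table); table is None when the statement names none (e.g. USE ks)."""
    words = query.strip().split()
    if not words:
        raise ValueError("empty query")
    m = _TABLE_RE.search(query)
    return words[0].lower(), (m.group(1).lower() if m else None)


def rule_matches(rule, action, table):
    """All fields present in the rule must match the parsed query."""
    if "query_action" in rule and rule["query_action"].lower() != action:
        return False
    if "query_table" in rule:
        want = rule["query_table"].lower()
        have = table or ""
        # accept an exact match or a match on the unqualified table name
        if want not in (have, have.split(".")[-1]):
            return False
    return True


def check(rules, query):
    """Verdict for one CQL statement under a list of l7 rules (default deny)."""
    action, table = parse_query(query)
    return "allow" if any(rule_matches(r, action, table) for r in rules) else "deny"


# The slide's rule set: only SELECTs against myTable may reach the cassandra pods.
RULES = [{"query_action": "select", "query_table": "myTable"}]

SAMPLE_QUERIES = [                                    # constructed inputs
    "SELECT * FROM myTable WHERE id = 1",             # allow
    "select id from ks.mytable",                      # allow: keyspace prefix, lower case
    "SELECT * FROM otherTable",                       # deny: wrong table
    "INSERT INTO myTable (id) VALUES (1)",            # deny: wrong action
    "DROP TABLE myTable",                             # deny: wrong action
    "USE ks",                                         # deny: no table at all
]


def demo(rules=RULES, queries=SAMPLE_QUERIES):
    """Map each sample query to its verdict."""
    return {q: check(rules, q) for q in queries}


if __name__ == "__main__":
    for q, v in demo().items():
        print(f"{v:5} {q}")
```

Because the policy is a whitelist, a query that names no table at all (USE, schema changes without a table keyword) is denied rather than slipping through; that is the behaviour to check first when writing rules for a new protocol.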
Socket-level Envoy Acceleration (3X gain)
More info in KubeCon EU 2018 slides:
Accelerating Envoy and Istio with Cilium and the Linux Kernel
https://bit.ly/2G7DfIY
Socket-level SSL Visibility via kTLS

More info in KubeCon EU 2018 slides:
Accelerating Envoy and Istio with Cilium and the Linux Kernel
https://bit.ly/2G7DfIY

(Diagram: Service → Proxy filter chain → External Endpoint. The TLS handshake is performed by the proxy and encryption is deferred, so the filter chain sees clear traffic while the external endpoint sees encrypted TLS traffic.)
Service Mesh: Istio + BPF

• Envoy Acceleration
• Process-level Identity
• kTLS visibility into encrypted traffic
• Security for non-TCP traffic
• Socket-level Networking
• Kernel-based Transparent Encryption
What is Cilium?

Service and API-Aware Linux Networking & Security

Service Identity: Visibility + filtering based on Kubernetes service labels, DNS names, etc., not IP addresses.
API-Aware Security: Goes beyond TCP/UDP ports, natively understanding HTTP, gRPC, Kafka, DNS, & more.
Performance & Scale: BPF datapath and control plane optimized for highly dynamic, large-scale environments with high throughput.
Multi-Cluster Routing: Provides simple, efficient, and secure connectivity between multiple Kubernetes clusters.
Universal Encryption: Adds encryption to all traffic between Cilium endpoints with no application/pod changes.
Transparent to Apps: By running in the kernel, BPF + Cilium require no changes by, or coordination with, app teams.

Open Source. Powered by BPF.
More Information
Source Code:
https://github.com/cilium/cilium
Twitter:
https://twitter.com/ciliumproject
Website:
https://cilium.io/
Blog:
https://cilium.io/blog/
Contact Me:
@danwendlandt
Transparent Encryption

(Diagram: a cluster of three nodes running the Cilium CNI, each with pods; traffic between pods on different nodes is encrypted.)