BPF: Bringing Linux to the Microservices Era (files.informatandm.com/uploads/2019/5/Wendlandt...)

Page 1

Information Classification: General

#ContainerWorld

@ContainerWrld

https://tmt.knect365.com/container-world/

BPF: Bringing Linux to the Microservices Era

Dan Wendlandt

Co-founder / CEO

Isovalent

Page 2

Who am I?


Page 3

A New Microservices Stack is Emerging

Figure: App1, App2, App3 running on a Kubernetes and Istio stack, + BPF.

Page 4

What is BPF / eBPF?

Highly efficient sandboxed virtual machine in the Linux kernel. Making the Linux kernel programmable at native execution speed.

Origins in the humble “tcpdump”: Berkeley Packet Filter

tcpdump -n dst host 192.168.1.1

Page 5

Why BPF?

OS kernel functionality is traditionally general purpose and static… Linux BPF enables rich expressiveness in describing new kernel behavior.

Page 6

BPF: The How

Figure: a BPF-aware tool and an app workload in userspace; in the kernel, a BPF program (here of type SOCK_FILTER) attached at eth0 / connect(…), with BPF Maps shared between kernel and userspace.

1. Creates custom logic as pseudo C code, to be run at a specific BPF trace point.
2. Compiles to BPF byte code.
3. Loads byte code into kernel using bpf() syscall.
4. Kernel verifies safety of code, JIT-compiles for native perf.
5. Highly efficient communication of data between kernel + userspace using BPF maps.

BPF program executes each time trace point is invoked. Can modify kernel data (e.g., modify/drop packets).
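The lifecycle above ends with the kernel running the verified bytecode on every packet or event. To make that concrete for the tcpdump filter on page 4, here is an added example (mine, not from the slides, tcpdump or Cilium) in Python: a tiny classic-BPF interpreter executing hand-written bytecode equivalent to `dst host 192.168.1.1` over a constructed Ethernet/IPv4 frame. The bytecode is an assumed, IPv4-only simplification of what `tcpdump -dd` emits (the real output also branches for ARP/RARP), and the frame is constructed inline.

```python
import struct

# Opcode values as in <linux/filter.h>: ldh [k], ld [k], jeq #k, ret #k.
LDH_ABS, LDW_ABS, JEQ_K, RET_K = 0x28, 0x20, 0x15, 0x06

# Hand-written (assumed) bytecode for "dst host 192.168.1.1" on Ethernet, IPv4
# only; real `tcpdump -dd` output also carries ARP/RARP branches. Each tuple is
# (code, jt, jf, k), the fields of struct sock_filter.
DST_HOST_FILTER = [
    (LDH_ABS, 0, 0, 12),          # A = ethertype
    (JEQ_K,   0, 3, 0x0800),      # not IPv4 -> jump to reject (pc + 1 + 3)
    (LDW_ABS, 0, 0, 30),          # A = IPv4 destination (14 bytes Ethernet + 16)
    (JEQ_K,   0, 1, 0xC0A80101),  # not 192.168.1.1 -> reject
    (RET_K,   0, 0, 0xFFFFFFFF),  # accept: return the whole packet
    (RET_K,   0, 0, 0),           # reject
]

def run_cbpf(prog, pkt):
    """Execute classic BPF bytecode over pkt; return the RET value (0 = drop).
    An out-of-range load drops the packet, as the kernel interpreter does."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code in (LDH_ABS, LDW_ABS):
            width = 2 if code == LDH_ABS else 4
            if k + width > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + width], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf  # conditional jumps are relative to pc + 1
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")  # verifier would reject it
        pc += 1
    return 0  # fell off the end: the verifier rejects programs that can do this

def make_frame(dst_ip, ethertype=0x0800):
    """Constructed 34-byte Ethernet + IPv4 header with the given destination."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = bytes([0x45]) + b"\x00" * 15 + bytes(int(o) for o in dst_ip.split("."))
    return eth + ip

def accepts(dst_ip, ethertype=0x0800):
    """True when the filter would pass a frame addressed to dst_ip to tcpdump."""
    return run_cbpf(DST_HOST_FILTER, make_frame(dst_ip, ethertype)) != 0
```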

Page 7

BPF Tech Adoption

● L3-L4 Load balancing
● Network security
● Traffic optimization
● Profiling
https://code.fb.com/open-source/linux/

● QoS & Traffic optimization
● Network Security
● Profiling
http://vger.kernel.org/lpc-bpf2018.html#session-1

● Replacing iptables with BPF
● NFV & Load balancing (XDP)
● Profiling & Tracing
https://goo.gl/6JYYJW

● Performance Troubleshooting
● Tracing & Systems Monitoring
● Networking
http://www.brendangregg.com/blog/2016-03-05/linux-bpf-superpowers.html

Learn More: http://docs.cilium.io/en/latest/bpf

Page 8

Cilium: BPF-Powered Networking & Security for Kubernetes

Page 9

How Cilium Uses BPF

Figure: Cilium in userspace watches the Kubernetes API (Workload Identity, Service Mappings, Network Policy) and loads BPF programs (SCHED_CLS) and BPF Maps into the kernel, on the path between the K8s pod's app workload, connect(…) and eth0.

Cilium-generated BPF programs control:
• Pod-to-Pod Network Connectivity.
• Service-based Load-balancing.
• Network Visibility and Security Enforcement.

Page 10

Why Cilium/BPF for Kubernetes?

Linux networking & security core has changed little in 20 years….

Not designed for scale / rapid change:
• Modifying rules is extremely expensive.
• Long rule sets ➔ linear traversals.

Limited to packet-layer:
• IP addresses, not service identity.
• TCP/UDP ports, not API calls.

Page 11

K8s Label-aware Security/Visibility

Figure: Pod role=frontend → HTTP GET / → Pod role=backend (allow); Pod role=other → HTTP GET / → Pod role=backend (deny).

Label-based Security Policy:

endpointSelector:
  matchLabels:
    role: "backend"
ingress:
- fromEndpoints:
  - matchLabels:
      role: "frontend"

Label-based Security Visibility Logs:

23:15:01: allow: role=frontend → role=backend
23:16:34: deny: role=other → role=backend

Page 12

DNS-aware Security

Figure: Pod → DNS Server: foo.domain.com → 18.1.1.1; Pod → 18.1.1.1: HTTP GET / → 200 OK. Pod → DNS Server: www.leaker.com → 20.1.1.1; Pod → 20.1.1.1: HTTP GET / → drop.

- toFQDNs:
  - matchPattern: "*.domain.com"
  toPorts:
  - ports:
    - port: '443'
      protocol: TCP
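As an added example covering both the label-based policy on page 11 and the DNS-aware policy above (my code, not Cilium's; all policies, pods and DNS answers are constructed), this Python toy evaluates ingress by pod labels and egress by an FQDN pattern matched against names learned from observed DNS answers, and records each verdict in the format of the visibility logs on page 11.

```python
import fnmatch
# Constructed toy of the two slides' policies (an added example, not Cilium's code):
# endpointSelector picks the pods a policy applies to, ingress_from lists source labels
# let in, egress_fqdns lists (pattern, port, proto) a pod may reach; the rest is denied.
POLICIES = [
    {"endpointSelector": {"role": "backend"}, "ingress_from": [{"role": "frontend"}]},
    {"endpointSelector": {"role": "frontend"}, "egress_fqdns": [("*.domain.com", 443, "TCP")]},
]

def selects(selector, labels):  # matchLabels: every selector key/value must be present
    return all(labels.get(k) == v for k, v in selector.items())

def fmt(labels):
    return ",".join(f"{k}={v}" for k, v in sorted(labels.items()))

class Enforcer:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.fqdn_cache = {}  # ip -> names the pod resolved, learned from observed DNS replies
        self.log = []         # visibility log, one line per verdict

    def observe_dns(self, name, ip):  # called for each DNS answer the pod receives
        self.fqdn_cache.setdefault(ip, set()).add(name)

    def ingress(self, ts, src, dst):
        ok = any(selects(p["endpointSelector"], dst) and any(selects(s, src) for s in p.get("ingress_from", []))
                 for p in self.policies)
        return self._record(ts, "allow" if ok else "deny", fmt(src), fmt(dst))

    def egress(self, ts, src, ip, port, proto="TCP"):
        names = self.fqdn_cache.get(ip, set())  # unseen IP -> no name -> no FQDN rule can match
        ok = any(selects(p["endpointSelector"], src)
                 and any(port == pt and proto == pr and any(fnmatch.fnmatch(n, pat) for n in names)
                         for pat, pt, pr in p.get("egress_fqdns", []))
                 for p in self.policies)
        return self._record(ts, "allow" if ok else "drop", fmt(src), f"{ip}:{port}")

    def _record(self, ts, verdict, src, dst):
        self.log.append(f"{ts}: {verdict}: {src} → {dst}")  # the slide's log line format
        return verdict

def demo():
    e = Enforcer()
    e.ingress("23:15:01", {"role": "frontend"}, {"role": "backend"})
    e.ingress("23:16:34", {"role": "other"}, {"role": "backend"})
    e.observe_dns("foo.domain.com", "18.1.1.1")  # constructed DNS replies
    e.observe_dns("www.leaker.com", "20.1.1.1")
    e.egress("23:17:02", {"role": "frontend"}, "18.1.1.1", 443)
    e.egress("23:17:09", {"role": "frontend"}, "20.1.1.1", 443)
    return e.log
```

A connection to an IP the pod never resolved, or to a port the rule does not list, is dropped even when the IP belongs to an allowed name.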

Page 13

Multi-Cluster Service Routing

Figure: two clusters, each with a Backend Service; one cluster runs frontend-1, frontend-2, frontend-3 and backend-1, backend-2; the other runs frontend-1, frontend-2 and backend-1, backend-2. The service is marked as global:

metadata:
  annotations:
    io.cilium/global-service: "true"

Page 14

Socket-level Networking & Security

Page 15

Socket-level Networking & Security

Packet-Level:
• Identity (who?): IP Address
• Resource (what?): TCP/UDP

Socket-Level:
• Identity (who?): Pod Labels, Process / Code Identity
• Resource (what?): Service port, API resources

Page 16

Figure: Packet-Level Firewall (IP-level Identity): the whole Kubernetes pod (App Workload, Init/Sidecar Container, kubectl exec …) shares one identity, IP=10.8.9.24.

Figure: Socket-Level Firewall (Code-level Identity): each process in the same Kubernetes pod (App Workload, Init/Sidecar Container, kubectl exec …) carries its own Socket-level Security Identity, e.g. container=nodejs root-process=true; container=init-s3 root-process=true; container=nodejs root-process=false.

Page 17

Cilium + Envoy for L7-Awareness

Figure: as on page 9, with an Envoy proxy in userspace next to Cilium; the BPF (SCHED_CLS) programs and BPF Maps in the kernel redirect the K8s pod's connect(…) traffic to Envoy.

Cilium + Envoy Integration:
• No changes to the application / pod.
• Low-overhead redirection, single Envoy per host.
• Leverages built-in Envoy protocol parsers + golang extensions.

Page 18

API Firewall

Page 19

Data Store Authorization

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
[...]
specs:
  - endpointSelector:
      matchLabels:
        app: cassandra
    ingress:
    - toPorts:
      - ports:
        - port: "9042"
          protocol: TCP
        rules:
          l7proto: cassandra
          l7:
          - query_action: "select"
            query_table: "myTable"
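An added example (my code, not Cilium's Envoy-based Cassandra parser) of what the l7 rule above means at enforcement time: a minimal Python matcher that extracts the action and table from a CQL request and allows only what the policy's query_action / query_table rules name. The CQL grammar it recognises is a constructed simplification, and table names are compared exactly.

```python
import re
from dataclasses import dataclass

# Added example, not Cilium's Envoy-based Cassandra parser: a minimal model of the
# slide's l7 rule (query_action + query_table) applied to CQL request text.
@dataclass(frozen=True)
class CassandraRule:
    query_action: str   # e.g. "select"
    query_table: str    # e.g. "myTable"; "" matches any table

# Where the table name sits for each verb (simplified CQL grammar, constructed here).
_VERBS = {
    "select": re.compile(r"^\s*select\b.*?\bfrom\s+([\w.]+)", re.I | re.S),
    "insert": re.compile(r"^\s*insert\s+into\s+([\w.]+)", re.I),
    "update": re.compile(r"^\s*update\s+([\w.]+)", re.I),
    "delete": re.compile(r"^\s*delete\b.*?\bfrom\s+([\w.]+)", re.I | re.S),
}

def parse_query(cql):
    """Return (action, table) for a recognised CQL statement, else None."""
    for action, pattern in _VERBS.items():
        m = pattern.match(cql)
        if m:
            return action, m.group(1).split(".")[-1]  # drop a keyspace prefix
    return None

def l7_verdict(rules, cql):
    """Allow only a request matched by some rule; unrecognised statements are
    denied, so a DROP TABLE never slips past a policy that only names SELECT."""
    parsed = parse_query(cql)
    if parsed is None:
        return "deny"
    action, table = parsed
    if any(r.query_action == action and r.query_table in ("", table) for r in rules):
        return "allow"
    return "deny"

def demo():
    rules = [CassandraRule("select", "myTable")]   # the slide's policy
    queries = [
        "SELECT id, name FROM myTable WHERE id = 1",
        "SELECT * FROM ks.myTable",
        "INSERT INTO myTable (id) VALUES (2)",
        "SELECT * FROM otherTable",
        "DROP TABLE myTable",
    ]
    return {q: l7_verdict(rules, q) for q in queries}
```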

Page 20

Socket-level Envoy Acceleration (3X gain)

More info in KubeCon EU 2018 slides:

Accelerating Envoy and Istio with Cilium and the Linux Kernel

https://bit.ly/2G7DfIY

Page 21

Socket-level SSL Visibility via kTLS

More info in KubeCon EU 2018 slides:

Accelerating Envoy and Istio with Cilium and the Linux Kernel

https://bit.ly/2G7DfIY

Figure: Service → Proxy (Filter Chain) → External Endpoint; after the TLS Handshake the stream is Clear on the proxy side and Encrypted on the wire, with TLS encryption deferred (kTLS).

Page 22

Service Mesh

Figure: Istio + BPF brings Envoy Acceleration, Process-level Identity, kTLS visibility into encrypted traffic, Security for non-TCP traffic, Socket-level Networking and Kernel-based Transparent Encryption.

Page 23

What is Cilium?

Service and API-Aware Linux Networking & Security

• Service Identity: Visibility + filtering based on Kubernetes service labels, DNS names, etc., not IP addresses.
• API-Aware Security: Goes beyond TCP/UDP ports, natively understanding HTTP, gRPC, Kafka, DNS, & more.
• Performance & Scale: BPF datapath and control plane optimized for highly dynamic, large scale envs with high throughput.
• Multi-Cluster Routing: Provides simple, efficient, and secure connectivity between multiple Kubernetes clusters.
• Universal Encryption: Adds encryption to all traffic between Cilium endpoints with no application/pod changes.
• Transparent to Apps: By running in the kernel, BPF + Cilium require no changes by, or coordination with, app teams.

Open Source. Powered by BPF.

Page 24

More Information

Source Code:

https://github.com/cilium/cilium

Twitter:

https://twitter.com/ciliumproject

Website:

https://cilium.io/

Blog:

https://cilium.io/blog/

Contact Me:

[email protected]

@danwendlandt

Page 25

Transparent Encryption

Figure: a Cluster of three Nodes, each running Cilium CNI with Pods; Encryption applies to the traffic between the nodes.