
101 - eBPF & Dataplane v2 with GKE

Dataplane V2 is a newly introduced GKE dataplane, based on eBPF and Linux nodes, that processes network packets in-kernel flexibly and with high performance.

GDG Cloud Hanoi

December 21, 2021

Transcript

  1. Agenda
     • eBPF - 101
     • Cilium - 101
     • GKE Dataplane v2
     • What’s next?
  2. What is eBPF?
     • eBPF is a mechanism for Linux applications to execute code in Linux kernel space.
     • eBPF can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules.
     • Several complex components are involved in loading, verifying and executing eBPF programs.
  3. What is eBPF?
     • Extended BPF (or eBPF) is similar to the original ("classic") BPF (cBPF) used to filter network packets.
     • The Linux kernel runs eBPF only; loaded cBPF bytecode is transparently translated into an eBPF representation in the kernel before program execution.
     • eBPF programs can be attached to different events:
       ◦ kprobes, tracepoints, uprobes, sockets, cgroup filters, etc.
  4. Why eBPF?
     • Kernel space has always been an ideal place to implement observability, security, and networking functionality, due to the kernel’s privileged ability to oversee and control the entire system.
     • At the same time, the kernel is hard to evolve due to its central role and its high requirements for stability and security. The rate of innovation at the operating system level has thus traditionally been lower than for functionality implemented outside of the operating system.
  5. eBPF use cases
     • Security
     • Networking
     • Profiling
     • Observability (Logs / Metrics / Tracing)
  6. The pitfalls of eBPF
     • Restricted to Linux and a recent kernel
     • Sandboxed programs are limited
  7. What is Cilium?
     • Open Source project using eBPF as its foundation
     • Networking & Load-Balancing
     • Network Security
     • Observability
  8. So, why Cilium? Kubernetes uses iptables for...
     • kube-proxy, the component which implements Services and load balancing via DNAT iptables rules
     • Most CNI plugins use iptables for Network Policies
  9. So, what’s wrong with iptables?
     • iptables updates must be made by recreating and updating all rules in a single transaction.
     • Chains of rules are implemented as a linked list, so all operations are O(n).
     • The standard practice for implementing access control lists (ACLs) with iptables was a sequential list of rules.
     • Matching is based on IPs and ports; it is not aware of L7 protocols.
  10. Cilium use cases
     • Networking
       ◦ Highly efficient and flexible networking
       ◦ Routing, Overlay, Cloud-provider native
       ◦ IPv4, IPv6, NAT46
     • Network Security
       ◦ Identity-based network security
       ◦ API-aware security (HTTP, gRPC, Kafka, Cassandra, memcached, …)
       ◦ DNS-aware
     • Load-balancing
       ◦ Highly scalable L3-L4 load balancing
       ◦ Kubernetes services (replaces kube-proxy)
     • Observability
       ◦ Metrics (Network, DNS, Security, Latencies, HTTP, …)
       ◦ Flow logs (with datapath aggregation)
  11. GKE Dataplane V2 - Advantages
     • Security
       ◦ Kubernetes Network Policy is always on in clusters with GKE Dataplane V2. You don't have to install and manage third-party add-ons such as Calico to enforce network policy.
     • Scalability
       ◦ GKE Dataplane V2 is implemented without kube-proxy and does not rely on iptables for service routing. This removes a major bottleneck for scaling Kubernetes services in very large clusters.
     • Operations
       ◦ When you create a cluster with GKE Dataplane V2, network policy logging is built in. Configure the logging CRD on your cluster to see when connections to your Pods are allowed and denied.
     • Consistency
       ◦ GKE Dataplane V2 is available, and provides the same features, on GKE and on other Anthos cluster environments.
  12. GKE Dataplane V2 - Limitations
     • GKE Dataplane V2 can only be enabled when creating a new cluster. Existing clusters cannot be upgraded to use GKE Dataplane V2 (at the moment).
     • Not all Cilium configuration options are supported by GKE Dataplane V2.
     • https://cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2#limitations
  13. What’s next
     gcloud container clusters create CLUSTER_NAME \
       --enable-dataplane-v2 \
       --enable-ip-alias \
       --release-channel CHANNEL_NAME \
       --region COMPUTE_REGION
     https://cloud.google.com/kubernetes-engine/docs/how-to/dataplane-v2
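Slide 11 mentions that Dataplane V2 ships built-in network policy logging. As an added example (not part of the deck), the script below parses a constructed sample of such log entries and aggregates the denied connections per source Pod, which is the first thing a defender wants from these logs. The field names (connection, disposition, src, dest, count) are assumed to follow the documented GKE policy-action log format; the Pods, IPs and counts are made up.

```python
import json
from collections import Counter

# Constructed sample of three Dataplane V2 policy-action log entries (one JSON
# object per line). Field names are assumed to follow the documented GKE network
# policy logging format; the pods, IPs and counts are made up for this example.
SAMPLE_LOG = r'''
{"connection":{"src_ip":"10.84.0.252","dest_ip":"10.88.0.7","src_port":59030,"dest_port":8080,"protocol":"tcp","direction":"ingress"},"disposition":"allow","policies":[{"name":"allow-frontend","namespace":"shop"}],"src":{"pod_name":"frontend-7d9f","pod_namespace":"shop"},"dest":{"pod_name":"api-5c4b","pod_namespace":"shop"},"count":3,"node_name":"gke-node-1","timestamp":"2021-12-21T10:00:01Z"}
{"connection":{"src_ip":"10.84.1.10","dest_ip":"10.88.0.7","src_port":41000,"dest_port":8080,"protocol":"tcp","direction":"ingress"},"disposition":"deny","policies":[],"src":{"pod_name":"batch-job-a","pod_namespace":"dev"},"dest":{"pod_name":"api-5c4b","pod_namespace":"shop"},"count":12,"node_name":"gke-node-1","timestamp":"2021-12-21T10:00:02Z"}
{"connection":{"src_ip":"10.84.1.10","dest_ip":"10.88.0.9","src_port":41001,"dest_port":6379,"protocol":"tcp","direction":"ingress"},"disposition":"deny","policies":[],"src":{"pod_name":"batch-job-a","pod_namespace":"dev"},"dest":{"pod_name":"redis-0","pod_namespace":"shop"},"count":5,"node_name":"gke-node-2","timestamp":"2021-12-21T10:00:03Z"}
'''

def parse_policy_log(text):
    """Parse newline-delimited JSON; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole batch
    return entries

def denied_flows(entries):
    """Aggregate denied connections by (src pod, dest pod, dest port, protocol)."""
    totals = Counter()
    for e in entries:
        if e.get("disposition") != "deny":
            continue
        c = e["connection"]
        src = f'{e["src"]["pod_namespace"]}/{e["src"]["pod_name"]}'
        dst = f'{e["dest"]["pod_namespace"]}/{e["dest"]["pod_name"]}'
        totals[(src, dst, c["dest_port"], c["protocol"])] += e.get("count", 1)
    return totals

def noisy_sources(entries, threshold=10):
    """Source pods whose denied-connection total reaches the threshold; worth a review."""
    per_src = Counter()
    for (src, _dst, _port, _proto), n in denied_flows(entries).items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    log = parse_policy_log(SAMPLE_LOG)
    print(denied_flows(log))
    print(noisy_sources(log))
```

On a real cluster the same functions can be fed the node's policy-action log or the entries exported to Cloud Logging, with the threshold tuned to the cluster's normal deny rate.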