Slide 1

Cilium Service Mesh
Speaker: Thomas Graf, CTO & Co-Founder Isovalent, Cilium Maintainer, Chair GB eBPF Foundation

Slide 2

eBPF makes the Linux kernel programmable in a secure and efficient way.
“What JavaScript is to the browser, eBPF is to the Linux Kernel”
(Diagram labels: Process, Scheduler, execve(), Linux Kernel, Syscall)

Slide 3

- Networking
- Security
- Observability
- Service Mesh & Ingress
(Diagram labels: -based, Foundation, Created by, Technology)

Slide 4

Security Observability & Runtime Enforcement

Slide 5

Cilium Service Mesh

Option 1: Sidecar-free eBPF Mesh
- Cilium manages combination of eBPF + per-Node proxy
- No sidecars
- Can support any control plane

Option 2: Istio Integration
- Istio manages sidecars
- Cilium enforces L7 NetworkPolicy in Istio sidecars
- Cilium accelerates the sidecar network injection path

Slide 6

Example of Istio + Cilium Collaboration
(Diagram labels: 😨 Cleartext, TLS Encrypted)
⚠ Anybody with CAP_NET_ADMIN can read everything in clear text.

Slide 7

Example of Istio + Cilium Collaboration
(Diagram label: Istio)
✅ No unencrypted payload on any network interfaces

Slide 8

Service Mesh

Slide 9

Traditional networking is falling short
- tcpdump, NetFlow, sFlow, …
- SSH, IPsec, WireGuard, VPN, …
- L4 Load-Balancing (IPVS, iptables, …)
- TCP retransmissions
We need L4 (TCP, UDP) -> L7 (HTTP, gRPC, …)
(Diagram label: Network)

Slide 10

Service Mesh Origins

Slide 11

Service Mesh with Sidecars

Slide 12

Sidecar Complexity
- Complex Injection
- Many, many Sidecars

Slide 13

Cilium Service Mesh
- Sidecar-free Datapath
- Use eBPF when possible, fallback to Envoy
- Native performance & latency
- mTLS support for any network traffic (UDP, SCTP, Multicast, …)
- Envoy CRD
- Bring the control plane of your choice: Istio, SMI, Ingress / Services, Gateway API, SPIFFE, Linkerd(?)
- Observability integrations (Hubble + Tetragon)
More information: https://isovalent.com/blog/post/2021-12-08-ebpf-servicemesh

Slide 14

Service Mesh Evolution

Slide 15

What about multi-tenancy? We made the kernel aware of namespaces and cgroups to enable multi-tenancy. We call it containers.

Slide 16

Integrating Envoy into the Kernel Stack
- Envoy threads can run in cgroup of pod
- No sidecar injection needed
- No network injection needed
- No need to stop Envoy
- No need to start Envoy at pod startup
Granularity of proxy:
- Node
- Namespace
- …

Slide 17

Reduced Footprint

Slide 18

eBPF Native (no sidecar): whenever possible
Traffic Management
- L3/L4 forwarding & Load-balancing
- Canary, Topology Aware Routing
- Multi-cluster
Security
- Network Policy
- mTLS
Observability
- Tracing, OpenTelemetry, & Metrics
- HTTP, TLS, DNS, TCP, UDP, …

Proxy: when eBPF cannot do it
Traffic Management
- L7 Load-balancing & Ingress
Resilience
- Retries, L7 Rate Limiting
Security
- TLS Termination & Origination

Slide 19

mTLS with Cilium Service Mesh
- Works for any protocol (UDP, SCTP, …)
- Avoids once-allowed connections being allowed forever
- Keeps secrets out of proxy (useful when proxy runs untrusted user filters)
More information: https://isovalent.com/blog/post/2022-05-03-servicemesh-security
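The two preceding slides describe the split between what eBPF enforces natively (network policy, mTLS) and what is handed to the proxy (L7 rules). The manifest below is an added example, not part of the talk and not taken from the Cilium project, showing how one CiliumNetworkPolicy combines both: identity-based ingress with mutual authentication required, plus an HTTP rule that Cilium forwards to its Envoy proxy for enforcement. It assumes Cilium 1.14 or later with mutual authentication enabled (Helm value authentication.mutual.spire.enabled=true); the labels, port and path are constructed for illustration.

```yaml
# Added example (constructed), not from the talk or the Cilium project.
# Assumes Cilium >= 1.14 with SPIFFE/SPIRE mutual authentication enabled.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "backend-mtls-l7"          # constructed name
  namespace: "demo"                # constructed namespace
spec:
  # Policy applies to pods carrying this label (constructed).
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    # Only workloads with this identity may connect (constructed label).
    - matchLabels:
        app: frontend
    # Enforced by the eBPF datapath: the peer must complete a mutual
    # authentication handshake (SPIFFE identities) before traffic is
    # allowed, and the decision is tied to the identity, not only to
    # the connection tuple, so an already-open flow is not trusted forever.
    authentication:
      mode: "required"
    toPorts:
    - ports:
      - port: "8080"               # constructed port
        protocol: TCP
      # L7 rules are beyond what eBPF enforces natively, so Cilium
      # redirects matching flows to its per-node Envoy proxy.
      rules:
        http:
        - method: "GET"
          path: "/api/.*"          # constructed path, regex syntax
```

Everything not matched by the ingress rule is dropped by default once the endpoint is selected by a policy, so the effect is: authenticated frontend identity plus GET on /api/… is allowed, anything else (other identities, other methods, other paths, unauthenticated peers) is denied, and the denial for unauthenticated peers happens in the kernel datapath before any proxy is involved.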

Slide 20

Some benchmarks*
(Chart labels: No Visibility, Sidecar, HTTP Visibility (P95), HTTP Authorization, No Proxy, Cilium Envoy Filter, Istio Envoy Filter, In-kernel HTTP parser)
* - All in-kernel with
- Istio concurrency & resource constraints removed
- 1x per node proxy vs 2x sidecars
- Cilium Envoy filter less complex
All data & Scripts: https://isovalent.com/blog/post/2022-05-03-servicemesh-security

Slide 21

Bonus benchmark
(Chart labels: Cilium Envoy Filter, Istio Envoy Filter, Default Resource & Concurrency Constraints)
Make sure to review the default concurrency and resource constraints!
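The benchmark caveat on this and the previous slide is that Istio's default sidecar resource and concurrency constraints shape the numbers. As an added example, not from the talk, the pod-template annotations below are where those constraints are set per workload in Istio (they override the mesh-wide defaults from the injector); the Deployment name and the numeric values are constructed and should be chosen from measured load, not copied.

```yaml
# Added example (constructed), not from the talk or the Istio project.
# Shows the per-workload knobs behind the "default resource & concurrency
# constraints" caveat: sidecar requests/limits and Envoy worker threads.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                # constructed name
  namespace: demo                  # constructed namespace
spec:
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
      annotations:
        # Sidecar (istio-proxy) resource requests and limits.
        # Values are constructed placeholders; size them from measurements.
        sidecar.istio.io/proxyCPU: "500m"
        sidecar.istio.io/proxyMemory: "256Mi"
        sidecar.istio.io/proxyCPULimit: "1"
        sidecar.istio.io/proxyMemoryLimit: "512Mi"
        # Envoy worker thread count for this sidecar. With the default
        # (0 = auto), Envoy sizes threads from the CPU limit it sees, so
        # the CPU limit above and this value must be reviewed together.
        proxy.istio.io/config: |
          concurrency: 2
    spec:
      containers:
      - name: app
        image: example/app:latest  # constructed image reference
        ports:
        - containerPort: 8080
```

When reading the benchmark charts, note that each sidecar carries its own copy of these limits, so a node running N pods pays them N times, whereas the per-node proxy model on the earlier slides sets them once per node.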

Slide 22

Thank you!