101 - eBPF & Dataplane v2 with GKE Lê Anh Tuấn [email protected] @tuanbo91

Agenda ● eBPF - 101 ● Cilium - 101 ● GKE Dataplane v2 ● What’s next?

eBPF - 101

What is eBPF? ● eBPF is a mechanism for Linux applications to execute code in Linux kernel space. ● eBPF can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. ● Several complex components are involved in the functioning of eBPF programs and their execution.

What is eBPF? ● Extended BPF (or eBPF) is similar to the original ("classic") BPF (cBPF) used to filter network packets. ● Linux kernel runs eBPF only and loaded cBPF bytecode is transparently translated into an eBPF representation in the kernel before program execution. ● eBPF programs can be attached to different events: ○ Kprobes, tracepoints, uprobes, sockets, cgroup_filters, etc.

Why eBPF? ● Kernel space has always been an ideal place to implement observability, security, and networking functionality due to the kernel’s privileged ability to oversee and control the entire system. ● At the same time, Kernel is hard to evolve due to its central role and high requirement towards stability and security. The rate of innovation at the operating system level has thus traditionally been lower compared to functionality implemented outside of the operating system.

eBPF use cases ● Security ● Networking ● Profiling ● Observability (Log / Metrics / Tracing)

The pitfalls of eBPF ● Restricted to Linux and a recent kernel ● Sandboxed programs are limited

The pitfalls of eBPF ● Restricted to Linux and a recent kernel NOT ANYMORE!

eBPF Foundation

BPF Tech Adoption

Cilium - 101

What is Cilium? ● Open Source project using eBPF as its foundation ● Networking & Load-Balancing ● Network Security ● Observability

So, why Cilium? Kubernetes uses iptables for... ● kube-proxy - the component which implements Services and load balancing by DNAT iptables rules ● Most of CNI plugins are using iptables for Network Policies

So, what’s wrong with iptables? ● iptables updates must be made by recreating and updating all rules in a single transaction. ● Implements chains of rules as a linked list, so all operations are O(n). ● The standard practice of implementing access control lists (ACLs) as implemented by iptables was to use sequential list of rules. ● It’s based on matching IPs and ports, not aware about L7 protocols.

Cilium performance

Cilium use cases ● Networking ○ Highly efficient and flexible networking ○ Routing, Overlay, Cloud-provider native ○ IPv4, IPv6, NAT 46 ● Network Security ○ Identity-based network security ○ API-aware security (HTTP, gRPC, Kafka, Cassandra, memcached, ..) ○ DNS-aware ● Load-balancing: ○ Highly scalable L3-L4 load balancing ○ Kubernetes services (replaces kube-proxy) ● Observability ○ Metrics (Network, DNS, Security, Latencies, HTTP, …) ○ Flow logs (w/ datapath aggregation)

Cilium: Load-balancing

Cilium: Network Policies

Cilium: Identity-based Security

Cilium: DNS-aware Policy

GKE Dataplane V2

GKE Dataplane V2 - Advantages ● Security ○ Kubernetes Network policy is always on in clusters with GKE Dataplane V2. You don't have to install and manage third-party software add-ons such as Calico to enforce network policy. ● Scalability ○ GKE Dataplane V2 is implemented without kube-proxy and does not rely on iptables for service routing. This removes a major bottleneck for scaling Kubernetes services in very large clusters. ● Operations ○ When you create a cluster with GKE Dataplane V2, network policy logging is built in. Configure the logging CRD on your cluster to see when connections are allowed and denied by your Pods. ● Consistency ○ GKE Dataplane V2 is available and provides the same features on GKE and on other Anthos clusters environments.

GKE Dataplane V2 - Technical specifications

GKE Dataplane V2 - Technical specifications

GKE Dataplane V2

GKE Dataplane V2 - Limitations ● GKE Dataplane V2 can only be enabled when creating a new cluster. Existing clusters cannot be upgraded to use GKE Dataplane V2 (at the moment) ● Not all cilium configuration are supported by GKE Dataplane V2 ● https://cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2#limitations

What’s next

What’s next

What’s next gcloud container clusters create CLUSTER_NAME \ --enable-dataplane-v2 \ --enable-ip-alias \ --release-channel CHANNEL_NAME \ --region COMPUTE_REGION https://cloud.google.com/kubernetes-engine/docs/how-to/dataplane-v2

What’s next https://console.cloud.google.com/freetrial

Thank you!