Slide 1

How many proxies do you need?

Liz Rice | @lizrice, Chief Open Source Officer, Isovalent; Emeritus Chair, CNCF Technical Oversight Committee
Thomas Graf | @tgraf_, CTO & Co-founder, Isovalent; Chair, eBPF Foundation

Slide 2

Service Mesh

Slide 3

Service Mesh Origins

Slide 4

Service Mesh with Sidecars

Slide 5

Sidecar Complications
- Complex injection
- Many, many sidecars

Slide 6

No content

Slide 7

Let’s remove sidecars!

Slide 8

“While we're big fans of Envoy we're not hugely fond of the sidecar model and the extra latency & complexity involved”
- Cilium Service Mesh beta tester, Jan 2022

Slide 9

No content

Slide 10

Reduce resource usage
(diagram: userspace / kernel)

“Sidecars are a little bit inefficient [...] you have to allocate the RAM and CPU for that sidecar for kind of the worst-case usage that you expect for that pod.”
– Ethan Jackson, Ambient Mesh, Google, Kubernetes Podcast #189

Slide 11

Reduce resource usage
(diagram: two nodes, each with userspace / kernel)

Slide 12

Reduce resource usage
(diagram: two nodes, each with userspace / kernel, sharing state via eBPF maps)

Slide 13

The network cost of sidecar proxies

Slide 14

Solving the Injection Problem
(diagram: two nodes, each with userspace / kernel)

Slide 15

The operational cost of sidecars
(diagram: pods in userspace, each with an app container and a sidecar container)

my-app.yaml:
  containers:
    - name: my-app
      ...
    - name: my-app-init
      …
    - name: my-sidecar
      ...

Slide 16

If not sidecars, where should proxies be?

Slide 17

Delegating responsibility to user space
(diagram: userspace / kernel)

Cilium eBPF delegates:
- L7 termination to Envoy proxy
- L7 observability to Envoy proxy
- L7 network policy to Envoy proxy
- L7 identity to SPIFFE or cert-manager

Slide 18

Delegating responsibility to user space

Slide 19

eBPF Native (no proxy needed), used whenever possible:
- Traffic Management: L3/L4 forwarding & load-balancing; Canary, Topology Aware Routing; Multi-Cluster Routing
- Security: Network Policy; mTLS
- Observability: Tracing, OpenTelemetry & Metrics; HTTP, TLS, DNS, TCP, UDP, …

Proxy, used when eBPF can’t support it:
- Traffic Management: L7 Load-balancing & Ingress
- Resilience: Retries, L7 Rate Limiting
- Security: TLS Termination & Origination; L7 Network Policy*

*Roadmap for eBPF Native

Slide 20

Proxy per pod (sidecar model)
(diagram: userspace / kernel)
- Shares the pod’s namespaces and cgroups → Resources for app + proxy
- Proxy has access to the pod’s service account → Secrets / identity management directly from app

Cilium Status:
→ Supported via Istio Integration on top of Cilium CNI

Slide 21

Proxy on the node
(diagram: userspace / kernel)
- Proxy is co-located on the same node
  → No additional proxies needed on the network
  → No ability to share a proxy for a single tenant across nodes

Cilium Service Mesh Status:
→ Defaulting to Per-Node Model
→ Flexible deployment granularity on the roadmap

Slide 22

Proxy on the network
(diagram: two nodes, each with userspace / kernel)
- Proxy is located on the network
  → Requires additional network hops
  → Ability to share a proxy for individual tenants across nodes

Cilium Service Mesh Status:
→ Evaluating interest in ztunnel/HBONE to support Waypoint proxies

Slide 23

Proxy per app | Proxy per namespace | Proxy per node

Towards proxy per app: increased isolation. Towards proxy per node: increased performance, reduced complexity.

Slide 24

What about encryption?

Slide 25

Cilium network level encryption
(diagram: userspace / kernel)
- Encryption at L3, no need to traverse a proxy
- Uses node identity. Do you trust your nodes?

Slide 26

Cilium Next-Gen Mutual Authentication
- Works for any protocol (UDP, SCTP, …)
- IPsec/WireGuard can use TLS-negotiated service-specific keys
- User space mTLS authentication
- Proxy-free in-kernel datapath
- Keeps secrets out of L7 proxies

More information: https://isovalent.com/blog/post/2022-05-03-servicemesh-security

Slide 27

NetworkPolicy: mTLS Policy
Require authentication for connections to backends
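Added illustration, not from the deck: a CiliumNetworkPolicy that only admits connections to a backend once both peers have authenticated. The `spec.ingress[].authentication.mode` field is assumed to be the mutual-authentication field shipped in later Cilium releases, and the `app` labels, namespace and port are constructed.

```yaml
# Added example, not from the slides. Constructed values: namespace shop,
# labels app=backend / app=frontend, port 8080.
# Assumption: spec.ingress[].authentication.mode is the CiliumNetworkPolicy
# mutual-authentication field as shipped in later Cilium releases.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-require-mutual-auth
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    # Only frontend pods may reach the backend on 8080, and only after a
    # successful mutual authentication; unauthenticated flows are dropped
    # in the datapath without any L7 proxy in the path.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
      authentication:
        mode: "required"
```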

Slide 28

SPIFFE Integration
Tracking CFP / PR: https://github.com/cilium/cilium/issues/4016
(diagram: CiliumIdentity, SPIFFE ID, Logical Identity, X.509 Certificate)

Slide 29

What about observability?

Slide 30

New Strategic Partnership to provide -based Observability & Monitoring
https://grafana.com/blog/2022/10/24/grafana-and-cilium-deep-ebpf-powered-observability-for-kubernetes-and-cloud-native-infrastructure/

Slide 31

Network Observability
Embedded dashboards in hubble-ui

Slide 32

Tracing & HTTP Observability
Golden Signal Dashboards

Slide 33

Your Service Mesh choices

Slide 34

(architecture diagram; labels as recovered)
Layers: Configuration, Control plane, Data plane
Configuration objects: Ingress, Gateway API, Services, EnvoyConfig, SPIFFE, Network Policy
Components: Kubernetes, cert-manager, Cilium Service Mesh, Envoy
Functions: mTLS, Traffic Management, Identity Management, Observability, Secrets, Service Discovery
Legend: Stable / Available in Dev Branch / WIP / Roadmap

Slide 35

Layer 7 Traffic Management Options
- Ingress: original L7 load-balancing standard in K8s. Simple. Supported since Cilium 1.12.
- Services: use of K8s services with annotations. Simple. Support coming in Cilium 1.13 (Pull Request: cilium/cilium#21244).
- EnvoyConfig: raw Envoy config via CustomResource. Advanced users & integrations. Supported since Cilium 1.12.
- Gateway API: originally labelled Ingress v2; richer in features. Simple. Support for v0.5.1 coming in Cilium 1.13 (Pull Request: cilium/cilium#21749).

Slide 36

Ingress: HTTP path-prefix based routing

Slide 37

Service + Annotations: simple way to enable gRPC weighted-least-request load-balancing

Slide 38

Service + Annotations + Multi-Cluster: compatible with multi-cluster load-balancing

Slide 39

Gateway API: use of Gateway and HTTPRoute objects for path-based routing
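Added example, not from the deck, of the path-based routing this slide names: a Gateway plus an HTTPRoute in the v1beta1 API that Gateway API v0.5.x ships. The GatewayClass name `cilium`, the namespace and the two backend Services are assumptions.

```yaml
# Added example, not from the slides. Assumptions: a GatewayClass named
# "cilium" exists; Services api (8080) and web (80) exist in namespace shop.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  gatewayClassName: cilium
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same   # only HTTPRoutes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: shop-routes
  namespace: shop
spec:
  parentRefs:
    - name: shop-gateway
  rules:
    # Longest matching prefix wins: /api/... goes to the API service ...
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api
          port: 8080
    # ... and everything else falls through to the web frontend.
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: web
          port: 80
```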

Slide 40

EnvoyConfig: ability to define raw Envoy configuration

Slide 41

Thank you! @tgraf_ | @lizrice | @isovalent