Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cilium: a firewall 🔥 to secure them all

Pierre-Yves Aillet
June 04, 2019
Technology
0
220

Cilium: a firewall 🔥 to secure them all

Kubernetes is cool. You can have a lot of different services in various technologies. How to secure an REST API, gRPC communications between pods or a kafka queue with a single tool ?

Cilium is a networking driver used to secure a kubernetes cluster. It handles component communications on many layers (L3, L4, L7) providing load-balancing, filtering, ... It operates at kernel level to give blazing fast processing.

During our talk, we will introduce kubernetes networking concepts and ways to secure it. We will then demo the Cilium project and introduce eBPF concepts. We will finally give you our feedback on the project.

Pierre-Yves Aillet

June 04, 2019
Tweet

More Decks by Pierre-Yves Aillet

See All by Pierre-Yves Aillet
Cilium: one firewall 🔥 to secure them all
pyaillet
0
78
Comment étendre Kubernetes ?
pyaillet
1
130
Linuxkit : le linux façon ikea
pyaillet
1
210
Linuxkit : le linux façon ikea
pyaillet
1
65
Métrologie et Alerting avec Prometheus et Grafana
pyaillet
1
370
Monitorer les xénomorphes avec Prometheus et Grafana
pyaillet
0
150

Other Decks in Technology

See All in Technology
競技としてのKaggle、役に立つKaggle
yu4u
6
2.4k
社内アプリで Cloudflare D1を プロダクト運用してみた体験談(Tokyo)
haochenx
0
120
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
2
140
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
5
18k
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
120
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
いいたいことちゃんという
tkengo
0
240
開発パフォーマンスを最大化するための開発体制
ham0215
7
1.1k
今さら聞けないDocker入門 〜 Dockerfileのベストプラクティス編
devops_vtj
19
5k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
37k
M&A戦略を支えるデータマネジメント (MIDAS Tech Study #16 GENDA Komiyama)
kommy339
1
120
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
7
1.3k

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
From Idea to $5000 a Month in 5 Months
shpigford
378
45k
Embracing the Ebb and Flow
colly
80
4.2k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
A designer walks into a library…
pauljervisheath
201
23k
Git: the NoSQL Database
bkeepers
PRO
423
63k
Designing the Hi-DPI Web
ddemaree
276
33k
Designing with Data
zakiwarfel
96
4.8k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
Ruby is Unlike a Banana
tanoku
96
10k
What’s in a name? Adding method to the madness
productmarketing
PRO
17
2.7k
Writing Fast Ruby
sferik
622
60k

Transcript

  1. Standards & Craftsmanship Cilium: one firewall to secure them all

    Pierre-Yves Aillet @pyaillet Eric Briand @eric_briand

  2. #ContainerDayFR 2 Eric Briand Dev’ touche à tout à Zenika

    Nantes Organisateur du CNCF Meetup Nantes @eric_briand @ebriand Pierre-Yves Aillet Consultant formateur à Zenika Nantes @pyaillet @pyaillet

  3. #ContainerDayFR 3

  4. #ContainerDayFR 4

  5. Architecture du SI #ContainerDayFR events internal api kafka kafka zookeeper

    internal-frontend api events-frontend

  6. Démo #ContainerDayFR

  7. Networking Kubernetes #ContainerDayFR eth0 eth0 eth0 eth0

  8. Network addons #ContainerDayFR Overlay • Weave • Flannel • Calico…

    Routage natif • GKE • kube-router

  9. Network policy #ContainerDayFR kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: namespace: webapp

    name: only-backend spec: podSelector: matchLabels: role: db ingress: - from: - podSelector: matchLabels: role: backend Type de la ressource Méta-données Informations habituelles de toutes les ressources Kubernetes

  10. Network policy #ContainerDayFR kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: namespace: webapp

    name: only-backend spec: podSelector: matchLabels: role: db ingress: - from: - podSelector: matchLabels: role: backend Les pods ayant le label “db” À partir du moment où le(s) Pod(s) correspond à une règle : - Le traffic est bloqué par défaut

  11. Network policy #ContainerDayFR kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: namespace: webapp

    name: only-backend spec: podSelector: matchLabels: role: db ingress: - from: - podSelector: matchLabels: role: backend Sens du traffic Source du traffic Seul le traffic explicitement autorisé est passant

  12. Architecture de notre SI avec network policy #ContainerDayFR events internal

    api kafka kafka zookeeper internal-frontend api events-frontend

  13. Démo #ContainerDayFR

  14. Accès API #ContainerDayFR internal-frontend api events-frontend /heroes/* /identities/* /heroes/* /identities/*

  15. Cilium #ContainerDayFR • https://github.com/cilium/cilium • Go + C pour la

    partie eBPF • Version 1.5 • Network addon Kubernetes • Sécurisation à différents niveaux • S’intègre avec Istio, Docker, Mesos

  16. #ContainerDayFR Linux Kernel BPF Program BPF Virtual Machine syscall bpf(BPF_PROG_LOAD,

    ...); BPF Bytecode bcc eBPF

  17. #ContainerDayFR

  18. Cilium network policies #ContainerDayFR internal-frontend api events-frontend /heroes/* /identities/* /heroes/*

    /identities/*

  19. Cilium network policies apiVersion: [...] spec: endpointSelector: matchLabels: app: heroes-api

    ingress: - fromEndpoints: - matchLabels: k8s:io.kubernetes.pod.namespace: internal toPorts: - ports: - port: "80" protocol: TCP rules: http: - method: "GET" path: "/heroes/?.*" • Structure similaire aux networks policies natives • Labels spécifiques Cilium/Kubernetes • Règles spécifiques au protocole L7

  20. Démo #ContainerDayFR

  21. Architecture de notre SI v2 #ContainerDayFR events internal api kafka

    kafka zookeeper internal-frontend api events-frontend

  22. Démo #ContainerDayFR

  23. Ok, mais en vrai il se passe quoi ? #ContainerDayFR

    Endpoint TC @ Endpoint bpf_lxc TC @ Endpoint bpf_netdev Endpoint L7 Policy Userspace Proxy Envoy

  24. C’était cool ? #ContainerDayFR • Installation avec l’operator simple mais

    architecture complexe • Le tooling pratique (ex : cilium policy trace) mais pas à tous les niveaux ! • Utilisation et syntaxe simples

  25. Multicluster #ContainerDayFR Source : https://cilium.io/blog/2019/03/12/clustermesh

  26. Multicluster #ContainerDayFR

  27. Performances #ContainerDayFR -- Source : https://itnext.io/4a9886efe9c4

  28. Suppression kube-proxy #ContainerDayFR Rôle de kube-proxy: - ClusterIP - NodePort

    Aujourd’hui Cilium: ClusterIP - Demain: ClusterIP + NodePort et au revoir kube-proxy

  29. Démo #ContainerDayFR

  30. Extensibilité #ContainerDayFR -- Source : http://docs.cilium.io/en/v1.5/envoy/extensions/

  31. Conclusion #ContainerDayFR • Projet prometteur ◦ Network policies++ ◦ Remplacement

    de kube-proxy • Usage intéressant de eBPF ◦ Lien userspace/kernel par les maps ◦ Affectation d’une identité k8s/docker/… aux src et dst des paquets

  32. Code & Références #ContainerDayFR Sources : • https://github.com/ebriand/conf-cilium Références :

    • https://cilium.io/ • http://www.brendangregg.com/ebpf.html • https://jvns.ca/blog/2017/06/28/notes-on-bpf---ebpf/ • https://www.youtube.com/watch?v=_Iq1xxNZOAo • https://cilium.io/blog/2018/12/03/cni-performance • https://itnext.io/benchmark-results-of-kubernetes-network-plugins-cni-ov er-10gbit-s-network-updated-april-2019-4a9886efe9c4

  33. Merci ! Pierre-Yves Aillet @pyaillet Eric Briand @eric_briand #ContainerDayFR