Improve performance and security for containers using Kuryr and Cilium

Cilium is an open source project which implements Kubernetes network policies and provides container network security by using eBPF and XDP packet filtering in the Linux kernel. Kuryr is the OpenStack project that enables native Neutron-based networking in Kubernetes. In this talk we will describe the work that we've done to provide Cilium as a CNI plugin and how we used Kuryr to integrate it into OpenStack. We will demonstrate how to deploy and configure a Kubernetes cluster using the Cilium-Kuryr integration. We will explain how Cilium provides L7 network policies and its "native routing" mode, in which Cilium leaves routing to any routing daemon present on the host. We will illustrate Cilium's features using concrete examples. Because it filters packets natively in the kernel, Cilium boosts performance; we will show test results that measure how Cilium improves throughput compared to other CNI plugins.

Rossella Sblendido

November 14, 2018

Transcript

  1. Improve Performance and Security for Containers using Kuryr and Cilium
     Michal Rostecki, Software Engineer, [email protected]
     Rossella Sblendido, Team Lead Networking, [email protected]
  2. Why Cilium + Kuryr?
     • Support for Network Policies in Kubernetes
     • Using BPF as an underlying mechanism for Network Policies, to avoid using iptables
  3. Integration: how it works in our experiment
     • Kuryr-kubernetes controller is running as a deployment
     • Kuryr-kubernetes CNI plugin is not used
     • Cilium CNI plugin is used instead
     • Direct routing mode is used in Cilium
  4. Integration: challenges
     • Cilium CNI plugin had to be extended to:
       ◦ read the OVS bridge name and the allocated IP from pod annotations
       ◦ create OVS VIFs
  5. How the integration works in the experiment
     (sequence diagram; participants: User, Neutron, Kuryr ctrl, K8S API, Kubelet, Cilium CNI; messages: Create pod, Create pod API object, Add annotation with Neutron port data, Create port, Create pod sandbox and containers, Call CNI plugin to set up netns, Read pod annotation with Neutron port data, Create OVS VIF, Create Cilium endpoint, Request port creation)
  6. New possibilities
     • Cilium in version 1.4 will have decoupled bits of:
       ◦ Networking
       ◦ Load balancing
       ◦ Policy
     • The goal of that decoupling is to be able to use, for example, the load balancing and policy bits from Cilium and networking from any other plugin. There is ongoing work on Cilium-Flannel integration.
     • Perfect opportunity for implementing Kuryr support upstream.
  7. How the integration should look
     (sequence diagram; participants: User, Neutron, Kuryr ctrl, K8S API, Kubelet, Kuryr CNI, Cilium; messages: Create pod, Create pod API object, Add annotation with Neutron port data, Create port, Create pod sandbox and containers, Call CNI plugin to set up netns, Read pod annotation with Neutron port data, Create OVS VIF, Create Cilium policy, Request port creation)
  8. Demo
     • Applications simulating Star Wars (station and starfighters) on Kubernetes.
     • Tie Fighter (Empire) should have access to Death Star.
     • X-Wing (Alliance) should not have access to Death Star.
  9. Future work
     • Provide support for Kubernetes Services
     • Provide support for load balancing
     • Gating upstream
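The access rule from the demo on slide 8, written as a CiliumNetworkPolicy that combines the L3, L4 and L7 enforcement the abstract mentions. This is an added example, not one of the deck's own manifests; the pod labels, the port and the request path are assumptions.

```yaml
# Added example, not from the deck. Assumed labels: Death Star pods carry
# class=deathstar, Tie Fighters carry org=empire, X-Wings carry org=alliance.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deathstar-access
  namespace: default
spec:
  description: "Only Empire ships may request landing on the Death Star"
  # The policy selects the Death Star endpoints. Once an endpoint is selected
  # by an ingress policy, Cilium switches it to default-deny for ingress, so
  # X-Wing (org=alliance) traffic is dropped without an explicit deny rule.
  endpointSelector:
    matchLabels:
      class: deathstar
  ingress:
  - fromEndpoints:            # L3: matched on pod identity (labels), not IPs
    - matchLabels:
        org: empire
    toPorts:                  # L4: only the HTTP port (assumed 80/TCP)
    - ports:
      - port: "80"
        protocol: TCP
      rules:                  # L7: Cilium redirects matching flows to its
        http:                 # HTTP proxy; other methods/paths get HTTP 403
        - method: "POST"
          path: "/v1/request-landing"   # assumed API path of the demo app
```

Apply it with `kubectl apply -f` and confirm on the node with `cilium endpoint list` that the Death Star endpoints now show ingress policy enforcement enabled.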