Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Improve performance and security for containers...

Rossella Sblendido
November 14, 2018
Technology
0
130

Improve performance and security for containers using Kuryr and Cilium

Cilium is on open source project which implements Kubernetes network policies and provides container network security by using eBPF and XDP packet filtering in the Linux kernel. Kuryr is the OpenStack project that enables native Neutron-based networking in Kubernetes. In this talk we will describe the work that we've done to provide Cilium as CNI plugin and how we used Kuryr to integrate it into OpenStack. We will demonstrate how to deploy and configure a Kubernetes cluster using the Cilium-Kuryr integration. We will explain how Cilium provides L7 network policies and its "native routing" mode, where it just allows any routing daemon to route the traffic. We will illustrate Cilium's features using concrete examples. Thanks to native packet filtering Cilium boosts performance, we will show tests results to measure how Cilium improves throughput compared to other CNI plugins.

Rossella Sblendido

November 14, 2018
Tweet

More Decks by Rossella Sblendido

See All by Rossella Sblendido
Neutron internals and future plans
rossella_s
0
35
Newcomers need you, how to be a good mentor
rossella_s
0
38
Deep dive in the Neutron upgrade story
rossella_s
0
120
Can't ping my VM!
rossella_s
0
350
Neutron L2 and L3 agents, How They Work and How Kilo Improves Them
rossella_s
0
260
HA in Neutron
rossella_s
0
95
Land your first patch in Neutron
rossella_s
0
42

Other Decks in Technology

See All in Technology
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.1k
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
900
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
170
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.7k
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
510
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
260
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
240

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
73
9.1k
Designing Experiences People Love
moore
138
23k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
How to train your dragon (web standard)
notwaldorf
88
5.7k
Practical Orchestrator
shlominoach
186
10k
Typedesign – Prime Four
hannesfritz
40
2.4k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
A designer walks into a library…
pauljervisheath
204
24k
GraphQLとの向き合い方2022年版
quramy
43
13k
Designing the Hi-DPI Web
ddemaree
280
34k
Six Lessons from altMBA
skipperchong
27
3.5k

Transcript

  1. Improve Performance and Security for Containers using Kuryr and Cilium

    Michal Rostecki Software Engineer [email protected] Rossella Sblendido Team Lead Networking [email protected]

  2. BPF From https://github.com/cilium/cilium

  3. Cilium architecture From https://github.com/cilium/cilium

  4. Introducing Kuryr From http://superuser.openstack.org/articles/networking-kubernetes-kuryr/

  5. Packet traversal vanilla Kuryr

  6. Why Cilium + Kuryr? • Support for Network Policies in

    Kubernetes • Using BPF as an underlying mechanism for Network Policies, to avoid using iptables

  7. Integration: how it works in our experiment • Kuryr-kubernetes controller

    is running as a deployment • Kuryr-kubernetes CNI plugin is not used • Cilium CNI plugin is used instead • Direct routing mode is used in Cilium

  8. Integration: challenges • Cilium CNI plugin had to be extended

    to: ◦ read the OVS bridge name and information about allocated IP from pod annotations ◦ create OVS VIFs

  9. How the integration works in the experiment User Neutron Kuryr

    ctrl K8S API Kubelet Cilium CNI Create pod Create pod API object Add annotation with Neutron port data Create port Create pod sandbox and containers Call CNI plugin to set up netns Read pod annotation with Neutron port data Create OVS VIF Create Cilium endpoint Request port creation

  10. New possibilities • Cilium in version 1.4 will have decoupled

    bits of: ◦ Networking ◦ Load balancing ◦ Policy • The goal of that decoupling is to be able to use i.e. load balancing and policy bits from Cilium and networking from any other plugin. There is an ongoing work on Cilium-Flannel integration. • Perfect opportunity for implementing Kuryr support upstream.

  11. How the integration should look like User Neutron Kuryr ctrl

    K8S API Kubelet Kuryr CNI Create pod Create pod API object Add annotation with Neutron port data Create port Create pod sandbox and containers Call CNI plugin to set up netns Read pod annotation with Neutron port data Create OVS VIF Create Cilium policy Request port creation Cilium

  12. Packet traversal with Cilium BPF prog 2 BPF prog 1

  13. Demo time!

  14. Demo • Applications simulating Star Wars (station and starfighters) on

    Kubernetes. • Tie Fighter (Empire) should have an access to Death Star. • X-Wing (Alliance) should not have an access to Death Star.

  15. Demo From https://github.com/cilium/cilium

  16. Future work • Provide support for Kubernetes Services • Provide

    support for load balancing • Gating upstream
  17. None