Cilium's Envoy Filter and VS Bridge to Kubernetes

Rueian
November 14, 2020


Demonstrates how to address the limitations of Visual Studio Bridge to Kubernetes with Cilium L7 Network Policy and a custom tunnel agent.

Full Code: https://github.com/rueian/aerial


Transcript

  1. Cilium’s Envoy Go Filter and Bridge To Kubernetes. Ruian @ GopherCon TW 2020-11-14
  2. Hi, I am Ruian • Dcard Backend Engineer • Previous sharing: https://medium.com/@ruian • http://github.com/rueian • https://speakerdeck.com/rueian
  3. Outline • Cilium Overview • What is Cilium & why Cilium is important • How Cilium L7 Network Policy works • Improve Development Experience with Cilium • What is Bridge To Kubernetes and its limitations • How to customize Cilium L7 Network Policy to address the Bridge To Kubernetes limitations
  4. What is Cilium? Source: https://cilium.io

  5. Why Cilium? Source: https://cilium.io/blog/2020/08/19/google-chooses-cilium-for-gke-networking/

  6. Why Cilium? Linux Network Acceleration with BPF: Local Socket Redirect. Source: https://www.infoq.com/presentations/linux-cilium-ebpf/

  7. Why Cilium? Linux Network Acceleration with BPF: K8s Service Endpoint Selection on connect(2) Syscall. Source: https://cilium.io/blog/2020/02/18/cilium-17#kubeproxy-removal

  8. Why Cilium? Linux Network Acceleration with BPF: K8s NodePort Forward and Direct Server Return on XDP. Source: https://cilium.io/blog/2020/02/18/cilium-17#kubeproxy-removal

  9. Why Cilium? Linux Network Acceleration with BPF: Veth Optimization. Source: https://cilium.io/blog/2020/11/10/cilium-19
  10. What is Cilium? Source: https://cilium.io

  11. Cilium Network Policy Source: https://cilium.io

  12. Cilium L7 Network Policy Example (http) Source: https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/http/

  13. Cilium L7 Network Policy Example (http) Source: https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/http/

  14. Cilium L7 Network Policy Example (http) Source: https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/http/

  15. Cilium L7 Network Policy Example (http) Source: https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/http/

  16. Cilium L7 Network Policy Example (http) Source: https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/http/

  17. Any L7 Protocol can be supported Not Only for HTTP

  18. Cilium L7 Network Policy Example (kafka) Source: https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/kafka/#gs-kafka

  19. How Cilium L7 Network Policy Works. Source: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/filter/filter

  20. Envoy Network Filters. Source: https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request

  21. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  22. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/ From kube-api-server

  23. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/ fork exec

  24. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/ xDS request

  25. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/ xDS response

  26. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/ dlopen libcilium.so

  27. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  28. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  29. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  30. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  31. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  32. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  33. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  34. How Cilium L7 Network Policy Works Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  35. FULL Control of L7 Traffic with Golang

  36. FULL control of L7 traffic with Golang Envoy Filter • NO need to inject sidecars • NO need to restart pods • ONLY traffic matched by L4 level policy is processed • Do whatever you want to the traffic, e.g.: • HTTP access control • RPC redirection • DB connection mutation, auditing
  37. How can the power improve development experience?

  38. Microservice Development Experience: Some Pain Points • For Developing: • Hard to prepare other service dependencies • Need to re-deploy container to reflect code changes • For Debugging: • Hard to target traffic to a specific remote container • Hard to inspect the memory of the remote container (maybe uprobe)
  39. Visual Studio Bridge To Kubernetes Source: https://devblogs.microsoft.com/visualstudio/bridge-to-kubernetes-ga/

  40. Visual Studio Bridge To Kubernetes Source: https://devblogs.microsoft.com/visualstudio/bridge-to-kubernetes-ga/

  41. Visual Studio Bridge To Kubernetes Source: https://devblogs.microsoft.com/visualstudio/bridge-to-kubernetes-ga/

  42. Visual Studio Bridge To Kubernetes Source: https://devblogs.microsoft.com/visualstudio/bridge-to-kubernetes-ga/

  43. Visual Studio Bridge To Kubernetes Source: https://github.com/microsoft/mindaro

  44. Visual Studio Bridge To Kubernetes Source: https://docs.microsoft.com/en-US/visualstudio/containers/overview-bridge-to-kubernetes?view=vs-2019#limitations

  45. Visual Studio Bridge To Kubernetes Source: https://docs.microsoft.com/en-US/visualstudio/containers/overview-bridge-to-kubernetes?view=vs-2019#limitations

  46. Let’s Build Bridge To Kubernetes with Cilium’s Envoy Go Filter

  47. Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/ How to build Bridge To Kubernetes?

  48. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  49. How to build Bridge To Kubernetes? (Laptop, Create Tunnel, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  50. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent, Create CRD) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  51. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent, From kube-api-server) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  52. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  53. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent, Should redirect?) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  54. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  55. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  56. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/

  57. How to build Bridge To Kubernetes? (Laptop, Tunnel Agent) Original Image Source: https://cilium.io/blog/2018/10/23/cilium-13-envoy-go/
  58. Cilium Envoy Golang Filter Internal Architecture

  59. Cilium Envoy Golang Filter Architecture. Source: https://docs.cilium.io/en/latest/concepts/security/proxy/envoy

  60. Rule Parser Interfaces. Source: https://github.com/cilium/cilium/blob/2ecf64773d8bfa414ea558392ed9275ee028a208/proxylib/proxylib/policymap.go

  61. Protocol Parser Interfaces. Source: https://github.com/cilium/cilium/blob/2ecf64773d8bfa414ea558392ed9275ee028a208/proxylib/proxylib/parserfactory.go

  62. Init: Register on libcilium.so

  63. Example Implementation

  64. Rule Parser Impl Example

  65. Rule Matches Impl Example

  66. Parser OnData Impl Example
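Slides 60 to 66 name the proxylib rule and parser interfaces, but the transcript carries no code. The following is an added example, not the talk's code and not cilium's: a self-contained Go sketch of an HTTP access-control parser in the same shape, a rule type with Matches and a parser whose OnData returns a verdict plus the byte count it applies to. The OpType constants, HTTPRule and HTTPParser are this example's own names, and the sample request is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// OpType mirrors the verdict shape of Cilium proxylib's Parser.OnData;
// all types and names here are this example's own, not cilium's code.
type OpType int
const (
	MORE OpType = iota // need more bytes before a decision can be made
	PASS               // forward the next n bytes to the destination
	DROP               // discard the next n bytes (request denied)
)
// HTTPRule is a minimal L7 rule (method + path prefix) like the "rules: http:"
// entries of a CiliumNetworkPolicy; Matches mirrors L7NetworkPolicyRule.Matches.
type HTTPRule struct{ Method, PathPrefix string }

func (r HTTPRule) Matches(method, path string) bool {
	return r.Method == method && strings.HasPrefix(path, r.PathPrefix)
}

// HTTPParser polices the request direction (only connections already selected by
// the L4 policy reach it); OnData returns a verdict plus the byte count it covers.
type HTTPParser struct{ Rules []HTTPRule }
func (p *HTTPParser) OnData(reply bool, data []byte) (OpType, int) {
	if reply {
		return PASS, len(data) // responses are not inspected here
	}
	end := strings.Index(string(data), "\r\n\r\n")
	if end < 0 {
		return MORE, 1 // header block incomplete: wait for more bytes
	}
	block := end + 4 // request line + headers + blank line
	parts := strings.Fields(strings.SplitN(string(data[:block]), "\r\n", 2)[0])
	if len(parts) != 3 {
		return DROP, block // malformed request line: refuse to pass it
	}
	for _, r := range p.Rules {
		if r.Matches(parts[0], parts[1]) {
			return PASS, block
		}
	}
	return DROP, block // no rule matched: deny, as Cilium's HTTP policy does
}
func main() { // constructed request modelled on the Cilium http guide's demo
	p := &HTTPParser{Rules: []HTTPRule{{"POST", "/v1/request-landing"}}}
	fmt.Println(p.OnData(false, []byte("POST /v1/request-landing HTTP/1.1\r\nHost: x\r\n\r\n")))
}
```

A real proxylib parser receives the data as a slice of buffers and can also return INJECT to send its own bytes, which is the hook a redirect-to-laptop filter would use; this sketch keeps only the allow/deny decision.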

  67. Recap • Cilium’s Golang Envoy Filter • Do whatever you want to L7 traffic • Visual Studio Bridge To Kubernetes • Improve microservice development experience • Build your own Bridge To Kubernetes with Cilium • Addressing the BTK limitations • Full Code of Tunnel and Golang Envoy Filter: • http://github.com/rueian/aerial • https://github.com/rueian/cilium/tree/httpredirect