
Cilium Service Mesh - ServiceMeshCon Europe 2022


Introduction to Cilium Service Mesh with eBPF

Thomas Graf

May 18, 2022


Transcript

  1. Cilium Service Mesh
     Speaker: Thomas Graf, CTO & Co-Founder Isovalent, Cilium Maintainer, Chair GB eBPF Foundation
  2. eBPF makes the Linux kernel programmable in a secure and efficient way.
     “What JavaScript is to the browser, eBPF is to the Linux Kernel”
     (Diagram labels: Process, Scheduler, execve(), Linux Kernel, Syscall)
  3. Cilium
     - Networking
     - Security
     - Observability
     - Service Mesh & Ingress
     eBPF-based (logo slide: Foundation, Created by, Technology)
  4. Cilium Service Mesh
     Option 1: Sidecar-free eBPF Mesh
     - Cilium manages a combination of eBPF + per-node proxy
     - No sidecars
     - Can support any control plane
     Option 2: Istio Integration
     - Istio manages sidecars
     - Cilium enforces L7 NetworkPolicy in Istio sidecars
     - Cilium accelerates the sidecar network injection path
  5. Example of Istio + Cilium Collaboration
     😨 Cleartext vs. TLS Encrypted
     ⚠ Anybody with CAP_NET_ADMIN can read everything in clear text.
  6. Traditional networking is falling short
     - tcpdump, NetFlow, sFlow, …
     - SSH, IPsec, WireGuard, VPN, …
     - L4 Load-Balancing (IPVS, iptables, …)
     - TCP retransmissions
     We need to move from an L4 (TCP, UDP) network to an L7 (HTTP, gRPC, …) network.
  7. Cilium Service Mesh
     - Sidecar-free datapath
     - Use eBPF when possible, fall back to Envoy
     - Native performance & latency
     - mTLS support for any network traffic (UDP, SCTP, Multicast, …)
     - Envoy CRD
     - Bring the control plane of your choice: Istio, SMI, Ingress / Services, Gateway API, SPIFFE, Linkerd(?)
     - Observability integrations (Hubble + Tetragon)
     More information: https://isovalent.com/blog/post/2021-12-08-ebpf-servicemesh
  8. What about multi-tenancy?
     We made the kernel aware of namespaces and cgroups to enable multi-tenancy. We call it containers.
  9. Integrating Envoy into the Kernel Stack
     - Envoy threads can run in the cgroup of the pod
     - No sidecar injection needed
     - No network injection needed
     - No need to stop Envoy
     - No need to start Envoy at pod startup
     Granularity of proxy:
     - Node
     - Namespace
     - …
  10. eBPF Native (no sidecar), used whenever possible:
      Traffic Management
      - L3/L4 forwarding & load-balancing
      - Canary, topology-aware routing
      - Multi-cluster
      Security
      - Network Policy
      - mTLS
      Observability
      - Tracing, OpenTelemetry, & Metrics
      - HTTP, TLS, DNS, TCP, UDP, …
      Proxy, used when eBPF cannot do it:
      Traffic Management
      - L7 load-balancing & Ingress
      Resilience
      - Retries, L7 rate limiting
      Security
      - TLS termination & origination
  11. mTLS with Cilium Service Mesh
      - Works for any protocol (UDP, SCTP, …)
      - Avoids once-allowed connections being allowed forever
      - Keeps secrets out of the proxy (useful when the proxy runs untrusted user filters)
      More information: https://isovalent.com/blog/post/2022-05-03-servicemesh-security
  12. Some benchmarks*
      (Chart: No Visibility / Sidecar HTTP Visibility (P95) / HTTP Authorization; series: No Proxy, Cilium Envoy Filter, Istio Envoy Filter, In-kernel HTTP parser)
      - All in-kernel with
      - Istio concurrency & resource constraints removed
      - 1x per-node proxy vs. 2x sidecars
      - Cilium Envoy filter less complex
      All data & scripts: https://isovalent.com/blog/post/2022-05-03-servicemesh-security
  13. Bonus benchmark: Cilium Envoy Filter vs. Istio Envoy Filter with default resource & concurrency constraints
      Make sure to review the default concurrency and resource constraints!