Cilium: eBPF powered CNI

[sangheee]

• https://ebpf.io
• https://dev.to/otomato_io/cilium-ebpf-powered-cni-a-nos-solution-for-modern-clouds-1hl1

The eBPF advantage for Observability in Kubernetes

How eBPF will solve Service Mesh - Goodbye Sidecars https://isovalent.com/blog/post/2021-12-08-ebpf-servicemesh/

Cilium: eBPF powered CNI, a NOS(Networking, Obervability, and Security) Solution for Moder Clouds

• 많은 CNI plugin의 iptables를 통한 Networking Policies 는 traffic이 몰릴 때나 변경 시에 performance issue가 있다.
  • https://mobilabsolutions.com/2019/01/why-we-switched-to-cilium/

  • to overcome these troubles, eBPF technology was invented

  • To use eBPF technology requires at least Linux 3.18, and to use full of eBPF, it needs Linux 4.4 or above
• eBPF, which stands for extended Berkeley Packet Filter,
  • allows to automatically collect network telemetry data(such as full body requests, resource and network metrics, application profiles, and more)
  • allows for the generation of visibility events and the collection and in-kernel aggregation of custom metrics, OS에 노출되는 guage나 static counter 에 의존하지 않아도 됨!
  • makes the kernel programmable in a safe and performant way
  • could add logic to the kernel from user-space, rather than altering the kernel code
  • eBPF programs are event based, and are executed on a specific hook(such as network events, system calls, function entries, and kernel trace points)

What is Cilium?

Cilium is an open source project built on top of eBPF. On top of eBPF, it offers a high-level abstraction.

What Kubernetes and container runtimes are to the Linux kernel's namespaces,cgroups, and seccomp, Cilium is to the eBPF: the appropriate abstraction layer above it.

• network policy를 위한 최소 권한 security paradigm
• The fundamental K8s Network Policies (which function at L3/L4) are effective, but Cilium Network Policies allow you to improve upon them (operate broader, at L3-L7).
  • giving us the ability to have enforcements on both ingress and egress.
  • Without having to write code, you can allow/block requests based on path, header and request method.
  • https://docs.cilium.io/en/stable/policy/language/#layer-7-examples
  • https://isovalent.com/blog/post/cilium-release-112/
• kubernetes without kube-proxy
  • iptables is suprseded by eBPF

Multi-Cluster Connectivity & Load Balancing

Cilium enables k8s pods to communicate and be discovered across k8s clusters by utilizing a cluster mesh. With Cilium, services are now capable of understanding topology and affinity.

observability

• hubble (https://github.com/cilium/hubble)
  • fully distributed networking and security observability platform for cloud native workloads
  • built on top of Cilium and eBPF
• Datadog team's Cilium based monitoring

[sangheee]

• https://editor.cilium.io/
• https://docs.cilium.io/en/v1.12/operations/metrics/#hubble-metrics
• https://docs.cilium.io/en/v1.12/operations/metrics/#cilium-metrics
• https://www.datadoghq.com/blog/cilium-metrics-and-architecture/#ciliums-architecture-and-performance-data
• https://isovalent.com/blog/post/cilium-release-112/

[sangheee]

https://isovalent.com/blog/post/cilium-service-mesh/