Explore a comprehensive conference talk on Cilium, an open-source project leveraging BPF for container security and networking. Dive into the revolutionary aspects of BPF technology, including its applications in application and network security, tracing, and visibility. Learn how Cilium applies BPF to solve networking, security, and load balancing challenges for distributed applications. Discover the integration of Cilium with orchestration systems like Kubernetes to enhance security and networking for cloud-native applications. Gain insights into topics such as DDoS mitigation, L3/L4 load balancing, microservices security, and the evolution of application design and delivery frequency. Understand the implementation of least privilege security for microservices, Kubernetes integration, and policy enforcement mechanisms. Compare traditional sidecar proxy approaches with kernel-based solutions, and examine the performance benefits of socket redirection.
Cilium - Container Security and Networking Using BPF and XDP
Overview
Syllabus
Intro
BPF is revolutionizing... Tracing / Profiling
BPF Revolution #2: XDP-DDoS mitigation
Facebook published BPF/XDP numbers for L3/L4 LB at Netdev 21
BPF Revolution #3: Security
Evolution of Application Design & Delivery Frequency
Network Security for Microservices
Gordon wants to build a service to tweet out all job offerings.
Gordon uses mutual TLS Auth Good thinking Gordon
The security team has L3/L4 network security in place for all services
Back to the drawing board...
Least privilege security for microservices
Kubernetes Integration
Should I encapsulate or not?
L3 Policy (Labels Based)
L3 Policy (CIDR)
Policy - Only allow GET /v1
How are these policies enforced?
What is a sidecar proxy?
Networking Path with a Sidecar
Kernel Proxy
Socket Redirect - Performance?
The Before and After
Cilium Summary
Taught by
Linux Foundation
