Explore kernel-native security and DDoS mitigation for microservices using BPF in this Docker conference talk. Dive deep into recent kernel developments addressing application-aware security, routing efficiency, and protection against DDoS attacks. Learn about kproxy, a kernel-based socket proxy for minimal-overhead application-aware routing and security enforcement. Discover XDP, a high-speed packet processing datapath using BPF for DDoS mitigation, load-balancing, and forwarding. Understand how Cilium leverages BPF and these kernel features to enhance Docker container security on Linux. Follow along with practical demonstrations, including a Lego robot competition, to see these concepts in action. Gain insights into microservices architecture, deployment tasks, HTTP policies, and application design delivery. Explore topics such as IP tables, policy enforcement, Kafka concepts, and image upload services. Witness the scalability and power of BPF programs through CLI agents and real-world examples. Conclude with a comprehensive overview of the project status and actionable steps to implement these advanced security measures in your own Docker environments.
Cilium - Kernel Native Security and DDOS Mitigation for Microservices with BPF
Overview
Syllabus
Introduction
Meet Gordon
Lego Robot Competition
Microservices Architecture
Deployment Tasks
Update HTTP Policies
Application Design Delivery
IP Tables
Robot Competition
Image Upload Service
Policy Enforcement
Summary
What is BPF
BPF Example
Cilium
Cilium Agent
Docker Container
BPF Scalability
BPF Program
CLI Agents
Kafka
Kafka Concepts
Broker
Consumer Groups
Coppa
Kafka Broker
Isolation
Kafka API
Image Upload
Kafka Port
Kafka Parse
Demo
Demo Overview
Demo Example
Sidecar Proxy
Kafka Parsing
Lego Competition
Architecture
Leveraging XDP
XDP throughput
XDP vs IPtables
What we saw
Project status
Take action
QA
Taught by
Docker
