Scaling Container Policy Management with Kernel Features

Linux Plumbers Conference via YouTube

Overview

Explore scaling container policy management using kernel features in this Linux Plumbers Conference talk. Dive into Cilium, an open-source project implementing the Container Network Interface (CNI) for networking and security in modern application environments. Learn about efficiently handling cluster events, mapping them to Linux networking configurations, and minimizing discrepancies between desired and realized states. Discover how Cilium utilizes various aspects of the networking stack, including eBPF, to model datapath state changes. Examine the container policy model for whitelist filtering at layers 3, 4, and 7, as well as memoization techniques for caching policy computation artifacts. Gain insights into the impact of large container-based deployments on dataplane design and kernel features. Follow the evolution of L7 policy implementation and explore past, present, and future approaches to transparent proxies.

Syllabus

Intro
Overview
Kubernetes Architecture 101
Kubernetes networking plugins
What does it mean to scale?
BPF plumbing
ELF Templating
Future directions
Policy example
Label selectors
Datapath Configuration: Egress
L7 is the new L4
Datapath Configuration: L7 flow
L7 Configuration: Past
L7 Configuration: Present
L7 Configuration: Proposal
L7 Configuration: Socket redirect
Socket assign: Hiccup
Summary

Taught by

Linux Plumbers Conference
