Cfgmgmtcamp 2023 — eBPF Superpowers


From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, and why is it revolutionary, and what can it bring to you specifically?

Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications.

This talk will explain what eBPF is, why it is revolutionary in several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.


  1. eBPF Superpowers: A dynamic Kernel. Raphaël Pinson | @raphink | @raphink@mastodon.social, Solutions Architect, Isovalent
  2. ⬢ What is eBPF?
  3. ⬢ What is eBPF? ⬢ Principles
  4. ⬢ What is eBPF? ⬢ Principles ⬢ Observability
  5. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking
  6. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security
  7. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future
  8. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  9. The Linux Kernel: The Power Behind Modern Technology
     - From cars to servers to fridges
     - Foundation of the GNU/Linux operating system
     - Most widely used operating system in the world
     - Powers the vast majority of: embedded systems / IoT, cloud servers, supercomputers
  10. Before
  11. With
  12. Have you used eBPF? eBPF is already used in many places:
     - Load balancing
     - DDoS protection on large Internet platforms
     - Kernel live-patching (5.7+ with LSM/eBPF)
     - Android (e.g. app data stats)
  13. Who am I: Raphaël Pinson, Solutions Architect @ Isovalent
  14. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  15. Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel”
  16. (no text)
  17. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  18. How does it work? (slides 18 to 25 build up the same diagram)
  26. eBPF Helpers
  27. Stacks & hooks
  28. BPF / user-space communication
  29. SDK (cilium/ebpf) (slides 29 to 32)
  33. Safety
  34. Performance
  35. Cloud Native Identities
  36. eBPF Projects & SDKs
  37. Cilium & Friends: Cilium
     - performance gains (no need for iptables, bypass TCP/IP)
     - simpler architecture (e.g. no sidecar proxy for Service Mesh)
  38. Cilium & Friends: Cilium + Hubble
     - Cilium: performance gains (no need for iptables, bypass TCP/IP); simpler architecture (e.g. no sidecar proxy for Service Mesh)
     - Hubble: fine-grained network observability; exports to SIEM; support for OpenTelemetry
  39. Cilium & Friends: Cilium + Hubble + Tetragon
     - Cilium: performance gains (no need for iptables, bypass TCP/IP); simpler architecture (e.g. no sidecar proxy for Service Mesh)
     - Hubble: fine-grained network observability; exports to SIEM; support for OpenTelemetry
     - Tetragon: observe & export kernel events; act on events (e.g. SIGKILL)
  40. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  41. Observability: Observe directly in the kernel
     - Low-overhead tracing/observability
     - Example: network performance / SRTT / micro-bursts
     - HTTP / TLS in-kernel visibility
     - Troubleshooting prod on the fly (see bpftrace)
  42. Observability: Example software
     - BCC
     - bpftrace
     - Pixie
     - Cilium (network)
     - Cilium Tetragon (system)
  43. Observability: bpftrace
  44. Observability: Hubble (CLI)
      $ kubectl get pods
      NAME                         READY   STATUS    RESTARTS   AGE
      tiefighter                   1/1     Running   0          2m34s
      xwing                        1/1     Running   0          2m34s
      deathstar-5b7489bc84-crlxh   1/1     Running   0          2m34s
      deathstar-5b7489bc84-j7qwq   1/1     Running   0          2m34s
      $ hubble observe --follow -l class=xwing
      # DNS lookup to coredns
      default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP)
      kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP)
      # ...
      # Successful HTTPS request to www.disney.com
      default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN)
      www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
      www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
      default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST)
      # ...
      # Blocked HTTP request to deathstar backend
      default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
  45. Observability: Hubble (UI)
  46. Observability: Cilium + Grafana ❤️
  47. Observability: Network Metrics (Hubble)
  48. Observability: HTTP Metrics (Hubble)
  49. Observability: Network Policy Verdicts
  50. Observability: TLS (Tetragon)
  51. Observability: Combined Network & Runtime
  52. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  53. Networking: Bypass the native kernel network stack
     - eXpress Data Path (XDP)
     - TCP improvements (bandwidth manager, BBR, Big TCP)
     - NAT64/NAT46
     - Performant load-balancing algorithms (Maglev)
     - Network Policies
     - Cluster Mesh
     - Egress Gateway
     - Sidecar-free service mesh
     - etc.
  54. Networking: XDP. Drop packets before they reach the kernel
     - E.g. packet of death, DDoS
     - XDP allows dropping packets before they reach the kernel routing stack
  55. Networking: XDP
     - Drop packets before they reach the kernel: e.g. packet of death, DDoS; XDP allows dropping packets before they reach the kernel routing stack
     - Efficient Cloud Native LB: e.g. Socket Load Balancer
  56. Networking: iptables vs eBPF
     - kube-proxy / iptables: linear list / sieve; all rules have to be replaced as a whole
     - eBPF based: per-CPU hash table ⇒ more performant; native metadata (e.g. Pod labels) ⇒ Cloud Native routing 🏆
  57. Networking: BBR (TCP Congestion). https://isovalent.com/blog/post/accelerate-network-performance-with-cilium-bbr/
  58. Networking: NAT46/NAT64, an IPv6 / IPv4 bridge. Diagram: an IPv6 single-stack K8s cluster reaches the IPv4 Internet through a dual-stack ext. node; DNS64 answers bar.com AAAA 64:ff9b::4.3.2.1 for the record bar.com A 4.3.2.1; NAT64 maps [64:ff9b::<z>] -> [<z>], so a SYN to 64:ff9b::4.3.2.1 leaves as a SYN to 4.3.2.1. https://www.youtube.com/watch?v=Kvdh78TURck
  59. Networking: BIG TCP. https://www.youtube.com/watch?v=Kvdh78TURck
      Back to back: AMD Ryzen 9 3950X @ 3.5 GHz, 128G RAM @ 3.2 GHz, PCIe 4.0, ConnectX-6 Dx, mlx5 driver
      netperf -t TCP_RR -H <remote pod> -- -r 80000,80000 -O MIN_LATENCY,P90_LATENCY,P99_LATENCY,THROUGHPUT
      2.2x lower p99 latency
  60. Networking: Sidecar-free Service Mesh
  61. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  62. Security: Observe and manipulate kernel events in real time
     - Performant and transparent process visibility
     - Metadata
     - Fix kernel bugs on the fly
     - Catch & kill
  63. Security: Visibility & Enforcement, traditional approaches
     - App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables
     - ptrace(2) ⇒ TOCTTOU with syscalls
     - Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+)
     - Kernel module ⇒ stability & maintenance
  64. Security: Visibility & Enforcement with eBPF
  65. Security: Catch & Kill
  66. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  67. To Infinity… … and beyond 🚀
     - Improved device I/O perf with eBPF (XRP)
     - Support for 100% of C (in a safe way)
     - Cross-platform: archs; compilers (LLVM/gcc); platforms (Linux, Windows, etc.)
     - Towards a micro-kernel approach?
  68. All major cloud providers have picked -based Networking & Security for their Kubernetes platforms. How about you?
  69. eBPF resources
     - eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYBWvuQ
     - eBPF & Cilium Slack: http://slack.cilium.io/
     - eCHO News, bi-weekly eBPF newsletter: https://cilium.io/newsletter/
  70. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  71. Practical Labs … to become a Cilium & eBPF Jedi
     - 📅 Come tomorrow 2023-02-08, 09:00–13:00
     - 🏛️ In room B.2.015
     - 💻 Bring your laptop (web-based labs)
     - Get badges 🏅 and goodies 👕!
  72. Thank you!
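The `hubble observe` lines on slide 44 have a regular shape (source, source identity, destination, destination identity, trace point, verdict, L4 info), which makes the CLI output usable as a detection feed. The following is an added example, not code from the talk or from the Hubble project: a small Python parser for that line format that aggregates `Policy denied DROPPED` flows per source/destination endpoint pair. The regex is an assumption about the compact output shown on the slide, and the flow lines are a constructed sample adapted from the slide's demo values.

```python
import re
from collections import Counter

# Assumed shape of one compact `hubble observe` line, as on slide 44:
#   <src> (<src identity>) -> <dst> (<dst identity>) <trace point> <verdict> (<L4 info>)
FLOW_RE = re.compile(
    r"^(?P<src>\S+) \((?P<src_id>[^)]*)\) -> "
    r"(?P<dst>\S+) \((?P<dst_id>[^)]*)\) "
    r"(?P<trace>.+?) (?P<verdict>FORWARDED|DROPPED) \((?P<l4>[^)]*)\)$"
)

# Constructed sample adapted from the slide's demo flows (pod names and
# numeric identities are the demo's values, not real infrastructure).
SAMPLE_FLOWS = """\
# DNS lookup to coredns
default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP)
kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP)
# Successful HTTPS request
default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN)
www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
# Blocked HTTP requests to the deathstar backend (two retries, different source ports)
default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
default/xwing:49612 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
"""

def parse_flow(line):
    """Parse one flow line into a dict; None for blank, comment or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = FLOW_RE.match(line)
    return m.groupdict() if m else None

def endpoint(addr):
    """Drop the port so ephemeral source ports collapse: 'default/xwing:49610' -> 'default/xwing'."""
    return addr.rsplit(":", 1)[0]

def policy_denials(text):
    """Count DROPPED flows per (source, destination) endpoint pair.
    Aggregating by endpoint turns a stream of single verdicts into a per-pair signal to alert on."""
    denials = Counter()
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and flow["verdict"] == "DROPPED":
            denials[(endpoint(flow["src"]), endpoint(flow["dst"]))] += 1
    return denials

if __name__ == "__main__":
    for (src, dst), count in policy_denials(SAMPLE_FLOWS).items():
        print(f"{count} denied flow(s): {src} -> {dst}")
```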

Editor's Notes

  • Linux is used on tons of devices, with a very wide range of device types, sizes and usages.
  • It is not uncommon to require adding new features to Linux (especially in Cloud Native: security, networking, etc.). However, sending patches is a very long process, and it might take years before the patches end up in a stable distribution.
  • Cloud Native Identities in eBPF
  • BBR = Bottleneck Bandwidth and Round-trip propagation time, vs. the CUBIC algorithm. Google saw up to a staggering 2,700x improvement in throughput in their tests.
  • Stateful or stateless, e.g. k8s on IPv6 on an IPv4 network, or the opposite.
  • Overcoming the current 64KB TSO/GRO packet size limit for IPv6 traffic using the IPv6 jumbogram extension header. Not supported in most Linux kernels.
  • TOCTTOU = Time-of-check to time-of-use
