Software Defined Networking

Replacing iptables with eBPF in Kubernetes with Cilium

H.1308 (Rolin)
Michal Rostecki is a Software Engineer working at SUSE. He works on Cilium, both upstream and on integrating it with the openSUSE Kubic Project and SUSE CaaS Platform. Swaminathan Vasudevan is a Software Engineer working at SUSE. He worked on Neutron networking upstream and is currently migrating to Cilium, the openSUSE Kubic Project and SUSE CaaS Platform.

Cilium is an open source project which provides networking, security and load balancing for application services deployed with Linux container technologies, using the native eBPF technology in the Linux kernel. In this presentation we will talk about:

- The evolution of BPF filters, the advantages of eBPF and its use cases in Linux today, especially how Cilium networking uses eBPF to secure Kubernetes workloads with better performance than legacy iptables.
- How Cilium uses SOCKMAP for layer 7 policy enforcement.
- How Cilium integrates with Istio and handles L7 network policies with Envoy proxies.
- The new features since the last release, such as running a Kubernetes cluster without kube-proxy, cluster-wide NetworkPolicies, and a fully distributed networking and security observability platform for cloud native workloads.

Additional information

Type: devroom
