Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes Advanced Configuration Network 1/1 Running 0 13m Deploy the connectivity test You can deploy the “connectivity-check” to test connectivity between pods. kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1 1/1 Running 0 13m Deploy the connectivity test You can deploy the “connectivity-check” to test connectivity between pods. kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1

correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you are using CoreDNS, check the CoreDNS ConfigMap and validate that in-addr.arpa and ip6.arpa are listed as wildcards for the create 2 separate CloudFormation stacks for cluster itself and th [ℹ] if you encounter any issues, check CloudFormation console or try 'eksc [ℹ] creating cluster stack "eksctl-ridiculous-gopher-1548608219-cluster" correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you are using CoreDNS, check the CoreDNS ConfigMap and validate that in-addr.arpa and ip6.arpa are listed as wildcards for the

Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Micro Versions Upgrading Minor Versions Step 3: Rolling Back Version Specific 1/1 Running 0 13m Deploy the connectivity test You can deploy the “connectivity-check” to test connectivity between pods. kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1 1/1 Running 0 13m Deploy the connectivity test You can deploy the “connectivity-check” to test connectivity between pods. kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1

clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this. kubectl create ns cilium-test Deploy the check with: kubectl apply -n cilium-test p75 1/1 Running 0 68s Note If you deploy the connectivity check to a single node cluster, pods that check multi- node functionalities will remain in the Pending state. This is expected

clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy com/cilium/cilium- cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum} sha256sum --check cilium-linux-amd64.tar.gz.sha256sum sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin rm cilium-linux-amd64 detected, will skip some flow validation steps � [k8s-cluster] Creating namespace for connectivity check... (...) ----------------------------------------------------------------------- ----------------

clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this. kubectl create ns cilium-test Deploy the check with: kubectl apply -n cilium-test 7 1/1 Running 0 66s Note If you deploy the connectivity check to a single node cluster, pods that check multi- node functionalities will remain in the Pending state. This is expected

clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy cli/releases/download/${CILIUM_CLI_VERSION}/cilium- linux-${CLI_ARCH}.tar.gz{,.sha256sum} sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin detected, will skip some flow validation steps � [k8s-cluster] Creating namespace for connectivity check... (...) ----------------------------------------------------------------------- ----------------

#[kfunc " foo" ] → Same thing, but for kernel functions #! [ profile "/sbin/mylogin"] #[ func " check_password "] #[ allow] { fs("/etc/passwd", read) fs("/etc/shadow", read) } #[ func "add_user"] #[ framework) This work was supported by NSERC through a Discovery Grant. github.com/willfindlay/bpfbox Check out the project on GitHub! 7 / 7

wakeup_events = 1; int i, nr_cpus = sysconf(_SC_NPROCESSORS_CONF); for (i=0; icheck_on_each_cpu(i, &attr, progfd, pid); } } … … enum bpf_prog_type prog_type = BPF_PROG_TYPE_PERF_EVENT; - kmemleak (161) 04 Output ● Incorporate comments ○ Add len as part of user parameter ○ Test check_on_each_cpu() is required or not ? ● symbols -> symbol address ○ manual right now ○ Can it be

users:(("nc",pid=1289,fd=3)) $ nc -4 127.0.0.1 7777 hello⏎ hello ^D Netcat + /bin/cat Test it! Check open ports on VM external IP vm $ ip -4 addr show eth0 2: eth0: done: 1 IP address (1 host up) scanned in 0.07 seconds scan first 1000 ports 7, 77, 777 are closed check VM IP What is socket lookup? raw PREROUTING filter INPUT conntrack routing decision mangle