Cilium v1.9 Documentation
Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle DNS? Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples
0 码力 | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.7 Documentation
Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting L7 Protocol Visibility API Rate Limiting Default Rate Limits Configuration X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples 0 8s cilium-s8w5m 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2
0 码力 | 885 pages | 12.41 MB | 1 year ago
Cilium v1.10 Documentation
Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle DNS? Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples
0 码力 | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.11 Documentation
Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle DNS? Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples
0 码力 | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.6 Documentation
Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting Monitoring & Metrics Installation cilium-agent X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples 0 8s cilium-s8w5m 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2
0 码力 | 734 pages | 11.45 MB | 1 year ago
Cilium v1.8 Documentation
Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting DNS? Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples
0 码力 | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.5 Documentation
Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting Monitoring & Metrics Exported Metrics Cilium as X-Token: [0-9]+ to be present in all REST calls. See the section Layer 7 Policy [http://docs.cilium.io/en/stable/policy/#layer-7] in our documentation for the latest list of supported protocols and examples cilium-s8w5m 0/1 PodInitializing 0 coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 coredns-86c58d9df4-4l6b2 0/1
0 码力 | 740 pages | 12.52 MB | 1 year ago
Steering connections to sockets with BPF socket lookup hook
● Contributor to Linux kernel networking & BPF subsystems Goal Run a TCP echo service on ports 7, 77, and 777 … using one TCP listening socket. Fun? We will need… ❏ VM running Linux kernel 5.9+ 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds scan first 1000 ports 7, 77, 777 are closed check VM IP What is socket lookup? raw PREROUTING filter INPUT conntrack remote_port; __u32 local_ip4; __u32 local_port; /* ... */ }; /usr/include/linux/bpf.h 7 77 777 echo_ports BPF HASH map Ncat socket echo_socket BPF SOCKMAP (2) is local port open? (3)
0 码力 | 23 pages | 441.22 KB | 1 year ago
bpfbox: Simple Precise Process Confinement with eBPF and KRSI
BPF programs to LSM hooks ▶ Integrates userspace and kernelspace state into policy decisions 1 / 7 Motivation ▶ Existing process confinement mechanisms are complex seccomp-bpf Unix DAC Namespaces confinement mechanisms are difficult to use SELinux AppArmor TOMOYO ▶ Can we do any better? 2 / 7 eBPF Changes the Game eBPF enables: ▶ Fine-grained system introspection ▶ Integration of cross-layer security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3 bcc framework ▶ Kernelspace components
0 码力 | 8 pages | 528.12 KB | 1 year ago
Building a Secure and Maintainable PaaS
https://commons.wikimedia.org/wiki/File:Pictofigo-Scalability.png 6 Evaluating eBPF CNI Offerings 7 8 9 10 Evaluating Cilium and Hubble 11 Cilium Benefits TIP: To change picture:Right click IPSec, Cluster Mesh, and more 12 Reduced iptables Complexity 13 CiliumNetworkPolicies Layer 7 HTTP Filtering Outbound to DNS Name Clusterwide Policy 14 Cilium CLI commands Listing Endpoints
0 码力 | 20 pages | 2.26 MB | 1 year ago