Cilium v1.10 Documentation
these new eBPF powers. Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency approaches such as HTB (Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI plugin, for example. Monitoring and Troubleshooting The ability to gain visibility and to troubleshoot pods Observability Setting up Hubble Observability Inspecting Network Flows with the CLI Service Map & Hubble UI Network Policy Security Tutorials Identity-Aware and HTTP-Aware Policy Enforcement Locking
0 points | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.8 Documentation
these new BPF powers. Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency and alerting, and application and security visibility based on flow logs. Integrations Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork] minikube start --network-plugin=cni --memory=4096 # Only available for minikube >= v1.12.1 minikube start --cni=cilium --memory=4096 Note From minikube v1.12.1+, cilium networking plugin can be enabled directly
0 points | 1124 pages | 21.33 MB | 1 year ago

Cilium v1.9 Documentation
these new eBPF powers. Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency approaches such as HTB (Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI plugin, for example. Monitoring and Troubleshooting The ability to gain visibility and to troubleshoot and alerting, and application and security visibility based on flow logs. Integrations Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork]
0 points | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.11 Documentation
these new eBPF powers. Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency approaches such as HTB (Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI plugin, for example. Monitoring and Troubleshooting The ability to gain visibility and to troubleshoot pods Observability Setting up Hubble Observability Inspecting Network Flows with the CLI Service Map & Hubble UI Network Policy Security Tutorials Identity-Aware and HTTP-Aware Policy Enforcement Locking
0 points | 1373 pages | 19.37 MB | 1 year ago

Cilium v1.7 Documentation
and alerting, and application and security visibility based on flow logs. Integrations Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork] ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 4. Mount the BPF filesystem minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf into your new Kubernetes cluster. The DaemonSet will automatically install itself as Kubernetes CNI plugin. kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.7/inst Validate the Installation
0 points | 885 pages | 12.41 MB | 1 year ago

Cilium v1.6 Documentation
are exported via Prometheus for integration with your existing dashboards. Integrations Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork] Services (beta) Kubernetes NodePort (beta) Kubernetes without kube-proxy (beta) Kata with Cilium on Google GCE Configuring IPAM modes Operations Running Prometheus & Grafana Limiting Identity-Relevant Labels ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 4. Mount the BPF filesystem minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf
0 points | 734 pages | 11.45 MB | 1 year ago

Cilium v1.5 Documentation
metrics are exported via Prometheus for integration with your existing dashboards. Integrations Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork] minikube version minikube version: v0.33.1 Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 Note that in case of installing Cilium for a specific Kubernetes version, the into your new Kubernetes cluster. The DaemonSet will automatically install itself as Kubernetes CNI plugin. K8s 1.15 K8s 1.14 K8s 1.13 K8s 1.12 K8s 1.11 K8s 1.10 kubectl create -f https://raw.githubusercontent
0 points | 740 pages | 12.52 MB | 1 year ago

Containers and BPF: twagent story
containers ● a part of the bigger TW system, see the TW paper in OSDI'20 [0] [0] https://sites.google.com/site/tangchq/papers/Twine-OSDI20.pdf twagent Container (aka “task”): ● namespaces: cgroup BPF_CGROUP_SOCK_OPS programs → ● In proxy on accept(2) learn orig_dst by connection’s src IP and port from BPF map. ● Encrypt, see [0] for details on proxy itself. [0] https://atscaleconference.com/videos/scale- orig_dst.ip = ctx->user_ip6 ● orig_dst.port = ctx->user_port ● Save in a map ● ctx->user_ip6 = proxy.ip ● ctx->user_port = proxy.port BPF_SOCK_OPS_TCP_CONNECT_CB: ● src.ip
0 points | 9 pages | 427.42 KB | 1 year ago

Steering connections to sockets with BPF socket lookup hook
__u32 local_port; /* ... */ }; /usr/include/linux/bpf.h 7 77 777 echo_ports BPF HASH map Ncat socket echo_socket BPF SOCKMAP (2) is local port open? (3) pick echo service socket Ncat bpf.c - BPF sk_lookup program /* Declare BPF maps */ struct bpf_map_def SEC("maps") echo_ports = { .type = BPF_MAP_TYPE_HASH, .max_entries = 1024, .key_size = sizeof(__u16), .value_size = sizeof(__u8), }; struct bpf_map_def SEC("maps") echo_socket = { .type = BPF_MAP_TYPE_SOCKMAP, .max_entries = 1, .key_size
0 points | 23 pages | 441.22 KB | 1 year ago

eBPF Summit 2020 Lightning Talk
AMQP port • Extract source IP & port as BPF map key Extract AMQP Methods Use BPF Maps Use BPF Maps • Using the source IP & port as map key • Map is a counter for consumers per connection Use the source IP & port as map key • Map is a counter for consumers per connection • Increase when declare Use BPF Maps • Using the source IP & port as map key • Map is a counter for consumers Increase when declare • Decrease when cancel Use BPF Maps • Using the source IP & port as map key • Map is a counter for consumers per connection • Increase when declare • Decrease when cancel
0 points | 22 pages | 1.81 MB | 1 year ago
15 results in total