Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can have resolved a particular DNS name? Why Cilium & Hubble? BPF is enabling visibility into and control over systems and applications at a granularity and efficiency that was not possible before. It does

Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can have resolved a particular DNS name? Why Cilium & Hubble? eBPF is enabling visibility into and control over systems and applications at a granularity and efficiency that was not possible before. It does

Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can have resolved a particular DNS name? Why Cilium & Hubble? eBPF is enabling visibility into and control over systems and applications at a granularity and efficiency that was not possible before. It does

Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can have resolved a particular DNS name? Why Cilium & Hubble? eBPF is enabling visibility into and control over systems and applications at a granularity and efficiency that was not possible before. It does

kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can approaches to struggle to scale side by side with the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services, traditional CIDR based security policies

Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can approaches to struggle to scale side by side with the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing

kernel technology called BPF, which enables the dynamic inser�on of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can approaches to struggle to scale side by side with the applica�on as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a con�nuously growing and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services, tradi�onal CIDR based security policies

my mistake and welcome corrections! Sad Rabbit Has No Memory • A faulty client spammed “AMQP consumers” • RabbitMQ cluster runs out of memory • Need a way to limit the number of consumers • But love Rust! • For networking, RedBPF supports XDP and SocketFilter programs, however… Traffic Control for Real • XDP doesn’t seem would work (full TCP packet hasn’t been constructed yet - I could user-space program (e.g. for analyzing), does not affect original packets • `tc` can actually control packets! And use BPF! • Let’s add support for it in RedBPF `tc` Support in RedBPF • BPF programs

user space programming. Applications User space Kernel System calls Files Networking Process Memory Flying for years across the galaxy and back, The crew learned to modify their ship and adjust. They evolution of the kernel. Applications User space Kernel System calls Files Networking Process Module Memory One day, a concerned Captain Tux reviewed the crew And remembered that bees had long been aboard the required capabilities (privileges), the program does not crash the system or leak sensitive memory, and that the program always runs to completion (will not sit in a loop forever, holding up further

Deployment (2 replicas / HA mode in latest releases) on workers ● cilium-agent running on control plane to enable control/data plane connectivity ● Cilium state-keeping in shared cluster etcd Cilium in #1 cilium-agent Node #1 cilium-agent cilium-operator Node #1 cilium-agent cilium-operator Control Plane kube-api-server cilium-agent kube-controller- manager scheduler ….. etcd VPC digitalocean