small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Security Bugs Operations System Requirements Summary Architecture Support Linux Distribution

small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Security Bugs Operations System Requirements Summary Linux Distribution Compatibility & Considerations

small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Security Bugs Operations System Requirements Summary Linux Distribution Compatibility Matrix

small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Guides Installation Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Failure Behavior Architecture Datapath Scale Kubernetes Integration Getting Help FAQ Slack GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy

small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Failure Behavior Architecture Datapath Scale Kubernetes Integration Getting Help FAQ Slack GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy

small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Guides Installa�on Security Tutorials Advanced Networking Opera�ons Is�o Other Orchestrators Concepts Component Overview Assurances Terminology Address Management Mul� Host Networking Security Architecture Datapath Datapath Scale Kubernetes Integra�on Ge�ng Help FAQ Slack GitHub Security Bugs Integra�ons Kubernetes Introduc�on Concepts Requirements Configura�on Network Policy Endpoint CRD Kubernetes Compa�bility

small Cilium setup on your laptop. Intended as an easy way to get your hands dirty applying Cilium security policies between containers. Concepts: Describes the components of Cilium, and the different models Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Kubernetes Integration Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Security Bugs Operations System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Required Kernel Versions

Building a Secure and Maintainable PaaS Leveraging eBPF to Scale Security and Improve Platform Support Bradley Whitfield October 28, 2020 2 Dragon - Internal Platform as a Service TIP: To change Auditing ❏ Minimize maintenance and performance overhead ❏ Scale past iptables limits ❏ … 4 Network Security and Auditing 5 Scalability and Maintainability Source: https://commons.wikimedia.org/wiki/F change picture:Right click on image > Replace image > Select file ❏ Durable log storage and enterprise Security Information and Event Management (SIEM) integration ❏ hubble observe command to help with

Packet Filter Dynamically program the kernel for efficient networking, observability, tracing, and security. • 稳定 • 高性能 • 安全（内核verifier机制） • 动态可编程（无需重启） eBPF程序加载和校验 02. eBPF程序加载和校验 eBPF事件驱动 Kprobe/Kretprobe 2、写好bpf.c和bpf.h,放到指定目录 3、go generate 获取转换后的go文件 构建完整的应用可观测系统 第五部分 架构感知 JMeter testdemo1 testdemo2 Mysql Redis Kafka hcmine 节点 属性 关系 架构感知，节点和关系以及他们的属性，能够正确地反应当前运行的网络关系，帮助 用户感知架构，通过对比期望架构，发现问题，通常在新应用上线，新地区开服，整 全栈数据源，70+个告警模板开箱即用： 应用级别：Pod/Service/Deployment K8S控制面：apiserver/ETCD/Scheduler 基础设施：节点、网络、存储 云服务界别：Kafka/MySQL/Redis/ 告警 拓扑图排查 根因定位 修复 告警收敛，幸福感UP 指标 日志 Trace分析 黄金指标 网络指标 服务依赖 事后复盘 拓扑图高可用、依赖分 析 面向失败、高可用设计

more than 150 engineers Reduce operational complexity Scalability Availability Observability Security Reliability Messaging Analytics Multi-tenancy caveats ● Single underlying infrastructure ● operational complexity ○ Infrastructure is operated by a team of 3 engineers ● Reduce costs ● Security issues ● Scalability issues Namespaces +400 Pods +10k Services +3k CPU +2k Mem +5TB kube-proxy replacement NetworkPolicy logging Multi-cluster DNS Aware NetworkPolicy Increased Istio security External Services TLS visibility Performance Kafka policies by labels