Identity Aware Threat Detection and Network Monitoring by using eBPF
Natalia Reka Ivanko, Isovalent, October 28, 2020
0 points | 7 pages | 1.35 MB | 1 year ago

Cilium v1.10 Documentation
installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Instructions Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies
0 points | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.8 Documentation
installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Instructions Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Kubernetes Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint
0 points | 1124 pages | 21.33 MB | 1 year ago

Cilium v1.7 Documentation
configuring, and troubleshooting Cilium in different deployment modes. Policy Enforcement Modes: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Instructions Cilium What is Cilium? Why Cilium? Functionality Overview Getting Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Cilium CRD schema validation Troubleshooting Istio Getting
0 points | 885 pages | 12.41 MB | 1 year ago

Cilium v1.9 Documentation
installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Instructions Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies
0 points | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.11 Documentation
installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Instructions Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies
0 points | 1373 pages | 19.37 MB | 1 year ago

Cilium v1.6 Documentation
configuring, and troubleshooting Cilium in different deployment modes. Policy Enforcement Modes: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Instructions GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Troubleshooting Istio Getting Started Using Istio Docker Upgrading Minor Versions Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes
0 points | 734 pages | 11.45 MB | 1 year ago

Cilium v1.5 Documentation
configuring, and troubleshooting Cilium in different deployment modes. Policy Enforcement Modes: Detailed walkthrough of the policy language structure and the supported formats. Monitoring & Metrics: Slack GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Troubleshooting Istio Getting Started Using Istio Docker Cilium Versions Upgrading Minor Versions Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes
0 points | 740 pages | 12.52 MB | 1 year ago

Cilium's Network Acceleration Secrets
or helper functions such as bpf_redirect_peer(), which quickly forward traffic between pods on the same host and skip a large part of the kernel network stack processing
[Diagram: same-host pod traffic path (pod 1 process, kernel network stack, raw/mangle/nat PREROUTING, tc ingress, conntrack, filter FORWARD), with the to-container redirect and, on kernel >= 5.10, redirect_peer between the veth pair]
Accelerating cross-node pod-to-pod communication: when pods communicate across nodes, Cilium uses its eBPF redirect capability to forward packets quickly between the host's physical NIC and the pod's virtual NIC,
[Diagram: cross-node traffic path between the pod's veth and the node's eth0 (tc ingress, tc egress, netfilter, kernel network stack), using redirect_peer and redirect_neigh]
0 points | 14 pages | 11.97 MB | 1 year ago

Building a Secure and Maintainable PaaS
❏ Secure Network Isolation
❏ Network Visibility and Auditing
❏ Minimize maintenance and performance overhead
❏ Scale past iptables limits
❏ …
Network Security and Auditing
Scalability
❏ Pod network filtering uses eBPF rather than iptables
❏ More flexible network policies
❏ Tools to help with network troubleshooting and policies
❏ Additional features
Filtering Outbound to DNS Name
Clusterwide Policy
Cilium CLI commands
Listing Endpoints on a Node
Traffic Denied by Policy
Traffic Allowed by Policy
Hubble Benefits
0 points | 20 pages | 2.26 MB | 1 year ago