the template Release Candidate Process GitHub template process Reference steps for the template Feature Release Process On Freeze date For the final release Testing CI / Jenkins Jobs Overview Triggering Guarantees API Reference Internals Hubble internals Hubble Architecture Cilium Operator Highly Available Cilium Operator CRD Registration IPAM KVStore operations Identity garbage collection CiliumEndpoint examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws cilium-operator-azure cilium-operator-generic Key-Value Store Key-Value Store Layout Leases Debugging

Release Process GitHub template process Reference steps for the template Release Candidate Process Feature Release Process On Freeze date For the final release Testing CI / Jenkins Jobs Overview Triggering Guarantees API Reference Internals Hubble internals Hubble Architecture Cilium Operator Highly Available Cilium Operator CRD Registration IPAM KVStore operations Identity garbage collection CiliumEndpoint examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws cilium-operator-azure cilium-operator-generic Key-Value Store Key-Value Store Layout Leases Debugging

Release Process GitHub template process Reference steps for the template Release Candidate Process Feature Release Process On Freeze date For the final release Testing CI / Jenkins Jobs Overview Triggering examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws cilium-operator-azure cilium-operator-generic Key-Value Store Key-Value Store Layout Leases Debugging packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external

Release Process GitHub template process Reference steps for the template Release Candidate Process Feature Release Process On Freeze date For the final release Testing CI / Jenkins Jobs Overview Triggering examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws cilium-operator-azure cilium-operator-generic Key-Value Store Key-Value Store Layout Leases Debugging packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external

the log output Configuration Core Agent Monitoring & Metrics Installation cilium-agent cilium-operator Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting Symptom process Backport Criteria Backporting guide Generic Release Process Release Candidate Process Feature Release Process On Freeze date For the final release Testing CI / Jenkins Jobs Overview Triggering Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator Key-Value Store Key-Value Store Layout Leases Debugging Further Reading Related Material Presentations

Troubleshoo�ng Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy Troubleshoo�ng Automa�c Diagnosis network packets emi�ed by the applica�on containers, allowing to validate the iden�ty at the receiving node. Security iden�ty management is performed using a key-value store. Secure access to and from external This means that each host can allocate IPs without any coordina�on between hosts. The following mul� node networking models are supported: Overlay: Encapsula�on based virtual network spawning all hosts.

Kubernetes Endpoint Lifecycle Troubleshooting Monitoring & Metrics Installation cilium-agent cilium-operator Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting Symptom Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator Key-Value Store Key-Value Store Layout Leases Debugging Further Reading Related Material Presentations packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external

decided to move to Cilium in late 2018 for a couple of reasons: ○ support for NetworkPolicies ○ feature-rich CNI implementation ○ actively maintained project ○ healthy, supportive community ● Today clusters run on Cilium digitalocean.com ● cilium-agent managed as DaemonSet on each worker node ● cilium-operator managed as Deployment (2 replicas / HA mode in latest releases) on workers ● cilium-agent etcd Cilium in the DOKS Architecture Data Plane Node #1 cilium-agent Node #1 cilium-agent cilium-operator Node #1 cilium-agent cilium-operator Control Plane kube-api-server cilium-agent kube-controller-

service since 2017 • 5100 private, 760 public VIPs • k8s CCM integration (Type: LoadBalancer) L4LB Node L4LB Architecture XDP DPlane L3DSR with IPIP, Magrev Hashing, Session caching, etc… API Server Upstream Routers Advertise VIP with eBGP Configure with RPC Health check daemon etc… Service Discovery Per-flow ECMP k8s CCM Frontend (dash board) To Backends User For More Information • Our motivation

not host ● Rules auto-cleanup on task stop is important ● Has to be integrated with service discovery, etc Solution: ● Use BPF_CGROUP_INET_{EGRESS,INGRESS} ● If use-case allows, filter on socket ● Filter by local/remote IP, IP prefix, port, protocol, TCP flags ● Integrated with service discovery: can filter by service name (dynamic set of IP:port endpoints) Container firewall (twfw) Network