蓝维洲 2021.10.16 cilium的网络加速秘诀 蓝维洲 网络组研发负责人 演讲人 cilium介绍 https://cilium.io https://github.com/cilium cilium是 kubernetes 的 CNI 网络解决方案，创新采用了 eBPF datapath，为 kubernetes网络和 linux 社区的 eBPF 发展，启动了 最要的推动作用。 最要的推动作用。 截止 2021.10 ，cilium github 项目已有 9.3K star，Contributors 316位 cilium的特色功能： • 网络功能 • 负载均衡 • 网络安全 • 可观察性 • 多集群连通 注：本 PPT 基于 cilium v1.10.4 进行分析 ��������������� ��������������� �������������������� �������������������� ���������������� ������������������������ Cilium加速网络 性能提升的主要表现： • 不同场景下，不同程度地降低了 网络数据包的“转发延时” • 不同场景下，不同程度地提升了 网络数据包的“吞吐量” • 不同场景下，不同程度地降低了 转发数据包所需的“ CPU 开销” eBPF 简介 eBPF 技术 在 Linux

eBPF事件驱动 Kprobe/Kretprobe Uprobe/Uretprobe XDP Tracepoint Perf 01. eBPF事件驱动 eBPF在云原生场景下的应用 第二部分 网络加速 01.网络加速 From:https://istio.io/latest/zh/blog/2022/merbridge/ eBPF 的可编程能力使其能够内核中完成包的处理和转发，而且可以添加额外扩展能力。 From:https://juejin.cn/post/7280746515525156918 安全 看到和理解所有系统调用的基础上，将其与所有网络操作的数据包和套接字级视图相结合，通 过检测来阻止恶意攻击行为，如 DDoS攻击等，实施网络策略、增强系统的安全性、稳定性。 From:https://zhuanlan.zhihu.com/p/507388164 微服务可观测的挑战 第三部分 容器 网络、操作系统、硬件 基础设施层复杂度日益增加 如何关联? 挑战3：数据散落，工具多， 缺少上下文，排查效率低下 业务应用 应用框架 容器虚拟化 系统调用 内核 应用性能监控（APM） Kubernetes监控 Kubernetes组件异常： Scheduler, KCM， etcd，api-server, coredns… 系统调用异常：网络请 求，内存申请，文件操

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter paths include with and without service load- balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure 65s pod-to-a-79546bc469-rl2qq 1/1 Running 0 66s pod-to-a-allowed-cnp-58b7f7fb8f-lkq7p 1/1 Running 0 66s pod-to-a-de

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter this: ♻ Restarted unmanaged pod kube-system/event-exporter-gke-564fb97f9- rv8hg ♻ Restarted unmanaged pod kube-system/kube-dns-6465f78586-hlcrz ♻ Restarted unmanaged pod kube-system/kube-dns-autoscaler- Restarted unmanaged pod kube-system/l7-default-backend-7fd66b8b88- qqhh5 ♻ Restarted unmanaged pod kube-system/metrics-server-v0.3.6- 7b5cdbcbb8-kjl65 ♻ Restarted unmanaged pod kube-system/stackdr

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter paths include with and without service load- balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure 67s pod-to-a-allowed-cnp-87b5895c8-bfw4x 1/1 Running 0 68s pod-to-a-b76ddb6b4-2v4kb 1/1 Running 0 68s pod-to-a-denie

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter this: ♻ Restarted unmanaged pod kube-system/event-exporter-gke-564fb97f9- rv8hg ♻ Restarted unmanaged pod kube-system/kube-dns-6465f78586-hlcrz ♻ Restarted unmanaged pod kube-system/kube-dns-autoscaler- Restarted unmanaged pod kube-system/l7-default-backend-7fd66b8b88- qqhh5 ♻ Restarted unmanaged pod kube-system/metrics-server-v0.3.6- 7b5cdbcbb8-kjl65 ♻ Restarted unmanaged pod kube-system/stackdr

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter paths include with and without service load- balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure 4m50s pod-to-a-59b5fcb7f6-gq4hd 1/1 Running 0 4m50s pod-to-a-allowed-cnp-55f885bf8b-5lxzz 1/1 Running 0 4m50s pod-to-a-ext

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you are using CoreDNS, check the CoreDNS ConfigMap and validate that in-addr.arpa listed as wildcards next to cluster.local. You can validate this by looking up a pod IP with the host utility from any pod: host 10.60.20.86 86.20.60.10.in-addr.arpa domain name pointer cilium-etcd- 972nprv9dp

Kubernetes Endpoint Lifecycle Troubleshoo�ng Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container iden�ty (in contrast to IP address iden�fica�on in tradi�onal systems) and can filter on official Kubernetes documenta�on [h�ps://kubernetes.io/docs/setup/independent/create-cluster- kubeadm/#pod-network]. Standard Installation This guides takes you through the steps required to set up Cilium

forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A KUBE-FORWARD -d 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m lookup mangle FORWARD filter FORWARD mangle POSTROUTING nat POSTROUTING TC egress host httpd pod lxc0 eth0 XDP httpd httpd 1010101010111 1010101010111 1010101010111 DSR httpd httpd 1010101010111