program the kernel for efficient networking, observability, tracing, and security. • 稳定 • 高性能 • 安全（内核verifier机制） • 动态可编程（无需重启） eBPF程序加载和校验 02. eBPF程序加载和校验 eBPF事件驱动 Kprobe/Kretprobe Uprobe/Uretprobe 运行时行为具有前所未有的可见性 From:https://juejin.cn/post/7280746515525156918 安全 看到和理解所有系统调用的基础上，将其与所有网络操作的数据包和套接字级视图相结合，通 过检测来阻止恶意攻击行为，如 DDoS攻击等，实施网络策略、增强系统的安全性、稳定性。 From:https://zhuanlan.zhihu.com/p/507388164 微服务可观测的挑战 Golang + eBPF实现数据采 集 第四部分 eBPF在可观测领域的优势 无侵入 多语言/多协议/多框架 全栈覆盖 无侵入性 • 无需修改代码 • 无需重启应用 • Verifier保证运行安全 多协议、多框架、多语言 • 捕获网络字节流 • 无需适配编程语言 • 无需适配协议框架 • 同时支持用户态插桩 全栈覆盖 ✅ uprobe ✅ kprobe ✅ tracepoint

最要的推动作用。 截止 2021.10 ，cilium github 项目已有 9.3K star，Contributors 316位 cilium的特色功能： • 网络功能 • 负载均衡 • 网络安全 • 可观察性 • 多集群连通 注：本 PPT 基于 cilium v1.10.4 进行分析 ��������������� ��������������� �������������������� 开销” eBPF 简介 eBPF 技术 在 Linux kernel 3.19 开始被 引入，可在用户态进行 eBPF 程序编程，编译 后，动态加载到内核指定的 hook 点上，以 VM 方式安全运行，其能过通过 map 存储结 构存储数据，能通过 map 同用户态程序交互， 最终实现内核数据进行修改，或者影响内核处 理请求的结果，或者改变内核处理请求的流程。 极大提升了内核处理事件的效率。

hyperthreading: Enabled name: master platform: {} replicas: 3 metadata: creationTimestamp: null name: cluster-1 networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineNetwork: system:serviceaccount:cilium-test:default priority: null readOnlyRootFilesystem: false runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs volumes: null allowHostDirVolumePlugin: false allowHostIPC: : false allowPrivilegedContainer: false allowedCapabilities: null defaultAddCapabilities: null requiredDropCapabilities: null groups: null EOF Deploy the connectivity test You can deploy the “connectivity-check”

hyperthreading: Enabled name: master platform: {} replicas: 3 metadata: creationTimestamp: null name: cluster-1 networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineNetwork: system:serviceaccount:cilium-test:default priority: null readOnlyRootFilesystem: false runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs volumes: null allowHostDirVolumePlugin: false allowHostIPC: : false allowPrivilegedContainer: false allowedCapabilities: null defaultAddCapabilities: null requiredDropCapabilities: null groups: null EOF Deploy the connectivity test You can deploy the “connectivity-check”

hyperthreading: Enabled name: master platform: {} replicas: 3 metadata: creationTimestamp: null name: cluster-1 networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineNetwork: system:serviceaccount:cilium-test:default priority: null readOnlyRootFilesystem: false runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs volumes: null allowHostDirVolumePlugin: false allowHostIPC: : false allowPrivilegedContainer: false allowedCapabilities: null defaultAddCapabilities: null requiredDropCapabilities: null groups: null EOF Deploy the connectivity test You can deploy the “connectivity-check”

hyperthreading: Enabled name: master platform: {} replicas: 3 metadata: creationTimestamp: null name: cluster-1 networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineNetwork: system:serviceaccount:cilium-test:default priority: null readOnlyRootFilesystem: false runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs volumes: null allowHostDirVolumePlugin: false allowHostIPC: : false allowPrivilegedContainer: false allowedCapabilities: null defaultAddCapabilities: null requiredDropCapabilities: null groups: null EOF Deploy the connectivity test You can deploy the “connectivity-check”

empire-announce >>[2018-04-10 23:50:34,638] ERROR Error when sending message to topic empire-announce with key: null, value: 27 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback) org ys\":\"$((($KEYID+1))) "rfc4106\(gcm\ (aes\)\)" $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null| xxd - p -c 64)) 128\"}}") kubectl patch secret -n cilium cilium-ipsec-keys -p="${data}" -v=1 Then test message [2017-12-07 02:13:47,020] ERROR Error when sending message to topic authaudit with key: null, value: 12 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback) org

empire-announce >>[2018-04-10 23:50:34,638] ERROR Error when sending message to topic empire-announce with key: null, value: 27 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback) org ys\":\"$((($KEYID+1))) "rfc4106\(gcm\ (aes\)\)" $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null| xxd - p -c 64)) 128\"}}") kubectl patch secret -n kube-system cilium-ipsec-keys -p="${data}" -v=1 test message [2017-12-07 02:13:47,020] ERROR Error when sending message to topic authaudit with key: null, value: 12 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback) org

cert-file: '/var/lib/etcd-secrets/etcd-client.crt' kind: ConfigMap metadata: creationTimestamp: null name: cilium-config selfLink: /api/v1/namespaces/kube-system/configmaps/cilium-config In the cert-file: '/var/lib/etcd-secrets/etcd-client.crt' kind: ConfigMap metadata: creationTimestamp: null name: cilium-config selfLink: /api/v1/namespaces/kube-system/configmaps/cilium-config Apply following: Host runtime HostName 127.0.0.1 User vagrant Port 2222 UserKnownHostsFile /dev/null StrictHostKeyChecking no PasswordAuthentication no IdentityFile /home/eloy/.go/src/github