Cilium v1.5 Documentation
Networking Operations Istio Other Orchestrators Concepts Component Overview Assurances Terminology Address Management Multi Host Networking Security Architecture Datapath Scale Kubernetes Integration Getting between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result,
0 credits | 740 pages | 12.52 MB | 1 year ago | 3
Cilium v1.6 Documentation
Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Behavior Architecture Datapath Scale between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result
0 credits | 734 pages | 11.45 MB | 1 year ago | 3
Cilium v1.7 Documentation
Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Behavior Architecture Datapath Scale between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result
0 credits | 885 pages | 12.41 MB | 1 year ago | 3
Cilium v1.8 Documentation
between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result Networking.ServiceSubnet = "10.96.0.0/12" If any of these subnets conflicts with your local network address range, update the networking section of the kind configuration file to specify different subnets
0 credits | 1124 pages | 21.33 MB | 1 year ago | 3
Cilium v1.9 Documentation
between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result the UI locally on a browser: kubectl port-forward -n $CILIUM_NAMESPACE svc/hubble-ui --address 0.0.0.0 --address :: 12000:80 And then open http://localhost:12000/ to access the UI. Hubble UI is not
0 credits | 1263 pages | 18.62 MB | 1 year ago | 3
Steering connections to sockets with BPF socket lookup hook
/bin/cat 127.0.0.1 7777 & [1] 1289 $ ss -4tlpn sport = 7777 State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 10 127.0.0.1:7777 0.0.0.0:* users:(("nc",pid=1289 122.221 … Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds scan first 1000 ports 7, 77, 777 are closed check VM IP What /bin/cat 127.0.0.1 7777 & [1] 1289 $ ss -tlpne 'sport = 7777' State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 10 127.0.0.1:7777 0.0.0.0:* users:(("nc",pid=1289
0 credits | 23 pages | 441.22 KB | 1 year ago | 3
Cilium v1.10 Documentation
between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result enabled=true and tunnel=disabled, meaning that Cilium will allocate a fully-routable AWS ENI IP address for each pod, similar to the behavior of the Amazon VPC CNI plugin [https://docs.aws.amazon.com
0 credits | 1307 pages | 19.26 MB | 1 year ago | 3
Cilium v1.11 Documentation
between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments. The highly enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result enabled=true and tunnel=disabled, meaning that Cilium will allocate a fully-routable AWS ENI IP address for each pod, similar to the behavior of the Amazon VPC CNI plugin [https://docs.aws.amazon.com
0 credits | 1373 pages | 19.37 MB | 1 year ago | 3
Hardware Breakpoint implementation in BCC
counts.lookup_or_init(&key, &zero); (*val)++; bpf_trace_printk("Hello, World! Here I accessed am address!\\n"); return 0; } """ b = BPF(text=bpf_text) symbol_addr = input() pid = input() bp_type = input() as part of user parameter ○ Test check_on_each_cpu() is required or not ? ● symbols -> symbol address ○ manual right now ○ Can it be made as part of implementation? 05 To-do list Any Questions
0 credits | 8 pages | 2.02 MB | 1 year ago | 3
Understanding Ruby with BPF - rbperf
BPF code (bpf/rbperf.c) Read frame Driver (rbperf.py) 1. Adds info (pid to profile, thread address) 3. Receives stacktrace 4. Serialisation and persistence BPF tail-calls Bounded loop Challenges
0 credits | 19 pages | 972.07 KB | 1 year ago | 3
10 results in total