Cilium v1.5 Documentation
your Kubernetes environment. For CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific automatically get initialized as well. For CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you
0 points | 740 pages | 12.52 MB | 1 year ago | 3
Cilium v1.6 Documentation
Encryption (beta) Host-Reachable Services (beta) Kubernetes NodePort (beta) Kubernetes without kube-proxy (beta) Kata with Cilium on Google GCE Configuring IPAM modes Operations Running Prometheus & Grafana reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific
0 points | 734 pages | 11.45 MB | 1 year ago | 3
Cilium v1.8 Documentation
Networking (beta) Transparent Encryption (stable/beta) Host-Reachable Services Kubernetes without kube-proxy Kata Containers with Cilium Configuring IPAM modes Operations Networking and security observability reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific
0 points | 1124 pages | 21.33 MB | 1 year ago | 3
Cilium v1.10 Documentation
application containers and to external services and is able to fully replace components such as kube-proxy. The load balancing is implemented in eBPF using efficient hashtables allowing for almost unlimited external access using AWS metadata Creating policies from verdicts Host Firewall (beta when using kube-proxy) Advanced Networking Setting Up Cilium in AlibabaCloud ENI Mode (beta) Using kube-router to run IPVLAN based Networking (beta) Transparent Encryption Host-Reachable Services Kubernetes Without kube-proxy Bandwidth Manager (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy
0 points | 1307 pages | 19.26 MB | 1 year ago | 3
Cilium v1.9 Documentation
application containers and to external services and is able to fully replace components such as kube-proxy. The load balancing is implemented in eBPF using efficient hashtables allowing for almost unlimited Networking (beta) Transparent Encryption (stable/beta) Host-Reachable Services Kubernetes Without kube-proxy Bandwidth Manager (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy Note If minikube is deployed as a container (that is if docker is the configured driver), then kube-proxy replacement features like host-reachable services may not work (GitHub issue [https://github.com/
0 points | 1263 pages | 18.62 MB | 1 year ago | 3
Cilium v1.7 Documentation
Networking (beta) Transparent Encryption (stable/beta) Host-Reachable Services Kubernetes without kube-proxy Kata Containers with Cilium Configuring IPAM modes Operations Running Prometheus & Grafana Limiting reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific
0 points | 885 pages | 12.41 MB | 1 year ago | 3
Cilium v1.11 Documentation
application containers and to external services and is able to fully replace components such as kube-proxy. The load balancing is implemented in eBPF using efficient hashtables allowing for almost unlimited BGP Using BIRD to run BGP Transparent Encryption Host-Reachable Services Kubernetes Without kube-proxy Bandwidth Manager (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy pullPolicy=IfNotPresent \ --set ipam.mode=kubernetes Note To fully enable Cilium’s kube-proxy replacement (Kubernetes Without kube-proxy), cgroup v2 needs to be enabled by setting the kernel systemd.unified_cgroup_hierarchy=1
0 points | 1373 pages | 19.37 MB | 1 year ago | 3
Steering connections to sockets with BPF socket lookup hook
@cloudflare October 28-29, 2020 Who am I? ● Software Engineer at Cloudflare Spectrum TCP/UDP reverse proxy, Linux kernel, ... ● Contributor to Linux kernel networking & BPF subsystems Goal Run a TCP
0 points | 23 pages | 441.22 KB | 1 year ago | 3
Can eBPF save us from the Data Deluge?
node Flash DoS DoS in reverse! 9 Compute node CPU Network Storage node Flash DoS in reverse! 10 Compute node CPU Network Storage node Flash Data DoS in reverse! 11 Compute node CPU Network
0 points | 18 pages | 266.90 KB | 1 year ago | 3
Containers and BPF: twagent story
assignment (when netns is not in-use) ○ host services connector (netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall ○ network faults injection ○ network counters (rack, datacenter same task 4 Transparent Proxy ● Facebook traffic has to be encrypted ● Transparent TLS helps some services encrypt easily ● How to send task TCP traffic to TLS forward proxy transparently for a service and BPF_CGROUP_SOCK_OPS programs → ● In proxy on accept(2) learn orig_dst by connection’s src IP and port from BPF map. ● Encrypt, see [0] for details on proxy itself. [0] https://atscaleconference.
0 points | 9 pages | 427.42 KB | 1 year ago | 3
14 results in total













