Cilium with Docker & libnetwork Mesos Cilium with Mesos/Marathon Envoy Envoy Go Extensions Administration System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Advanced Features TPROXY requirements of Cilium >= 1.6.0. minikube version minikube version: v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s

Cilium with Docker & libnetwork Mesos Cilium with Mesos/Marathon Envoy Envoy Go Extensions Administration System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Advanced Features TPROXY requirements of Cilium >= 1.6.0. minikube version minikube version: v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s

TPROXY requirements of Cilium >= 1.6.0. minikube version minikube version: v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s 1/1 Running 0 4m12s coredns-86c58d9df4-4g7dd 1/1 Running 0 13m coredns-86c58d9df4-4l6b2 1/1 Running 0 13m Deploy

TPROXY requirements of Cilium >= 1.6.0. minikube version minikube version: v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s 1/1 Running 0 4m12s coredns-86c58d9df4-4g7dd 1/1 Running 0 13m coredns-86c58d9df4-4l6b2 1/1 Running 0 13m Deploy

kubectl delete pod pod "event-exporter-v0.2.3-f9c896d75-cbvcz" deleted pod "fluentd-gcp-scaler-69d79984cb-nfwwk" deleted pod "heapster-v1.6.0-beta.1-56d5d5d87f-qw8pv" deleted pod "kube-dns-5f8689dbc9-2nzft" "kube-dns-autoscaler-76fcd5f658-22r72" deleted pod "kube-state-metrics-7d9774bbd5-n6m5k" deleted pod "l7-default-backend-6f8697844f-d2rq2" deleted pod "metrics-server-v0.3.1-54699c9cc8-7l5w2" deleted Note 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s

kubectl delete pod pod "event-exporter-v0.2.3-f9c896d75-cbvcz" deleted pod "fluentd-gcp-scaler-69d79984cb-nfwwk" deleted pod "heapster-v1.6.0-beta.1-56d5d5d87f-qw8pv" deleted pod "kube-dns-5f8689dbc9-2nzft" "kube-dns-autoscaler-76fcd5f658-22r72" deleted pod "kube-state-metrics-7d9774bbd5-n6m5k" deleted pod "l7-default-backend-6f8697844f-d2rq2" deleted pod "metrics-server-v0.3.1-54699c9cc8-7l5w2" deleted Note 0/1 PodInitializing 0 7s coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57s coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s

systems are using IP addresses as primary iden�fica�on vehicle which may have a dras�cally reduced life�me of just a few seconds in microservices architectures. By leveraging Linux BPF, Cilium retains the demand. This results in a large number of applica�on containers to be started in a short period of �me. Typical container firewalls secure workloads by filtering on source IP addresses and des�na�on ports [h�ps://github.com/containernetworking/cni], libnetwork [h�ps://github.com/docker/libnetwork] Container run�me events: containerd [h�ps://github.com/containerd/containerd] Kubernetes: NetworkPolicy [h�ps://kubernetes

eBPF Summit October 28, 2020 Debugging Go in production using eBPF ABOUT ME ? i’m Zain @zainasgar Co-Founder/CEO Pixie (@pixie_run) & Adjunct Professor of CS @ Stanford DEVELOPER PROBLEM You’re } return res } What if we just want to log the iterations? Use Case fmt.Printf("iterations: %d\n”, iterations) YOUR OPTIONS Option 1: Add a log to your program, re-compile and re-deploy. ○ This computeE 00000000006609a0 g F .text 000000000000004b main.computeE [0] % objdump -d app | less 00000000006609a0 : 6609a0: 48 8b 44 24 08 mov 0x8(%rsp)

• Use BPF maps to make stateful decisions • Load the program and protect the Rabbit(MQ)! About Me • Software Engineer @ CCP Games • @aquarhead on GitHub, Twitter… • Rust (and Elixir) • Disclaimer: try! Contributions welcome! Takk! Code: https://github.com/aquarhead/protect-the-rabbit Talk to me: aquarhead@gmail.com / @aquarhead https://aqd.is

ACCEPT -A KUBE-FORWARD -d 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A KUBE-SERVICES -d 10.99.38.155/32 -p -A KUBE-SERVICES -d 10.96.61.252/32 -p tcp -m comment --comment "default/nginx-64: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable -A KUBE-SERVICES -d 10.104.166.10/32 -A KUBE-SERVICES -d 10.98.85.41/32 -p tcp -m comment --comment "default/nginx-9: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable -A KUBE-SERVICES -d 10.97.138.144/32 -p