## Accelerate Istio-CNI with ebpf Xu Yizhou & Guo Ruijing ## Agenda • Istio-CNI • tcp/ip stack overhead between sidecar and service • Background knowledge of ebpf • Acceleration for Inbound/Outbound/Envoy Inbound/Outbound/Envoy to Envoy ## I stio-CNI - The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup phase. - Removing the requirement for the the NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. The Istio CNI plugin replaces the functionality provided by the istio-init container. ![Image](/uploads/documents/5/

## Istio Meetup China 服务网格安全—— 理解 Istio CNI 张之晗 Tetrate 工程师/Istio 社区 Release Manager ## About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio ## Agenda • CNI and Networking basics • Introduction to Istio Networking and CNI • Race Condition issues in istio CNI during Node bootstrap • Community Solutions to Istio CNI ## CNI Basics - Kube into Pod IP addresses • CNI plugins: allocate ip addresses for workloads exist in nodes Load Balancer Node Port Ip table pods kube-proxy kube-apiserver CNI plugins ## CNI interface • Calico •

your existing dashboards. ## I ntegrations • Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork] • Container runtime events: Sandbox environment • Self-Managed Kubernetes • Managed Kubernetes • Installer Integrations • CNI Chaining ## Security Tutorials • HTTP/REST API call authorization • Locking down external access ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 4. Mount the BPF filesystem minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf ##

126 16.8. INGRESS IP 的高可用性 127 16.9. 删除 IP 故障切换 127 第17章 配置接口级别网络 SYSCTL 130 17.1. 配置调优 CNI 130 17.2. 其他资源 133 第18章 在裸机集群中使用流控制传输协议 (SCTP) 134 18.1. 支持 OPENSHIFT CONTAINER PLATFORM 上的流控制传输协议 少其自然复杂性。 以下列表重点介绍集群中可用的一些最常用的 Red Hat OpenShift Networking 功能： 由以下 Container Network Interface (CNI) 插件之一提供的主要集群网络： ☐ OVN-Kubernetes 网络插件，默认插件 OpenShift SDN 网络插件 经认证的第三方替代主网络插件 - 用于网络插件管理的 Cluster Ingress Operator ● 用于名称分配的 DNS Operator ● 用于裸机集群上的流量负载均衡的 MetalLB Operator ● 对高可用性的 IP 故障转移支持 ● 通过多个 CNI 插件支持额外的硬件网络，包括 macvlan、ipvlan 和 SR-IOV 硬件网络 IPv4、IPv6 和双堆栈寻址 - 用于基于 Windows 的工作负载的混合 Linux-Windows

Envoy to Envoy(in the same node) and back (envoy to envoy) ● Works with Istio $ \geq $ 1.10 ● CNI agnostic and should work with all CNIs (wo/ eBPF) ● Latency: 11~17% improvement ## Thank you! luyao

RDMA 200 14.10. 卸载 SR-IOV NETWORK OPERATOR 209 第 15 章 OPENSHIFT SDN 默认 CNI 网络供应商 211 15.1. 关于 OPENSHIFT SDN 默认 CNI 网络供应商 211 15.2. 为项目配置出口 IP 212 15.3. 为项目配置出口防火墙 216 15.4. 为项目编辑出口防火墙 220 配置网络隔离 237 15.15. 配置 KUBE-PROXY 238 第 16 章 OVN-KUBERNETES 默认 CNI 网络供应商 241 16.1. 关于 OVN-KUBERNETES 默认 CONTAINER NETWORK INTERFACE (CNI) 网络供应商 241 16.2. 从 OPENSHIFT SDN 集群网络供应商迁移 243 16.3. 回滚到 OPENSHIFT Operator(CNO)在 OpenShift Container Platform 集群中部署和管理集群网络组件。这包括在安装过程中为集群选择的 Container Network Interface(CNI)默认网络供应商插件部署。 ## 配置映射 配置映射提供将配置数据注入 pod 的方法。您可以在类型为 ConfigMap 的卷中引用存储在配置映射中的数据。在 pod 中运行的应用程序可以使用这个数据。

Network Operator 配置对象 ..... 16 defaultNetwork 对象配置 ..... 17 配置 OpenShift SDN CNI 集群网络供应商 ..... 17 配置 OVN-Kubernetes CNI 集群网络供应商 ..... 18 kubeProxyConfig 对象配置 ..... 18 4.5.2. Cluster Network Operator Operator ..... 138 第 13 章 OPENSHIFT SDN 默认 CNI 网络供应商 ..... 140 13.1. 关于 OPENSHIFT SDN 默认 CNI 网络供应商 ..... 140 13.1.1. OpenShift SDN 网络隔离模式 ..... 140 13.1.2. 支持的默认 CNI 网络供应商功能列表 140 13.2. 为项目配置出口 IP 140 167 第 14 章 OVN-KUBERNETES 默认 CNI 网络供应商 169 14.1. 关于 OVN-KUBERNETES 默认 CONTAINER NETWORK INTERFACE (CNI) 网络供应商 169 14.1.1. OVN-Kubernetes 特性 169 14.1.2. 支持的默认 CNI 网络供应商功能列表 169 14.1.3. OVN-Kubernetes

Metrics Example Prometheus & Grafana Deployment Metrics Reference Performance & Scalability Tuning Guide CNI Performance Benchmark Scalability Troubleshooting Component & Cluster Health Observing Flows with Hubble approaches such as HTB (Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI plugin, for example. Monitoring and Troubleshooting The ability to gain visibility and to troubleshoot Kubernetes cluster using Azure Kubernetes Service [https://docs.microsoft.com/en-us/azure/aks/] with no CNI plugin pre-installed (BYOCNI). See Azure Cloud CLI [https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

Deployment • Metrics Reference • Performance & Scalability • Tuning Guide • CNI Performance Benchmark • Scalability • Troubleshooting • Component & Cluster Health approaches such as HTB (Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI plugin, for example. ## Monitoring and Troubleshooting The ability to gain visibility and to troubleshoot Kubernetes cluster using Azure Kubernetes Service [https://docs.microsoft.com/en-us/azure/aks/] with no CNI plugin pre-installed (BYOCNI). See Azure Cloud CLI [https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

security visibility based on flow logs. Integrations Network plugin integrations: CNI [https://github.com/containernetworking/cni], libnetwork [https://github.com/docker/libnetwork] Container runtime events: Installation Creating a Sandbox environment Self-Managed Kubernetes Managed Kubernetes Installer Integrations CNI Chaining Network Policy Security Tutorials Identity-Aware and HTTP-Aware Policy Enforcement Locking ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 4. Mount the BPF filesystem minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf Note