to secure access to and from external services, tradi�onal CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from applica�on containers to par�cular [h�ps://kubernetes.io/docs/concepts/overview/working-with- objects/labels/], Ingress [h�ps://kubernetes.io/docs/concepts/services- networking/ingress/], Service [h�ps://kubernetes.io/docs/concepts/services- networking/service/] 3m19s $ kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source: ENFORCEMENT ENFORCEMENT 108

to secure access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular [https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/], Ingress [https://kubernetes.io/docs/concepts/services-networking/ingress/], Service [https://kubernetes.io/docs/concepts/services-networking/service/] 3m19s $ kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4

to secure access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular [https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/], Ingress [https://kubernetes.io/docs/concepts/services-networking/ingress/], Service [https://kubernetes.io/docs/concepts/services-networking/service/] 3m19s $ kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4

to secure access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular [https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/], Ingress [https://kubernetes.io/docs/concepts/services-networking/ingress/], Service [https://kubernetes.io/docs/concepts/services-networking/service/] Values=${infraID}-master-sg" | jq -r '.SecurityGroups[0].GroupId')" aws ec2 authorize-security-group-ingress --region "${aws_region}" \ --ip-permissions \ "IpProtocol=udp,FromPort=8472,ToPort=8472,UserIdGroupPairs=

to secure access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular [https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/], Ingress [https://kubernetes.io/docs/concepts/services-networking/ingress/], Service [https://kubernetes.io/docs/concepts/services-networking/service/] Values=${infraID}-master-sg" | jq -r '.SecurityGroups[0].GroupId')" aws ec2 authorize-security-group-ingress --region "${aws_region}" \ --ip-permissions \ "IpProtocol=udp,FromPort=8472,ToPort=8472,UserIdGroupPairs=

to secure access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular Values=${infraID}-master-sg" | jq -r '.SecurityGroups[0].GroupId')" aws ec2 authorize-security-group-ingress --region "${aws_region}" \ --ip-permissions \ "IpProtocol=udp,FromPort=8472,ToPort=8472,UserIdGroupPairs= [{GroupId=${worker_sg}},{GroupId=${master_sg}}]" \ --group-id "${worker_sg}" aws ec2 authorize-security-group-ingress --region "${aws_region}" \ --ip-permissions \ "IpProtocol=udp,FromPort=8472,ToPort=8472,UserIdGroupPairs=

to secure access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular 3m19s $ kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 namespace=default k8s:org=alliance Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has

Traefik 在⼜拍云的应⽤和改造 陈卓 ⼜拍云系统开发⼯程师 公开课 分享内容 • Traefik 简介 • Traefik 跟 Ingress-Nginx 比较 • 我们为什么使用 Traefik • Traefik 改造之路 Traefik 简介 Traefik 简介 Edge Router Auto Service Discovery Traefik 简介 Traefik 配置提供者 —Provider Ingress-Nginx 介绍 • Ingress-Nginx: K8S 官方的 Http 网关产品 • Ingress 配置: 指的是 K8S 的 Ingress 的 configmap Ingress Controller Ingress Nginx Ingress 配置 Ingress-Nignx 流程 为什么选择 Traefik，不⽤其它产品 Traefik，不⽤其它产品 ingress-nginx/kong/apisix controller 使用 go，网关使用基于 openresty 的软件 性能有保障，但增加修改，kong/apisix 需要额外的存储 envoy/getambassador envoy 成熟，但是 c++ 的 controller getambassador 使用度不高

Handles actual traffic Can be standalone or sidecar Other Container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd Istio Operator istio-operator Manages Istio installation Demo What’s next? Control Plane Data Plane istiod Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some Demo What’s next? Control Plane Data Plane istiod Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some

pod 1 process kernel network stack raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUING nat POSTROUING tc egress veth woker node1 pod1 process kernel network stack tc ingress kernel network stack netfilter tc egress veth veth eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network netfilter pod2 process kernel network stack tc ingress kernel network stack netfilter tc egress veth veth eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network