North-South Load Balancing of Kubernetes Services with eBPF/XDP Martynas Pumputis (Isovalent) October 28, 2020 10.0.0.1 10.0.0.2 10.0.0.3 httpd httpd “httpd” service 10.0.0.1:30000 10.0.0.2:30000 KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT -A KUBE-FORWARD -s 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" --ctstate RELATED,ESTABLISHED -j ACCEPT -A KUBE-FORWARD -d 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring & Metrics Cilium Metrics Hubble Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container Images Developer images Official

the Cilium architecture and how these components integrate with existing architectures, such as Kubernetes. Installation : Details instructions for installing, configuring, and troubleshooting Cilium in Datapath Scale Kubernetes Integration Getting Help FAQ Slack GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting Monitoring & Metrics Installation cilium-agent cilium-operator

Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring & Metrics Cilium Metrics Hubble Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container Images Developer images Official

Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring & Metrics Cilium Metrics Hubble Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container Images Developer images Official

the Cilium architecture and how these components integrate with existing architectures, such as Kubernetes. Installation : Details instructions for installing, configuring, and troubleshooting Cilium in Datapath Scale Kubernetes Integration Getting Help FAQ Slack GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting L7 Protocol Visibility API Rate Limiting Default Rate Limits

Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Security Bugs Operations Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring & Metrics Cilium Metrics Hubble server Hubble Relay Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws

the Cilium architecture and how these components integrate with exis�ng architectures, such as Kubernetes. Installa�on : Details instruc�ons for installing, configuring, and troubleshoo�ng Cilium in different Datapath Scale Kubernetes Integra�on Ge�ng Help FAQ Slack GitHub Security Bugs Integra�ons Kubernetes Introduc�on Concepts Requirements Configura�on Network Policy Endpoint CRD Kubernetes Compa�bility Troubleshoo�ng Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshoo�ng Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng

cross-host startup and monitoring DPU Management-plane processes libvirtd dockerd virsh client Kubernetes Server 011 openEuler OS Technical White Paper Innovation Projects eNFS Kernel SIG The operating system that can be centrally managed through Kubernetes. It enables unified management of both containers and node OS through Kubernetes, including atomic upgrades and API-based operations. Challenges In cloud-native scenarios, containers and Kubernetes are widely used. However, the management of OSs is affected. • With applications being containerized, new challenges arise for OSs. Traditional

scenarios, the OS is deployed and maintained in containers, allowing the OS to be managed based on Kubernetes, just as service containers. • Secure container solution: Compared with the traditional Docker+QEMU Technical White Paper 15 Container OS Cloud native is the next step in cloud computing evolution. Kubernetes has become the foundation for most modern, cloud- native software infrastructure. Major OS vendors cloud-native cluster OSs in containers. KubeOS has the following features: • OS containerization and Kubernetes interconnection for atomized lifecycle management • Lightweight OS cropping, which reduces unnecessary