The Tale of Smokey and the Crypto Bandits
platform healthy Ramiro Berrelleza October 28, 2020 ● Co-founder of Okteto ● Former architect @ Atlassian, Software Engineer @ Azure ● @rberrelleza Hey everyone! ● Developer platform, powered by + ContainerOS was not very performant Attempt #1 - The Postmortem Iteration is key ● Built a tool to automatically reload falco on rule changes ● Rules: monitor well known IPs, binary names,
0 points | 14 pages | 926.57 KB | 1 year ago
Cilium v1.5 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53 Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME
0 points | 740 pages | 12.52 MB | 1 year ago
Cilium v1.9 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 00/ to access the UI. Hubble UI is not the only way to get access to Hubble data. A command line tool, the Hubble CLI, is also available. It can be installed by following the instructions below: Linux
0 points | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.6 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53s Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME
0 points | 734 pages | 11.45 MB | 1 year ago
Cilium v1.10 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53s Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME
0 points | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.11 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53s Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME
0 points | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.8 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53s Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME
0 points | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.7 Documentation
using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53s Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME
0 points | 885 pages | 12.41 MB | 1 year ago
Steering connections to sockets with BPF socket lookup hook
https://blog.cloudflare.com/its-crowded-in-here/ ● Proof-of-concept tool for configuring BPF socket dispatch https://github.com/majek/inet-tool/ ● “Programmable socket lookup with BPF” presentation at Linux
0 points | 23 pages | 441.22 KB | 1 year ago
Containers and BPF: twagent story
multi-kernel VM tests (qemu) ● Resource usage (CPU cycles, memlock) monitored across the fleet by bpf_tax tool → ● Alerts on program load and attach failures [0] https://github.com/libbpf/libbpf
0 points | 9 pages | 427.42 KB | 1 year ago
10 results in total