Cilium v1.6 Documentation | Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Behavior Architecture Datapath Scale Kubernetes Integration clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 734 pages | 11.45 MB | 1 year ago
Cilium v1.7 Documentation | Operations Istio Other Orchestrators Concepts Component Overview Terminology Address Management Multi Host Networking Security Datapath Failure Behavior Architecture Datapath Scale Kubernetes Integration clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 885 pages | 12.41 MB | 1 year ago
Cilium v1.8 Documentation | Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.9 Documentation | Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.10 Documentation | Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.11 Documentation | Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi hosts which is typically already given. Native Routing: Use of the regular routing table of the Linux host. The network is required to be capable to route the IP addresses of the application containers. When | 0 points | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.5 Documentation | Istio Other Orchestrators Concepts Component Overview Assurances Terminology Address Management Multi Host Networking Security Architecture Datapath Scale Kubernetes Integration Getting Help FAQ Slack GitHub Lifecycle Troubleshooting Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting clusters connects all application containers. IP allocation is kept simple by using host scope allocators. This means that each host can allocate IPs without any coordination between hosts. The following multi | 0 points | 740 pages | 12.52 MB | 1 year ago
Steering connections to sockets with BPF socket lookup hook | 2563sec preferred_lft 2563sec host $ nmap -sT -p 1-1000 192.168.122.221 … Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds Re-scan open ports on VM host $ nmap -sT -p 1-1024 192.168.122.221 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-24 21:56 CEST Nmap scan report for 192.168.122.221 Host is up (0.00014s latency). 22/tcp open ssh 77/tcp open priv-rje 777/tcp open multiling-http Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds Test echo service on ports 7, 77, 777 $ { echo 'Hip'; sleep 0.1; | 0 points | 23 pages | 441.22 KB | 1 year ago
Cilium's Network Acceleration Secrets | pod1: 172.20.0.10:10000 cgroup ebpf service DNAT connect sendmsg recvmsg getpeername bind Cilium's Host-Reachable technique uses eBPF programs to intercept the application's connect, sendmsg, recvmsg, getpeername, bind and other system calls in the kernel, to implement service address implement policy selecting pod1 implement policy selecting pod2 implement host policy selecting node1 implement host policy selecting node2 Thanks | 0 points | 14 pages | 11.97 MB | 1 year ago
Containers and BPF: twagent story | cgroup-bpf features enabled: ● mostly networking: ○ IP assignment (when netns is not in-use) ○ host services connector (netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall local storage for auto-cleanup 5 ● IP firewall is still useful ● Should affect only task state, not host ● Rules auto-cleanup on task stop is important ● Has to be integrated with service discovery, etc | 0 points | 9 pages | 427.42 KB | 1 year ago
11 results in total