Identity Aware Threat Detection and Network Monitoring by using eBPF Natalia Reka Ivanko, Isovalent October 28, 2020 ● ● ○ ● ○ ○ ○ ○ ● ● ● ● ● ● ● ● ○ ● ○ ○ ○ ● ● ● ○ ● ○ ○ ● ●

Slack GitHub Security Bugs Integra�ons Kubernetes Introduc�on Concepts Requirements Configura�on Network Policy Endpoint CRD Kubernetes Compa�bility Troubleshoo�ng Is�o Ge�ng Started Using Is�o Docker Cilium Micro Versions Upgrading Minor Versions Rolling Back Version Specific Notes Advanced Configura�on Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Introduction to Cilium What is Cilium? Cilium is open source so�ware for transparently securing the network connec�vity between applica�on services deployed using Linux container management pla�orms like Docker

GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Troubleshooting Istio Getting Started Using Istio Versions Upgrading Minor Versions Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Introduction to Cilium What is Cilium? Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like

Cilium What is Cilium? Why Cilium? Functionality Overview Getting Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Cilium CRD schema validation Troubleshooting Istio (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes

instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Kubernetes pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host

instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples

instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples

instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples

image > Select file ❏ Secure Network Isolation ❏ Network Visibility and Auditing ❏ Minimize maintenance and performance overhead ❏ Scale past iptables limits ❏ … 4 Network Security and Auditing 5 Scalability on image > Replace image > Select file ❏ Pod network filtering uses eBPF rather than iptables ❏ More flexible network policies ❏ Tools to help with network troubleshooting and policies ❏ Additional features help with troubleshooting ❏ Features to expose network traffic flows to teams ❏ Hubble UI ❏ Network flow logs exported to logging stack ❏ Tracking network traffic to specific binaries 16 Durable Audit

或 bpf_redirect_peer() 等 helper 函数，快速帮助同宿主机间 的流量转发，节省了大量的内核协议栈 处理流程 pod 1 process kernel network stack raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD tailCall-> to-container: redirect kernel >= 5.10 redirect_peer routing veth veth kernel network stack node 加速跨节点pod间通信 pod在跨节点通 信的场景下， cilium 借助 eBPF redirect 能力，帮 助数据包在主机物 理网卡和pod虚拟 网卡之间快速转发， pod1 process kernel network stack tc ingress kernel network stack netfilter tc egress veth veth eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network stack netfilter