Cilium v1.10 Documentation: Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for flag when creating the cluster, as this will cause the Azure CNI plugin to install unwanted iptables rules. EKS The following command creates a Kubernetes cluster with eksctl using Amazon Elastic Kubernetes | 0 码力 | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.8 Documentation: Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this. kubectl create ns cilium-test Deploy the check with: kubectl apply -n cilium-test | 0 码力 | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.9 Documentation: Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this. kubectl create ns cilium-test Deploy the check with: kubectl apply -n cilium-test | 0 码力 | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.6 Documentation: and Required Kernel Version Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Micro Versions Upgrading Minor Versions Step 3: Rolling the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for 1/1 Running 0 13m Deploy the connectivity test You can deploy the “connectivity-check” to test connectivity between pods. kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1 | 0 码力 | 734 pages | 11.45 MB | 1 year ago
Cilium v1.11 Documentation: Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for flag when creating the cluster, as this will cause the Azure CNI plugin to install unwanted iptables rules. EKS The following commands create a Kubernetes cluster with eksctl using Amazon Elastic Kubernetes | 0 码力 | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.7 Documentation: and Required Kernel Version Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for 1/1 Running 0 13m Deploy the connectivity test You can deploy the “connectivity-check” to test connectivity between pods. kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1 | 0 码力 | 885 pages | 12.41 MB | 1 year ago
Cilium v1.5 Documentation: Summary Linux Distribution Compatibility Matrix Linux Kernel Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running a pre-flight DaemonSet Upgrading Micro Versions Upgrading Minor Versions the application as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you are using CoreDNS, check the CoreDNS ConfigMap and validate that in-addr.arpa and ip6.arpa are listed as wildcards for the | 0 码力 | 740 pages | 12.52 MB | 1 year ago
bpfbox: Simple Precise Process Confinement with eBPF and KRSI: Policy Language Rules and Directives Rules specify access to system objects: ▶ fs(file, access) ▶ net(socket, access) ▶ signal(prog, sig) ▶ etc. Directives augment blocks of rules: ▶ #[directive] actions to be taken on a block of rules ▶ Add additional context to a block of rules 5 / 7 Our Policy Language Policy at the Function Call Level ▶ #[func " foo" ] → Apply rules only within a call to foo() #[kfunc " foo" ] → Same thing, but for kernel functions #! [ profile "/sbin/mylogin"] #[ func " check_password "] #[ allow] { fs("/etc/passwd", read) fs("/etc/shadow", read) } #[ func "add_user"] #[ | 0 码力 | 8 pages | 528.12 KB | 1 year ago
The Tale of Smokey and the Crypto Bandits: Configured it with the default rules plus our own ● Sent notifications to a slack channel Attempt #1 - We were young and naive Attempt #1 - The result ● The default falco rules are not well suited for The Postmortem Iteration is key ● Built a tool to automatically reload falco on rule changes ● Rules: monitor well known IPs, binary names, forbidden k8s actions ● Action: Notify to slack for human Implementation Iteration is key ● Move back to eBPF module to reduce our OS footprint ● Smarter rules based on user behavior ● Automatically respond to malicious actions without requiring human intervention | 0 码力 | 14 pages | 926.57 KB | 1 year ago
1.5 Years of Cilium Usage at DigitalOcean: Upgrades have been pretty smooth ○ moved from Cilium 1.4 initially to 1.8 today ○ retain old RBAC rules across certain cluster upgrades to avoid disruptions ● (Health checking) tooling really helpful in | 0 码力 | 7 pages | 234.36 KB | 1 year ago
15 results in total
- 1
- 2