(netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall ○ network faults injection ○ network counters (rack, datacenter, region) ● but not only: ○ sysctl access control Let’s by service name (dynamic set of IP:port endpoints) Container firewall (twfw) Network faults injection: ● Same per-packet firewall is used ● Attached to a task on-demand by API call ● Action can be

sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled Step 3: Deploy the Bookinfo Application V1 Now that we have Cilium and Istio deployed microservice, specific to each service version. To deploy the application with manual sidecar injection, run: for service in productpage-service productpage-v1 details-v1 reviews-v1; do kubectl experience any problems. Network Security Introduction Identity-based Policy Enforcement Proxy Injection Introduction Cilium provides security on multiple levels. Each can be used individually or combined

sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled Step 3: Deploy the Bookinfo Application V1 Now that we have Cilium and Istio deployed microservice, specific to each service version. To deploy the application with manual sidecar injection, run: for service in productpage-service productpage-v1 details-v1 reviews-v1; do kubectl experience any problems. Network Security Introduction Identity-based Policy Enforcement Proxy Injection Introduction Cilium provides security on multiple levels. Each can be used individually or combined

sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled Step 3: Deploy the Bookinfo Application V1 Now that we have Cilium and Istio deployed experience any problems. Network Security Introduction Identity-based Policy Enforcement Proxy Injection Introduction Cilium provides security on multiple levels. Each can be used individually or combined L4 policy to an endpoint will block all connectivity to ports unless explicitly allowed. Proxy Injection Cilium is capable of transparently injecting a Layer 4 proxy into any network connection. This

sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled Step 3: Deploy the Bookinfo Application V1 Now that we have Cilium and Istio deployed microservice, specific to each service version. To deploy the application with manual sidecar injection, run: for service in productpage-service productpage-v1 details-v1 reviews-v1; do kubectl experience any problems. Network Security Introduction Identity-based Policy Enforcement Proxy Injection Introduction Cilium provides security on multiple levels. Each can be used individually or combined

sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled Step 3: Deploy the Bookinfo Application V1 Now that we have Cilium and Istio deployed microservice, specific to each service version. To deploy the application with manual sidecar injection, run: for service in productpage-service productpage-v1 details-v1 reviews-v1; do kubectl necessary but came with drawbacks as well such as needing to busy poll the NIC and expensive packet re-injection into the kernel’s stack. The migration over to eBPF and XDP combined best of both worlds by having

sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled Step 3: Deploy the Bookinfo Application V1 Now that we have Cilium and Istio deployed microservice, specific to each service version. To deploy the application with manual sidecar injection, run: for service in productpage-service productpage-v1 details-v1 reviews-v1; do kubectl necessary but came with drawbacks as well such as needing to busy poll the NIC and expensive packet re-injection into the kernel’s stack. The migration over to eBPF and XDP combined best of both worlds by having

cilium-kube-inject.awk \ < ${ISTIO_HOME}/install/kubernetes/helm/istio/files/injection-templat > istio-cilium-helm/files/injection-template.yaml Create an Is�o deployment spec, which configures the Cilium-specific