be displayed in the UI as service dependencies between the different pods: In the bottom of the interface, you may also inspect each recent Hubble flow event in your current namespace individually. Inspecting TLS-encrypted connections. This TLS-aware inspection allows Cilium API-aware visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client failure detection. This feature also relies on peer side’s configuration. protocol bfd { interface "{{ grains['node_mgnt_device'] }}" { min rx interval 100 ms; min tx interval

distributions use a different interface naming convention. If you use masquerading with the option egressMasqueradeInterfaces=eth0, remember to replace eth0 with the proper interface name. OpenShift To install be displayed in the UI as service dependencies between the different pods: In the bottom of the interface, you may also inspect each recent Hubble flow event in your current namespace individually. Inspecting TLS-encrypted connections. This TLS-aware inspection allows Cilium API-aware visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client

Cilium might not come up immediately on all nodes, since Flannel only sets up the bridge network interface that connects containers with the outside world when the first container is created on that node nodeEncryption=false \ > cilium.yaml Encryption interface If direct routing is being used an additional argument can be used to identify the network facing interface. If no interface is specified the default route link but depending on routing rules users may need to specify the encryption interface as follows: --set global.encryption.interface=ethX Node to node encryption In order to enable node-to-node encryption

TLS-encrypted connections. This TLS-aware inspection allows Cilium API-aware visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client can conflict with a DHCP agent running on the node and assigning the primary IP of the ENI to the interface of the node. A common scenario where this happens is if NetworkManager is running on the node and failure detection. This feature also relies on peer side’s configuration. protocol bfd { interface "{{ grains['node_mgnt_device'] }}" { min rx interval 100 ms; min tx interval

TLS-encrypted connections. This TLS-aware inspection allows Cilium API-aware visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client can conflict with a DHCP agent running on the node and assigning the primary IP of the ENI to the interface of the node. A common scenario where this happens is if NetworkManager is running on the node and failure detection. This feature also relies on peer side’s configuration. protocol bfd { interface "{{ grains['node_mgnt_device'] }}" { min rx interval 100 ms; min tx interval

TLS-encrypted connections. This TLS-aware inspection allows Cilium API-aware visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client can conflict with a DHCP agent running on the node and assigning the primary IP of the ENI to the interface of the node. A common scenario where this happens is if NetworkManager is running on the node and failure detection. This feature also relies on peer side’s configuration. protocol bfd { interface "{{ grains['node_mgnt_device'] }}" { min rx interval 100 ms; min tx interval

provides an interface for applications to interact with the underlying hardware). The kernel has visibility across the entire system and is highly performant, but needs to provide a stable interface to applications flexibility, eBPF programs are also composable with the concept of tail and function calls. eBPF programs can make function calls into a set of dedicated kernel functions (eBPF helpers/kfuncs) to help

MAC address and IP address which allows the genera�on dedicated BPF programs for those pods. # Interface to be used when running Cilium on top of a CNI plugin. # For flannel, use "cni0" flannel-master-device: policy enforcement enabled on top of a CNI plugi # the BPF programs will be installed on the network interface specified in # 'flannel-master-device' and on all network interfaces belonging to # a container Cilium might not come up immediately on all nodes, since Flannel only sets up the bridge network interface that connects containers with the outside world when the first container is created on that node

28, 2020 2 What will we be doing? 3 How are we going to do it? 4 Demo time 5 Tracing Go function with uprobes 6 Demo time 7 Conclusions ● eBPF programs can be attached to different events:

of rules ▶ Add additional context to a block of rules 5 / 7 Our Policy Language Policy at the Function Call Level ▶ #[func " foo" ] → Apply rules only within a call to foo() ▶ #[kfunc " foo" ] → Same