implemented using BPF using efficient hashtables allowing for almost unlimited scale and supports direct server return (DSR) if the loadbalancing operation is not performed on the source host. Note: load balancing destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request It will deploy a simple probe and echo server running with multiple replicas. The probe will only report readiness while it can successfully reach the echo server: kubectl get pods NAME

Golang Package Compatibility Guarantees API Reference Hubble internals Hubble Architecture Hubble server Hubble Relay Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: optimized for maximum performance, can be attached to XDP (eXpress Data Path), and supports direct server return (DSR) as well as Maglev consistent hashing if the load balancing operation is not performed destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request

optimized for maximum performance, can be attached to XDP (eXpress Data Path), and supports direct server return (DSR) as well as Maglev consistent hashing if the load balancing operation is not performed destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request Configuration: Datapath IPAM Datastore Direct Routing (ENI) AWS ENI Kubernetes CRD For more information on AWS ENI mode, see AWS ENI. Tip If you want to chain Cilium on top of the AWS CNI, refer to

implemented using BPF using efficient hashtables allowing for almost unlimited scale and supports direct server return (DSR) if the loadbalancing operation is not performed on the source host. Note: load balancing destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request the master node using a node-token which can be found on the master node at /var/lib/rancher/k3s/server/node-token. Install K3s on agent nodes and join them to the master node making sure to replace the

optimized for maximum performance, can be attached to XDP (eXpress Data Path), and supports direct server return (DSR) as well as Maglev consistent hashing if the load balancing operation is not performed destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Metrics export via Prometheus: Key metrics are exported via Prometheus Configuration: Datapath IPAM Datastore Direct Routing (ENI) AWS ENI Kubernetes CRD For more information on AWS ENI mode, see AWS ENI. Tip If you want to chain Cilium on top of the AWS CNI, refer to

Golang Package Compatibility Guarantees API Reference Hubble internals Hubble Architecture Hubble server Hubble Relay Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: implemented using BPF using efficient hashtables allowing for almost unlimited scale and supports direct server return (DSR) if the loadbalancing operation is not performed on the source host. Note: load balancing destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request

implemented using BPF using efficient hashtables allowing for almost unlimited scale and supports direct server return (DSR) if the loadbalancing opera�on is not performed on the source host. Note: load balancing have kubectl installed then you can simply point it at the microk8s version of the kubernetes API server: export KUBECONFIG=/snap/microk8s/current/client.config Install etcd Install etcd as a StatefulSet link/etcd-config #ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt' # # In case you want client to server authentication, uncomment the following # lines and create a kubernetes secret by following the tutorial

Node L4LB Architecture XDP DPlane L3DSR with IPIP, Magrev Hashing, Session caching, etc… API Server FRR (bgpd) bcc-based CPlane Upstream Routers Advertise VIP with eBGP Configure with RPC Health Service Discovery Per-flow ECMP k8s CCM Frontend (dash board) To Backends User For More Information • Our motivation, detailed architecture, etc… (en) • https://www.youtube.com/watch?v=UE6rPA1Js2s&fe d040677a60e35c7aec eth VM1 VM2 VM3 SRv6 + iptables Security Policy VRF VRF VRF For More Information • Our SRv6 DC network architecture (en) • https://speakerdeck.com/line_developers/line-data-center-

twagent story Andrey Ignatov, Facebook October 28, 2020 1 ● a daemon ● runs on every Facebook server ● manages all Facebook containers ● a part of the bigger TW system, see the TW paper in OSDI'20 cgroup-bpf 3 Task IP assignment (aka IP-per-task) ● Facebook DC network is IPv6 only ● Every server has /64 IPv6 prefix ● Convenient to have a unique IPv6 per twagent task (e.g. for QoS tagging) ● sendmsg(2): bpf_bind(task_ip) Handle TCP client A connecting to TCP server B in same task by [::1]: ● listen(2): track server port by tracking BPF_TCP_LISTEN and BPF_TCP_CLOSE ● connect(2) to [::1]:

Code and instructions at https://github.com/jsitnicki/ebpf-summit-2020 We will need… a TCP echo server $ sudo dnf install nmap-ncat $ nc -4kle /bin/cat 127.0.0.1 7777 & [1] 1289 $ ss -4tlpn sport SK_DROP : SK_PASS; } is echo service configured on this port? get echo server socket dispatch the packet to echo server Load echo_dispatch program $ make echo_dispatch.bpf.o clang -I…/linux/usr/include