������������������������ Cilium加速网络 性能提升的主要表现： • 不同场景下，不同程度地降低了 网络数据包的“转发延时” • 不同场景下，不同程度地提升了 网络数据包的“吞吐量” • 不同场景下，不同程度地降低了 转发数据包所需的“ CPU 开销” eBPF 简介 eBPF 技术 在 Linux kernel 3.19 开始被 引入，可在用户态进行 eBPF 方式安全运行，其能过通过 map 存储结 构存储数据，能通过 map 同用户态程序交互， 最终实现内核数据进行修改，或者影响内核处 理请求的结果，或者改变内核处理请求的流程。 极大提升了内核处理事件的效率。 截止 linux 5.14 版本，eBPF 有32种类型程序。而 cilium 主要使用了如下类型程序： • sched_cls 。cilium在内核 TC 处实现数据包转发、负载均衡、过滤 • xdp 。cilium在内核 。cilium在内核 XDP 处实现数据包的转发、负载均衡、过滤 • cgroup_sock_addr 。cilium在 cgroup 中实现对service解析 • sock_ops + sk_msg。记录本地应用之间通信的socket，实现本地数据包的加速转发 加速同节点pod间通信 cilium 使用 eBPF 程序，借助 bpf_redirect() 或 bpf_redirect_peer()

eBPF实现无侵入应用可观测 张海彬 阿里云 应用可观测技术专家 目 录 eBPF简介 01 eBPF在云原生场景下的应用 02 微服务可观测的挑战 03 Golang + eBPF实现数据采集 04 构建完整的应用可观测系统 05 eBPF简介 第一部分 eBPF简介 01. eBPF简介 eBPF = extended Berkeley Packet Filter Dynamically 身的 运行时行为具有前所未有的可见性 From:https://juejin.cn/post/7280746515525156918 安全 看到和理解所有系统调用的基础上，将其与所有网络操作的数据包和套接字级视图相结合，通 过检测来阻止恶意攻击行为，如 DDoS攻击等，实施网络策略、增强系统的安全性、稳定性。 From:https://zhuanlan.zhihu.com/p/507388164 应用：微服务架构、多语言、多协议 挑战1：微服务、多语言、多协议环境下，端到端观测 复杂度上升，埋点成本居高不下 Kubernetes 容器 网络、操作系统、硬件 基础设施层复杂度日益增加 如何关联? 挑战3：数据散落，工具多， 缺少上下文，排查效率低下 业务应用 应用框架 容器虚拟化 系统调用 内核 应用性能监控（APM） Kubernetes监控 Kubernetes组件异常： Scheduler

for a specific book. Check that the full REST API is currently accessible in v1 and returns valid JSON data: for APIPATH in /api/v1/products /api/v1/products/0 /api/v1/products/0/reviews /api/v1/products/0/ratings; authorization audit logging. On every user login or logout, it produces into Kafka topic authaudit a JSON-formatted message which contains the following information: event: login or logout username client "TCP"}] }] }] }] Save this JSON to a file named l3_l4_policy.json in your VM, and apply the policy by running: $ cilium policy import l3_l4_policy.json Revision: 1 Step 8: Test L3/L4 Policy

for a specific book. Check that the full REST API is currently accessible in v1 and returns valid JSON data: $ for APIPATH in /api/v1/products /api/v1/products/0 /api/v1/products/0/rev [{"descriptionHtml": authoriza�on audit logging. On every user login or logout, it produces into Ka�a topic authaudit a JSON-forma�ed message which contains the following informa�on: event: login or logout username client "TCP"}] }] }] }] Save this JSON to a file named l3_l4_policy.json in your VM, and apply the policy by running: $ cilium policy import l3_l4_policy.json Revision: 1 Step 8: Test L3/L4 Policy

for a specific book. Check that the full REST API is currently accessible in v1 and returns valid JSON data: for APIPATH in /api/v1/products /api/v1/products/0 /api/v1/products/0/reviews /api/v1/products/0/ratings; authorization audit logging. On every user login or logout, it produces into Kafka topic authaudit a JSON-formatted message which contains the following information: event: login or logout username client "TCP"}] }] }] }] Save this JSON to a file named l3_l4_policy.json in your VM, and apply the policy by running: $ cilium policy import l3_l4_policy.json Revision: 1 Step 8: Test L3/L4 Policy

principal for cilium-operator: az ad sp create-for-rbac --name cilium-operator > azure-sp.json The contents of azure-sp.json should look like this: { "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "displayName": id)" AZURE_CLIENT_ID="$(jq -r .appId < azure-sp.json)" AZURE_CLIENT_SECRET="$(jq -r .password < azure-sp.json)" AZURE_TENANT_ID="$(jq -r .tenant < azure-sp.json)" AZURE_NODE_RESOURCE_GROUP="$(az aks show --resource-group provider openshift-install will prompt for credentials and store them in ~/.azure/osServicePrincipal.json, it doesn’t simply pickup az login credentials. It’s recommended to setup a dedicated service principal

/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_NODE_RES OURCE_GROUP} --role Contributor --output json --only-show-errors) AZURE_TENANT_ID=$(echo ${AZURE_SERVICE_PRINCIPAL} | jq -r '.tenant') AZURE_CLIENT_ID=$(echo provider openshift-install will prompt for credentials and store them in ~/.azure/osServicePrincipal.json, it doesn’t simply pickup az login credentials. It’s recommended to setup a dedicated service principal has to be set using GOOGLE_CREDENTIALS environment variable (e.g. GOOGLE_CREDENTIALS=service-account.json). Follow Openshift Installer documentation [https://github.com/openshift/installer/blob/master/docs/user/gcp/iam

provider openshift-install will prompt for credentials and store them in ~/.azure/osServicePrincipal.json, it doesn’t simply pickup az login credentials. It’s recommended to setup a dedicated service principal has to be set using GOOGLE_CREDENTIALS environment variable (e.g. GOOGLE_CREDENTIALS=service-account.json). Follow Openshift Installer documentation [https://github.com/openshift/installer/blob/master/docs/user/gcp/iam -r < "${CLUSTER_NAME}/metadata.json" '.infraID')" aws_region="$(jq -r < "${CLUSTER_NAME}/metadata.json" '.aws.region')" cluster_tag="$(jq -r < "${CLUSTER_NAME}/metadata.json" '.aws.identifier[0] | to_entries

/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_NODE_RES OURCE_GROUP} --role Contributor --output json --only-show-errors) AZURE_TENANT_ID=$(echo ${AZURE_SERVICE_PRINCIPAL} | jq -r '.tenant') AZURE_CLIENT_ID=$(echo provider openshift-install will prompt for credentials and store them in ~/.azure/osServicePrincipal.json, it doesn’t simply pickup az login credentials. It’s recommended to setup a dedicated service principal has to be set using GOOGLE_CREDENTIALS environment variable (e.g. GOOGLE_CREDENTIALS=service-account.json). Follow Openshift Installer documentation [https://github.com/openshift/installer/blob/master/docs/user/gcp/iam