Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow

Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow

Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow

carrying hundreds of thousands of rules that need to be updated with a con�nuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differen�ate between applica�on operates at Layer 3 and 4. A protocol running on a par�cular port is either completely trusted or blocked en�rely. Cilium provides the ability to filter on individual applica�on protocol requests such as: Allow can just use 1 region. The cluster NAME variable should end with k8s.local to use the gossip protocol. If crea�ng mul�ple clusters using the same kops user, then make the cluster name unique by adding

carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow you can just use 1 region. The cluster NAME variable should end with k8s.local to use the gossip protocol. If creating multiple clusters using the same kops user, then make the cluster name unique by adding

Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting L7 Protocol Visibility API Rate Limiting Default Rate Limits Configuration Automatic Adjustment Metrics Understanding carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow

Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes constructs in policy Endpoint Lifecycle Troubleshooting Monitoring carrying hundreds of thousands of rules that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow

2、写好bpf.c和bpf.h,放到指定目录 3、go generate 获取转换后的go文件 构建完整的应用可观测系统 第五部分 架构感知 JMeter testdemo1 testdemo2 Mysql Redis Kafka hcmine 节点 属性 关系 架构感知，节点和关系以及他们的属性，能够正确地反应当前运行的网络关系，帮助 用户感知架构，通过对比期望架构，发现问题，通常在新应用上线，新地区开服，整 全栈数据源，70+个告警模板开箱即用： 应用级别：Pod/Service/Deployment K8S控制面：apiserver/ETCD/Scheduler 基础设施：节点、网络、存储 云服务界别：Kafka/MySQL/Redis/ 告警 拓扑图排查 根因定位 修复 告警收敛，幸福感UP 指标 日志 Trace分析 黄金指标 网络指标 服务依赖 事后复盘 拓扑图高可用、依赖分 析 面向失败、高可用设计 全栈数据源，70+个告警模板开箱即用： 应用级别：Pod/Service/Deployment K8S控制面：apiserver/ETCD/Scheduler 基础设施：节点、网络、存储 云服务界别：Kafka/MySQL/Redis/ 告警 拓扑图排查 根因定位 修复 告警收敛，幸福感UP 指标 日志 Trace分析 黄金指标 网络指标 服务依赖 事后复盘 拓扑图高可用、依赖分 析 面向失败、高可用设计

decision mangle PREROUTING nat PREROUTING socket lookup socket receive buffer Application Protocol Network Driver XDP TC ingress alloc_skb Ring Buffer forward Wikipedia - Packet flow in Netfilter metadata BPF program lookup result 010 101 010 struct bpf_sk_lookup { __u32 family; __u32 protocol; __u32 remote_ip4; __u32 remote_port; __u32 local_ip4; __u32 local_port;

start ● Actions: pass, drop, log (via perf buffer) ● Filter by local/remote IP, IP prefix, port, protocol, TCP flags ● Integrated with service discovery: can filter by service name (dynamic set of IP:port