Cilium v1.7 Documentation | check (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples ... stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 885 pages | 12.41 MB | 1 year ago
Cilium v1.6 Documentation | Versions Upgrading Minor Versions Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples ... stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 734 pages | 11.45 MB | 1 year ago
Cilium v1.8 Documentation | Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes ... stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.10 Documentation | Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility ... stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of eBPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.9 Documentation | Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility ... stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of eBPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.11 Documentation | Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility ... stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of eBPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.5 Documentation | Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting Monitoring & ... provide stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly ... modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium | 0 credits | 740 pages | 12.52 MB | 1 year ago
Steering connections to sockets with BPF socket lookup hook | Address:Port Process LISTEN 0 10 127.0.0.1:7777 0.0.0.0:* users:(("nc",pid=1289,fd=3)) $ nc -4 127.0.0.1 7777 hello⏎ hello ^D Netcat + /bin/cat Test it! Check open ports on VM external 77 777 echo_ports BPF HASH map Ncat socket echo_socket BPF SOCKMAP (2) is local port open? (3) pick echo service socket Ncat socket (1) (4) echo_dispatch.bpf.c - BPF sk_lookup program /* Declare ... fd=3))⏎ uid:1000 ino:22797 sk:1 <-> Get another socket file descriptor 1. pass FD with SCM_RIGHTS cmsg - see unix(7) man page 2. inherit FD from parent process - see systemd socket activation 3. use | 0 credits | 23 pages | 441.22 KB | 1 year ago
Cilium's Network Acceleration Secrets | request to nodeport 32000 of service pod3 worker node1 10.6.0.10 worker node 3 10.6.0.30 worker node2 10.6.0.20 step1 pod1: pod1: 172.20.0.10:10000 -> node2: 10.6.0.20:32000 step2 node2: 10.6.0.20:20000 -> pod3: 172.20.0.30:80 step3 pod3: 172.20.0.30:80 -> node2: 10.6.0.20:20000 step4 node2: 10.6.0.20:32000 -> pod1: 172.20.0.10:10000 kube-proxy step1 pod1: 172.20.0.10:10000 -> pod3: 172.20.0.30:80 step2 pod3: 172.20.0.30:80 -> pod1: 172.20.0.10:10000 cgroup ebpf service DNAT connect | 0 credits | 14 pages | 11.97 MB | 1 year ago
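2.2.1 Non-Intrusive Application Observability with Golang + eBPF | Applications: microservice architecture, multiple languages, multiple protocols. Challenge 1: in microservice, multi-language, multi-protocol environments, end-to-end observation grows more complex and instrumentation costs stay high. Kubernetes, containers, network, operating system, hardware: infrastructure-layer complexity keeps increasing. How to correlate? Challenge 3: data is scattered, there are many tools, context is missing, and troubleshooting is inefficient. Business applications, application frameworks, container virtualization, system calls, kernel. Application performance monitoring (APM), Kubernetes monitoring, Kubernetes component anomalies: Scheduler ... ./bpf/packetloss.c -- -I../../../../bpf/headers -D__TARGET_ARCH_x86 1. Install the environment 2. Write bpf.c and bpf.h and place them in the specified directory 3. Run go generate to obtain the converted Go files. Building a complete application observability system, Part 5. Architecture awareness JMeter testdemo1 testdemo2 Mysql Redis Kafka hcmine ... point and relationship anomalies, further improving the efficiency of problem discovery and localization; typically used in scenarios such as reviewing the overall call chain at application runtime and analyzing the upstream and downstream of a specific problem node. Correlation analysis: upstream, self, downstream; node; upstream 1, upstream 2, upstream 3; downstream 1, downstream 2, downstream 3; instance, instance, instance … Correlation analysis: by switching between relationships, you can quickly view upstream requests and downstream dependencies as well as the running state of the service's own instances, further improving problem localization; typically used after an abnormal node has already been located. | 0 credits | 29 pages | 3.83 MB | 1 year ago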













