程序附加到跟踪点以及内核和用户应用探针点的能力，使得应用程序和系统本身的 运行时行为具有前所未有的可见性 From:https://juejin.cn/post/7280746515525156918 安全 看到和理解所有系统调用的基础上，将其与所有网络操作的数据包和套接字级视图相结合，通 过检测来阻止恶意攻击行为，如 DDoS攻击等，实施网络策略、增强系统的安全性、稳定性。 From:https://zhuanlan.zhihu 挑战3：数据散落，工具多， 缺少上下文，排查效率低下 业务应用 应用框架 容器虚拟化 系统调用 内核 应用性能监控（APM） Kubernetes监控 Kubernetes组件异常： Scheduler, KCM， etcd，api-server, coredns… 系统调用异常：网络请 求，内存申请，文件操 作，CGroup… 内核异常：进程调度， 内存管理，文件管理， 任何应用代码，提供无侵入的应用无关、语言无关、 框架无关的应用可观测能力，提供如网络、虚拟内存、 系统调用等Otel无法获取的数据指标。 新版控制台体验升级 • 提供多语言的无侵入的应用CPU热点查看 • 监控网络异常，如TCP Drop、TCP 重传 • 监控应用异常事件，如OOM 黄金三指标 调用链查询与分析 拓扑/上下游 网络大盘 容器监控 智能告警 持续剖析 接口监控 数据来源

bind cilium的Host-Reachable 技术，利 用eBPF程序，拦截应用在内核connect 、 sendmsg、 recvmsg 、getpeername 、 bind等系统调用，实现 service 的地址解 析，并且伪装通信目的地址，让上层应用 无感知 DNAT 的发生 效果： • 集群内访问nodePort、LoadBalancer 的service时，能够减少数据包转发跳

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ the door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocat Door override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAcce Successfully set AccessCode to 999 Securing Access to a gRPC

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName 1 Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocation override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAccessCode 1 999 Successfully set AccessCode to 999 Securing Access

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName 1 Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocation override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAccessCode 1 999 Successfully set AccessCode to 999 Securing Access

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName 1 Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocation override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAccessCode 1 999 Successfully set AccessCode to 999 Securing Access

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName 1 Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocation override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAccessCode 1 999 Successfully set AccessCode to 999 Securing Access

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName 1 Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocation override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAccessCode 1 999 Successfully set AccessCode to 999 Securing Access

the public terminal can properly act as a client to the door service. We can test this by running a Python gRPC client for the door service that exists in the terminal-87 container. We’ll invoke the ‘cc_door_client’ door-id): $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetName 1 Door name is: Spaceport Door #1 $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py GetLocation override the security and help the rebels escape. To see this, run: $ kubectl exec terminal-87 -- python3 /cloudcity/cc_door_client.py SetAccessCode 1 999 Successfully set AccessCode to 999 Securing Access

process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3 bcc framework ▶ Kernelspace components are all eBPF ▶ LSM probes (KRSI), kprobes, uprobes, tracepoints