Can eBPF save us from the Data Deluge?
A case for file filtering in eBPF Giulia Frascaria October 28, 2020 1 The data deluge on modern storage 2 Compute node CPU Network Storage node Flash The data deluge on modern storage 3 Compute node 3 CPU Network Storage node Flash 16-lane PCIe, 16GB/s 64 SSDs, 128GB/s 8x throughput gap https://cacm.acm.org/magazines/2019/6/237002-programmable-solid-state-stora CPU Network Storage node Flash Data DoS in reverse! 11 Compute node CPU Network Storage node Flash Data So similar yet so different ● DoS is malicious ● Data transfer is business-critical ● We
0 points | 18 pages | 266.90 KB | 1 year ago 3
Cilium v1.6 Documentation
Versions Upgrading Minor Versions Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium
0 points | 734 pages | 11.45 MB | 1 year ago 3
Cilium v1.5 Documentation
Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Endpoint Lifecycle Troubleshooting Monitoring & provide stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium
0 points | 740 pages | 12.52 MB | 1 year ago 3
Cilium v1.7 Documentation
check (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly modern application protocols such as REST/HTTP, gRPC and Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a particular port is either completely trusted or blocked entirely. Cilium
0 points | 885 pages | 12.41 MB | 1 year ago 3
Cilium v1.9 Documentation
Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Cilium Hubble Important common packages Debugging toFQDNs and DNS Debugging Mutexes / Locks and Data Races Hubble Bumping the vendored Cilium dependency Release Management Organization Release tracking stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of eBPF enables Cilium to achieve all of this in a way that is highly
0 points | 1263 pages | 18.62 MB | 1 year ago 3
Cilium v1.8 Documentation
Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host Policies Layer 7 Protocol Visibility Using Kubernetes Cilium Hubble Important common packages Debugging toFQDNs and DNS Debugging Mutexes / Locks and Data Races Release Management Organization Release tracking Release Cadence Backporting process Backport stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of BPF enables Cilium to achieve all of this in a way that is highly
0 points | 1124 pages | 21.33 MB | 1 year ago 3
Cilium v1.10 Documentation
Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Cilium Hubble Important common packages Debugging toFQDNs and DNS Debugging Mutexes / Locks and Data Races Hubble Bumping the vendored Cilium dependency Release Management Organization Release tracking stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of eBPF enables Cilium to achieve all of this in a way that is highly
0 points | 1307 pages | 19.26 MB | 1 year ago 3
Cilium v1.11 Documentation
Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Deny Policies Host Policies Layer 7 Protocol Visibility Cilium Hubble Important common packages Debugging toFQDNs and DNS Debugging Mutexes / Locks and Data Races Hubble Bumping the vendored Cilium dependency Documentation Style Header Titles Body Code stronger security isolation by operating at the HTTP-layer in addition to providing traditional Layer 3 and Layer 4 segmentation. The use of eBPF enables Cilium to achieve all of this in a way that is highly
0 points | 1373 pages | 19.37 MB | 1 year ago 3
eBPF at LINE's Private Cloud
Yutaro Hayakawa October 28, 2020 • Messaging & many family services • 185 million global MAU • 3Tbps+ network traffic in total LINE Verda: LINE’s Private Cloud Service IaaS LB NAT … PaaS FaaS public VIPs • k8s CCM integration (Type: LoadBalancer) L4LB Node L4LB Architecture XDP DPlane L3DSR with IPIP, Maglev Hashing, Session caching, etc… API Server FRR (bgpd) bcc-based CPlane Upstream gso_type: tcpv4) Functions the packets have gone through CPU ID Time Stamp User defined tracing data (with Lua script) … Use case • Multi tenant HV networking using SRv6 + VRF • Contributed to find
0 points | 12 pages | 1.05 MB | 1 year ago 3
Using BCC and bpftrace with Performance Co-Pilot
language for eBPF Performance Co-Pilot system performance analysis toolkit Performance Co-Pilot 3 Toolkit for collecting, analyzing, visualizing and responding to the status and performance of applications and networks. 92 6000+ Agents Performance Metrics Domain Agents export performance data from the kernel, services (e.g. PostgreSQL) and other instrumented applications Metrics Metrics
0 points | 4 pages | 487.04 KB | 1 year ago 3