Automatically run unit tests on code changes BPF and XDP Reference Guide BPF Architecture Instruction Set Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain template hubble \ --namespace $CILIUM_NAMESPACE \ --set metrics.enabled="{dns,drop,tcp,flow,port- distribution,icmp,http}" \ --set ui.enabled=true \ > hubble.yaml Deploy Hubble: kubectl apply template hubble \ --namespace $CILIUM_NAMESPACE \ --set metrics.enabled="{dns,drop,tcp,flow,port- distribution,icmp,http}" \ --set ui.enabled=true \ > hubble.yaml Deploy Hubble: kubectl apply

Automatically run unit tests on code changes BPF and XDP Reference Guide BPF Architecture Instruction Set Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain kube-system \ --set global.nodeinit.enabled=true \ --set global.kubeProxyReplacement=partial \ --set global.hostServices.enabled=false \ --set global.externalIPs.enabled=true \ --set global.nodePort nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set config.bpfMasquerade=false \ --set global.pullPolicy=IfNotPresent \ --set config.ipam=kubernetes Validate the Installation

Automatically run unit tests on code changes BPF and XDP Reference Guide BPF Architecture Instruction Set Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain com/cilium/cilium/issues/15769]). If you experience Kubernetes service load-balancing issues, then set [https://minikube.sigs.k8s.io/docs/commands/config/] any other driver from the supported list [https://minikube --namespace $CILIUM_NAMESPACE \ --reuse-values \ --set hubble.listenAddress=":4244" \ --set hubble.relay.enabled=true \ --set hubble.ui.enabled=true On Cilium 1.9.1 and older, the Cilium

Automatically run unit tests on code changes BPF and XDP Reference Guide BPF Architecture Instruction Set Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain \ --set nodeinit.enabled=true \ --set nodeinit.reconfigureKubelet=true \ --set nodeinit.removeCbrBridge=true \ --set cni.binPath=/home/kubernetes/bin \ --set gke.enabled=true \ --set ipam.mode=kubernetes mode=kubernetes \ --set nativeRoutingCIDR=$NATIVE_CIDR The NodeInit DaemonSet is required to prepare the GKE nodes as nodes are added to the cluster. The NodeInit DaemonSet will perform the following

Automatically run unit tests on code changes BPF and XDP Reference Guide BPF Architecture Instruction Set Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain implications. Install Cilium: Install Cilium into the AKS cluster: cilium install --version 1.11.20 --set azure.resourceGroup="${AZURE_RESOURC AKS (Azure IPAM) To install Cilium on Azure Kubernetes Service clusters. Install Cilium: Install Cilium into the AKS cluster: cilium install |CHART_VERSION| --set azure.resourceGroup="${AZURE_RESOURCE_GROUP}" EKS To install Cilium on Amazon Elastic Kubernetes

or for environments which want to leverage the clustermesh functionality, a kvstore set up is required which can be set up using an Installation with external etcd or using the Installation with managed Running 0 75s Installation with managed etcd The standard Quick Installation guide will set up Cilium to use Kubernetes CRDs to store and propagate state between agents. Use of CRDs can impose etcd optimizes the propagation of state between agents. This guide explains the steps required to set up Cilium with a managed etcd where etcd is managed by an operator which maintains an etcd cluster

kubeadm/#pod-network]. Standard Installation This guides takes you through the steps required to set up Cilium on Kubernetes using the cilium-etcd-operator. The cilium-etcd-operator replaces the requirement more details. Installation with external etcd This guide walks you through the steps required to set up Cilium on Kubernetes using an external etcd. Use of an external etcd provides be�er performance with eksctl see the eksctl Documenta�on [h�ps://github.com/weaveworks/eksctl] for details on how to set creden�als, change region, VPC, cluster size, etc. eksctl create cluster You should see something

kernel or user applications. eBPF is a strictly-typed assembly language with a stable instruction set. eBPF programs can be loaded and upgraded in real time without the need to restart the kernel. System compilation step translates the generic bytecode of the program into the machine-specific instruction set to optimize execution speed. This makes eBPF programs run as efficiently as natively compiled kernel retrieve configuration options, and store state through eBPF maps to save and retrieve data in a wide set of data structures. These maps can be accessed from eBPF programs as well as from applications in

and don’t want to pay for it ● TCP and UDP is enough Solution: ● Make task use specified IP by a set of BPF_PROG_TYPE_CGROUP_SOCK_ADDR and BPF_CGROUP_SOCK_OPS programs Move TCP/UDP servers to task port, protocol, TCP flags ● Integrated with service discovery: can filter by service name (dynamic set of IP:port endpoints) Container firewall (twfw) Network faults injection: ● Same per-packet firewall

TCP packets with destination 10.0.0.10 # iptables -t raw -A OUTPUT -p tcp -d 10.0.0.10 -j MARK --set-mark 0xdeadbeef # ipft -m 0xdeadbeef • Network domain specific function call tracer • Trace “which