Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency graph look like? What HTTP HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring & alerting Is any network communication failing? Why is communication failing? Is it DNS? Is it requests? Application monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses

Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency graph look like? What HTTP HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring & alerting Is any network communication failing? Why is communication failing? Is it DNS? Is it requests? Application monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses

Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency graph look like? What HTTP HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring & alerting Is any network communication failing? Why is communication failing? Is it DNS? Is it requests? Application monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses

Hubble can answer questions such as: Service dependencies & communication map What services are communicating with each other? How frequently? What does the service dependency graph look like? What HTTP HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring & alerting Is any network communication failing? Why is communication failing? Is it DNS? Is it requests? Application monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses

container configura�on. Why Cilium? The development of modern datacenter applica�ons has shi�ed to a service- oriented architecture o�en referred to as microservices, wherein a large applica�on is split into to transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container iden�ty (in contrast to IP address iden�fica�on in tradi�onal systems) and can requests with method GET and path /public/.* . Deny all other requests. Allow service1 to produce on Ka�a topic topic1 and service2 to consume on topic1 . Reject all other Ka�a messages. Require the HTTP

configuration. Why Cilium? The development of modern datacenter applications has shifted to a service-oriented architecture often referred to as microservices, wherein a large application is split into to transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and requests with method GET and path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header

services encrypt easily ● How to send task TCP traffic to TLS forward proxy transparently for a service? Solution: ● Redirect client on connect(2) by BPF_CGROUP_INET6_CONNECT and BPF_CGROUP_SOCK_OPS state, not host ● Rules auto-cleanup on task stop is important ● Has to be integrated with service discovery, etc Solution: ● Use BPF_CGROUP_INET_{EGRESS,INGRESS} ● If use-case allows, filter on socket Filter by local/remote IP, IP prefix, port, protocol, TCP flags ● Integrated with service discovery: can filter by service name (dynamic set of IP:port endpoints) Container firewall (twfw) Network faults

configuration. Why Cilium? The development of modern datacenter applications has shifted to a service-oriented architecture often referred to as microservices, wherein a large application is split into to transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and requests with method GET and path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header

total LINE Verda: LINE’s Private Cloud Service IaaS LB NAT … PaaS FaaS … Verda and XDP Based L4 Load Balancer Service • Part of our private cloud service since 2017 • 5100 private, 760 public VIPs Upstream Routers Advertise VIP with eBGP Configure with RPC Health check daemon etc… Service Discovery Per-flow ECMP k8s CCM Frontend (dash board) To Backends User For More Information • Our

Fellow bcc contributors (an awesome eBPF framework) This work was supported by NSERC through a Discovery Grant. github.com/willfindlay/bpfbox Check out the project on GitHub! 7 / 7