using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 00/ to access the UI. Hubble UI is not the only way to get access to Hubble data. A command line tool, the Hubble CLI, is also available. It can be installed by following the instructions below: Linux

using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and des�na�on IP of the packet, the tool provides the full label informa�on of both the sender and receiver 443/TCP 3m53 Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME

using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver 443/TCP 3m53s Each pod will be represented in Cilium as an Endpoint. We can invoke the cilium tool inside the Cilium pod to list them: $ kubectl -n kube-system get pods -l k8s-app=cilium NAME

using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver network plugin will be replaced with Cilium by the installer. Limitations: All VMs and VM scale sets used in a cluster must belong to the same resource group. Adding new nodes to node pools might result

using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver network plugin will be replaced with Cilium by the installer. Limitations: All VMs and VM scale sets used in a cluster must belong to the same resource group. Adding new nodes to node pools might result

using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver svc/hubble-ui 12000:80 and then open http://localhost:12000/. Limitations All VMs and VM scale sets used in a cluster must belong to the same resource group. Troubleshooting If kubectl exec to a pod

using a key-value store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver \ --set global.tunnel=disabled \ --set global.nodeinit.enabled=true Note This helm command sets global.eni=true and global.tunnel=disabled, meaning that Cilium will allocate a fully-routable AWS

https://blog.cloudflare.com/its-crowded-in-here/ ● Proof-of-concept tool for configuring BPF socket dispatch https://github.com/majek/inet-tool/ ● “Programmable socket lookup with BPF” presentation at Linux

+ ContainerOS was not very performant Attempt #1 - The Postmortem Iteration is key ● Built a tool to automatically reload falco on rule changes ● Rules: monitor well known IPs, binary names,

multi-kernel VM tests (qemu) ● Resource usage (CPU cycles, memlock) monitored across the fleet by bpf_tax tool → ● Alerts on program load and attach failures [0] https://github.com/libbpf/libbpf