eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container Images Developer images Official release Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog

eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can

eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container Images Developer images Official release Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog

eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container Images Developer images Official release Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog

Required Kernel Version Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes Advanced Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter Podcasts Blog kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can

Summary Linux Distribution Compatibility Matrix Linux Kernel Advanced Features and Required Kernel Version Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight pre-flight check (Required) Upgrading Micro Versions Upgrading Minor Versions Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can

Guide Running a pre-flight DaemonSet Upgrading Micro Versions Upgrading Minor Versions Rolling Back Version Specific Notes Advanced Configura�on Network Policy Policy Enforcement Modes Rule Basics Layer 3 kernel technology called BPF, which enables the dynamic inser�on of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can approaches to struggle to scale side by side with the applica�on as load balancing tables and access control lists carrying hundreds of thousands of rules that need to be updated with a con�nuously growing

Deployment (2 replicas / HA mode in latest releases) on workers ● cilium-agent running on control plane to enable control/data plane connectivity ● Cilium state-keeping in shared cluster etcd Cilium in #1 cilium-agent Node #1 cilium-agent cilium-operator Node #1 cilium-agent cilium-operator Control Plane kube-api-server cilium-agent kube-controller- manager scheduler ….. etcd VPC digitalocean

love Rust! • For networking, RedBPF supports XDP and SocketFilter programs, however… Traffic Control for Real • XDP doesn’t seem would work (full TCP packet hasn’t been constructed yet - I could user-space program (e.g. for analyzing), does not affect original packets • `tc` can actually control packets! And use BPF! • Let’s add support for it in RedBPF `tc` Support in RedBPF • BPF programs

Added in kernel v4.12 – Only for specific program types – Specify how many times to repeat – Control input data and/or context. Examine output data/context. – Use cases: – Unit testing – Debugging