Cilium v1.10 Documentation: application containers and to external services and is able to fully replace components such as kube-proxy. The load balancing is implemented in eBPF using efficient hashtables allowing for almost unlimited external access using AWS metadata Creating policies from verdicts Host Firewall (beta when using kube-proxy) Advanced Networking Setting Up Cilium in AlibabaCloud ENI Mode (beta) Using kube-router to run IPVLAN based Networking (beta) Transparent Encryption Host-Reachable Services Kubernetes Without kube-proxy Bandwidth Manager (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy [0 码力 | 1307 pages | 19.26 MB | 1 year ago | 3]
Cilium v1.9 Documentation: application containers and to external services and is able to fully replace components such as kube-proxy. The load balancing is implemented in eBPF using efficient hashtables allowing for almost unlimited Networking (beta) Transparent Encryption (stable/beta) Host-Reachable Services Kubernetes Without kube-proxy Bandwidth Manager (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy Note: If minikube is deployed as a container (that is, if docker is the configured driver), then kube-proxy replacement features like host-reachable services may not work (GitHub issue [https://github.com/ [0 码力 | 1263 pages | 18.62 MB | 1 year ago | 3]
Cilium v1.8 Documentation: Networking (beta) Transparent Encryption (stable/beta) Host-Reachable Services Kubernetes without kube-proxy Kata Containers with Cilium Configuring IPAM modes Operations Networking and security observability upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific etc. Kops offers several out-of-the-box configurations of Cilium including Kubernetes without kube-proxy, AWS ENI, and a dedicated etcd cluster for Cilium. This guide will just go through a basic setup. Prerequisites [0 码力 | 1124 pages | 21.33 MB | 1 year ago | 3]
Cilium v1.11 Documentation: application containers and to external services and is able to fully replace components such as kube-proxy. The load balancing is implemented in eBPF using efficient hashtables allowing for almost unlimited BGP Using BIRD to run BGP Transparent Encryption Host-Reachable Services Kubernetes Without kube-proxy Bandwidth Manager (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy pullPolicy=IfNotPresent \ --set ipam.mode=kubernetes Note: To fully enable Cilium's kube-proxy replacement (Kubernetes Without kube-proxy), cgroup v2 needs to be enabled by setting the kernel systemd.unified_cgroup_hierarchy=1 [0 码力 | 1373 pages | 19.37 MB | 1 year ago | 3]
Cilium v1.7 Documentation: Networking (beta) Transparent Encryption (stable/beta) Host-Reachable Services Kubernetes without kube-proxy Kata Containers with Cilium Configuring IPAM modes Operations Running Prometheus & Grafana Limiting upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific etc. Kops offers several out-of-the-box configurations of Cilium including Kubernetes without kube-proxy, AWS ENI, and a dedicated etcd cluster for Cilium. This guide will just go through a basic setup. Prerequisites [0 码力 | 885 pages | 12.41 MB | 1 year ago | 3]
Cilium v1.6 Documentation: Encryption (beta) Host-Reachable Services (beta) Kubernetes NodePort (beta) Kubernetes without kube-proxy (beta) Kata with Cilium on Google GCE Configuring IPAM modes Operations Running Prometheus & Grafana upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific required to be set to exactly these values: - --run-router=true - --run-firewall=false - --run-service-proxy=false - --enable-cni=false - --enable-pod-egress=false The following arguments are optional and may [0 码力 | 734 pages | 11.45 MB | 1 year ago | 3]
Cilium v1.5 Documentation: upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } The contents can look different than the above. The specific q 1/1 Running 0 kube-proxy-l47rx 1/1 Running 0 kube-proxy-zj6v5 1/1 Running 0 [0 码力 | 740 pages | 12.52 MB | 1 year ago | 3]
Containers and BPF: twagent story: assignment (when netns is not in-use) ○ host services connector (netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall ○ network faults injection ○ network counters (rack, datacenter same task 4 Transparent Proxy ● Facebook traffic has to be encrypted ● Transparent TLS helps some services encrypt easily ● How to send task TCP traffic to TLS forward proxy transparently for a service and BPF_CGROUP_SOCK_OPS programs → ● In proxy on accept(2) learn orig_dst by connection's src IP and port from BPF map. ● Encrypt, see [0] for details on proxy itself. [0] https://atscaleconference. [0 码力 | 9 pages | 427.42 KB | 1 year ago | 3]
Cilium's Network Acceleration Secrets (Cilium的网络加速秘诀): 30:80 -> node2: 10.6.0.20:20000 step4 node2: 10.6.0.20:32000 -> pod1: 172.20.0.10:10000 kube-proxy step1 pod1: 172.20.0.10:10000 -> pod3: 172.20.0.30:80 step2 pod3: 172.20 ncer services, it reduces the number of packet-forwarding hops and greatly improves network performance • Compared with traditional techniques such as iptables, access latency is reduced. For example, in the same environment with 3K services, latency under kube-proxy iptables is 0.6ms, while Cilium's is 0.3ms. XDP accelerates north-south nodePort access: using eBPF programs, Cilium can quickly resolve and forward nodePort and LoadBalancer services, with forwarding performance comparable to DPDK while saving a large amount of CPU. The higher the PPS pressure, the more pronounced the improvement; compared with kube-proxy, measurements show the following: 1. TC forwarding mode doubles throughput under 10Mpps input load and saves 30% CPU utilization under 2Mpps load. 2. XDP's performance ceiling is extremely high, possibly around 10x that of TC. [0 码力 | 14 pages | 11.97 MB | 1 year ago | 3]
Scaling a Multi-Tenant k8s Cluster in a Telco: Scalability issues Namespaces +400 Pods +10k Services +3k CPU +2k Mem +5TB Nodes +300 kube-proxy replacement NetworkPolicy logging Multi-cluster DNS Aware NetworkPolicy Increased Istio security [0 码力 | 6 pages | 640.05 KB | 1 year ago | 3]
13 results in total