to use ClusterConfig [https://eksctl.io/usage/creating- and-managing-clusters/#using-config-files] file to create the cluster: apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig ... managedNodeGroups: For the Cilium CLI to access the cluster in successive steps you will need to use the kubeconfig file stored at /etc/rancher/k3s/k3s.yaml by setting the KUBECONFIG environment variable: export KUBEC to use ClusterConfig [https://eksctl.io/usage/creating- and-managing-clusters/#using-config-files] file to create the cluster: apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig ... managedNodeGroups:

to use ClusterConfig [https://eksctl.io/usage/creating- and-managing-clusters/#using-config-files] file to create the cluster: apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig ... managedNodeGroups: For the Cilium CLI to access the cluster in successive steps you will need to use the kubeconfig file stored at /etc/rancher/k3s/k3s.yaml by setting the KUBECONFIG environment variable: export KUBEC to use ClusterConfig [https://eksctl.io/usage/creating- and-managing-clusters/#using-config-files] file to create the cluster: apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig ... managedNodeGroups:

cni=cilium parameter in minikube start command. With this flag enabled, minikube will not only mount eBPF file system but also deploy quick- install.yaml automatically. However, this may not install the latest you may seek help on Slack. Tip Hubble CLI configuration can be persisted using a configuration file or environment variables. This avoids having to specify options specific to a particular environment you may seek help on Slack. Tip Hubble CLI configuration can be persisted using a configuration file or environment variables. This avoids having to specify options specific to a particular environment

network-plugin=cilium parameter in minikube start command. With this flag enabled, minikube will not only mount eBPF file system but also deploy quick- install.yaml automatically. 4. Mount the eBPF filesystem minikube creation is done using a YAML configuration file. This step is necessary in order to disable the default CNI and replace it with Cilium. Create a kind-config.yaml file based on the following template. It will conflicts with your local network address range, update the networking section of the kind configuration file to specify different subnets that do not conflict or you risk having connectivity issues when deploying

generic -n kube-system cilium-etcd-secrets \ --from-file=etcd-client-ca.crt=ca.crt \ --from-file=etcd-client.key=client.key \ --from-file=etcd-client.crt=client.crt In case you are not using want to use TLS in etcd, uncomment the 'ca-file' line # and create a kubernetes secret by following the tutorial in # https://cilium.link/etcd-config #ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt' secret by following the tutorial in # https://cilium.link/etcd-config #key-file: '/var/lib/etcd-secrets/etcd-client.key' #cert-file: '/var/lib/etcd-secrets/etcd-client.crt' Deploy Cilium kubectl create

prepare generating the deployment artifacts based on the Helm templates. Generate the required YAML file and deploy it: helm template cilium \ --namespace kube-system \ --set global.etcd.enabled=true generic -n kube-system cilium-etcd-secrets \ --from-file=etcd-client-ca.crt=ca.crt \ --from-file=etcd-client.key=client.key \ --from-file=etcd-client.crt=client.crt Adjust the helm template generation prepare generating the deployment artifacts based on the Helm templates. Generate the required YAML file and deploy it: helm template cilium \ --namespace kube-system \ --set global.cni.chainingMode=aws-cni

Instead it uses YAML configuration that is very similar to Kubernetes. Create a kind-config.yaml file based on the following template. The template will create 3 node + 1 apiserver cluster with the latest generic -n kube-system cilium-etcd-secrets \ --from-file=etcd-client-ca.crt=ca.crt \ --from-file=etcd-client.key=client.key \ --from-file=etcd-client.crt=client.crt Adjust the helm template generation Ready agent 8m26s v1.13.10 Create an AKS + Cilium CNI configuration Create a chaining.yaml file based on the following template to specify the desired CNI chaining configuration: apiVersion: v1

picture:Right click on image > Replace image > Select file 3 Requirements for Scaling Up TIP: To change picture:Right click on image > Replace image > Select file ❏ Secure Network Isolation ❏ Network Visibility Security and Auditing 5 Scalability and Maintainability Source: https://commons.wikimedia.org/wiki/File:Pictofigo-Scalability.png 6 Evaluating eBPF CNI Offerings 7 8 9 10 Evaluating Cilium and Hubble 11 Cilium Benefits TIP: To change picture:Right click on image > Replace image > Select file ❏ Pod network filtering uses eBPF rather than iptables ❏ More flexible network policies ❏ Tools

8 4 / 7 Our Policy Language Rules and Directives Rules specify access to system objects: ▶ fs(file, access) ▶ net(socket, access) ▶ signal(prog, sig) ▶ etc. Directives augment blocks of rules: ▶

Can eBPF save us from the Data Deluge? A case for file filtering in eBPF Giulia Frascaria October 28, 2020 1 The data deluge on modern storage 2 Compute node CPU Network Storage node Flash