后，动态加载到内核指定的 hook 点上，以 VM 方式安全运行，其能过通过 map 存储结 构存储数据，能通过 map 同用户态程序交互， 最终实现内核数据进行修改，或者影响内核处 理请求的结果，或者改变内核处理请求的流程。 极大提升了内核处理事件的效率。 截止 linux 5.14 版本，eBPF 有32种类型程序。而 cilium 主要使用了如下类型程序： • sched_cls 。cilium在内核 return）实现，有效减 少了网络转发的跳数，极大提升了 nodePort的转发性能，降低访问延时。 相关测试表明： • kube proxy iptables模式下，请求完 成时间 1.6ms ，connect 时间 0.9 ms • Cilium DSR模式下，请求完成时间 1ms，connect时间0.4ms node2 pod2 process kernel network stack

small independent services that communicate with each other via APIs using lightweight protocols like HTTP. Microservices applications tend to be highly dynamic, with individual containers getting started that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application traffic for security purposes contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment

small independent services that communicate with each other via APIs using lightweight protocols like HTTP. Microservices applications tend to be highly dynamic, with individual containers getting started that need to be updated with a continuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differentiate between application traffic for security purposes contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment

communicating with each other? How frequently? What does the service dependency graph look like? What HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses in my cluster

communicating with each other? How frequently? What does the service dependency graph look like? What HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses in my cluster

communicating with each other? How frequently? What does the service dependency graph look like? What HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses in my cluster

communicating with each other? How frequently? What does the service dependency graph look like? What HTTP calls are being made? What Kafka topics does a service consume from or produce to? Network monitoring Is it an application or network problem? Is the communication broken on layer 4 (TCP) or layer 7 (HTTP)? Which services have experienced a DNS resolution problem in the last 5 minutes? Which services monitoring What is the rate of 5xx or 4xx HTTP response codes for a particular service or across all clusters? What is the 95th and 99th percentile latency between HTTP requests and responses in my cluster

small independent services that communicate with each other via APIs using lightweight protocols like HTTP. Microservices applica�ons tend to be highly dynamic, with individual containers ge�ng started or that need to be updated with a con�nuously growing frequency. Protocol ports (e.g. TCP port 80 for HTTP traffic) can no longer be used to differen�ate between applica�on traffic for security purposes as contrast to IP address iden�fica�on in tradi�onal systems) and can filter on applica�on-layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment