Kubernetes Networking, Security, And Observability With eBPF And Cilium

  Views: 13,978

DevOps Toolkit


Cilium is a networking and security solution for Kubernetes. It is based on eBPF and it is a replacement for service meshes based on sidecars. In this video, I will show you how to use Cilium to observe traffic, enforce network ingress policies, and enforce network egress policies.
#cilium #ebpf #kubernetes
▬▬▬▬▬▬ 😳 Sponsor 😳 ▬▬▬▬▬▬
🔗 Robusta: robusta.dev
Consider joining the channel: / devopstoolkit
▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
➡ Gist with the commands: gist.github.com/32a7096b96ff9...
🔗 Cilium: cilium.io
🎬 Is eBPF The End Of Kubernetes Sidecar Containers?: • Is eBPF The End Of Kub...
🔗 Kubernetes ChatGPT Bot: github.com/robusta-dev/kubern...
▬▬▬▬▬▬ 💰 Sponsorships 💰 ▬▬▬▬▬▬
If you are interested in sponsoring this channel, please use calendly.com/vfarcic/meet to book a timeslot that suits you, and we'll go over the details. Or feel free to contact me over Twitter or LinkedIn (see below).
▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
➡ Twitter: / vfarcic
➡ LinkedIn: / viktorfarcic
▬▬▬▬▬▬ 🚀 Other Channels 🚀 ▬▬▬▬▬▬
🎤 Podcast: www.devopsparadox.com/
💬 Live streams: / devopsparadox
▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction to Cilium
02:49 Robusta (sponsor)
03:37 Observe Traffic With Cilium Hubble
06:16 Enforce Network Ingress Policies With Cilium
11:28 Enforce Network Egress Policies With Cilium
16:13 Other Notable Features
17:14 Cilium And Hubble Pros And Cons

Comments: 40
@DevOpsToolkit 1 year ago
What do you use for networking in Kubernetes? Kube Proxy? Cilium? Something else?
@arieheinrich3457 1 year ago
Fantastic seeing Viktor in warm weather walking outside and not stuck to the office :)
@dirien 1 year ago
I like this new way you did the video! With walking and talking! You can do more of this type! 😀
@DevOpsToolkit 1 year ago
It was an experiment in that and the next video. If people like it I'll do more in that style but only when it's warm.
@luboszima_orig 1 year ago
Hi I like this format walking and tech talkie 👌☺️
@fedefede843 1 year ago
Istio with eBPF would be great. Thanks!
@lilbitsquishyv2613 1 year ago
Amazing video and weather, can you send some of that sunshine over to me?
@DevOpsToolkit 1 year ago
It was temporary. I spent a week in Florida and now I'm back home and cold 😔
@thomaseckert5691 1 year ago
Love your channel. I work on Consul and every time you said "Istio and Linkerd" I was like "... and Consul"?
@DevOpsToolkit 1 year ago
There are many others so instead of mentioning them all I tend to pick the two most commonly used (adopted) and those are Istio and Linkerd. Consul is certainly there, as many others, but I feel that its adoption is not as big as of the other two, at least when Kubernetes is concerned.
@thomaseckert5691 1 year ago
@DevOpsToolkit oh of course! I’m just teasing. I’m also really interested in applications of eBPF. Thank you for making such great content!
@TheGriffender 1 year ago
Thank you Viktor for this great video. Just wondering, why are you so sure that the future of service mesh is eBPF? I mean, today, Linkerd is rather promoting the lightweight sidecar model. Istio released its new architecture called Ambient which relies on node agent. In my opinion, eBPF looks great for L4 network operation, which is the case with Cilium. But for example, implementing retry function or circuit breaking at the kernel level seems way too complicated or even impossible. What do you think of that?
@DevOpsToolkit 1 year ago
We will see whether that's possible or not. If it is and we can get rid of sidecar containers, I will be slightly happier than I am today. The fact that Istio is moving towards eBPF tells us that the direction is a good one but, as you said, we are yet to see how far it can get us.
@varunsonavne3344 1 year ago
Nice one. Can you make a video for deploying a Kubernetes application with all the best practices like network policy, ingress, apigateway, container signing like that in your own way to deploy production cluster. It would be great for us.
@DevOpsToolkit 1 year ago
I should make something like that. Adding it to my to-do list...
@DevOpsToolkit 1 year ago
I almost forgot... You Choose kzbin.info/aero/PLyicRj904Z9-FzCPvGpVHgRQVYJpVmx3Z is going through everything required to run applications. Only a few episodes were released so it's not yet complete though.
@vn7057 1 year ago
Such a nice weather 😂
@Sebastian-or4xw 1 year ago
Calico also seems to be going to eBPF now btw
@DevOpsToolkit 1 year ago
Yeah. Calico is the main "competitor" to Cilium in that space (networking).
@Sebastian-or4xw 1 year ago
The examples of CiliumNetworkPolicies you showed I think can (mostly?) be done with k8s builtin NetworkPolicies (via any compatible CNI). What would be an example of what only Cilium can do?
@DevOpsToolkit 1 year ago
Those that I used in the demo can be done in, more or less, the same way with k8s Network Policies. Cilium provides a more extensive library of what can be done (and I should have picked a better example). Nevertheless, what makes Cilium "special" is not around specific features (there are many other ways to accomplish the same), but that it uses eBPF which provides better integration with the system, the ability to gather more (fine grained) data, and better performance. If eBPF is not something that matters to you, there is no strong reason to adopt Cilium.
@jurgen5557 1 year ago
I'm curious about your statement (most serious Con), that Cilium might not be installable in an existing K8s cluster. Would you mind elaborating on - why this would be the case - and maybe - which are the conditions when it CAN be installed?
@DevOpsToolkit 1 year ago
It all depends on provider-specific instructions. Often, worker nodes need to be created in a specific way and, if they are not, you might need to recreate them. You might not need to touch the control plane nodes but worker nodes do need to be created again. Double check the Cilium installation instructions for your provider.
@jemag 1 year ago
I still think Calico is more established at the moment for Network Policies but the landscape is changing
@DevOpsToolkit 1 year ago
Actually, I think that Cilium is better established, at least when adoption is concerned, especially since it joined CNCF.
@pier_x0 1 year ago
Hi Viktor, you're lucky you're in Florida 🙂, in the UK there isn't the same weather 🤣😂 If I'd like to install Cilium, do I have to spin up a cluster from scratch? 😠 That would be a great deal-breaker. I hope they will remove this big constraint, otherwise it will limit the popularity
@DevOpsToolkit 1 year ago
Unfortunately, a cluster often needs to be created in a specific way to support Cilium. For example, GKE nodes need to have a specific taint to support Cilium. In some cases, you might be able to install Cilium in an existing cluster but performance might not be as good as it could. In any case, I suggest checking out the install instructions for your Kubernetes provider/flavor. You might end up having to just install Cilium. If that's not the case, you might use the opportunity of the next cluster upgrade to install Cilium. After all, upgrade results in eventual destruction of all nodes and creation of new ones (hopefully through rolling upgrades).
@pier_x0 1 year ago
@DevOpsToolkit Thanks buddy!!! Of course I'll keep an eye on the project, it's very promising and.... I hate Istio, it's too intrusive
@codezero6023 1 year ago
Welcome to our state of FL Viktor !
@DevOpsToolkit 1 year ago
I love it. I had a great time and weather was fantastic. I'll do my best to find an excuse to come again.
@kauffmann101 2 months ago
Can Cilium provide Service Mesh function and is it able to replace Istio?
@DevOpsToolkit 2 months ago
That depends on the features you're looking for. Cilium does support some but not all of those available in Istio.
@myway6335 1 year ago
What are you doing in Florida? Did you relocate?
@DevOpsToolkit 1 year ago
No. I was there for a week only. I came for Civo Navigate event.
@lamnot. 1 year ago
Am waiting at 1:42 to see you pull a shell, and start typing, "this is what I did before,....instructions are in the gist below...."
@DevOpsToolkit 1 year ago
I wanted to do it outside, but it was so bright that I could not see the screen 😔
@lamnot. 1 year ago
Calico?
@DevOpsToolkit 1 year ago
It's coming....
@MykytaDemeshchenko 1 year ago
Architecture-wise, "sidecar" is a terrible idea that got incorporated in lots of solutions, unfortunately. Just conceptually, injection of additional workload in any pod you're running... unbelievable how the community adopted and accepted/tolerated it.
@DevOpsToolkit 1 year ago
I would not say that it is a terrible idea. It is better than what we did before by bundling those features into code. However, being better does not mean it's great. eBPF can make it great by still not being bundled into the app but being less obtrusive than sidecars.