
Agenda 5 - Improving the Application Development Experience in Kubernetes with Cilium's Envoy Go Extension - Ruian

tags: GopherCon TW 2020 Agenda

Welcome to the https://hackmd.io/@Golang-Taipei/GopherCon2020 collaborative notes


[Slides link]

https://speakerdeck.com/rueian/ciliums-envoy-filter-and-vs-bridge-to-kubernetes

Outline

  • Cilium Overview
    • k8s CNI

What is Cilium

eBPF-based K8s CNI, providing Networking, Observability, and Security (through its custom Network Policy)

Build network policies and adjust traffic in real time.

Why Cilium

  • Google Cloud GKE uses it

  • eBPF Network Acceleration & kube-proxy replacement

    • Local Socket Redirect
    • K8s Service Endpoint Loadbalance & NAT on connect(2) syscall
    • K8s NodePort Forward & Direct Server Return on XDP
    • Veth Optimization

kube-proxy has far less to do.

Security

Cilium Network Policy

Any L7 Protocol can be supported

How Does Cilium L7 Network Policy Work?

  1. The Cilium eBPF datapath identifies L4 traffic that, according to the user's network policies, requires L7 protocol parsing.
  2. It redirects that traffic to the local Envoy managed by Cilium.
  3. The Go shared module (libcilium.so) loaded by the local Envoy then performs L7 protocol parsing and L7 policy matching on the redirected traffic and makes the decision.

FULL control of L7 traffic

  • no need to inject sidecars
  • no need to restart pods
  • Do whatever you want to the traffic, for example:
    • L7 access control
    • L7 redirection
    • L7 modification
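The three steps above end with an L7 parser in Envoy deciding, per request, whether traffic passes or is dropped, and the "L7 access control" bullet is that decision expressed as policy. The following Go program is an added example, not code from the talk, from Cilium, or from the cilium/proxy repository: it models a per-connection HTTP/1.x parser that buffers chunks the proxy hands it, frames one request (head plus Content-Length body), and matches it against a hypothetical allow list of method and path prefix. The `Verdict`, `HTTPRule`, `Policy` and `Parser` types and the `OnData` signature are assumptions made for illustration, chosen only to show the More/Pass/Drop control flow; they are not the proxylib API.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// Verdict is the kind of answer a per-connection L7 parser hands back to the proxy.
type Verdict int

const (
	More Verdict = iota // not a complete request yet; keep buffering
	Pass                // request matched an allow rule; forward it
	Drop                // no rule matched (default deny) or malformed request
)

func (v Verdict) String() string { return [...]string{"MORE", "PASS", "DROP"}[v] }

// HTTPRule is a hypothetical allow rule shaped like an L7 policy entry:
// an exact method plus a request-path prefix.
type HTTPRule struct {
	Method     string
	PathPrefix string
}

// Policy is an allow list: a request matching no rule is denied.
type Policy struct{ Rules []HTTPRule }

func (p Policy) Allows(method, path string) bool {
	for _, r := range p.Rules {
		if r.Method == method && strings.HasPrefix(path, r.PathPrefix) {
			return true
		}
	}
	return false
}

// Parser holds per-connection state. The proxy delivers bytes in arbitrary
// chunks, so one request may be split across several OnData calls.
type Parser struct {
	policy Policy
	buf    []byte
}
func NewParser(p Policy) *Parser { return &Parser{policy: p} }

// OnData appends a chunk and tries to frame one HTTP/1.x request. It returns
// the verdict and the number of bytes it covers (head plus Content-Length body);
// More covers zero bytes. Chunked transfer encoding is out of scope here.
func (p *Parser) OnData(chunk []byte) (Verdict, int) {
	p.buf = append(p.buf, chunk...)
	headEnd := bytes.Index(p.buf, []byte("\r\n\r\n"))
	if headEnd < 0 {
		return More, 0
	}
	headLen := headEnd + 4
	lines := strings.Split(string(p.buf[:headEnd]), "\r\n")
	// Request line: METHOD SP request-target SP HTTP-version
	parts := strings.SplitN(lines[0], " ", 3)
	if len(parts) != 3 || !strings.HasPrefix(parts[2], "HTTP/1.") {
		p.buf = p.buf[headLen:]
		return Drop, headLen
	}
	// Frame the body so the next request on a keep-alive connection starts at the right offset.
	bodyLen := 0
	for _, h := range lines[1:] {
		name, value, ok := strings.Cut(h, ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), "Content-Length") {
			n, err := strconv.Atoi(strings.TrimSpace(value))
			if err != nil || n < 0 {
				p.buf = p.buf[headLen:]
				return Drop, headLen
			}
			bodyLen = n
		}
	}
	total := headLen + bodyLen
	if len(p.buf) < total {
		return More, 0
	}
	p.buf = p.buf[total:]
	if p.policy.Allows(parts[0], parts[1]) {
		return Pass, total
	}
	return Drop, total
}

func main() {
	parser := NewParser(Policy{Rules: []HTTPRule{{Method: "GET", PathPrefix: "/api/v1/"}}})
	// Constructed sample traffic: an allowed GET split across two chunks, then a denied POST.
	for _, c := range []string{
		"GET /api/v1/users HTTP/1.1\r\nHost: example", ".local\r\n\r\n",
		"POST /admin HTTP/1.1\r\nContent-Length: 5\r\n\r\nhello",
	} {
		v, n := parser.OnData([]byte(c))
		fmt.Printf("%-4s covers %d bytes\n", v, n)
	}
}
```

Two design points carry over to a real extension: the parser must be incremental (the first chunk ends mid-header and correctly yields More rather than a guess), and the verdict must cover the whole framed request, body included, or the next request on the same connection is parsed from the wrong offset and a deny can be bypassed by splitting traffic.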

Microservice Development Pain Points

For Developing

  • Hard to prepare other service dependencies
  • Need to re-deploy container to reflect code changes

For Debugging

  • Hard to target specific L7 traffic in k8s
  • Hard to inspect memory of running container (maybe uprobe)

Microsoft Bridge to Kubernetes

Solve above Microservice Development Pain Points

Microsoft Bridge to Kubernetes Limitations

However, its current implementation has the following limitations:

  • Can't have multiple pods behind a k8s service
  • Can't have multiple containers in a pod
  • Can't have TLS between pods

These limitations can be solved with the full control of L7 traffic provided by Cilium.

How to Build Bridge to Kubernetes with Cilium

Example: https://github.com/rueian/aerial
