eCHO News 66
eCHO news is your bi-weekly wrap-up of all things eBPF and Cilium. If you want to keep up on the latest in cloud native networking, observability, and security, this is your quelle.
8th October 2024
Spelunking through Reddit, I came across this interesting thread about Gateway API usage in the wild. First comment: "Fired up my first Gateway API today with Cilium... Kinda digging it... The opportunity to replace so many infrastructure services with just Cilium is pretty compelling to me." In my conversations with Cilium end users, this sentiment is key to many of them choosing and adopting Cilium.
In infrastructure, I think we are moving away from point solutions towards more integrated approaches, and Cilium is a perfect example of this, covering everything from L2-L7. When I posted the Reddit thread on LinkedIn, this same sentiment came across again: "already replaced MetalLB with Cilium L2 Announcements and now looking forward to replace ingress nginx with Cilium's Gateway API implementation." I don't think this is anything against the projects Cilium is replacing (they are great pieces of technology too); it is more that people are looking to do more with less in their stack. Hear all the ways people are simplifying their stack with Cilium at KubeCon or let the project know how you are doing it in the User Survey. The company offsite is coming up and I need to pack so let’s 🐝 -gin.
The Technical
Kubernetes Traffic Engineering for Network Engineers: Cilium Best Practices - Inbound and outbound traffic, BGP for advanced traffic routing, application-specific design considerations, static route configurations, managing unmanaged pods and overlay coexistence, this white paper has it all
The eBPF Runtime in the Linux Kernel - Academic summary of eBPF, I think this paper will get a lot of citations
Hacking eBPF & LLVM for Fun and Profit - Everyone is trying to beat the verifier
eBPF Challenge 1: XDP Return Codes - Learn how to not get locked out of your system
eBPF Map Monitoring using eBPF Iterators - Do you know how full your eBPF Maps are?
takehaya/Sys-Ebpf - "perl-ebpf is a pure-perl library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel" with presentation in Japanese
furkanonder/DnsTrace - "Monitor DNS queries by host processes using eBPF!"
recontech404/Kairos - "Open Source eBPF Malware Analysis Framework"
SRodi/ebpf-file-delete-tracer - "demonstrates the use of eBPF to trace file deletion events on a Linux system"
🐝
The Ecosystem
Cilium User Survey - 2024 - Please fill it out to help us understand where the project should go next
Isovalent Enterprise for Tetragon 1.14: Persistent Enforcement, Memory Optimizations, Improved Child Process Visibility, and more! - 77% decrease in memory usage, customizing default rulesets, hard to pick a favorite feature improvement
Cilium Talks at KubeCon NA 2024 - Hard to choose which end user talk I'm most looking forward to, find all of them here
Case Study: SysEleven - "Cilium replaced everything that previously had anything to do with networking. In one sense, it’s just a CNI plugin, but on the other hand, it can also remove the need for so many other tools, like kube-proxy."
Adobe Achieves a Boring Network with Cilium for Cloud Native Platforms - "But boring is good!"
Unlocking the Power of eBPF: How Cilium enhances BMC Helix Innovation Suite - Great to see another platform supporting Cilium
Securing Kubernetes Workloads using LSM-BPF - Find out how eBPF came to tackle security too
OpenTelemetry Isn’t the Hero We Need: Here’s Why it’s Failing our Stack - "OpenTelemetry is only a support team player and eBPF is the real MVP"
Now let’s talk about Cilium and how it leverages eBPF - Find out why you should switch from AWS VPC CNI
Cilium: A Comprehensive Guide to Networking, Security, and Observability in Kubernetes - "Ultimately, Cilium offers a unique blend of simplicity, performance, and security"
eBPF- One Size Does Not Fit All - “Oh, you guys use computers? Well we use computers too!” - What really matters is how you leverage the technology
How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack - "Once an attack is qualified, dosd will push a mitigation rule inline as an eBPF program to surgically drop the attack traffic"
🐝
The How To
Optimizing Enterprise Networks: Addressing Overlapping CIDR with Cilium - Learn how packets traverse clusters and how to set it up
Cilium: IPv6 on EKS - Using prefix delegation, network policy (L3/L4/L7/DNS), encryption, & observability
Apply a Cilium eBGP Policy and redistribute it into an XRd ISIS topology - "I imagine it will take cross-functional IT Infrastructure teams to see this implemented and scaled out in production"
First eBPF program - Learn to write Hello World on the execve system call
🐝
The Video
Isovalent Bring your own CNI (Cilium) with AKS - Webinar to learn to set it up
Coping with Zero Days with Cilium Tetragon - Learn to stop the next CVE with Tetragon
🐝
The Events
eBPF Birds of a Feather - Open Source Summit Japan - October 28th in Tokyo
Cilium + eBPF Day - See you in Salt Lake! Schedule is out now!
🐝
The Tweet of the Week
Correction: In the previous episode, it was stated that both snake and DOOM moved into the kernel. In reality, snake uses bpftrace userspace code to implement the main logic and DOOM is running in a userspace eBPF runtime.
--
You're right quoting me there, we indeed are looking to replace ingress nginx with Cilium's Gateway API to simplify our tech stack. Ingress nginx is a great piece of software and it works perfectly, but having one less tool to install to get a basic k8s cluster ready simplifies our opentofu k8s deployment module. Less code that does the same or more is always a huge win in IaC in my books.
Very helpful, thanks 🙏
Content from: John Gallagher, Amit Gupta, Simardeep S., Shung-Hsi Yu, Piotr Jablonski, Jeremy C., Bob Adewusi, Liz Rice, prateek singh, Teodor Podobnik, Dean L., Simone Ferlin-Reiter, Michael Fecher, Mike M., Nadav Markus, Simone Rodigari, Takeru Hayasaka, Daniel W., Furkan Taha Ö., Manish Arora, Shawn Bohrer, Omer Y., Alex Forster, Michael B., Shedrack Akintayo