Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping it simple: Cilium Mesh - networking for...

Liz Rice
April 21, 2023
Programming
1
570

Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond

From KubeCon Amsterdam 2023 (https://sched.co/1Hyaz)

Kubernetes promises that we can run containerized workloads in any cloud, and according to a recent article InfoWorld “2023 may [finally] be the year of multicloud Kubernetes”. For this to happen, we need seamless connectivity between workloads across clusters, regardless of the cloud they’re running on. From the perspective of a developer, shouldn’t connectivity across clouds be as simple as connectivity within a cluster? This talk shows how Cilium takes care of connectivity across multiple clusters in a cloud-agnostic way, and connectivity between Kubernetes and legacy workloads.

Liz Rice

April 21, 2023
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
When is a Secure Connection not encrypted? And other stories
lizrice
1
63
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43
Cloud Native eBPF Superpowers
lizrice
0
240

Other Decks in Programming

See All in Programming
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.6k
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
870
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
920
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
130
Jakarta EE meets AI
ivargrimstad
0
630
みんなでプロポーザルを書いてみた
yuriko1211
0
260
Outline View in SwiftUI
1024jp
1
330
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
130
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Visualization
eitanlees
145
15k
We Have a Design System, Now What?
morganepeng
50
7.2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Automating Front-end Workflow
addyosmani
1366
200k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Become a Pro
speakerdeck
PRO
25
5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k

Transcript

  1. Keeping It Simple: Cilium Networking for Multi-cloud Kubernetes And Beyond

    Liz Rice | @lizrice Chief Open Source Officer, Isovalent CNCF and OpenUK Board

  2. @lizrice Cilium Mesh One Mesh to Connect Them All

  3. @lizrice Connect workloads in multiple clusters and non-Kubernetes environments in

    public clouds and on-prem securely: network policies and authenticated + encrypted Cilium Mesh

  4. @lizrice Image credit: HJ Media Studios on flickr

  5. Services and Endpoints are Kubernetes concepts

  6. @lizrice Services load balance to pods

  7. @lizrice ❯ k get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)

    AGE kubernetes ClusterIP 192.168.0.1 <none> 443/TCP 4h20m resistance ClusterIP 192.168.0.246 <none> 80/TCP 4h19m ❯ k exec -it r2-d2 -- nslookup resistance … Name: resistance-base.default.svc.cluster.local Address: 192.168.0.246 Service names resolve to an IP address

  8. @lizrice ❯ k get endpoints NAME ENDPOINTS AGE kubernetes 172.19.0.3:6443

    4h18m resistance 10.0.0.173:8080,10.0.0.244:8080,10.0.0.31:8080 4h17m ❯ k get pods -o wide NAME READY STATUS RESTARTS AGE IP bb-8 1/1 Running 0 5m48s 10.0.0.119 resistance-5f77df8c9c-56svw 1/1 Running 0 78m 10.0.0.173 resistance-5f77df8c9c-8vvvc 1/1 Running 0 78m 10.0.0.31 resistance-5f77df8c9c-ppxjp 1/1 Running 0 78m 10.0.0.244 Pods provide endpoints for services

  9. @lizrice Cilium knows about services and endpoints ❯ ks exec

    -it $CPOD -- cilium service list ID Frontend Service Type Backend … 7 192.168.0.246:80 ClusterIP 1 => 10.0.0.31:8080 (active) 2 => 10.0.0.244:8080 (active) 3 => 10.0.0.173:8080 (active) ❯ ks exec -it $CPOD -- cilium endpoint list ENDPOINT … IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS … 59 … 135505 k8s:app=resistance-base 10.0.0.173 ready k8s:io.cilium.k8s.policy.cluster=d-qar k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=default k8s:org=resistance k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default …

  10. Cilium ClusterMesh for multi-cluster services

  11. @lizrice

  12. @lizrice ClusterMesh - endpoints around the mesh ❯ ks exec

    -it $CPOD -- cilium service list ID Frontend Service Type Backend … 8 192.168.0.30:80 ClusterIP 1 => 10.0.0.31:8080 (active) 2 => 10.0.0.244:8080 (active) 3 => 10.0.0.173:8080 (active) 4 => 10.0.0.136@2:8080 (active) 5 => 10.0.0.4@2:8080 (active) 6 => 10.0.0.120@2:8080 (active) …

  13. Not all workloads run on Kubernetes… Cilium external endpoints

  14. @lizrice

  15. @lizrice ❯ k describe svc ahch-to Name: ahch-to Annotations: io.cilium/global-service:

    true io.cilium/portal: true Selector: jedi=luke Type: ClusterIP IP: 192.168.0.202 IPs: 192.168.0.202 Port: <unset> 80/TCP TargetPort: 80/TCP Endpoints: <none> ❯ ks exec -it $CPOD -- cilium endpoint add --name=ahch-to --labels=jedi=luke --ip=172.19.100.2 ❯ ks exec -it $CPOD -- cilium service list ID Frontend Service Type Backend … 9 192.168.0.202:80 ClusterIP 1 => 172.19.100.2:80 (active) Add Cilium endpoints for external workloads

  16. Migrate legacy workloads to Kubernetes

  17. @lizrice Migrate legacy workloads to Kubernetes

  18. Protected with CiliumNetworkPolicies

  19. @lizrice apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: name: resistance spec: endpointSelector:

    matchLabels: org: resistance ingress: - fromEndpoints: - matchLabels: org: resistance CiliumNetworkPolicies protect traffic to/from endpoints

  20. @lizrice

  21. Authenticated and encrypted using SPIFFE identities

  22. @lizrice More information: https://isovalent.com/blog/post/2022-05-03-servicemesh-security Cilium next-gen mutual authentication & encryption

    Datapath support in 1.13: https://github.com/cilium/cilium/pull/21822

  23. @lizrice Require authentication for connections to backends CiliumNetworkPolicy specifies authentication

    policy Auth PR: https://github.com/cilium/cilium/pull/24263 Encryption tracked under: https://github.com/cilium/cilium/issues/22215 apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: “auth-ingress” spec: endpointSelector: matchLabels: app: backend ingress: - fromEndpoints: - matchLabels: app: frontend auth: required: strict

  24. Cilium can advertise services over BGP

  25. @lizrice Advertise services over BGP networks

  26. @lizrice Connect workloads in multiple clusters and non-Kubernetes environments in

    public clouds and on-prem securely: network policies and authenticated + encrypted ✅ ✅ ✅ ✅ ✅ ✅ Cilium Mesh

  27. Thank you cilium/cilium @ciliumproject cilium.io @lizrice Download from isovalent.com isovalent.com/labs