Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping it simple: Cilium Mesh - networking for...

Liz Rice
April 21, 2023
Programming
1
560

Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond

From KubeCon Amsterdam 2023 (https://sched.co/1Hyaz)

Kubernetes promises that we can run containerized workloads in any cloud, and according to a recent article InfoWorld “2023 may [finally] be the year of multicloud Kubernetes”. For this to happen, we need seamless connectivity between workloads across clusters, regardless of the cloud they’re running on. From the perspective of a developer, shouldn’t connectivity across clouds be as simple as connectivity within a cluster? This talk shows how Cilium takes care of connectivity across multiple clusters in a cloud-agnostic way, and connectivity between Kubernetes and legacy workloads.

Liz Rice

April 21, 2023
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
220
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
130
When is a Secure Connection not encrypted? And other stories
lizrice
1
60
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
42
Cloud Native eBPF Superpowers
lizrice
0
240

Other Decks in Programming

See All in Programming
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
9
990
Kotlin2でdataクラスの copyメソッドを禁止する/Data class copy function to have the same visibility as constructor
eichisanden
1
130
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
Synchronizationを支える技術
s_shimotori
1
150
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
130
カラム追加で増えるActiveRecordのメモリサイズ イメージできますか?
asayamakk
4
1.5k
hotwire_or_react
harunatsujita
8
4k
Java ジェネリクス入門 2024
nagise
0
600
Honoの来た道とこれから
yusukebe
19
3k
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
110
macOS でできる リアルタイム動画像処理
biacco42
7
1.8k
色々なIaCツールを実際に触って比較してみる
iriikeita
0
270

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
39
2.4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Navigating Team Friction
lara
183
14k
Done Done
chrislema
181
16k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Why Our Code Smells
bkeepers
PRO
334
57k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Automating Front-end Workflow
addyosmani
1365
200k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k

Transcript

  1. Keeping It Simple: Cilium Networking for Multi-cloud Kubernetes And Beyond

    Liz Rice | @lizrice Chief Open Source Officer, Isovalent CNCF and OpenUK Board

  2. @lizrice Cilium Mesh One Mesh to Connect Them All

  3. @lizrice Connect workloads in multiple clusters and non-Kubernetes environments in

    public clouds and on-prem securely: network policies and authenticated + encrypted Cilium Mesh

  4. @lizrice Image credit: HJ Media Studios on flickr

  5. Services and Endpoints are Kubernetes concepts

  6. @lizrice Services load balance to pods

  7. @lizrice ❯ k get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)

    AGE kubernetes ClusterIP 192.168.0.1 <none> 443/TCP 4h20m resistance ClusterIP 192.168.0.246 <none> 80/TCP 4h19m ❯ k exec -it r2-d2 -- nslookup resistance … Name: resistance-base.default.svc.cluster.local Address: 192.168.0.246 Service names resolve to an IP address

  8. @lizrice ❯ k get endpoints NAME ENDPOINTS AGE kubernetes 172.19.0.3:6443

    4h18m resistance 10.0.0.173:8080,10.0.0.244:8080,10.0.0.31:8080 4h17m ❯ k get pods -o wide NAME READY STATUS RESTARTS AGE IP bb-8 1/1 Running 0 5m48s 10.0.0.119 resistance-5f77df8c9c-56svw 1/1 Running 0 78m 10.0.0.173 resistance-5f77df8c9c-8vvvc 1/1 Running 0 78m 10.0.0.31 resistance-5f77df8c9c-ppxjp 1/1 Running 0 78m 10.0.0.244 Pods provide endpoints for services

  9. @lizrice Cilium knows about services and endpoints ❯ ks exec

    -it $CPOD -- cilium service list ID Frontend Service Type Backend … 7 192.168.0.246:80 ClusterIP 1 => 10.0.0.31:8080 (active) 2 => 10.0.0.244:8080 (active) 3 => 10.0.0.173:8080 (active) ❯ ks exec -it $CPOD -- cilium endpoint list ENDPOINT … IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS … 59 … 135505 k8s:app=resistance-base 10.0.0.173 ready k8s:io.cilium.k8s.policy.cluster=d-qar k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=default k8s:org=resistance k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default …

  10. Cilium ClusterMesh for multi-cluster services

  11. @lizrice

  12. @lizrice ClusterMesh - endpoints around the mesh ❯ ks exec

    -it $CPOD -- cilium service list ID Frontend Service Type Backend … 8 192.168.0.30:80 ClusterIP 1 => 10.0.0.31:8080 (active) 2 => 10.0.0.244:8080 (active) 3 => 10.0.0.173:8080 (active) 4 => 10.0.0.136@2:8080 (active) 5 => 10.0.0.4@2:8080 (active) 6 => 10.0.0.120@2:8080 (active) …

  13. Not all workloads run on Kubernetes… Cilium external endpoints

  14. @lizrice

  15. @lizrice ❯ k describe svc ahch-to Name: ahch-to Annotations: io.cilium/global-service:

    true io.cilium/portal: true Selector: jedi=luke Type: ClusterIP IP: 192.168.0.202 IPs: 192.168.0.202 Port: <unset> 80/TCP TargetPort: 80/TCP Endpoints: <none> ❯ ks exec -it $CPOD -- cilium endpoint add --name=ahch-to --labels=jedi=luke --ip=172.19.100.2 ❯ ks exec -it $CPOD -- cilium service list ID Frontend Service Type Backend … 9 192.168.0.202:80 ClusterIP 1 => 172.19.100.2:80 (active) Add Cilium endpoints for external workloads

  16. Migrate legacy workloads to Kubernetes

  17. @lizrice Migrate legacy workloads to Kubernetes

  18. Protected with CiliumNetworkPolicies

  19. @lizrice apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: name: resistance spec: endpointSelector:

    matchLabels: org: resistance ingress: - fromEndpoints: - matchLabels: org: resistance CiliumNetworkPolicies protect traffic to/from endpoints

  20. @lizrice

  21. Authenticated and encrypted using SPIFFE identities

  22. @lizrice More information: https://isovalent.com/blog/post/2022-05-03-servicemesh-security Cilium next-gen mutual authentication & encryption

    Datapath support in 1.13: https://github.com/cilium/cilium/pull/21822

  23. @lizrice Require authentication for connections to backends CiliumNetworkPolicy specifies authentication

    policy Auth PR: https://github.com/cilium/cilium/pull/24263 Encryption tracked under: https://github.com/cilium/cilium/issues/22215 apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: “auth-ingress” spec: endpointSelector: matchLabels: app: backend ingress: - fromEndpoints: - matchLabels: app: frontend auth: required: strict

  24. Cilium can advertise services over BGP

  25. @lizrice Advertise services over BGP networks

  26. @lizrice Connect workloads in multiple clusters and non-Kubernetes environments in

    public clouds and on-prem securely: network policies and authenticated + encrypted ✅ ✅ ✅ ✅ ✅ ✅ Cilium Mesh

  27. Thank you cilium/cilium @ciliumproject cilium.io @lizrice Download from isovalent.com isovalent.com/labs