tldr - powered by Generative AI

• Cilium and its ClusterMesh feature can simplify connectivity across multiple clusters in a cloud-agnostic way
• Connectivity between services spread across clouds
• Load balancing requests across backends in multiple clusters
• Connectivity between Kubernetes and legacy workloads
• Mutually-authenticated, encrypted connections between services
• Multi-cluster network policies
• Challenges related to IP address management, scale, and observability of multi-cluster networks, and how Cilium can help

tldr - powered by Generative AI

• Psyllium and Hubble can provide observability and security in distributed systems
• Existing mechanisms such as traditional monitoring devices and VPC logs fall short in providing context and scalability
• Psyllium uses identity-based observability and security based on labels to secure and monitor traffic
• Hubble provides a surface mesh solution for monitoring workflows and exporting flows to other platforms
• Ready-to-use dashboards are available in Grafana marketplace for monitoring cluster and application performance

tldr - powered by Generative AI

• BPF is a powerful tool for network analysis, security, and observability in production environments.
• BPF allows for zero-instrumentation profiling of entire production clusters.
• BPF has some limitations, including performance issues and difficulty in interpreting raw data.
• Future developments in BPF may address these limitations, including increased support for programming languages and improved interpretability through machine learning.

tldr - powered by Generative AI

• Cilium is a popular networking and security solution for Kubernetes that uses eBPF and is becoming the CNI of choice in the industry.
• Cilium provides high-performance load balancing, network policy, transparent encryption, and the ability to integrate multiple Kubernetes clusters and external workloads.
• Hubble is the observability platform that gives visibility into individual network flows, aggregated metrics, service maps, and the ability to export all this metric information to various destinations.
• Tetragon is the security observability subproject in Cilium that uses eBPF to instrument the kernel and give insight into security-relevant events.
• Cilium is being adopted by all major cloud providers, including AWS, Azure, and Google Cloud.
• The presentation includes real-world use cases of Cilium from Isovalent, Grafana Labs, and Eficode.
• Grafana Labs has developed a new Grafana app that allows users to get all the power of Hubble directly from within Grafana.

tldr - powered by Generative AI

• Use Celium and eBPF features to achieve network security and observability
• Prioritize on the number of servers exposed through Ingress or Gateway API
• Focus on services reachable within the cluster across namespaces and services with access to external resources such as egress
• Start with an initial namespace policy and use global policies across the platform or even across clusters using cluster-wide network policies to define the guardrails
• Transition from per-namespace security with global policies as guardrails to more fine-grained policies
• Use CI/CD pipeline tools like Argo Flux and Github pipelines to manage network policies at scale
• Automatically check for CIDR blocks which are not approved to be allowed to access using a policy
• Unlock features in networking security and observability using eBPF

tldr - powered by Generative AI

• Tetragon is a daemon set that can run on virtual machines or other external entities directly
• It instruments the Linux kernel on every node in a cluster to detect events such as process executions, file access, TCP patterns, namespace escapes, and privileged escalations
• Tetragon can also expose metrics for HTTP, DNS, and TLS, making it easy to audit compliance controls
• Context is king in security observability, and Tetragon provides a lot of context by giving detailed information about the events it detects

tldr - powered by Generative AI

• Psyllium experiment started in 2016 with IPv6-only container networking using EBPF and XDP
• IPv6 adoption has progressed in Kubernetes and hyperscale environments
• IPv6 offers more IPAM flexibility and larger cluster scale
• IPv6-only clusters unlock new Linux kernel innovations in networking and EBPF for data intensive workloads
• Cilium's networking data plane enables a low-latency architecture suitable for BIG TCP-based workloads requiring IPv6 for 100Gbit/s transfers and beyond for a single socket
• Cilium developed a new veth driver replacement for the kernel to achieve host networking performance characteristics for Pods
• With the resulting EBPF forwarding architecture, most unneeded parts of the stack are bypassed, drastically improving networking

tldr - powered by Generative AI

• The presentation uses honeybees as a metaphor for distributed systems, particularly Kubernetes, to illustrate similarities in behavior and organization.
• Beekeeping practices, such as using signals and observability, can provide insights for managing and operating distributed systems.
• The role of the beekeeper in managing a hive is similar to that of an operator in managing a Kubernetes cluster.
• Beekeeping practices can benefit from automation and better observability, similar to how these practices are emphasized in managing distributed systems.

tldr - powered by Generative AI

• Psyllium and Kubernetes can be used to enforce network policies for microservices
• Least privilege security can be achieved by filtering HTTP requests and restricting API access
• L7 security policies can restrict access to required API resources
• Psyllium website provides resources and a helpful Slack community for beginners and contributors