Understanding the Buzz Around Cilium: Introduction and in Production at Alibaba
Liyi Huang, Isovalent & Bokang Li, Alibaba Cloud

Agenda
- Cilium general introduction
- Shallow dive from network policy with ACK
- How CNI looks like at Alibaba Cloud
- Scalability on Alibaba Cloud
- What can you get from a full blown cilium on Alibaba
- Some highlights on cilium 1.16 release
- Q&A

Cilium
- Networking
- Security
- Observability
- Service Mesh & Ingress
- eBPF-based: Foundation Technology
- Over 120 USERS.md entries

eBPF
Makes the Linux kernel programmable in a secure and efficient way.
"What JavaScript is to the browser, eBPF is to the Linux Kernel"
[Diagram: process issues execve() syscall into the Linux kernel, scheduler]

Kubernetes Network policy
Pods within the same Kubernetes cluster can communicate with each other without restriction. If you want to limit the traffic between pods, you will need to use a network policy. You can enable it by ticking the checkbox when creating the ACK cluster, as shown in the following picture.

Kubernetes Network policy
Can pod A talk to pod B? An example of the basic network policy.

Kubernetes Network policy
What does this really mean to the Linux host? You start to chase the iptables tables/rules and ipset on the host. I found there are around 300 rules (including rules for kube-proxy) with just 2 pods and 3 nodes (1 controller and 2 workers) and no user defined service on it on my KIND cluster. How do I know if there is a drop with iptables rules? You need another non-standard network policy implementation to log the flow to a file. Iptables lookup performance is O(n).

Kubernetes Network policy
Same policy for cilium.

Kubernetes Network policy
Network policy lookup from cilium is O(1). You can easily observe it with the cilium tool. More advanced Cilium network policy will be discus
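The "Can pod A talk to pod B?" policy from the slides, written out as an added example that is not the deck's own YAML: the first object is the plain Kubernetes NetworkPolicy, the second is the equivalent CiliumNetworkPolicy that the slide calls "same policy for cilium". The labels app=a and app=b, the default namespace and TCP port 80 are assumptions.

```yaml
# Kubernetes NetworkPolicy (labels, namespace and port are assumed).
# Once pod B is selected by any policy it is isolated for ingress,
# so only traffic from pod A (app=a) on TCP/80 is allowed and every
# other connection to pod B is dropped. With an iptables-based
# implementation this becomes a chain of rules walked in order (O(n)).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-a-to-b
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: b
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: a
      ports:
        - protocol: TCP
          port: 80
---
# Same intent as a CiliumNetworkPolicy. Cilium resolves the source
# labels to a security identity and looks the verdict up in an eBPF
# map, which is why the lookup cost does not grow with the rule count.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-a-to-b
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: b
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: a
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
```

After `kubectl apply -f` on a Cilium cluster, `hubble observe --verdict DROPPED` shows the flows this policy rejects, which is the drop visibility the slide notes iptables cannot give without an extra logging implementation.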