Network security for microservices with eBPF

Several open-source Kubernetes tools already use eBPF, mainly for networking, monitoring, and security.
The intention of this post is not to provide complete coverage of every aspect of eBPF, but rather to serve as an informational starting point: from understanding the Linux kernel BPF concept, through the advantages and features it brings to microservices environments, to some well-known tools that currently make use of it, such as Cilium or Weave.

Understanding eBPF

Berkeley Packet Filters, BPF for short, is an instruction set architecture first introduced by Steven McCanne and Van Jacobson in 1992 as a generic packet filtering solution for applications such as tcpdump, which was its first use case, and it has long been present in Linux kernels.

Figure: First BPF use case: tcpdump
Figure: Unofficial eBPF mascot

Creating a BPF program

One important aspect of eBPF is the possibility of implementing programs in high-level languages such as C. LLVM has an eBPF back end for emitting ELF files that contain eBPF instructions, and front ends like Clang can be used to craft programs.

Figure: Writing an eBPF program example

Container security policies with IPTables

Historically, container runtimes such as Docker apply security policies and NAT rules at the per-container level by configuring iptables rules on the Docker host.

  1. construct the packet
  2. forward packet through vETH pair
  3. apply iptables in host
  4. drop or forward
Figure: Packet sent from a container with iptables policies

Container security policies with eBPF

Free of the limitations of iptables, eBPF policies can be applied at the system call, before the packet enters the network stack or is even constructed.
Because the eBPF program is attached to the container's network namespace, all the calls are intercepted and filtered on the spot.

Figure: Packet sent from a container with eBPF policies

eBPF is replacing iptables

Learn from a Linux kernel contributor why the kernel community is replacing iptables, the problems faced by Kubernetes kube-proxy, and why policies based on IP addresses and ports are not the right approach in a container world where IPs can change within seconds.

Cilium: dynamic network control and visibility

The Cilium networking project makes heavy use of eBPF to route and filter network traffic for container-based systems. It can dynamically generate and apply rules without making changes to the kernel itself.

Figure: Cilium example scenario
[{
  "endpointSelector": {"matchLabels": {"id": "app1"}},
  "ingress": [{
    "fromEndpoints": [
      {"matchLabels": {"id": "app2"}}
    ],
    "toPorts": [{
      "ports": [{"port": "80", "protocol": "TCP"}]
    }]
  }]
}]

This is how the Cilium project works

The agent runs on each host, translating network policy definitions into BPF programs instead of managing iptables. These programs are loaded into the kernel and attached to the container's virtual ethernet device. When they execute, the rules are applied to each packet that is sent or received.
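The label-based policy from the scenario above, turned into an executable model of the ingress decision the agent's BPF programs enforce. This is an added example, not Cilium's own code; the semantics it assumes (an endpoint is default-deny once any ingress rule selects it, an absent toPorts means any port, protocol ANY is a wildcard) are a simplification of Cilium's policy language.

```python
import json

# Constructed policy, in Cilium's JSON form, with the same intent as the
# page's scenario: only app2 may reach app1, and only on TCP port 80.
POLICY = json.loads("""
[{
  "endpointSelector": {"matchLabels": {"id": "app1"}},
  "ingress": [{
    "fromEndpoints": [{"matchLabels": {"id": "app2"}}],
    "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}]
  }]
}]
""")


def selector_matches(selector, labels):
    """matchLabels: every requested key must be present with the same value.
    An empty matchLabels selects every endpoint."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def port_matches(to_ports, port, proto):
    """toPorts: absent means any port; otherwise one (port, protocol) entry
    must match. Protocol ANY (assumed default when omitted) matches both."""
    if not to_ports:
        return True
    return any(int(p["port"]) == port and p.get("protocol", "ANY") in (proto, "ANY")
               for entry in to_ports for p in entry.get("ports", []))


def ingress_allowed(policy, dst_labels, src_labels, port, proto):
    """Simplified model of label-based ingress evaluation (assumed semantics).
    An endpoint selected by no ingress rule is unenforced (allow); once any
    rule with an ingress section selects it, only a matching rule allows."""
    enforced = False
    for rule in policy:
        if not selector_matches(rule["endpointSelector"], dst_labels):
            continue
        for ing in rule.get("ingress", []):
            enforced = True
            sources = ing.get("fromEndpoints", [])
            src_ok = not sources or any(selector_matches(s, src_labels) for s in sources)
            if src_ok and port_matches(ing.get("toPorts", []), port, proto):
                return True, "matched ingress rule"
    if not enforced:
        return True, "no ingress rule selects endpoint; not enforced"
    return False, "default deny: endpoint is enforced and no rule matched"
```

Calling ingress_allowed(POLICY, {"id": "app1"}, {"id": "app2"}, 80, "TCP") is allowed, while the same call with port 443, protocol UDP, or a source labelled id=app3 is denied; note that the decision never consults an IP address, which is the point of identity-based policy.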

Figure: Cilium project

How Cilium enhances Istio

There are multiple levels of integration between Cilium and Istio that make sense for both projects.

Improving Istio datapath performance and latency

The following image, from a post on the Cilium blog last year, shows latency measurements for the most common high-performance proxies found in microservices environments.

Figure: Latency comparison of common high-performance proxies

How else can Istio benefit from Cilium?

While the key benefit Istio gains from Cilium is the improvement in datapath performance and latency, there are other aspects to consider.

A few more BPF use cases

Written by

IBMer, b3a.dev
