BPF updates 08

Linux 4.12 was released and net-next is closed. The Kernel Newbies release notes are still under construction but are worth checking out for the BPF commits in 4.12.

Most of the new patches from the lists should show up in the next release candidate for 4.13. Some highlights from the recent activity are

  • i40e gets XDP support for drop, pass and tx actions.
  • Further iterations of the alignment tracking work. The main changes: the RFC tag was dropped and more tests were added.
  • NFP flag for XDP offload mode to offer more flexibility for programs that can be offloaded.
  • The new BPF_PROG_TYPE_SOCKET_OPS series got merged.

More interesting topics

  • iproute gets support for IFLA_XDP_PROG_ID. Also cls_bpf and act_bpf start using the BPF program id.
  • BPF program id available for i40e via XDP_QUERY_PROG.
  • A new helper function, bpf_skb_adjust_room, for adjusting the network-layer headroom of an skb.

One recurring issue is the asm header problem. While BPF programs can mix and match headers from the kernel and from userspace, the asm headers keep causing pain. Will one more hack be added on top of BPF, or will a clean solution emerge from the discussions?

Tutorial: Applying HTTP security rules with Kubernetes

This blog post focuses on Layer 7 (HTTP) policy rules and how to apply them for both outgoing and incoming connections in the context of a Kubernetes cluster using a ThirdPartyResource. This is a first step in integrating L7 policies into the Kubernetes world; the next steps will involve integration with Istio and the Envoy proxy. We will talk about our plans and the details of how Cilium empowers both of them in one of the next blog posts.


The Cilium 0.9 release (Release Notes) was a big step towards awesome Kubernetes integration. One of the many things that we added is a new ThirdPartyResource named CiliumNetworkPolicy. The purpose of CiliumNetworkPolicy is to extend the standardized NetworkPolicy resource and make all of the Cilium functionality available that is not yet accessible via the standard NetworkPolicy.

Step by Step Guide

This step by step guide shows how to apply HTTP security rules in three easy steps.

Step 1: Deploy demo app

We start out with a standard Kubernetes cluster with three worker nodes:

$ kubectl get nodes
NAME      STATUS    AGE
worker0   Ready     115d
worker1   Ready     115d
worker2   Ready     115d

Cilium is deployed as DaemonSet:

$ kubectl -n kube-system get pods
NAME                                    READY     STATUS    RESTARTS   AGE
cilium-0srz0                            1/1       Running   0          10h
cilium-153hp                            1/1       Running   0          10h
cilium-5pk5c                            1/1       Running   2          10h
cilium-consul-0kf04                     1/1       Running   1          17h

We deploy a simple demo application in the form of Kubernetes deployments. This will create three deployments: app1, app2, and app3. It will also make app1 available via a service app1-service.

$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/master/examples/minikube/demo.yaml
service "app1-service" created
deployment "app1" created
deployment "app2" created
deployment "app3" created

We can now check the status of these deployments:

$ kubectl get pods
NAME                       READY     STATUS              RESTARTS   AGE
po/app1-2741898079-66lz0   0/1       ContainerCreating   0          40s
po/app1-2741898079-jwfmk   1/1       Running             0          40s
po/app2-2889674625-wxs08   0/1       ContainerCreating   0          40s
po/app3-3000954754-fbqtz   0/1       ContainerCreating   0          40s

Step 2: Create L7/HTTP security policy

We want to define a Layer 7 (HTTP) policy to protect app1. app1 exposes two API endpoints: GET /public and GET /private. We want app2 to keep calling GET /public but prohibit all calls to GET /private. The following policy achieves this: ingress to app1 is only allowed from app2, only on TCP port 80, and on that port only for HTTP requests with method GET and path /public. Everything else, including GET /private from app2 and any traffic from other pods such as app3, is dropped. Note that toPorts sits inside the same ingress rule as fromEndpoints. If it were written as a separate ingress rule, the fromEndpoints rule on its own would allow all traffic from app2 on every port and the HTTP restriction would never apply to app2.

apiVersion: "cilium.io/v1"
kind: CiliumNetworkPolicy
description: "L7 policy for getting started using Kubernetes guide"
metadata:
  name: "rule1"
spec:
  endpointSelector:
    matchLabels:
      id: app1
  ingress:
  - fromEndpoints:
    - matchLabels:
        id: app2
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        HTTP:
        - method: "GET"
          path: "/public"

We can now import this Layer 7 (HTTP) policy using kubectl:

$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/master/examples/minikube/l3_l4_l7_policy.yaml

Step 3: Test the policy

app1 is now protected. In the commands below, APP2_POD holds the name of one of the app2 pods and SVC_IP the cluster IP of app1-service. We can still access app1/public from app2:

$ kubectl exec $APP2_POD -- curl -s http://${SVC_IP}/public
{ 'val': 'this is public' }

... but we can no longer access app1/private. The "Access denied" reply is generated by Cilium's HTTP proxy; the request never reaches app1:

$ kubectl exec $APP2_POD -- curl -s http://${SVC_IP}/private
Access denied
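As an added example (not code from this post or from the Cilium project), the following Python models how the policy above is evaluated for the requests in the test step. It uses the semantics the guide relies on: rules are an allow-list and are matched independently, fromEndpoints restricts the source (L3), toPorts restricts the port (L4), and HTTP rules inside a toPorts entry restrict the request (L7). It also evaluates a second copy of the policy with toPorts split off into its own ingress rule, to show why the indentation matters. The helper names, the dict form of the policy, exact-match path comparison and the bare label names (Cilium prefixes Kubernetes labels with "k8s:") are simplifications made for this example.

```python
"""Added example: a small model of CiliumNetworkPolicy ingress evaluation.

Not Cilium's own code. Simplifications: paths are compared exactly (Cilium
treats them as regexes), labels are plain key/value pairs without the "k8s:"
prefix, and a single policy is evaluated in isolation.
"""

# The policy from the post, transcribed from YAML into a dict.
RULE1 = {
    "endpointSelector": {"matchLabels": {"id": "app1"}},
    "ingress": [
        {
            "fromEndpoints": [{"matchLabels": {"id": "app2"}}],
            "toPorts": [{
                "ports": [{"port": "80", "protocol": "TCP"}],
                "rules": {"HTTP": [{"method": "GET", "path": "/public"}]},
            }],
        }
    ],
}

# The same YAML with "toPorts" written as a second list item ("- toPorts:")
# instead of as a sibling key of "fromEndpoints": an easy indentation slip.
RULE1_SPLIT = {
    "endpointSelector": RULE1["endpointSelector"],
    "ingress": [
        {"fromEndpoints": RULE1["ingress"][0]["fromEndpoints"]},
        {"toPorts": RULE1["ingress"][0]["toPorts"]},
    ],
}


def selector_matches(selector, labels):
    """matchLabels: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def port_rule_allows(port_rule, port, proto, method, path):
    """One toPorts entry: port/protocol must match, and so must an HTTP rule if any."""
    if not any(p["port"] == str(port) and p["protocol"] == proto
               for p in port_rule["ports"]):
        return False
    http_rules = port_rule.get("rules", {}).get("HTTP")
    if not http_rules:
        return True                       # L4-only entry: any request on the port
    return any(r.get("method", method) == method and r.get("path", path) == path
               for r in http_rules)


def ingress_allowed(policy, dst_labels, src_labels, port,
                    proto="TCP", method=None, path=None):
    """True if the policy lets this request reach the destination endpoint."""
    if not selector_matches(policy["endpointSelector"], dst_labels):
        return True                       # endpoint not selected: unrestricted
    for rule in policy["ingress"]:        # rules are additive; first match allows
        sources = rule.get("fromEndpoints")
        if sources and not any(selector_matches(s, src_labels) for s in sources):
            continue                      # L3 mismatch, try the next rule
        to_ports = rule.get("toPorts")
        if not to_ports:
            return True                   # L3-only rule: every port, every request
        if any(port_rule_allows(pr, port, proto, method, path) for pr in to_ports):
            return True
    return False                          # selected endpoint, nothing matched


APP1, APP2, APP3 = {"id": "app1"}, {"id": "app2"}, {"id": "app3"}


def check_policy(policy):
    """Evaluate the requests from the test step above, plus a few more."""
    return {
        "app2 GET /public":  ingress_allowed(policy, APP1, APP2, 80, method="GET", path="/public"),
        "app2 GET /private": ingress_allowed(policy, APP1, APP2, 80, method="GET", path="/private"),
        "app2 POST /public": ingress_allowed(policy, APP1, APP2, 80, method="POST", path="/public"),
        "app2 tcp/8080":     ingress_allowed(policy, APP1, APP2, 8080),
        "app3 GET /public":  ingress_allowed(policy, APP1, APP3, 80, method="GET", path="/public"),
        "app3 GET /private": ingress_allowed(policy, APP1, APP3, 80, method="GET", path="/private"),
    }


if __name__ == "__main__":
    for name, policy in (("as intended", RULE1), ("toPorts split off", RULE1_SPLIT)):
        print(name)
        for req, allowed in check_policy(policy).items():
            print(f"  {req:18} {'allowed' if allowed else 'denied'}")
```

With the policy as intended only "app2 GET /public" is allowed. With toPorts split into its own rule, the first rule lets app2 do anything on any port, and the second rule, having no fromEndpoints, lets every pod call GET /public; the L7 restriction the guide is meant to demonstrate no longer applies to app2 at all.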

Next Steps

This is just a first preview of our first step towards integrating HTTP layer policies into Kubernetes. We will cover more of our upcoming steps in follow-up blog posts:

  • Adding L7/HTTP security rules definitions to the Kubernetes NetworkPolicy to no longer require a ThirdPartyResource or CustomResourceDefinition.
  • Integration with Envoy proxy to enable protocols beyond HTTP (gRPC, MongoDB, ...)
  • The difference between a shared proxy and a sidecar proxy model, and how Cilium can run a hybrid model where this decision is made per pod.
  • Tight cooperation with the Envoy proxy, where Cilium can share the context information it already has, e.g. the source security identity for ingress rules and existing service load-balancing/routing decisions.
  • Kernel-assisted acceleration of the Envoy proxy
  • Adding support for CustomResourceDefinition, as ThirdPartyResource will be deprecated with Kubernetes 1.8

Stay tuned for more blog posts but feel free to ask questions or provide feedback on our journey so far.

BPF updates 07

Linux 4.12-rc5 was recently released. No BPF changes were included, but the usual [GIT] Networking pull request was made afterwards. You can see the changes in the pull request from 15th June.

There were also several other patches to netdev and related lists. Most of them are fixes. The highlights are

  • New program type BPF_PROG_TYPE_SOCKET_OPS is in the works.
  • Reporting XDP program ids via netlink.
  • Improvements to the bpf tests.
  • MIPS eBPF JIT got applied.

BPF updates 06

Linux 4.12-rc4 was released this week. No new BPF changes were in this release, but several patches were applied on netdev. The highlights are

  • The BPF id patches, which were ready last week but had to be respun because of merge conflicts.
  • All perf events now have BPF support.

Other interesting topics

  • VF XDP support for the qede driver.
  • Better alignment tracking and improvements to the verifier.

BPF updates 05

Linux 4.12-rc3 was released last week. The usual [GIT] Networking pull request with some BPF fixes made it in. You can read all the highlights in the pull request from 26th May. The release email also briefly mentions BPF:

Anyway, rc3 has a little bit of everything. The biggest single change is actually just a documentation update (the intel pstate docs were converted to rst format), so the diffstat actually looks a bit odd with a quarter just being documentation. There's also some tooling updates (perf and some bpf selftest).

More interesting highlights

Cilium v0.9 Released: Hello Kubernetes!

The team is excited to announce the v0.9 release of Cilium.

We've received a lot of great feedback since we released Cilium v0.8 at the end of March with support for L7 HTTP-aware network security. By far the biggest requests have been:

  • Making it easier to deploy and use Cilium in Kubernetes environments
  • Testing and hardening Cilium to enable production deployments.

Cilium @ GlueCon 2017 this Week!

 

The Cilium team is excited to be at GlueCon 2017 on Wednesday and Thursday this week, just outside Denver, CO. GlueCon is a great developer-focused conference covering APIs, containers, microservices, serverless, etc. We've enjoyed attending as individuals in the past, and are excited to be sponsoring this year!

We will be presenting "Cilium + BPF: Least Privilege Security on API Call Level for Microservices" on Wednesday from 2:50-3:20pm. This talk is on Track 1. Come on by!

Throughout the conference we'll be available at our Cilium booth to answer questions about API-aware network security, give demos, and of course give away our Cilium t-shirts. See you there!