From YouTube: CNCF Research End User Group: Cilium and eBPF, Raphaël Pinson, Isovalent (September 21, 2022)
A: All right, so welcome everyone. We are finally restarting the regular sessions for the research user group, and this was a topic, Cilium and eBPF, that we had had on the list for a while and that had been suggested before. We got Raphaël from Isovalent, who was nice enough to join us today, so we'll have a presentation. Usually the format is about half an hour, and then we leave plenty of time for questions, but I guess if people have questions during the presentation, that should also be okay. So yeah, thanks again, Raphaël.
B: All right, is that fine? Yep, okay. So yeah, let's talk about Cilium. I'll put Cilium in context first: eBPF in general, Cilium and eBPF, and the tools around Cilium. My name is Raphaël; I'm a Solutions Architect at Isovalent, based in Switzerland. As part of my job as a Solutions Architect, I do customer support on Cilium, Hubble and Tetragon, and I've been involved with Kubernetes and the CNCF for several years. I actually co-organize a CNCF meetup in the French-speaking part of Switzerland.
B: The different subjects we can touch on today are Cilium and eBPF in general, then different features of Cilium (networking, cluster mesh, security, observability), we'll move on to service mesh, and I'll leave a little bit at the end for Tetragon, which is not strictly tied to Cilium itself, but we usually ship them together, at least in our enterprise solution.
B: So first, Cilium and eBPF, a quick introduction. I'm part of Isovalent, and Isovalent is the main contributor to Cilium. Cilium is part of the CNCF, an incubating project at the moment, and is based on eBPF, a technology that has been in the Linux kernel for years and is now actually being ported to other kernels; Microsoft is doing some work to port it to Windows, for example.
B: So what is Cilium these days? Cilium is first and foremost a CNI, though it actually started before Kubernetes was widespread, or even announced, I think. It provides pod-to-pod, pod-to-service and node-to-node communication, but it can also implement Kubernetes services as a replacement for kube-proxy, as well as extra features such as multi-cluster, or VM integration, which is an extension of the multi-cluster feature.

On top of this, it implements network policies, using either the standard Kubernetes NetworkPolicy resource type or the specific network policy CRDs provided by Cilium for advanced features. It is identity-based, and this is something very important: there is a deduplication of identities that happens in Cilium, which helps both performance and the observability layer. It supports encryption, pod-to-pod encryption using IPsec or WireGuard, and there's also observability, mainly linked to the Hubble component, providing metrics, flow visibility, and service dependencies in the form of a service map.
B: eBPF essentially makes the kernel programmable: currently, in our case, the Linux kernel, and in the future it may extend to other OSes. The idea is that you can have many programs that are typically injected into the kernel as bytecode. eBPF bytecode is usually written in some subset of C, like the example here, which is compiled into bytecode and then injected into the kernel, and the kernel will verify that the program is acceptable: there is a strict verifier that checks both the security and the stability of that program.
B: And then, once the program is accepted into the kernel, it is compiled into machine code, so it's as performant as the kernel itself, and you can attach it to different events in the kernel, which makes a lot of sense given that the kernel itself is essentially an event-driven program. So, for example, with eBPF, a process would call the execve syscall to start a new process, and that syscall would trigger the eBPF program attached to it.
B: There are several fields of application that are quite natural for eBPF. Observability is obviously one of them, because you get to observe anything that happens in the kernel in the form of syscalls, kprobes, uprobes, lots of different things, or network events. Another field of application is security: if you can track and analyze syscalls, and even block them, that makes a lot of sense. And the last one is networking. I say the last one, although in the case of the Cilium project this is where the project started.
B: Actually, with networking it's a little bit less obvious, but with eBPF you can also bypass some native networking stacks in the kernel and actually re-implement them. There are different ways in which eBPF programs can act on events in the kernel: you can typically attach yourself to events such as a file being read, or the I/O reads happening directly on the disk, and do some observability or take some action on them.
B: Uprobes, system calls, tracepoints, sockets and so on; and there are even ways to interact directly with the hardware using XDP, for example (eXpress Data Path), which allows you to program hardware network devices to do load balancing. So you could capture packets arriving on an interface in the kernel and redirect them directly to a network card for hardware load balancing, which can give amazing performance compared to what the kernel itself can do.
B: So Cilium is used by a lot of different companies. This is just an extract from the USERS.md file in the Cilium repository, which lists lots of names of organizations that use Cilium and what they do with it.
B: At the moment, when we talk about Cilium, there are essentially three products that are part of the Cilium project and, in this scope, part of the CNCF. There's Cilium itself, the CNI and networking solution; there's Hubble, which is the observability component; and Tetragon, which is the most recently open-sourced component and is responsible for runtime security as well as security observability.
B: The Cilium networking component, the CNI itself, is responsible for the networking side of things: IPv4, IPv6, integration with cloud providers, or BGP if you're doing on-premise. Typically there are two options: either direct routing, using BGP, or an overlay using VXLAN or Geneve. There's SRv6, there are special features such as egress gateway and multi-cluster, the possibility of doing NAT46/NAT64, and the possibility of applying network policies.
B: So L3/L4, that's kind of the standard, all the way to layer 7, using Envoy as a proxy and filtering on DNS entries, either specific DNS entries or with wildcards. There's encryption, which I mentioned a bit before, and load balancing, which can actually be done even outside of Kubernetes: either Kubernetes load balancing as a replacement for kube-proxy, or standalone load balancing outside of Kubernetes, using Cilium as a container in Docker, for example. And on top of this, because we see all the traffic going through, we can actually add a lot of observability, so we observe traffic in the form of flows, but we also get a lot of metrics from all these components.
B: So Cilium itself, the Cilium operator, Hubble, the Envoy proxy, Tetragon and so on.
B
I'll
talk
a
bit
about
tetragon
here.
Tetragon
allows
to
plug
to
a
lot
of
different
kernel
events
and
actually
observe
what's
happening
there.
You
can
get
a
lot
of
observability
flows
from
there,
which
can
be
exported
to
the
same
of
your
choice
same
for
Hubble.
So
essentially
you
get
a
flow
of
Json
events
that
you
can
export
and
process.
B: ...in your tool of choice, or you can use the tools that are provided. Typically, in the enterprise solution of Cilium provided by Isovalent, we have ways of correlating these events. And then there's the service mesh layer, which essentially takes features that we already have in Cilium and that people expect in a service mesh, such as encryption, cluster mesh and observability, and adds to them the features people would also expect in a service mesh, such as an Ingress controller, authentication and traffic management. There's quite a bit of work still being done on this layer, and it will come in Cilium 1.13 and following, so the next release and following.

So let's dive a bit into the networking side of things. Typically on Kubernetes there is no default network layer; there's only a standard, which is CNI, and here Cilium can replace both the CNI layer and kube-proxy. As the CNI it provides pod-to-pod communication, intra-node and inter-node, and by replacing kube-proxy it actually implements the services, which are usually implemented using iptables or IPVS in kube-proxy.
B
So
we
can
have
psyllium
take
care
of
all
of
this,
and
typically
instead
of
iptables
on
every
node
sodium
will
inject
evpf
programs
and
maps
to
to
implement
the
same
features
except
they
they
might
be.
It
might
be
a
little
bit
more
featureful,
because
evpf
programs
are
have
more
possibilities
than
just
iptable
rules,
so
there
is
sorry
I'll
get
back
to
this.
B
There
is
an
agent
a
silly
magent
writing
on
each
node,
and
this
agent
is
responsible
for
injecting
ebpf
programs
and
ebpf
maps
that
are
used
either
to
configure
these
programs
or
to
retrieve
information
for
this
from
this
program.
It's
typically
for
observability,
for
example,
so.
B
And
the
possibility
to
replace
QT
proxy,
typically
on
kubernetes,
when
you
have
a
service,
you
have
a
virtual
IP
that
works
as
an
lcl4
load
balancer
to
pause
in
the
back
end
points,
and
this
is
typically
implemented
using
iptibles
in
Q,
proxy
or
ipvs
and
with
IP
tables.
What
you
get
is
essentially
a
system
of
sieve
where
you
will
go
through
all
the
rules
before
you
find
the
role
that
is
proper
for
you.
That
applies
in
your
case.
B
So
typically,
if
you
have
a
service
with
three
pods
and
in
the
back,
you'll
have
free
role
and
three
rules,
and
the
first
one
will
say
redirect
to
this
part,
to
this
IP
and
33
of
the
cases
and
then
redirect
to
the
second
IP
in
50
of
the
cases
and
then
redirect
to
this
IP
in
100
of
the
of
the
remaining
cases.
B
So
you
see,
this
is
a
very
an
approach
that
is
based
on
filtering
and
when
you
get
to
hundreds
or
thousands
of
services,
it
can
get
really
slow
to
get
to
the
rule
that
you
need
to
apply,
let
alone
just
applying
the
the
rules
whenever
there's
a
new
part
or
whenever
there's
a
new
service
or
whenever
there's
a
modification
Network
policy,
the
whole
stack.
B
The
whole
list
of
iptables
need
to
be
Rewritten,
whereas
with
an
evpf
based
approach,
we
can
have
hash
tables
that
will
link
directly
the
identity
instead
of
the
IP
address
the
identity
of
a
pod,
based
on
a
set
of
labels
that
are
known
from
kubernetes
by
the
edpf
program
and
based
on
this
identity,
you
can
link
directly
to
the
way
it
should
be
routed
to
another
Identity
or
if
this,
this
traffic
should
be
allowed
or
not.
So
typically,
both
routing
and
network
policies
can
be
implemented
in
a
much
more
performant
and
scalable
way.
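As an illustrative sketch (not from the talk), enabling this kube-proxy replacement in a Helm-based Cilium install comes down to a few chart values like the following; the API server address is a placeholder, and exact value names can vary between Cilium versions:

```yaml
# values.yaml for the Cilium Helm chart (hypothetical minimal example)
kubeProxyReplacement: strict   # let Cilium's eBPF datapath implement Services
k8sServiceHost: 10.0.0.1       # API server address, needed once kube-proxy is removed
k8sServicePort: 6443
```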
B: One example of an interesting feature provided in Cilium is the possibility of having an egress gateway, to access a workload, typically a database, for example, outside of the Kubernetes cluster. So we have a CRD, called the egress network policy (the Cilium egress NAT policy, actually), that allows you to target some pods in the Kubernetes cluster and say: when traffic comes from these pods and accesses this CIDR outside of the Kubernetes cluster, I want it to go through this specific IP, or this specific node of the cluster. This allows the application outside of the cluster to recognize the IP the traffic is coming from. So typically, if you have a firewall in front of this application, you can filter on this IP. Otherwise, you don't know exactly which IP the traffic would be coming from, right?
B: It could be from the node itself, or it could be directly from the pod if you're using direct routing, but it would be really hard to identify which application is reaching out to this external application outside the cluster. There's actually a mode provided in the Isovalent Cilium Enterprise distribution which allows for a highly available egress gateway: instead of having one IP to exit the cluster, we have several, and Cilium can load-balance between them, and fail over as well in case one of the nodes becomes unavailable.
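As an illustrative sketch (not shown in the talk), such a policy can be expressed with the egress gateway CRD; in recent Cilium versions the resource is called CiliumEgressGatewayPolicy (older releases used CiliumEgressNATPolicy), and all names, labels and CIDRs below are placeholders:

```yaml
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: billing-to-legacy-db        # hypothetical policy name
spec:
  selectors:
    - podSelector:
        matchLabels:
          app: billing              # pods whose egress traffic is matched
  destinationCIDRs:
    - 192.168.100.0/24              # network outside the cluster, e.g. the database
  egressGateway:
    nodeSelector:
      matchLabels:
        egress-node: "true"         # node whose IP the external firewall allows
```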
B
In
order
to
integrate
with
rules
as
well
like
security
groups
or
other
metadata
from
the
cloud,
so
typically,
we
have
a
component
called
the
sodium
operator,
and
while
the
agent
is
a
demon
set
running
on
every
node
in
the
cluster,
the
operator
is
a
deployment
that
has
a
credentials
to
connect
to
the
cloud,
and
it
will
allow
typically
to
play
a
role
in
the
ipam
for
cilium.
B
This
operator
also
has
a
role
to
do
some
garbage
quality
in
the
cluster.
In
the
case,
for
example,
one
node
is
removed.
Obviously
the
agent
on
this
node
is
not
there
anymore
to
remove
stuff
from
the
from
the
API
server,
so
the
operator
can
do
this,
there's
a
possibility
to
do
cni,
chaining,
so
using
one
cni
as
the
base
layer
and
then
deploying
psyllium
on
top.
Some
people
want
to
do
this.
B
It's
more
and
more
rare
I
would
say
the
typical
cases
because
they
don't
want
to
lose
possible
support
from
the
cloud
provider
by
using
something
else.
Fortunately,
psyllium
is
getting
more
and
more
common
and
supported
by
Cloud
providers,
so
it's
not
necessary
to
use
cni
chaining
anymore
in
a
lot
of
cases.
B
That's
what
the
networking
part
one
specific
feature
that
is
interesting
is
the
possibility
of
meshing,
different
clusters
at
l3l4.
B
So,
typically,
we
can
have
clusters
that
have
different
commences
distributions
different
versions
even
and
you
want
to
match
them
directly
at
the
l3l4
layer.
B
This
is
possible
using
psyllium,
and
the
way
this
is
done
is
that
when
you
activate
cluster
mesh
on
a
cluster,
psyllium
will
create
a
new
API
server
on
on
this
cluster,
and
this
CPA
server
will
be
used
by
the
agents
on
the
other
cluster
to
get
information
read
only
from
the
first
cluster,
so
typically
they'll
be
able
to
share
service
Discovery
information,
the
the
services
and
the
back
ends
the
the
end
points
for
the
services
and
to
perform
load
balancing
between
the
different
clusters.
B
You
can
also
share
Network
policies,
so
typically,
you
can
have
Network
policies
with
labels
that
labels
that
typically
Target
one
or
the
other
clusters.
So
you
can
say
this
backend
from
this
cluster
is
allowed
to
talk
to
this
front-end
or
the
other
way.
Actually,
this
runtime
from
this
cluster
is
allowed
to
talk
to
this
backend
on
the
other
cluster,
and
this
allows
for
cross-cluster
Network
policies.
Encryption
can
also
be
extended
between
the
two
clusters,
as
well
as
obviously
routing,
otherwise
it
wouldn't
work.
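As an illustrative sketch (not from the talk), a cross-cluster rule can reference the cluster a peer lives in through the io.cilium.k8s.policy.cluster label; the app labels and cluster name here are placeholders:

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-from-cluster1       # hypothetical policy name
spec:
  endpointSelector:
    matchLabels:
      app: backend                  # pods this policy protects
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
            io.cilium.k8s.policy.cluster: cluster1  # only frontends from cluster1
```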
B: Another option is to have several clusters with shared services. So here I have a service that is global across the three clusters, but I don't actually have pods on cluster 1 and cluster 2 to implement it; the pods are only on the shared-services cluster. Typically, one use of this is having a stateful cluster where I have, say, a database running and I can't easily scale this cluster, so I'm keeping it...
B
As
a
as
a
buff
in
my
architecture,
whereas
I
might
have
stateless
clusters
or
clusters
that
are
dedicated
to
stateless
applications,
that
I
can
scale
I
will
on
different
availability
zones,
for
example,
or
even
different
providers,
and
then
I'll
have
a
virtual
service
here
that
provides
access
to
my
database
and
this
service
will
be
made
Global
in
a
cluster
mesh
approach
so
that
it
actually
points
to
the
stateful
cluster
foreign.
B
It's
also
possible
to
integrate
with
service
mesh
so
typically
having
an
Ingress
in
front
of
each
cluster
and
then
making
sure
that
the
backend
service
is
always
accessible
using
either
the
local
pods
or
the
remote
pods,
and
in
the
latest
version
of
selenium
you
can
actually
specify
if
you
want
a
local
or
remote
Affinity.
So
if
you
have
a
local
Affinity,
you
will
say
preferably
one
access.
The
service
I
want
to
access
the
local
pods
on
my
cluster.
If
there's
no
such
bus
then
go
to
the
other
cluster
to
fulfill
the
service
access.
B: And that's the same for remote. It looks like this: it's actually a normal Service definition, except it has annotations for the global service and for the service affinity. There are actually other options available for this; this is just to give an example.
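As an illustrative sketch of such a definition (not copied from the slide; the service name and port are placeholders), a global service with local affinity looks roughly like this:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: rebel-base                        # hypothetical service name
  annotations:
    service.cilium.io/global: "true"      # expose this service across the cluster mesh
    service.cilium.io/affinity: "local"   # prefer local backends, fail over to remote
spec:
  selector:
    app: rebel-base
  ports:
    - port: 80
```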
B: Let's dive into security. Like I said, security is very important in Cilium, and it's clearly based on identity. I've shown you how Cilium can use a concept of identities that is native to it and that associates the labels of Kubernetes workloads directly with their identity.
B: This identity, in the case of VXLAN, can actually be transmitted encapsulated in the network packets going from one node to the other, so that the identity is propagated between nodes, typically for observability and network policy applications. In the case of direct routing it works a little bit differently, but the idea is that every time a network flow arrives on a node, there is knowledge of this identity, which allows for advanced observability and network policy enforcement based on it.
B
Based
on
this,
we
can
have
three
layers:
three
levels
of
Network
policy
application,
either
l3s
or
just
connection
between
two
pods
L4
connection,
plus
the
port
or
protocol
TCP,
UDP
and
L7,
which
allows
to
actually
parse
the
the
application
networking
layer
and
extract
the
the
protocol.
The
application
protocol
and
filter
on
this,
so
typically
you
can
allow
HTTP
get
on
slash
public.
That's
an
example,
and
in
this
case
it
will
actually
go
through
an
Envoy
proxy
provided
with
cilia
money
on
every
agent.
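As an illustrative sketch (not from the talk), that GET /public example would map onto a CiliumNetworkPolicy roughly like this; the app labels are placeholders:

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-get-public            # hypothetical policy name
spec:
  endpointSelector:
    matchLabels:
      app: my-api                   # pods this policy protects
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend           # allowed client identity
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:                   # L7 rules are enforced by the per-node Envoy
              - method: GET
                path: /public
```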
B: So typically, when traffic is exiting the cluster, at the moment we have a toFQDNs rule, and you can actually use either exact DNS names or even wildcards. The way it works is that Cilium will cache the answers from kube-dns or CoreDNS and allow connections to the IPs that are known based on the resolution that was cached. There's a high-availability option for the DNS proxy, so that when the agent gets upgraded, or if the agent crashes, which shouldn't happen, the DNS proxy continues to work; this option is available in the Isovalent Cilium Enterprise distribution.
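As an illustrative sketch (not from the talk), a toFQDNs egress rule typically pairs a DNS rule, so the DNS proxy can observe and cache the lookups, with the FQDN allowlist; labels and names are placeholders:

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-github-egress         # hypothetical policy name
spec:
  endpointSelector:
    matchLabels:
      app: fetcher                  # hypothetical workload
  egress:
    - toEndpoints:                  # allow DNS lookups via Cilium's DNS proxy
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    - toFQDNs:                      # only IPs resolved for these names are allowed
        - matchName: api.github.com
        - matchPattern: "*.github.com"
```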
B: So, what can policies match on? The standard things like pod labels, namespaces, service accounts and service names; cluster names as well, when using a cluster mesh; DNS names, which I just talked about; CIDRs, either external CIDRs or, in this case, cloud-provider constructs (one role of the Cilium operator is to actually resolve instance labels, subnets or security-group names into CIDRs); and logical entities. A logical entity can be the host on which the pod, the container, is running; typically, it can also be another host in the cluster, which would be the remote-node entity.
B: We can have great observability thanks to eBPF, and we have several ways of accessing it: typically through a CLI, the Hubble CLI, or the Hubble UI, and both of them use a component that we call Hubble Relay, which gathers all the observability flows from all the nodes in the cluster and allows you to filter them and view them, either on the CLI or with the UI. And on top of this, every one of the components (the Cilium agent, the Cilium operator, Hubble, the Envoy proxy, the DNS proxy) provides metrics, which you can send to your favorite observability platform, because they're essentially Prometheus metrics.
B
So
this
is
an
example
of
the
Hubble
CLI.
So
here
we
have
some
Buzz
running
and
with
the
Hubble
CLI,
you
can
see
traffic
going
through
your
cluster.
So
here
we
see
the
DNS
lookup
that
a
pod
is
doing
to
core
DNS.
We
see
the
reply
in
UDP
and
you
see
the
IDS
that
are
associated
the
https
requests,
and
here
we
see
we
have
DNS
visibility.
B
The
the
IPS
are
replaced
with
the
DNS
names
that
are
known
to
be
associated
in
the
cache,
and
we
can
even
see
here
when
traffic
is
blocked.
So
that's
a
network
policy
being
applied
and
here
the
traffic
is
dropped
at
the
same
request.
Tcp
request.
B
So
this
is
the
the
CLI.
This
is
the
UI
for
Hubble.
This
is
the
open
source
version
of
the
UI.
The
isoville
slim
Enterprise
has
a
slightly
different
version
of
it
with
a
few
more
features,
and
essentially
this
uses
the
same
source
of
information
as
the
CLI
except
it
actually
builds
a
graph
of
dependencies
between
the
Bots
between
the
pods,
the
services
that
shows
how
they
actually
communicate.
So
here
you
only
see
gray
lines,
they
could
be
red
lines
as
well.
B
If
traffic
has
been
dropped,
so
we
can
see
where
it's
being
dropped
and
you
can
actually
click
on
the
boxes
to
get
more
information,
and
here,
in
this
case
in
this
namespace,
you
can
see
that
HTTP
visibility
using
the
Android
proxy
has
been
activated
because
you
see
actually
which
HTTP
requests
were
performed
on
which
services-
and
here
you
have
the
flows,
and
you
can
click
on
the
flows
to
get
more
information
on
every
one
of
them.
B
I'll
finish
the
psyllium
side
with
service
mesh.
This
is
the
extension.
This
is
where
we're
going
at
the
moment,
because
we
know
that
people
are
interested
in
this
part
and
psyllium
is
quite
low
level,
but
a
lot
of
people
are
interested
in
features
that
are
a
bit
higher
level
and
the
idea
is
that
synonym
already
has
a
lot
of
the
features
that
people
expect
from
service
mesh.
B
So
one
thing
we've
added
in
stone:
112
is
the
possibility
of
programming
the
envoy
proxy
that
is
already
provided
with
the
psyllium
agent,
using
a
crd,
so
cm112
provides
a
psyllium,
Envoy
config
crd
that
allows
to
program
your
the
envoy
proxy
on
every
node
using
logical
identity.
So
you
can
see
from
the
spots
to
this
Parts
I
want
to
apply
this
as
Envoy
configuration
and
one
layer
of
control
plane
that
we've
added
in
cm112
is
an
Ingress
controller
that
bases
itself
on
it.
B: So essentially, you can now use the cilium Ingress class (if you've activated the Ingress controller, obviously), and with this Ingress class, Cilium will essentially implement the Ingress by dynamically creating an Envoy configuration for that specific Ingress.
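As an illustrative sketch (not from the talk), using it is just a standard Ingress with the cilium class; names are placeholders:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress                # hypothetical name
spec:
  ingressClassName: cilium          # handled by Cilium's built-in Envoy
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-service  # hypothetical backend service
                port:
                  number: 80
```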
B: In the future, what we're currently working on is support for the Gateway API, and support for SPIFFE, for a form of mutual authentication directly implemented in Cilium. This is planned for 1.13, the next major release of Cilium.
B: You can already use these two with Cilium as, sorry, as an add-on on top of Cilium, but we're also planning in the future to integrate Istio, so that Istio uses the Envoy config CRD natively as the implementation for the Istio abstraction, instead of injecting an Envoy proxy into every pod like it does currently.
B: All of these also allow you to get metrics and observability in the form of flows, and in Isovalent Cilium Enterprise we actually provide a Fluentd service which allows you to easily export all the flows that we have, either from Hubble or from Tetragon, to your favorite SIEM platform.
B: So the way we're seeing this is just the way that, some decades ago, TCP went from being an external library, to being a standard library, to being embedded in the kernel, so that everyone can use TCP without even thinking about it.
B
We
think
that
a
lot
of
the
features
and
service
meshes
today
that
started
at
as
libraries
that
you
had
to
use
in
your
application
for
instrumentation
are
now
at
the
external
implementation
in
the
form
of
sidecar's
step,
and
we
think
it
could
go
even
lower
into
the
kernel,
obviously
not
patching
the
kernel.
The
way
it
was
done
for
TCP
back
in
the
day
by
using
ebpf
to
inject
this
feature,
so
it
becomes
totally
transparent
for
the
users
and
it's
just
there,
observability
encryption,
Mutual,
authentication
and
so
on.
B
We
also
gain
a
lot,
obviously
in
performance,
because
instead
of
having
one
one
proxy
one
avoid
proxy
per
pod,
which
means
a
lot
of
Android
proxies
running
on
your
nodes.
If
you
only
have
one
per
node,
you
gain
a
lot
in
CPUs
and
CPU
and
RAM.
Typically
so
the
The
View
that
the
idea
is
whatever
we
can
do,
natively
any
BPF
would
try
to
do.
Native
Laney.
C
B
Including
observability
security
traffic
management,
because
we
gain
a
lot
in
performance
and
whatever
we
can't
do
natively
in
BPF,
we
can
still
use
an
external
proxy
for
it,
and
evpf
can
still
allow
to
directly
route
into
this
Android
proxy
provided
per
node.
So
are
we
still
getting
performance
compared
to
a
sidecar,
the
performances?
This
is
graph
that
Compass
performances
based
on
a
proxy
or
the
visibility
directly
in
a
kernel
using
an
EPF
note
that
some
of
the
the
sodium
projects
actually
use
directly
eppf
based
HTTP
visibility.
B
This
is
the
case
of
tetragon,
for
example,
and
it's
totally
possible
in
the
future.
We
might
actually
use
these
libraries
that
already
exist
to
parse
HTTP
or
other
layer,
7
protocols
directly
in
the
kernel
to
gaining
performance
again
so
last
point
on
tetragon
and
system
observability
and
enforcement.
So
tetragon
is
kind
of
a
compliment.
B
The
the
really
nice
thing
about
this
is
that,
because
of
ebpf,
we
can
do
correlation
and
aggregation
of
events
directly
in
the
kernel
using
Maps
so
that
we
export
from
the
kernel
into
user
space
only
what
you
want
to
see
already
organized
already
aggregated-
and
this
is
a
huge
game
in
performance
and
then
based
on
this
in
user
space
you'll
have
the
tetragon
agent
agents,
sorry
that
will
read
from
the
different
structures
in
which
the
BPF
programs
have
written,
extract
the
information
and
make
them
available
as
metrics
or
as
flows
of
information
flows
of
events
logs
or
traces.
B
Based
on
this,
you
can
observe
a
lot
of
things:
our
file,
access
network,
namespace
escapes
privilege,
escalation,
access
to
data
on
disk
Network
protocols
and
so
on
and
so
forth.
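As an illustrative sketch (not from the talk), Tetragon is driven by TracingPolicy resources; this one, adapted from the pattern in Tetragon's documentation, hooks the fd_install kernel function to watch access to a specific file, and the file path is a placeholder:

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: watch-sensitive-file        # hypothetical policy name
spec:
  kprobes:
    - call: "fd_install"            # kernel function: a file descriptor is created
      syscall: false
      args:
        - index: 0
          type: "int"
        - index: 1
          type: "file"              # extract the struct file argument
      selectors:
        - matchArgs:
            - index: 1
              operator: "Equal"
              values:
                - "/etc/passwd"     # hypothetical file to watch
```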
B: One of the uses that we have (this is an example from Isovalent Cilium Enterprise, where we have a process-tree view that has existed for many years) is the correlation between what's actually running inside a container and the network flows that result from it. So maybe you see in Hubble: hey, there was a connection to this weird thing here, something like not-reverse-shell.com, which is definitely not a reverse shell, right? And you want to see where it came from.
B
You
know
in
Hubble
that
it
came
from
this
pod
and
so
and
this
view
here,
you
can
actually
look
into
this
box,
see
exactly
what
was
executed
in
the
spot,
that
she's
a
citric
on,
and
you
can
see
that
five
minutes
after
this,
the
the
server.js
standard
application,
the
container
started.
There
was
a
shell
that
was
started
and
an
NC
and
then
a
curl
that
connected
to
elasticsearch-
and
you
can
say:
okay,
there's
something
fishy
here,
but
at
least
you
have
a
trace
of
what
was
executed
and
what
gave
what?
D: I don't have any specific questions, but I've seen that before and it's really, really exciting. We are planning, I think you probably know already, actually, to use it in our group, and we've had to implement some very basic features ourselves previously, and this will allow us to get rid of all of that sort of accumulated stuff, I suppose. But yeah, it looks really, really powerful.
D: Well, there are a few things we want it for. I mean, we haven't implemented all of this, or we've got a solution for it, but really basic stuff (well, not basic) like being able to see real source IPs and that kind of thing for our traffic across clusters. The Tetragon stuff's really exciting, because we can use that; we've got a lot of requirements around it. The things we have implemented ourselves are more around the sort of service-meshy kind of stuff.
D: So, concepts like egress gateways and that kind of thing; we use Envoy ourselves and configure it to do this kind of thing, and I've also seen the whole, almost like a sort of global network policy, thing working across clusters, which is really exciting. But we've had to come up with, I guess, we've pieced this together ourselves out of existing Kubernetes primitives and CNCF stuff, and having something like this, which wraps it all up for us, is an attractive proposition.
D: We've used Calico a lot of the time, and it's been okay, but it's exciting to try something that just opens up a whole load of new capabilities. I don't know if you guys have looked at anything like that.
A: Yeah, so actually we discussed this with Raphaël very recently as well, and one of the main things we've been looking at is the possibility of doing cluster mesh. This is because we still push for people to have these kinds of disposable clusters, and to have applications deployed across multiple clusters instead of having clusters that need to be upgraded in place, and things like this, and for stateful workloads this can be problematic.
A: So we've been looking at cluster mesh to kind of expand the boundaries cross-cluster, which should allow us to potentially use this model even for things that have stateful workloads running, like databases, or, I don't know, we have some, even for batch or ML, where you have long-running jobs.
B: So you're considering specifically the shared-services model, like a stateful cluster and then several stateless clusters that would access the services on the stateful cluster in a transparent way, using global services?
A: Yeah, so that's one option, and the other one is even to run the stateful workloads that have multiple replicas across multiple clusters. Even with no connectivity, say, across ten premises, we could consider having replicas in multiple clusters, and eventually just make them also kind of disposable as we add more.
A: Who knows how easy this is to do, of course, but by having a mesh for the pods, and even, one thing, I don't know if you mentioned it or not, but even this restriction that exists today, which I know will disappear, about having non-overlapping subnets across multiple clusters: this is really a big deal for us, because we orchestrate everything centrally. But yeah, it will become simpler.
E: I have a quick question around how it compares to Admiralty, in that sort of feature space.
E: It's sort of like, yeah, so Admiralty is sort of the ability to federate clusters, you know, run one workload from one cluster into another, and it sounded like there were a lot of those types of features, to provide some sort of federation. The use case I'm looking at is sort of on-prem cloud-bursting type things, where you have an on-prem cluster, and then you provide a cloud-bursting capability and sort of stitch those together in some manner.
D: I'm not going to answer that, actually. I think Admiralty was more around sort of federated deployment of applications, rather than accessing them. So that would be your single pane of glass to deploy something that's replicated across different clusters and environments, whereas what we're seeing here is more around, I suppose, the CNI and the network access to applications, decisions that get made post-deployment. I don't think Cilium does any kind of deployment of applications for you.
E: But from what we're trying to accomplish, could you do that bursting type of federated thing across multiple clusters?
A: So actually, that was the other point I wanted to mention that we are looking at, and I already mentioned it to Raphaël, which is exactly that: the ability to do sort of cluster mesh across regions or data centers, which means that you won't necessarily have node-to-node connectivity, because you might not have a VPN or something that would allow this. The way Admiralty works, I'm also not an expert...
A: ...but my understanding is that it kind of has gateway pods that then communicate with the remote ones. So it's kind of similar to what...
A: Yeah, but it's really targeting not only the services, but also the kind of batch workloads, where you can submit pods to one cluster and then the actual workloads run in a remote cluster, and they're kind of tracked through proxy pods in the local cluster. Potentially we could do this transparently at the cluster level, like we do with cluster mesh, but we would need this kind of cross-boundary communication without necessarily having a VPN or something like that. I think that's kind of the way Admiralty tends to do it, so yeah.
A: Yeah, but maybe we take this, I had one more question for Raphaël, but maybe we take this as a kind of action item on the group, and also on Cilium, which is to track how feasible this model is with Cilium: to kind of burst not just across clusters, but across network boundaries.
A: The other question I had was: Jamie also mentioned that they're using Calico. Is there anything that is worth knowing if people were to move from Calico to Cilium? Is there something that would be lost, or that should be considered?
B: No, at the moment it's just different images and different Helm charts, but there's no license per se.
D
I've
seen
in
the
past
with
products
where
actually
it's
sometimes
the
most
annoying
thing
about
using
the
Enterprise
Edition,
even
though
you
beat
them
apart
from
paying,
for
it
is
oh
and
then
you
have
to
provide
license,
keys
and
set
up
some
complex
infrastructure,
especially
if
you're,
on-prem
and
don't
have
internet
access.
Then
it
all
gets
a
bit
difficult.
But
that's.
A: All right. Otherwise, I think, yeah, I guess so. Yeah, Alex, it was a late, late announcement.
A: So I guess I was just trying to summarize what the main motivations are from this community to move to Cilium, and I guess the ones we got here were the ability to do cluster mesh, potentially doing hybrid bursting things, and then, Jamie, you mentioned, because you have quite a lot of clusters as well, is this something that you're also looking at?
D: Things like access to the more global kind of network policy, and then, I was curious, the other thing is the Tetragon stuff, right. That's okay.
C: Yeah, and just to note something on this: my team has started looking at that directly, Tetragon and Cilium, as of last week, from a security standpoint.
A: Nice. Maybe I have a related question, which is regarding our load balancers.
A: We have a different solution there, because you mentioned tracking the source IP, and we always have this issue that if you have, say, TLS that just passes through the load balancer to the backend, you lose the initial IP, and we've started enabling the proxy protocol to be able to propagate the source IP of the client to the backends.
D: I've tried, and failed, to do that, actually, using the externalTrafficPolicy.
A
We,
okay,
that
that's
what
we
are
doing
and
actually
that
works.
What
we
were
losing
was
the
source
IP
in
the
lb,
because.
E
A
Of
TLS,
but
with
proxy
protocol
and
using
something
like
engine
X
for
for
the
Ingress.
This
is
all
working
and
for
dlbs
we're
actually
using
aha
proxy
with
a
kind
of
active,
passive.
B: With the external VIP, I couldn't say at the moment. One thing I've seen is keeping the source IP, but that's kind of a different situation: what you have there is the possibility of actually doing the routing directly, or keeping the IP address when accessing the service, and there are two ways of doing this. There's either DSR or... what was the other one? I don't remember.
B
Actually
so
there's
ways
to
so
so
DSR
will
make
it
so
that
the
backend
will
actually
reply
directly
to
the
to
the
source
safety
with
a
routing
without
doing
an
S9
so
going
back
through
the
node
in
which
and
entered,
but
that
doesn't
really
solve
your
situation
right
because
you
want
to
go
through
an
L7
proxy
right.
B: So we have HTTP or HTTPS visibility, but Cilium itself, using eBPF, as far as I know, doesn't handle the proxy protocol at L7, but...
A: But in this case it would actually be enough, because this is, like, pure TLS, and the proxy protocol is really just a blob at the start of the binary packet, and this blob is understood by some implementations of...
A: Thank you. All right, I don't have anything else, so last chance for a couple more questions for Raphaël.
A: Otherwise, thanks a lot again, Raphaël, and especially for the immediate reaction to the call; that was pretty awesome. Yeah.
A: Yeah, and we'll keep track of how people start using Cilium, also in the research departments.
A: We'll have the next meeting in two weeks, I think. I'm always confused about this, first and third, but I think it's two weeks. So yeah, we'll circulate the topic in a bit, and then maybe next time we also prepare the topics for at least the rest of the year.
D: Yeah, we need to refresh the backlog; we tried with Robert recently.