Posted: 11-Apr-2017 | Category: Software | Uploaded by: thomas-graf
Application Architectures        Delivery Frequency   Operational Complexity
Single Server App                Yearly               Low
Distributed Microservices App    10-100 x's / day     Extreme
3-Tier App                       Monthly              Moderate
CODE CONSISTENCY AT VELOCITY
Network Security has not evolved

The world still runs on iptables matching IPs and ports (L3/L4):

    $ iptables -A INPUT -p tcp \
        -s 15.15.15.3 --dport 80 \
        -m conntrack --ctstate NEW \
        -j ACCEPT
Network Security for microservices

    Pod "Frontend"  ---->  Pod "Store" (API)
                               GET /healthz
                               GET /store/{id}
                               PUT /store/{id}
                               PUT /config

L3/L4 policy:   FROM frontend ALLOW tcp:80
Request:        GET /store/myItem HTTP/1.1  ->  OK

With only an L3/L4 rule, every endpoint of the Store API is reachable from the
frontend on tcp:80. The attack surface therefore includes the three endpoints
the frontend never calls (marked "exposed" on the slide), not just GET /store/{id}.

L7 policy:      FROM frontend ALLOW GET /store/.*
Request:        GET /store/myItem HTTP/1.1  ->  OK

With an L7 rule the frontend can reach only GET /store/{id}; the other three
endpoints are no longer exposed to it.
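The difference between the two slides is easiest to see by evaluating both rules against the Store API's request lines. The following is an added example, not code from the talk or from Cilium: a toy policy evaluator with the slide's L3/L4 rule (FROM frontend ALLOW tcp:80) and L7 rule (FROM frontend ALLOW GET /store/.*), run over four constructed request lines that stand in for the four endpoints ("myItem" substituted for {id}). The identity label "frontend" and the request/rule structs are modelling assumptions, not Cilium's data model.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One HTTP request from the Frontend pod as a policy engine sees it:
 * L3/L4 identity and destination port plus the parsed L7 request line. */
struct request {
    const char *from;   /* source endpoint identity (assumed label, e.g. "frontend") */
    int port;           /* destination TCP port */
    char method[8];
    char path[128];
};

/* L3/L4 rule from the slide: FROM frontend ALLOW tcp:80 */
struct l4_rule { const char *from; int port; };
/* L7 rule from the slide: FROM frontend ALLOW GET /store/.* (path is a regex) */
struct l7_rule { const char *from; const char *method; const char *path_re; };

static const struct l4_rule frontend_l4 = { "frontend", 80 };
static const struct l7_rule frontend_l7 = { "frontend", "GET", "/store/.*" };

/* Parse "GET /store/myItem HTTP/1.1" into method and path; false if malformed. */
static bool parse_request_line(const char *line, struct request *q)
{
    char version[16];
    if (sscanf(line, "%7s %127s %15s", q->method, q->path, version) != 3)
        return false;
    return strncmp(version, "HTTP/", 5) == 0;
}

static bool l4_allows(const struct l4_rule *r, const struct request *q)
{
    return strcmp(r->from, q->from) == 0 && r->port == q->port;
}

static bool l7_allows(const struct l7_rule *r, const struct request *q)
{
    if (strcmp(r->from, q->from) != 0 || strcmp(r->method, q->method) != 0)
        return false;
    /* Anchor the pattern so "/store/.*" cannot match a path that merely contains it. */
    char anchored[160];
    snprintf(anchored, sizeof anchored, "^%s$", r->path_re);
    regex_t re;
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return false;   /* fail closed on an unusable pattern */
    int rc = regexec(&re, q->path, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Verdict for one request line under L4 + L7 policy; unparseable lines are denied. */
static bool l7_allows_line(const char *from, int port, const char *line)
{
    struct request q = { .from = from, .port = port };
    if (!parse_request_line(line, &q))
        return false;
    return l4_allows(&frontend_l4, &q) && l7_allows(&frontend_l7, &q);
}

/* Constructed sample traffic: the Store API from the slide with a concrete id. */
static const char *const store_api_requests[] = {
    "GET /healthz HTTP/1.1",
    "GET /store/myItem HTTP/1.1",
    "PUT /store/myItem HTTP/1.1",
    "PUT /config HTTP/1.1",
};
#define N_API (sizeof store_api_requests / sizeof store_api_requests[0])

/* How many Store endpoints the frontend can reach on tcp:80.
 * with_l7 == false: L3/L4 rule only; with_l7 == true: L3/L4 plus L7 rule. */
static int reachable_from_frontend(bool with_l7)
{
    int n = 0;
    for (size_t i = 0; i < N_API; i++) {
        struct request q = { .from = "frontend", .port = 80 };
        if (!parse_request_line(store_api_requests[i], &q))
            continue;
        bool ok = with_l7 ? l7_allows_line("frontend", 80, store_api_requests[i])
                          : l4_allows(&frontend_l4, &q);
        if (ok)
            n++;
    }
    return n;
}

int main(void)
{
    printf("L3/L4 (FROM frontend ALLOW tcp:80):       %d of %zu endpoints reachable\n",
           reachable_from_frontend(false), N_API);
    printf("L7    (FROM frontend ALLOW GET /store/.*): %d of %zu endpoints reachable\n",
           reachable_from_frontend(true), N_API);
    return 0;
}
```

The L4 rule admits all four endpoints, the L7 rule exactly one. Two details matter in a real enforcement point and are reflected here: the path regex is anchored, and a request that cannot be parsed is denied rather than falling back to the L4 verdict. A production proxy also matches on the normalised path, which this toy does not do.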
What is BPF?

    .insns = {
        /* key on the stack: r2 = fp - 8; *(u64 *)(fp - 8) = 0 */
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
        /* r1 = map; r0 = map_lookup_elem(map, key) */
        BPF_LD_MAP_FD(BPF_REG_1, 0),
        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
        /* spill the returned value pointer to fp - 152 */
        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
        BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
        /* NULL check the verifier insists on: skip the store if lookup failed */
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
        BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
        BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
        BPF_EXIT_INSN(),
    }
What is BPF?

    USER SPACE                                   KERNEL
    SOURCE CODE [C]  -->  BYTE CODE [BPF]  -->   VERIFIER + JIT  -->  BPF program in a SANDBOX

    Process  --- write() --->  [BPF sandbox in the kernel]  --->  EACCES

The slide builds up in three steps: C source is compiled to BPF byte code, the
kernel verifies and JIT-compiles it, and the resulting program runs in a kernel
sandbox where it can mediate what a process does (here a write() call denied with EACCES).
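The write() -> EACCES picture is the seccomp use of BPF: a small program loaded into the kernel decides per syscall. As an added example (not from the talk, and using classic BPF as seccomp requires rather than the eBPF instructions above), this installs a filter in a forked child that returns EACCES for write() and allows everything else, then reports the errno the child observed. A production filter would also check seccomp_data.arch before trusting the syscall number; that check is omitted here and noted in the code.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Classic BPF filter: deny write() with EACCES, allow every other syscall.
 * Omitted for brevity: the arch check (seccomp_data.arch) a real filter does first. */
static struct sock_filter deny_write[] = {
    /* A = seccomp_data.nr, the syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* if (A == __NR_write) fall through to the ERRNO return, else skip to ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Load the filter into the calling process. Returns 0, or -errno on failure.
 * The kernel validates the program before it is installed; an invalid one is rejected. */
static int install_deny_write(void)
{
    struct sock_fprog prog = {
        .len = sizeof deny_write / sizeof deny_write[0],
        .filter = deny_write,
    };
    /* Unprivileged processes must first give up the ability to gain privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Fork a child, sandbox it, let it try write(); return the errno the child saw.
 * Returns 255 if the filter could not be installed, -1 on fork/wait failure. */
static int write_errno_under_filter(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_deny_write() != 0)
            _exit(255);
        char c = 'x';
        int err = 0;
        /* write() is exactly what we denied, so report through the exit status. */
        if (write(STDOUT_FILENO, &c, 1) < 0)
            err = errno;
        _exit(err & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int err = write_errno_under_filter();
    printf("write() in the sandboxed child failed with errno %d (EACCES is %d)\n", err, EACCES);
    return err == EACCES ? 0 : 1;
}
```

The parent process is untouched: seccomp filters apply to the installing thread and its descendants only, which is what makes the child a convenient place to demonstrate the verdict without affecting the program reporting it.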
BPF CODE GENERATION AT CONTAINER STARTUP

• Generate networking code at container startup
  + Tailored to each container
  + Include minimal code required
  -> Faster, smaller attack surface
• Constant config (IP, MAC, ports, …), compiler optimization
• Regeneration at runtime without breaking connections
[Chart] BPF redirect() performance [GBit per core]
x axis: 1 .. 22; y axis: 0 .. 600
Bar values as read from the chart, left to right:
75 140 205 240 325 365 370 365 410 412 425 445 450 460 460 490 495 505 515 525 545 565
Intel Xeon 3.5Ghz Sandy Bridge, 24 Cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies