v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 Note If minikube is deployed as a container (that is if docker any other driver from the supported list [https://minikube.sigs.k8s.io/docs/drivers/]. minikube start --cni=cilium --memory=4096 # Only available for minikube >= v1.12.1 Note From minikube v1.12.1+ 1+, cilium networking plugin can be enabled directly with -- cni=cilium parameter in minikube start command. With this flag enabled, minikube will not only mount eBPF file system but also deploy quick- install

cilium. minikube start --network-plugin=cni --cni=false Note From minikube v1.12.1+, cilium networking plugin can be enabled directly with -- cni=cilium parameter in minikube start command. However, Network Plugin Requirements [https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network- plugin-requirements]) Linux kernel >= 4.9.17 Tip See System Requirements install --version 1.11.20 k3s To install Cilium on k3s [https://rancher.com/docs/k3s/latest/en/quick-start/], perform the following steps: Default Configuration: Datapath IPAM Datastore Encapsulation Cluster

documentation: Install Minikube [https://kubernetes.io/docs/tasks/tools/install-minikube/]. minikube start --network-plugin=cni Install the Cilium CLI Install the latest version of the Cilium CLI. The Cilium Network Plugin Requirements [https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network- plugin-requirements]) Linux kernel >= 4.9.17 Tip See System Requirements cluster: cilium install k3s To install Cilium on k3s [https://rancher.com/docs/k3s/latest/en/quick-start/], perform the following steps: Default Configuration: Datapath IPAM Datastore Encapsulation Cluster

52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 # Only available for minikube >= v1.12.1 minikube start --cni=cilium --memory=4096 Note From minikube v1.12 cilium networking plugin can be enabled directly with -- network-plugin=cilium parameter in minikube start command. With this flag enabled, minikube will not only mount eBPF file system but also deploy quick- specific Kubernetes version, the --kubernetes- version vx.y.z parameter can be appended to the minikube start command for bootstrapping the local cluster. By default, minikube will install the most recent version

l-minikube/]. minikube version minikube version: v0.33.1 Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 Note that in case of installing Cilium for a specific Kubernetes Kubernetes version, the --kubernetes-version vx.y.z parameter can be appended to the minikube start command for bootstrapping the local cluster. By default, minikube will install the most recent version of export AWS_DEFAULT_REGION="zzz" Configure Terraform Variables Configure Terraform Variables We will start by specifying the infrastructure needed for the Kubernetes cluster. $ cd contrib/terraform/aws $

v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 4. Mount the BPF filesystem minikube ssh -- sudo mount bpffs specific Kubernetes version, the --kubernetes- version vx.y.z parameter can be appended to the minikube start command for bootstrapping the local cluster. By default, minikube will install the most recent version export AWS_SSH_KEY_NAME="yyy" export AWS_DEFAULT_REGION="zzz" Configure Terraform Variables We will start by specifying the infrastructure needed for the Kubernetes cluster. $ cd contrib/terraform/aws $

v1.3.1 commit: ca60a424ce69a4d79f502650199ca2b52f29e631 3. Create a minikube cluster: minikube start --network-plugin=cni --memory=4096 4. Mount the BPF filesystem minikube ssh -- sudo mount bpffs specific Kubernetes version, the --kubernetes- version vx.y.z parameter can be appended to the minikube start command for bootstrapping the local cluster. By default, minikube will install the most recent version See the Node Configration [https://kind.sigs.k8s.io/docs/user/configuration/#nodes] documentation. Start Kind Pass the kind-config.yaml you created with the --config flag of kind. kind create cluster

20.pdf twagent Container (aka “task”): ● namespaces: cgroup, mount, pid and optionally: ipc, net, user, uts ● cgroup v2 ● ... other usual building blocks ... ● cgroup-bpf programs 2 Vast majority firewall is still useful ● Should affect only task state, not host ● Rules auto-cleanup on task stop is important ● Has to be integrated with service discovery, etc Solution: ● Use BPF_CGROUP_INET_{EGRESS use-case allows, filter on socket level by BPF_CGROUP_INET6_{CONNECT,SENDMSG} ● Attached on task start ● Actions: pass, drop, log (via perf buffer) ● Filter by local/remote IP, IP prefix, port, protocol

- Enable debugging symbols under Kernel Hacking -> compile options git clone git://git.buildroot.net/buildroot /source/buildroot cd buildroot make menuconfig make -j16 Rootfs Remember to: - Select -append "root=/dev/sda rw console=ttyS0,115200 acpi=off nokaslr" \ -serial stdio -display none Start the test VM cd /source/linux gdb build/vmlinux (gdb) target remote localhost:1234 (gdb) bpf/syscall

ink bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/echo_dispatch_prog", …) = 3 openat(…, "/proc/self/ns/net", …) = 4 bpf(BPF_LINK_CREATE, {link_create={prog_fd=3, target_fd=4, netns_ino 4026531992 attach_type sk_lookup $ ls -l /proc/self/ns/net lrwxrwxrwx. 1 vagrant vagrant 0 Oct 23 13:35 /proc/self/ns/net -> 'net:[4026531992]' prog attached to netns syscall trace Enable echo