demand. This results in a large number of application containers to be started in a short period of time. Typical container firewalls secure workloads by filtering on source IP addresses and destination Cluster Mesh With Kind we can simulate Cluster Mesh in a sandbox too. Kind Configuration This time we need to create (2) config.yaml, one for each kubernetes cluster. We will explicitly configure their In order for the entire system to come up, the following components have to be running at the same time: kube-dns or coredns cilium-xxx cilium-etcd-operator etcd-operator etcd-xxx All timeouts are configured

demand. This results in a large number of application containers to be started in a short period of time. Typical container firewalls secure workloads by filtering on source IP addresses and destination efficient service-to-backend translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Management Cilium implements bandwidth management through efficient EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce

demand. This results in a large number of application containers to be started in a short period of time. Typical container firewalls secure workloads by filtering on source IP addresses and destination Cluster Mesh With Kind we can simulate Cluster Mesh in a sandbox too. Kind Configuration This time we need to create (2) config.yaml, one for each kubernetes cluster. We will explicitly configure their In order for the entire system to come up, the following components have to be running at the same time: kube-dns or coredns cilium-xxx cilium-operator-xxx cilium-etcd-operator etcd-operator cilium-etcd-xxx

demand. This results in a large number of application containers to be started in a short period of time. Typical container firewalls secure workloads by filtering on source IP addresses and destination efficient service-to-backend translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Management Cilium implements bandwidth management through efficient EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce

demand. This results in a large number of application containers to be started in a short period of time. Typical container firewalls secure workloads by filtering on source IP addresses and destination In order for the entire system to come up, the following components have to be running at the same time: kube-dns or coredns cilium-xxx cilium-etcd-operator etcd-operator etcd-xxx All timeouts are configured CrashLoopBackoff, bootstrapping can be expedited by restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly

demand. This results in a large number of application containers to be started in a short period of time. Typical container firewalls secure workloads by filtering on source IP addresses and destination efficient service-to-backend translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Management Cilium implements bandwidth management through efficient EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce

terminal window for A-Wing, set A-wing’s coordinates: >>> client.set("awing-coord","4309.432,918.980",time=2400) True >>> client.get("awing-coord") '4309.432,918.980' In your main terminal window, have "0.0,0.0",time=2400) True >>> client.get("xwing-coord") '0.0,0.0' From A-Wing, set the X-Wing coordinates back to their proper posi�on: >>> client.set("xwing-coord","8893.34,234.3290",time=2400) True window: >>> client.get("xwing-coord") '8893.34,234.3290' >>> client.set("awing-coord","0.0,0.0",time=1200) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python3

assembly language with a stable instruction set. eBPF programs can be loaded and upgraded in real time without the need to restart the kernel. System calls Bees of various talents took many roles in that the program always runs to completion (will not sit in a loop forever, holding up further processing). System calls Captain Tux soon heard of possible improvement options. eBee’s fellows were zealous the lead. SLOW 0 0 0 0 1 1 1 1 0 1 1 1 0 0 1 1 0 0 0 0 1 0 0 1 1 0 1 0 0 1 1 0 The Just-in-Time (JIT) compilation step translates the generic bytecode of the program into the machine-specific instruction

Attempt #1 - The result ● The default falco rules are not well suited for a dev platform ● The processing overhead is non-trivial ● Falco's eBPF module + ContainerOS was not very performant Attempt

2020 2 What will we be doing? 3 How are we going to do it? 4 Demo time 5 Tracing Go function with uprobes 6 Demo time 7 Conclusions ● eBPF programs can be attached to different events: ○