Technology

Jul 01, 2019

CVE-2019-13119: Policy bypass via nested encapsulation

On May 25, 2019, a security-relevant bug was reported to us via the documented security disclosure channel. It was soon identified that multiple vendors are affected by this vulnerability. This led to an embargo period, which is being lifted today. Under certain circumstances, the bug allows network security policies to be bypassed. See below for details on the vulnerability and the mitigation.

Technology
Nov 20, 2018

Deep Dive into Facebook's BPF edge firewall

We have covered Facebook's BPF-based load balancer with DDoS protection in a previous blog post. This post provides further details on Facebook's BPF use by covering Anant Deepak's talk at the BPF/networking microconference on Facebook's BPF-based edge firewall running in production.

Technology
Sep 20, 2018

Kubernetes Network Policies Using Cilium - Controlling Ingress/Egress from Namespaces

Kubernetes clusters are used by multiple tenants to run their containerized workloads. Often, the tenant workloads are mapped to namespaces, and strict access control is required for inter-namespace communications. The access control could be needed for separation of concerns, such as monitoring namespace vs application namespace; for compliance, such as PCI vs non-PCI workloads; or to meet requirements of serving different end customers, such as workloads serving Pepsi vs Coke. In this post, we will look at namespace-based segmentation of traffic along with examples of allowing specific inter-namespace communications.

Technology
Aug 07, 2018

Istio 1.0: How Cilium enhances Istio with socket-aware BPF programs

Istio 1.0 was released last week. From the Cilium community, we would like to congratulate all Istio contributors for this massive effort. We have been fortunate to participate in the community by contributing to Istio and by helping several users move towards production with Istio and Cilium.

Technology
Apr 24, 2018

Cilium - Rethinking Linux Networking and Security for the Age of Microservices

To celebrate the Cilium project hitting 1.0, we wanted to take a moment to share the broader story behind how BPF and Cilium are driving the biggest change in the past two decades of Linux networking and security, and invite you to join in on the fun. We're just getting started!

Technology
Apr 17, 2018

Why is the kernel community replacing iptables with BPF?

The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.

Technology
Dec 06, 2017

Cilium Now Speaks gRPC!

The Cilium team is happy to announce tech preview support for gRPC-aware filtering!

Technology
Dec 05, 2017

What Cilium and BPF will bring to Istio

There is a lot of excitement around Istio this week at KubeCon. We are getting pinged multiple times a day now with questions on how exactly Cilium and Istio relate to each other. Istio abstracts away a lot of networking-specific complexity and provides visibility and control to application teams. We couldn't agree more with moving networking to Layer 7 and providing the necessary instruments for efficient operation at the layer where it makes sense: the application protocol. This blog post serves to answer a simple question: How is Istio related to Cilium? Can I use both together? Will one benefit from the other?

Technology
Nov 20, 2017

BPF Updates 13

The v4.15 merge window is open and LWN.net already has a summary of part 1 out, which contains a BPF section listing some of the new things
