Thomas Graf on Cilium, the 1.6 Release, eBPF Security, & the Road ahead
Thomas Graf discusses the recent 1.6 release, some of the security questions/concerns around eBPF, and the future roadmap for the project
Technology
External
Technology
CVE-2019-13119: Policy bypass via nested encapsulation
On May 25 2019, a security relevant bug has been reported to us via the documented security disclosure channel. It was soon identified that multiple vendors are affected by this vulnerability. This lead to an embargo period which is being lifted today. The bug allows, under certain circumstances, to bypass network security policies. See below for details on the vulnerability and the mitigation.
Technology
Deep Dive into Facebook's BPF edge firewall
We have covered Facebook's BPF-based load balancer with DDoS protection in a previous blog post. This post provides further details on Facebook's BPF use by covering Anant Deepak's talk at the BPF/networking microconference on Facebook's BPF-based edge firewall running in production.
Technology
Kubernetes Network Policies Using Cilium - Controlling Ingress/Egress from Namespaces
Kubernetes clusters are used by multiple tenants to run their containerized workloads. Often, the tenant workloads are mapped to namespaces and strict access control is required for inter-namespace communications. The access control could be needed for separation of concerns such as monitoring namespace vs application namespace; for compliance such as PCI vs non-PCI workloads; or to meet requirements of serving different end customers such as workloads serving Pepsi vs Coke. In this post, we will look at namespace based segmentation of traffic along with examples of allowing specific inter-namespace communications.
Technology
Istio 1.0: How Cilium enhances Istio with socket-aware BPF programs
Istio 1.0 was released last week. From the Cilium community, we would like to congratulate all Istio contributors for this massive effort. We have been fortunate to participate in the community by contributing to Istio and by helping several users moving towards production with Istio and Cilium.
Technology
Cilium - Rethinking Linux Networking and Security for the Age of Microservices
To celebrate the Cilium project hitting 1.0, we wanted to take a moment to share the broader story behind how BPF and Cilium are driving the biggest change in the past two decades of Linux networking and security, and invite you to join in on the fun. We're just getting started!
Technology
Why is the kernel community replacing iptables with BPF?
The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.
Technology
Cilium Now Speaks gRPC!
The Cilium team is happy to announce tech preview support for gRPC-aware filtering!
Technology
What Cilium and BPF will bring to Istio
There is a lot of excitement around Istio this week at KubeCon. We are getting pinged multiple times a day now with questions on how exactly Cilium and Istio relate to each other. Istio abstracts away a lot of networking specific complexity and provides visibility and control to application teams. We couldn't agree more with the moving networking to Layer 7 and provide the necessary instruments for efficient operation at the layer where it makes sense:the application protocol. This blog post serves to answer a simple question:How is Istio related to Cilium? Can I use both together? Will one benefit from the other?
Technology
Community
Slack
For live conversation and quick questions, join the Cilium Slack workspace. Don’t forget to say hi!
Join slack workspace