eBPF - Getting Started with eBPF & Cilium | Sebastian Czech

Books:
Labs:
- Getting started with eBPF
- Getting Started with Cilium

Notes from lab Getting Started with Cilium:

Cilium provides:
- Connectivity
- Observability
- Security capabilities in a Cloud Native World
Cilium is based on eBPF
Hubble is a fully distributed networking and security observability platform for Cloud Native workloads
Hubble is built on top of Cilium and eBPF
Cilium uses the labels assigned to pods to define security policies

Commands from lab Getting Started with Cilium:

cilium install
cilium status

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/http-sw-app.yaml
kubectl get pods,svc

### cep - Cilium Endpoint
kubectl get cep --all-namespaces

kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

### https://docs.cilium.io/en/v1.12/policy/language/#simple-ingress-allow
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/sw_l3_l4_policy.yaml

kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/sw_l3_l4_l7_policy.yaml

kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port

kubectl apply -f /root/policies/sneak.yaml

kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

Kubernetes Network Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rule1
spec:
  podSelector:
    matchLabels:
      org: empire
      class: deathstar
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              org: empire
      ports:
        - port: 80
          protocol: TCP

Cilium Network Policy:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: rule1
spec:
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
    - fromEndpoints:
        - matchLabels:
            org: empire
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: /v1/request-landing

Other Cilium Network Policy example:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: rule1
spec:
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
    - fromEndpoints:
        - matchLabels:
            org: empire
            class: tiefighter
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: /v1/request-landing

Commands from lab Getting started with eBPF:

cd ~/bcc/libbpf-tools
make opensnoop
./opensnoop

readelf --section-details --headers .output/opensnoop.bpf.o

bpftool prog list
bpftool map list

bpftool prog dump xlated id 48 linum

cat /sys/kernel/debug/tracing/trace_pipe

Own trace message in opensnoop.bpf.c:

   /* emit event */
   bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU,
                 &event, sizeof(event));

   bpf_printk("Hello world");

cleanup:
   bpf_map_delete_elem(&start, &pid);
   return 0;
}