Notes from lab Getting Started with Cilium:

  • Cilium provides:
    • Connectivity
    • Observability
    • Security capabilities in a Cloud Native World
  • Cilium is based on eBPF
  • Hubble is a fully distributed networking and security observability platform for Cloud Native workloads
  • Hubble is built on top of Cilium and eBPF
  • Cilium uses the labels assigned to pods to define security policies

Commands from lab Getting Started with Cilium:

cilium install
cilium status

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/http-sw-app.yaml
kubectl get pods,svc

### cep - Cilium Endpoint
kubectl get cep --all-namespaces

kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

### https://docs.cilium.io/en/v1.12/policy/language/#simple-ingress-allow
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/sw_l3_l4_policy.yaml

kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/sw_l3_l4_l7_policy.yaml

kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port

kubectl apply -f /root/policies/sneak.yaml

kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

Kubernetes Network Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rule1
spec:
  podSelector:
    matchLabels:
      org: empire
      class: deathstar
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              org: empire
      ports:
        - port: 80
          protocol: TCP

Cilium Network Policy:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: rule1
spec:
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
    - fromEndpoints:
        - matchLabels:
            org: empire
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: /v1/request-landing

Other Cilium Network Policy example:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: rule1
spec:
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
    - fromEndpoints:
        - matchLabels:
            org: empire
            class: tiefighter
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: /v1/request-landing
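
The difference between the L3/L4 policy and the L3/L4/L7 policy above explains the curl results in the commands section. As an added illustration (not code from the lab or from Cilium) the following models those two policies and checks the same requests; it assumes exact-string path matching and ingress only, a simplification of Cilium's real semantics:

```python
# Added illustration, not lab or Cilium code. Policy dicts mirror the
# sw_l3_l4 and sw_l3_l4_l7 specs above; matching is a simplified reading
# of Cilium ingress semantics (exact path compare, ingress only).

def selector_matches(match_labels, labels):
    """A matchLabels selector matches when every key/value is on the endpoint."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def ingress_allowed(policy, src, dst, port, method=None, path=None):
    """True if policy lets traffic from endpoint labels src reach dst on port;
    when a toPorts entry carries an http rule, method/path must also match."""
    spec = policy["spec"]
    if not selector_matches(spec["endpointSelector"]["matchLabels"], dst):
        return True  # policy does not select dst, so it imposes nothing on it
    for rule in spec.get("ingress", []):
        peers = rule.get("fromEndpoints", [])
        if not any(selector_matches(p["matchLabels"], src) for p in peers):
            continue  # this ingress rule is about other sources
        if "toPorts" not in rule:
            return True  # L3-only rule: any port from an allowed peer
        for tp in rule["toPorts"]:
            if not any(int(p["port"]) == port for p in tp["ports"]):
                continue
            http_rules = tp.get("rules", {}).get("http")
            if http_rules is None:
                return True  # L3/L4 rule: every request on the port passes
            return any(r.get("method") == method and r.get("path") == path
                       for r in http_rules)
    return False  # selected endpoint with no matching rule: default deny


def deathstar_policy(http_rules=None):
    """Build the deathstar ingress policy, optionally with an L7 http rule."""
    to_port = {"ports": [{"port": "80", "protocol": "TCP"}]}
    if http_rules:
        to_port["rules"] = {"http": http_rules}
    return {"spec": {
        "endpointSelector": {"matchLabels": {"org": "empire", "class": "deathstar"}},
        "ingress": [{"fromEndpoints": [{"matchLabels": {"org": "empire"}}],
                     "toPorts": [to_port]}]}}


# Constructed endpoint labels matching the lab's pods.
L3_L4 = deathstar_policy()
L3_L4_L7 = deathstar_policy([{"method": "POST", "path": "/v1/request-landing"}])
TIEFIGHTER = {"org": "empire", "class": "tiefighter"}
XWING = {"org": "alliance", "class": "xwing"}
DEATHSTAR = {"org": "empire", "class": "deathstar"}
```

Under L3_L4 the tiefighter's PUT to /v1/exhaust-port still goes through; only the L7 rule in L3_L4_L7 narrows it to POST /v1/request-landing.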

Commands from lab Getting started with eBPF:

cd ~/bcc/libbpf-tools
make opensnoop
./opensnoop

readelf --section-details --headers .output/opensnoop.bpf.o

bpftool prog list
bpftool map list

bpftool prog dump xlated id 48 linum

cat /sys/kernel/debug/tracing/trace_pipe

Own trace message added in opensnoop.bpf.c (it shows up in trace_pipe, see the cat command above):

   /* emit event */
   bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU,
                 &event, sizeof(event));

   /* added line: writes to /sys/kernel/debug/tracing/trace_pipe */
   bpf_printk("Hello world");

cleanup:
   bpf_map_delete_elem(&start, &pid);
   return 0;
}