CNCF-hosted Co-located Events North America 2024

Confluent Cloud is a data streaming platform built on thousands of Kubernetes clusters across AWS, Azure & GCP. Confluent migrated clusters to use Cilium for its advanced security features like transparent encryption and DNS name-based network policies, along with performance, scalability & observability improvements. The main challenge was executing a live migration without disrupting stateful workloads, complicated by the risks of replacing a low-level component like the CNI. The process required meticulous planning to ensure intra-cluster connectivity during migration, while accommodating each cloud provider's unique network config. This talk shares the journey of migrating to Cilium, highlighting obstacles and lessons learned. We will explore uninstalling pre-existing CNIs, setting up Cilium & addressing cloud-specific issues to maintain connectivity. Benefits like transparent encryption, policies, and Hubble observability, along with the challenges faced, will also be discussed.

eBay's cloud consists of thousands of microservices running on millions of containers across hundreds of Kubernetes clusters. In this dynamic & complex cloud environment, mapping dependencies between microservices is crucial. This session delves into how eBay innovatively and scalably uses Cilium, powered by eBPF, to monitor traffic flows, generate real-time traffic events and construct a comprehensive dependency graph of microservice interactions across hundreds of K8s clusters.

The presentation will cover:

• The innovative use of eBPF and Cilium to monitor traffic events in near real-time 
• How traffic events are mapped to different microservices
• The architecture and design of the scalable solution to handle the large volume data
• The integration of OpenTelemetry for efficient traffic event stream processing
• Key challenges and solutions in building and maintaining the dependency graph
• Insights and lessons learned from integrating eBPF and Cilium into eBay’s infrastructure

Seccomp has long been a critical security feature in the Linux kernel, as a powerful tool for access control. With the emergence of eBPF, the landscape of kernel security has started evolving rapidly. It offers opportunities for improving and extending security policies. In this talk we will show how to achieve some of seccomp's capabilities and extend them using eBPF and KRSI in security use cases. The talk will give an overview of Seccomp in general and in Kubernetes, focus on its importance in securing containerized workloads. We will review applicable eBPF capabilities, showing how it changes the way we can inspect and filter syscalls at runtime. We will introduce KRSI and LSM, showing how they can enhance kernel security. The session will end with a demo of our PoC that leverages eBPF and KRSI to create a modern alternative to seccomp. Illustrating a real-world option, will provide attendees with practical knowledge on how to reinvent Seccomp for enhanced security.

This talk will dive into five common configuration pitfalls that beginners encounter when using Tetragon for runtime observability on their workloads. We'll explore the implications of each gotcha and provide clear steps to avoid them. The talk will also cover best practices for configuring Tetragon in a Kubernetes environment.

Applications at edge environment can be platform dependent, complicated and distributed in regions, and the number of devices significantly increases. Our final goal is to create the infrastructure that can be applied to the entire environment crossing over the cloud and edge in common. Working with KubeEdge and Cilium, we are now successfully able to use Cilium with KubeEdge hosted nodes at edge environment. This means, enabling wireguard VPN with Cilium can provide the transparent network connectivity with the nodes running in the cloud infrastructure, so that edge nodes running at edge environment just appear to be a member of cluster system but with edge autonomy feature provided by KubeEdge. We would like to share our technical insights and experience with using Cilium at edge with KubeEdge, and what are the future development and contribution with Cilium community.