eBPF & Cilium Community

Whether you are just starting to learn about eBPF, you're looking for further material or you're a seasoned contributor to major eBPF projects, the eBPF & Cilium Community is here to support you.

Join the community on Slack 24/7 for help with, and discussions about, eBPF and Cilium: ebpf.io/slack

CiliumCon EU 2023 Wrap-up

Comments

  • @kafirboysrock · 1 day ago

    Which IDE is this?

  • @dkierans · 2 days ago

    So glad to see something like this. I came to the same conclusion as you but you’ve done something about it!

  • @jude4736 · 14 days ago

    Why doesn't the tc hook point work in Python syntax?

  • @xuantuoba8983 · 15 days ago

    I want to use generated, customized BPF code (written in C) to develop Cilium BPF. Can I just use Cilium tools like cilium-bpf or something like it to integrate the C code into the kernel (maybe Cilium itself can automatically compile it and load it at the kernel hook)?

  • @afrlyrc · 26 days ago

    I love shedrack

  • @walsky1 · 1 month ago

    Thanks Riham, it's a great talk that helps to understand what the current challenges with GPU profiling are. It would be interesting to know how things have changed since then :)

  • @sabeurr · 1 month ago

    I am waiting :)

  • @raphaelmachnicki3890 · 1 month ago

    What happens if the chained XDP programs return different actions?

  • @wind1309 · 1 month ago

    Nice demo

  • @52202005 · 1 month ago

    Great demo of the Cilium network policies! A couple of suggestions to make it easier to follow the actions:
    - move the video feed from the camera into the upper right corner so it does not obscure the terminal input and output
    - split the screen in two, with one half showing the YAML file and the other half where the commands are run

  • @46september · 2 months ago

    I understand that this is a basic implementation, but for a large HTTP request, do we not need to forward all the packets to the same backend? With this implementation, it will randomly distribute packets among the backends. So we need some stickiness to map a particular HTTP request to a particular backend server.
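
The stickiness question above comes down to choosing the backend once per connection rather than once per packet. The Go program below is an added example, not Cilium's datapath code: it runs 200 packets of one constructed TCP flow through three selection schemes (random per packet, random on the first packet with the choice recorded in a connection-tracking map, and a stateless hash of the 5-tuple) and counts how many backends the flow reaches under each. The backend addresses and the flow are constructed sample data, and FNV-1a stands in for whatever hash a real datapath uses; neither the hash nor the map layout is Cilium's.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/fnv"
	"math/rand"
	"net/netip"
)

// FiveTuple identifies a flow: every packet of one TCP connection carries the
// same five values, so anything derived only from them is stable per connection.
type FiveTuple struct {
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort uint16
	Proto            uint8
}

// Hash reduces the tuple to a 64-bit flow key (FNV-1a here; the kernel uses its
// own hash, which does not change the affinity argument).
func (t FiveTuple) Hash() uint64 {
	h := fnv.New64a()
	src, dst := t.SrcIP.As16(), t.DstIP.As16()
	h.Write(src[:])
	h.Write(dst[:])
	var tail [5]byte
	binary.BigEndian.PutUint16(tail[0:2], t.SrcPort)
	binary.BigEndian.PutUint16(tail[2:4], t.DstPort)
	tail[4] = t.Proto
	h.Write(tail[:])
	return h.Sum64()
}

// Picker chooses a backend index in [0, n) for a flow.
type Picker func(t FiveTuple, n int) int

// PickRandomSeeded is the per-packet behaviour the comment worries about: with
// no state, consecutive packets of one connection can land on different backends.
func PickRandomSeeded(seed int64) Picker {
	rng := rand.New(rand.NewSource(seed))
	return func(_ FiveTuple, n int) int { return rng.Intn(n) }
}

// PickByHash is stateless yet stable: the same tuple always maps to the same
// backend as long as the backend list does not change.
func PickByHash(t FiveTuple, n int) int { return int(t.Hash() % uint64(n)) }

// LoadBalancer consults a connection-tracking map before the picker, so the
// picker runs once per flow and every later packet reuses the recorded choice.
type LoadBalancer struct {
	Backends []string
	pick     Picker
	ct       map[FiveTuple]int
}

func NewLoadBalancer(backends []string, pick Picker) *LoadBalancer {
	return &LoadBalancer{Backends: backends, pick: pick, ct: map[FiveTuple]int{}}
}

// Route returns the backend for one packet. With stateless=false the first packet
// of a flow creates a CT entry reused by all later packets; with stateless=true
// the picker runs for every packet.
func (lb *LoadBalancer) Route(t FiveTuple, stateless bool) string {
	if !stateless {
		if idx, ok := lb.ct[t]; ok {
			return lb.Backends[idx]
		}
	}
	idx := lb.pick(t, len(lb.Backends))
	if !stateless {
		lb.ct[t] = idx
	}
	return lb.Backends[idx]
}

// DistinctBackends pushes `packets` packets of a single flow through lb and
// reports how many different backends they reached; 1 means affinity held.
func DistinctBackends(lb *LoadBalancer, t FiveTuple, packets int, stateless bool) int {
	seen := map[string]bool{}
	for i := 0; i < packets; i++ {
		seen[lb.Route(t, stateless)] = true
	}
	return len(seen)
}

// SampleFlow is a constructed client->service TCP connection, not captured traffic.
func SampleFlow() FiveTuple {
	return FiveTuple{SrcIP: netip.MustParseAddr("192.168.1.7"), DstIP: netip.MustParseAddr("10.96.0.10"),
		SrcPort: 51234, DstPort: 80, Proto: 6}
}

func main() {
	backends := []string{"10.0.1.10:8080", "10.0.1.11:8080", "10.0.1.12:8080"} // constructed
	flow := SampleFlow()
	fmt.Println("random, per packet     :", DistinctBackends(NewLoadBalancer(backends, PickRandomSeeded(1)), flow, 200, true))
	fmt.Println("random, with conntrack :", DistinctBackends(NewLoadBalancer(backends, PickRandomSeeded(1)), flow, 200, false))
	fmt.Println("5-tuple hash, stateless:", DistinctBackends(NewLoadBalancer(backends, PickByHash), flow, 200, true))
}
```

The first scheme scatters one connection across backends; the other two keep it on one. Cilium's service load balancing behaves like the second: the backend is chosen on the first packet of a flow and recorded in its connection-tracking map, so the per-packet randomness the comment describes is not what the production datapath does. The stateless hash is stable only while the backend set is unchanged; that is the problem Cilium's optional Maglev consistent hashing (loadBalancer.algorithm=maglev) addresses.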

  • @ganit_ak · 2 months ago

    Hello y’all! Thanks for hosting ✌️😌

  • @olivierbourdon2397 · 2 months ago

    This is definitely very interesting and I got a lot of insights on things I did not know about. However, I am wondering if eBPF-based technologies like Grafana Beyla and/or Pyroscope and/or Agent/Alloy could not be used to compare flame graph representations of sshd calls to potentially detect a zero-day behaviour change, instead of using the info gathered after tampering was inferred. That would be much more powerful. Furthermore, considering the fact that this CVE was detected due to a timing issue, I think such flame graphs should really be able to put this into evidence quite easily.

  • @drgonzo1963 · 3 months ago

    Very cool video. From Cilium 1.14 the default value for the fqdns min TTL is 0, not 3600 s.

  • @wolpumba4099 · 3 months ago

    amazing!

  • @wolpumba4099 · 3 months ago

    *Abstract*

    This video demonstrates how to detect and potentially prevent the exploitation of the "XZ" SSH vulnerability using Tetragon, an eBPF-based security tool. The video covers setting up a reproduction environment with a compromised SSH server, installing Tetragon, and creating a tracing policy to identify the vulnerability. Additionally, the video highlights the benefits of Tetragon's kernel-level operation and showcases a library of example policies for detecting common vulnerabilities and exploits (CVEs). Tetragon can detect this when it is itself running on a host and the vulnerability (sshd and xz) is present in a container that is running on the host.

    *Summary*

    *Introduction and Events*
    * 0:15: Introduction and welcome message.
    * 1:07: Announcement of the "Buzzing through Kubernetes" workshop series for network engineers.
    * 1:35: Upcoming events: Open Source Summit in Seattle, KCD New York, and Cloud Native Security Con in Seattle.
    * 2:30: Information on subscribing to the Isovalent newsletter for weekly news updates.

    *XZ Vulnerability and Detection*
    * 3:11: Discussion of the "XZ" SSH vulnerability and Isovalent's efforts in understanding and addressing it.
    * 3:23: Reference to a blog post by Jalal and Jeremy Covin that provides detailed information about the exploit.
    * 4:31: Introduction of a Tetragon tracing policy example for detecting the vulnerability.
    * 4:47: Explanation of how the policy works by hooking into the Linux kernel and watching for specific library versions used by the SSH daemon (sshd).
    * 6:42: Discussion on the potential response actions (notification vs. blocking) and their implications.

    *Reproduction Environment Setup*
    * 7:44: Setting up a reproduction environment using Kind to create a local Kubernetes cluster with a vulnerable SSH server.
    * 12:19: Troubleshooting Docker issues and restarting the cluster creation process.
    * 17:40: Installing Cilium and Tetragon on the Kind cluster.
    * 26:31: Addressing technical difficulties and switching to a different host for demonstration purposes.
    * 35:33: Creating a Kind cluster on a Google Cloud Compute instance.
    * 42:01: Verifying the initial state of the SSH server and confirming the presence of the vulnerable library.

    *Vulnerability Exploitation and Detection with Tetragon*
    * 49:24: Downloading and installing a compromised version of the "XZ" library to create a vulnerable SSH server.
    * 52:07: Verifying the vulnerability using the provided detection script.
    * 54:44: Accessing the Tetragon container and using the `tetra` command-line tool to observe events.
    * 57:09: Demonstrating that Tetragon detects the vulnerability when SSHing into the compromised server.
    * 59:58: Analyzing the detailed event information provided by Tetragon.
    * 1:00:12: Highlighting the specific event that triggers the tracing policy and confirms the use of the compromised library.

    *Conclusion and Resources*
    * 1:01:03: Introduction to the Tetragon policy library with examples for detecting various CVEs, including the "XZ" vulnerability.
    * 1:01:37: Encouragement for community contributions to the policy library.
    * 1:02:03: Closing remarks and thanks to the audience.

    I used Gemini 1.5 Pro to summarize the transcript with this prompt: Create an abstract and summarize the following video transcript as a bullet list. Prepend each bullet point with starting timestamp. Do not show the stopping timestamp. Also split the summary into sections and create section titles. Token count 8,196 / 1,048,576
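
The policy described in the summary above emits a kprobe event when sshd touches the backdoored library; the Go program below is an added example, not Tetragon's policy or code, that applies the same test to the JSON stream `tetra getevents -o json` prints, one event per line. The event field layout, the `security_file_open` hook name in the sample lines, and the pod names are assumptions, and the sample events are constructed. The version test is for liblzma.so.5.6.0 and 5.6.1, the two xz releases that shipped the backdoor (CVE-2024-3094); other processes loading that library and other liblzma versions are deliberately ignored, since the question is whether sshd is running the compromised code.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"path"
	"regexp"
	"strings"
)

// Subset of a Tetragon kprobe event as printed by `tetra getevents -o json`
// (field layout assumed from that output; unknown fields are ignored).
type tetragonEvent struct {
	ProcessKprobe *struct {
		Process struct {
			Binary string `json:"binary"`
			Pod    *struct {
				Namespace string `json:"namespace"`
				Name      string `json:"name"`
			} `json:"pod"`
		} `json:"process"`
		FunctionName string `json:"function_name"`
		Args         []struct {
			FileArg *struct {
				Path string `json:"path"`
			} `json:"file_arg"`
		} `json:"args"`
	} `json:"process_kprobe"`
}

// Finding records one sshd process touching a backdoored liblzma build.
type Finding struct {
	Pod, Binary, Path, Hook string
}

// Only the 5.6.0 and 5.6.1 releases of xz carried the backdoor (CVE-2024-3094).
var backdooredLzma = regexp.MustCompile(`^liblzma\.so\.5\.6\.[01]$`)

// ScanEvents reads newline-delimited Tetragon events and returns a Finding for
// every kprobe event in which sshd opened a backdoored liblzma. Non-kprobe
// events, other binaries and other liblzma versions are skipped.
func ScanEvents(r io.Reader) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 1<<20), 1<<20) // tetra event lines can be long
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev tetragonEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event line: %w", err)
		}
		kp := ev.ProcessKprobe
		if kp == nil || path.Base(kp.Process.Binary) != "sshd" {
			continue
		}
		for _, a := range kp.Args {
			if a.FileArg == nil || !backdooredLzma.MatchString(path.Base(a.FileArg.Path)) {
				continue
			}
			pod := "host" // no pod block means the process ran outside Kubernetes
			if kp.Process.Pod != nil {
				pod = kp.Process.Pod.Namespace + "/" + kp.Process.Pod.Name
			}
			findings = append(findings, Finding{Pod: pod, Binary: kp.Process.Binary, Path: a.FileArg.Path, Hook: kp.FunctionName})
		}
	}
	return findings, sc.Err()
}

// SampleEvents is a constructed stream: an exec event, a clean sshd loading
// liblzma 5.4.5, an unrelated xz process loading 5.6.1, and the one line that fires.
const SampleEvents = `
{"process_exec":{"process":{"binary":"/usr/sbin/sshd","pod":{"namespace":"default","name":"sshd-clean"}}}}
{"process_kprobe":{"process":{"binary":"/usr/sbin/sshd","pod":{"namespace":"default","name":"sshd-clean"}},"function_name":"security_file_open","args":[{"file_arg":{"path":"/usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5"}}]}}
{"process_kprobe":{"process":{"binary":"/usr/bin/xz","pod":{"namespace":"default","name":"tools"}},"function_name":"security_file_open","args":[{"file_arg":{"path":"/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1"}}]}}
{"process_kprobe":{"process":{"binary":"/usr/sbin/sshd","pod":{"namespace":"default","name":"sshd-vulnerable"}},"function_name":"security_file_open","args":[{"file_arg":{"path":"/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1"}}]}}
`

func main() {
	findings, err := ScanEvents(strings.NewReader(SampleEvents))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT pod=%s binary=%s opened %s (hook %s)\n", f.Pod, f.Binary, f.Path, f.Hook)
	}
}
```

Matching on the library file name is the same weak signal the video's policy uses: it tells you sshd loaded a build known to be backdoored, not that the backdoor was triggered, so a hit should be treated as "this host runs compromised code" and paired with the blocking-versus-notify decision discussed at 6:42. Piping live output into the scanner (for example `tetra getevents -o json | go run .` with the reader switched to os.Stdin) is the obvious next step, not shown here.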

  • @Diving.international · 4 months ago

    It would be a good point to say and show what task we are trying to do and what problem we're trying to resolve. PS: Oh I see, after 20 minutes of presentation 😂

  • @muhammadbinjamil9998 · 4 months ago

    Can we have a link to the slides?

  • @antonios7519 · 4 months ago

    😩 'promo sm'

  • @chromatic_seven5829 · 4 months ago

    Hi, thanks for this! Do you have the source code/prototype for this?

  • @mgeb101 · 5 months ago

    Looks like you have only 8 queues for the NIC; that's why Cilium does not use your 10 cores (perfectly fine if on purpose, though). Better to have a bit of spare CPU for the rest of the system ;)

  • @sandeepkulambi7924 · 6 months ago

    Excellent video, packing a wealth of information into 17 minutes.

  • @user-xu9by3uh4u · 6 months ago

    Very useful video!

  • @user-gq8bi3po7z · 6 months ago

    Hi, I'd like to clarify whether AWS VPC CNI is needed for Prefix Delegation to work. I thought that it's possible to remove AWS VPC CNI and install Cilium, which would handle prefix delegation in the same way as AWS VPC CNI. Is there a way to not have AWS VPC CNI and still have working Prefix Delegation?

  • @jorgelon3211 · 3 months ago

    Same question here

  • @Davidlavieri · 3 months ago

    @jorgelon3211 So far I wasn't able to make the Cilium operator change the maximum pod limit in the node resources; it was able to create prefixes on the single ENI, but not attach more either... I sorted it out by installing the VPC CNI addon with the environment variable for prefix delegation and simply adding a node affinity to the vpc-cni daemonset so it doesn't run on my nodes. I believe Cilium at least picks up the secret/configmap used by the vpc-cni addon; maybe I am missing something, but so far it works well.

  • @user-gq8bi3po7z · 2 months ago

    @jorgelon3211 It turns out it is not needed. It's only needed briefly, to be run for about 20 s on nodes which were spawned before installing Cilium. All new nodes after Cilium is installed will have prefix delegation enabled. So what I do is, during EKS cluster installation, we enable prefix delegation in AWS VPC CNI and let it run for 20 s on the current nodes, and then we simply remove all components of AWS VPC CNI and kube-proxy.

  • @Davidlavieri · 2 months ago

    Thanks for the update, I made it work without installing VPC ENI, updated to 1.15.4.

  • @user-gh2uz2ix2o · 6 months ago

    So happy this channel exists!

  • @w4gap · 6 months ago

    Very cool, thanks for making this available. I have a use case somewhat similar to Netflix's, but processing linear video on bare metal, where this may be useful for helping to optimize the environment.

  • @ianmarkus5025 · 6 months ago

    Please, where can I find the slides? Thanks.

  • @danydanger · 7 months ago

    Nice

  • @dincerbeken5761 · 7 months ago

    absolutely fantastic

  • @user-nl6hv5st5c · 8 months ago

    Wonderful!

  • @lukas-pastva · 8 months ago

    So great!!! Helped me a bunch; it is kinda tricky to onboard to eBPF and OpenTelemetry at once.

  • @simeruk · 8 months ago

    I was trying to find a link to Dario's blog post referred to around 41:42, but to no avail. Any hints as to where to find it, please?

  • @simeruk · 8 months ago

    If this could have been recorded in a slightly higher resolution, that would be fantastic. HD is not easy to read/follow with a small font :(

  • @JhonnWillker · 8 months ago

    This is a great idea, congratulations

  • @user-im8td9ke1t · 8 months ago

    How do I get the source code?

  • @TheLearningChannel-Tech · 9 months ago

    I've created a two-part video series on what Workload Identity, SPIFFE, and SPIRE are and how Cilium leverages these technologies to implement its mutual auth infrastructure:
    Workload Identity Part 1: Introduction to SPIFFE and SPIRE: kzread.info/dash/bejne/ooeEo9Z6eZXXY5M.html
    Workload Identity Part 2: How Cilium Implements Its Mutual Auth Leveraging SPIFFE and SPIRE: kzread.info/dash/bejne/gWd3m6hshZqnhps.html

  • @connorlehner6706 · 9 months ago

    This is really interesting! I wonder, what is the reason that you would use XDP generic over Linux TC in any case? I also understand you don't default to XDP driver mode as the compatibility with the NIC has to be taken into account, but would you always default to it if the option was available, or are there downsides?

  • @staceymichaels112 · 1 month ago

    One reason to use the actual express data path as opposed to hooking via tc is processing speed, because tc processes traffic after the socket buffer (skb) and the express data path sits at an earlier point in the kernel than the skb.

  • @PouriyaJamshidi · 9 months ago

    Very informative as always, Mark. Thanks Liz for setting this up

  • @debkr · 9 months ago

    Nice video. Can you please post a more elaborate video showing how to configure the Cilium LBL4 load balancer?

  • @jumaxeno5004 · 9 months ago

    I have no idea what I stumbled on at this hour of the night... It seems cool, tho

  • @chandup · 9 months ago

    Very good gist of eBPF capabilities! Kudos!

  • @yaxiongzhao6640 · 9 months ago

    Nice. eBPF as the interface for a programmable kernel, that has been the original vision, and it finally starts becoming reality.

  • @martinschroeter2351 · 10 months ago

    🎉Thanks a lot ❤

  • @iulian-casianmerce4122 · 11 months ago

    Hi guys. I suggest that the upper-left corner echo of the livestream be smaller... much smaller, and the same with the lower-right corner, because it covers the commands you are writing.

  • @raymondlinz1333 · 11 months ago

    So there is no concept, while using Cluster Mesh, of routing via GRE/IPinIP that would allow the abstraction of pod-to-pod communication via unique IPs assigned to the nodes? My only concern is scalability. And to clarify, I'm expecting to use a scalability schema that allows communication between clusters because the IP addressing of nodes is unique, whereas the pod IP allocations per node are not. TIA

  • @nabromov · 11 months ago

    Would there be a limit on the size of the policies that can be deployed?

  • @eBPFCilium · 11 months ago

    Not really sure what you mean about the "size" of the policies, or is this maybe a question about the number of network policies that can be installed? If you're asking about how many workloads SPIFFE can generate identities for, this might help: spiffe.io/docs/latest/planning/scaling_spire/#deployment-sizing-considerations

  • @HAMunna-db7zu · 1 year ago

    Liz Rice, thank you very much, and an honor for the 100th episode

  • @lizrice5029 · 11 months ago

    Thank you for the kind words!

  • @itsjakepage · 1 year ago

    Great talk!

  • @subhashchandrapal1447 · 1 year ago

    How do I start hands-on?

  • @mkvalor · 1 year ago

    If you're interested in the advertised content, start at 11:51