eBPF - Calico

-

eBPF is a Linux kernel feature that allows fast yet safe mini-programs to be loaded into the kernel in order to customize its operation.

eBPF stands for “extended Berkeley Packet Filter”. The Berkeley Packet Filter was an earlier, more specialized virtual machine that was tailored for filtering packets. Tools such as tcpdump use this “classic” BPF VM to select packets that should be sent to userspace for analysis. eBPF is a considerably extended version of BPF that is suitable for general purpose use inside the kernel. While the name has stuck, eBPF can be used for a lot more than just packet filtering.

eBPF is a virtual machine embedded within the Linux kernel. It allows small programs to be loaded into the kernel, and attached to hooks, which are triggered when some event occurs. This allows the behaviour of the kernel to be (sometimes heavily) customised. While the eBPF virtual machine is the same for each type of hook, the capabilities of the hooks vary considerably. Since loading programs into the kernel could be dangerous; the kernel runs all programs through a very strict static verifier; the verifier sandboxes the program, ensuring it can only access allowed parts of memory and ensuring that it must terminate quickly.

Calico’s eBPF dataplane

Calico’s eBPF dataplane is an alternative to our standard Linux dataplane (which is iptables based). While the standard dataplane focuses on compatibility by inter-working with kube-proxy, and your own iptables rules, the eBPF dataplane focuses on performance, latency and improving user experience with features that aren’t possible in the standard dataplane. As part of that, the eBPF dataplane replaces kube-proxy with an eBPF implementation. The main “user experience” feature is to preserve the source IP of traffic from outside the cluster when traffic hits a NodePort; this makes your server-side logs and network policy much more useful on that path.


Comments

Post a Comment

Popular posts from this blog

DevOps Interview Questions

-
Questions from GIT, Jenkins, Ansible, Dockers & Containers, Kubernetes, OpenShift, AWS, CI/CD, Scripting, Linux (RHEL), Monitoring, Python GIT ########### * What is GIT ? * What is difference between GIT & Github ? * Why we use GIT ? * What is SCM & VCS ? * What are the process of pushing the code to Github Repository ? * Why do we commit ? * What are the commands of GIT to push the code ? * How you can merge a git repository with another ?  * What is branching in git ? * Different types of branching in GIT ? * What is merge conflict in git ? * How you can resolve merge conflict if you are merging same    project and in the same branch ?    Jenkins ########## * What is Jenkins ? * Why we use Jenkins ? * What are the other tools/technologies present in market other than    Jenkins for CI/CD ? * How to move Jenkins from one server to another ?    * How to create Jenkins backup ?  * What are plugins in Jenkins ? * What are
Read more

Calico Certified Operator: AWS Expert Questions & Answers

-
Section 1 Which one of the following is NOT an AWS networking concept? 1 point possible (graded, results hidden) AWS Region Virtual Private Cloud Elastic Network Interface Cloud NAT submitted Which of the following are network configuration options for the Calico CNI in BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: VLAN based segmentation VXLAN encapsulation IP-IP encapsulation CrossSubnet mode submitted Why does AWS-CNI networking make use of source based routing on the nodes? 1 point possible (graded, results hidden) To provide more available IP addresses To allow the utilisation of all ENIs attached to the node To secure the node’s compute resources To ensure all pods use the same ENI submitted Which of the following are true when using the CrossSubnet mode in Calico CNI on BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: It is recommended that for best performanc
Read more

CKAD Certification Exam Preparation Guide and Tips

-
Image
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. The CNCF/Linux Foundation offers this performance-based exam which targets the developer aspect of Kubernetes skills such as deploying apps, configuring apps, rolling out the application, creating persistent volumes, etc. CKAD (Certified Kubernetes Application Developer) is designed for software developers who would like to develop and deploy their containerized applications in Kubernetes. The curriculum includes the following general domains with the associated weights: Core Concepts – 13% Configuration – 18% Multi-Container Pods – 10% Observability – 18% Pod Design – 20% Services & Networking – 13% State Persistence – 8% ------------------------------------------------------------------------- After my successful achievement of CKAD Certification, I would love to share my experience and tips to clear the exam. I have  practiced a lot on kubectl  commands and
Read more