Supercharging OpenShift with Cilium and eBPF

Apr 06, 2022 | Isovalent

The power of OpenShift

Red Hat OpenShift is a Kubernetes container platform that helps rapidly build and deploy cloud native applications. It offers rich self-service capabilities for application developers and a stable platform underneath, supporting Kubernetes operators. And with Cilium and eBPF, you can supercharge OpenShift!

The ongoing adoption of cloud native approaches introduces new challenges for the operators of OpenShift platforms and the teams developing apps on top of it. There is demand for a tight integration with traditional IT environments. Often multiple clusters are used and need to be connected with each other. With OpenShift, these clusters can be deployed across a variety of infrastructure targets, both in the cloud and on premises.

Application Developers and Site Reliability Engineers need granular application metrics and a more profound insight into the behavior of their applications.

This also affects the security architecture. How can Security Operations (SecOps) teams effectively separate multiple app developer teams while still providing the low-level insight they demand? How can SecOps transparently encrypt traffic across multiple clusters and clouds? And overall, how can SecOps effectively gain insight into what external resources our applications are accessing in legacy environments?

How to supercharge OpenShift with eBPF & Cilium

Networking

OpenShift provides a default networking model leveraging Open vSwitch. OpenShift also enables the use of third-party container network solutions like Cilium and Isovalent Cilium Enterprise. When business-critical applications are migrated to OpenShift, there is an increased need for a cloud native networking approach. Identity- and application-aware policy enforcement become standard requirements. Isovalent Cilium Enterprise addresses these requirements with eBPF.

eBPF is the new standard to program Linux kernel capabilities in a safe and efficient manner without changing kernel source code or loading kernel modules. It has enabled a new generation of high performance tooling to be developed covering networking, security, and observability use cases. Building on eBPF’s capabilities, Cilium, as the Kubernetes data plane, provides cloud native insights and control. Cilium also offers a high degree of flexibility, which enables better integration with existing environments. It can integrate with hybrid cloud environments like existing cloud CNIs and complex network topologies that require BGP, and it provides capabilities like static egress gateway that help solve some of the challenges of legacy environments that require firewalls between resources. This flexibility is also the reason cloud providers choose Cilium as a key component of their cloud native networking offerings.

Thanks to Cilium, OpenShift can be integrated into traditional environments on both ends, north and south. When legacy services protected by traditional firewalls need to be connected to Cilium, static egress gateway IPs allow Kubernetes nodes to act as gateways for cluster-egress traffic, always contacting the external service via the same IP. This greatly simplifies the management of the traditional firewall policies. Additionally, Cilium can also be installed on traditional VMs or bare-metal servers that are connected to OpenShift. This allows the VMs or bare-metal servers to join the Cilium cluster, allowing OpenShift platform teams to apply label-based policies on the traffic between application pods and external nodes. The external nodes, on the other hand, will get access to cluster services and can resolve cluster names.

OpenShift enables the deployment and management of multiple clusters. Running multiple clusters is also becoming more common across all businesses, and with it comes the demand to route traffic in between them. When combining multiple OpenShift clusters, Cilium Cluster Mesh provides pod IP routing and service discovery across clusters and with other Kubernetes-based platforms, becoming a unified data plane for all cloud native workloads.

As the use cases grow, Cilium also offers advanced networking capabilities like SRv6 and NAT46. Cilium also has integrated, sidecar-less service mesh capabilities, enabling platform teams to take advantage of service mesh approaches without large performance impacts or complex architectural changes.

Observability

App developers need insights into their application behavior and performance. OpenShift offers platform-level hardware utilization reporting and network transmission rates, which helps onboard the first apps quickly. However, as the deployments get more complex, advanced observability capabilities are needed. This is a use case for which eBPF is well-suited. Sitting in kernel space, it has a direct view of everything that happens on the machine, from networking to the operating system and app performance up to security details. This view is enriched by extensive context information which Cilium then extends to cloud native identity information. This state-of-the-art insight allows OpenShift developer and platform teams to gain an unrivaled insight into what is happening in their nodes and workloads, with a very low overhead.

In leveraging eBPF, Cilium provides application developers running workloads on OpenShift flow visibility including traffic details between the pods displayed in the service graph or available in the CLI. Additionally, Cilium collects extensive metrics for developers to monitor TCP, UDP and HTTP golden signals like HTTP return codes, latency, requests per second, and used TLS ciphers. Since cloud native is all about APIs, developers running their apps on OpenShift can take advantage of API visibility. Cilium has insight into L7 traffic, making it possible to track the API endpoints being used and the ones that are not reachable. Leveraging Cilium Network Policy you can also define access to these L7 services by path or verb. Everything you can observe you can also enforce.

This is backed by role-based access controls (RBAC), enabling different teams to access only their data, complementing OpenShift’s multi-team approach.

OpenShift platform teams can use the enhanced visibility provided by eBPF to build self-service observability platforms for app teams, based on the capabilities mentioned above.

Security

OpenShift allows for rapid deployment of apps, supporting a shorter time to market for new ideas. But how do SecOps teams maintain security and compliance in a fast-moving world with dozens of tenants involved? OpenShift adds container image scanning to the picture to remediate vulnerable or misconfigured images. Audit logs help operators to keep an overview of what changes are made to the OpenShift API, helping them to quickly secure workloads on OpenShift. Basic network policies help keep workloads confined based.

Cilium brings these policies to the next level, offering DNS and L7 transparency and a UI that enables the definition of network policies intuitively. This allows for fine-grained policies based on the namespaces and labels of the workloads, providing easy enforcement of micro segmentation where needed.

To better manage and secure traffic, Cilium also offers FQDN-aware policies. Operators and app developers can restrict communication with external services based on the domain names, ensuring that communication is really only happening with intended domains instead of IP addresses or ranges. Cilium’s L7 transparency provides an even finer-grained control. With insights into the specific aspects of a URL that a service is talking to, Cilium enables security operators to investigate the API endpoints that are contacted. OpenShift security operators can use it to fine-tune network policies at HTTP level, denying access to certain API endpoints while allowing access to others.
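
As an added example (not from the original post or from Isovalent's documentation), a single CiliumNetworkPolicy can combine the FQDN-based egress restriction described here with the path- and verb-level HTTP rules mentioned under Observability. The namespace, labels, port 8080 and domain name are constructed placeholders; the DNS rule assumes OpenShift's default DNS pods in the openshift-dns namespace.

```yaml
# Added example; names, labels and domains are constructed placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-fqdn-and-l7
  namespace: shop            # hypothetical tenant namespace
spec:
  endpointSelector:
    matchLabels:
      app: orders            # hypothetical workload label
  egress:
    # Let the workload resolve names through OpenShift's cluster DNS.
    # The dns rule routes lookups through Cilium's DNS proxy, which is
    # what lets toFQDNs below learn the IPs behind each allowed name.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: openshift-dns
      toPorts:
        - ports:
            - port: "5353"   # OpenShift DNS pods listen on 5353, not 53
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Only this external name is reachable, and only over HTTPS.
    - toFQDNs:
        - matchName: "api.payments.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
  ingress:
    # In-cluster callers labelled app=frontend may use two API routes.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/v1/orders/[0-9]+"
              - method: "POST"
                path: "/v1/orders"
```

Because the policy selects the pod in both directions, egress and ingress not listed here are dropped, and HTTP requests on port 8080 that match neither rule are rejected by Cilium's proxy with a 403.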

Encrypting traffic can be tricky, even more so when multiple OpenShift clusters are about to be connected. However, effective encryption is a ‘must’ for any enterprise following FIPS guidelines. Cilium provides transparent encryption based on IPsec or WireGuard that encrypts traffic between nodes and between clusters, thereby securing hybrid cloud workloads.

This is complemented by eBPF’s unique security runtime visibility: by observing network and runtime behavior with full Kubernetes identities, Cilium provides OpenShift platform teams with a single source of data for cloud native forensics, threat detection and compliance monitoring. Cilium exports this data to a SecOps team’s existing security information and event management (SIEM). It provides the deep security visibility needed to predict breaches, hunt threats, investigate possible attacks, follow lateral movement, and audit the environment’s security compliance.

Delivering value for developers and operators alike

OpenShift is a critical platform for being successful with cloud native workloads. Isovalent Cilium Enterprise brings eBPF to OpenShift, supporting platform teams in running OpenShift, providing secure and scalable connectivity for the hybrid cloud with ops-centric connectivity, security, and observability. It enables developers to get a more profound insight into their application’s behavior and enables them to track metrics critical for their services. As part of the CNCF, Cilium is the default CNI and default data plane for cloud native stacks, and as such completes OpenShift as a major cloud native platform.

Cilium can be installed via the OpenShift operator framework. If you want to see Cilium and OpenShift in action, schedule a demo with our technical experts or watch the demo Cilium & eBPF, Cloud Native Networking, Security & Observability.

Author: Duffie Cooley, Field CTO Isovalent & CNCF Ambassador