isovalent.com
199.232.194.22  Public Scan

Submitted URL: https://t.sidekickopen07.com/s3t/c/5/f18dQhb0V1-gmb8bWDXdW1j7hvX59hl3kW7_k2841CX6NGW35QNv_7x3sjHW2RpvRt3TS15Cf197v5Y04?te=W3R...
Effective URL: https://isovalent.com/blog/post/2022-03-openshift/
Submission: On April 13 via api from NL — Scanned from NL

Form analysis 0 forms found in the DOM

Text Content


SUPERCHARGING OPENSHIFT WITH CILIUM AND EBPF

Apr 06, 2022 | Isovalent


TABLE OF CONTENTS

 * The power of OpenShift
 * How to supercharge OpenShift with eBPF & Cilium
 * Delivering value for developers and operators alike


THE POWER OF OPENSHIFT

Red Hat OpenShift is a Kubernetes container platform that helps rapidly build
and deploy cloud native applications. It offers rich self-service capabilities
for application developers and a stable platform underneath, supporting
Kubernetes operators. And with Cilium and eBPF, you can supercharge OpenShift!

The ongoing adoption of cloud native approaches introduces new challenges for
the operators of OpenShift platforms and the teams developing apps on top of it.
There is demand for a tight integration with traditional IT environments. Often
multiple clusters are used and need to be connected with each other. With
OpenShift, these clusters can be deployed across a variety of infrastructure
targets, both in the cloud and on premises.

Application Developers and Site Reliability Engineers need granular application
metrics and a more profound insight into the behavior of their applications.

This also affects the security architecture. How can Security Operations
(SecOps) teams effectively separate multiple app developer teams while still
providing the low-level insight they demand? How can SecOps transparently
encrypt traffic across multiple clusters and clouds? And overall, how can SecOps
effectively gain insight into what external resources our applications are
accessing in legacy environments?


HOW TO SUPERCHARGE OPENSHIFT WITH EBPF & CILIUM


NETWORKING



OpenShift provides a default networking model leveraging Open vSwitch. OpenShift
also enables the use of third-party container network solutions like Cilium and
Isovalent Cilium Enterprise. When business-critical applications are migrated to
OpenShift, there is an increased need for a cloud native networking approach.
Identity- and application-aware policy enforcement become standard requirements.
Isovalent Cilium Enterprise addresses these requirements with eBPF.

eBPF is the new standard to program Linux kernel capabilities in a safe and
efficient manner without requiring changes to kernel source code or loading
kernel modules. It has enabled a new generation of high-performance tooling to
be developed covering networking, security, and observability use cases.
Building on eBPF’s capabilities, Cilium, as the Kubernetes data plane, provides
cloud native insights and control. Cilium offers a high degree of flexibility,
enabling better integrations with existing environments. It can integrate with
hybrid cloud environments such as existing cloud CNIs and complex network
topologies that require BGP, and it provides capabilities like static egress
gateway that help solve some of the challenges of legacy environments that
require firewalls between resources. This flexibility is also the reason cloud
providers choose Cilium as a key component of their cloud native networking
offering:

 * AWS picks Cilium for Networking & Security on EKS Anywhere
 * Google announces Cilium & eBPF as the new networking data plane for GKE
 * How Alibaba Cloud uses Cilium for High-Performance Cloud-Native Networking

Thanks to Cilium, OpenShift can be integrated into traditional environments on
both ends, north and south. When legacy services protected by traditional
firewalls need to be connected to Cilium, static egress gateway IPs allow
Kubernetes nodes to act as gateways for cluster-egress traffic, always
contacting the external service via the same IP. This greatly simplifies the
management of the traditional firewall policies. Additionally, Cilium can also
be installed on traditional VMs or bare-metal servers that are connected to
OpenShift. This allows the VMs or bare-metal servers to join the Cilium cluster,
allowing OpenShift platform teams to apply label-based policies on the traffic
between application pods and external nodes. The external nodes, on the other
hand, will get access to cluster services and can resolve cluster names.

OpenShift enables the deployment and management of multiple clusters. Running
multiple clusters is also becoming more common across all businesses, and with
it comes the demand to route traffic in between them. When combining multiple
OpenShift clusters, Cilium Cluster Mesh provides pod IP routing and service
discovery across clusters and with other Kubernetes-based platforms, becoming a
unified data plane for all cloud native workloads.

As the use cases grow, Cilium also offers advanced networking capabilities like
SRv6 and NAT46. Cilium also has integrated, sidecar-less service mesh
capabilities, enabling platform teams to take advantage of service mesh
approaches without large performance impacts or complex architectural changes.


OBSERVABILITY



App developers need insights into their application behavior and performance.
OpenShift offers platform-level hardware utilization reporting and network
transmission rates, which helps onboard the first apps quickly. However, as
the deployments get more complex, advanced observability capabilities are
needed. This is a use case for which eBPF is well-suited. Sitting in kernel
space, it has a direct view of everything that happens on the machine, from
networking to the operating system and app performance up to security details.
This view is enriched by extensive context information which Cilium then extends
to cloud native identity information. This state-of-the-art insight allows
OpenShift developer and platform teams to gain an unrivaled insight into what is
happening in their nodes and workloads, with a very low overhead.

In leveraging eBPF, Cilium provides application developers running workloads on
OpenShift flow visibility including traffic details between the pods displayed
in the service graph or available in the CLI. Additionally, Cilium collects
extensive metrics for developers to monitor TCP, UDP and HTTP golden signals
like HTTP return codes, latency, requests per second, and used TLS ciphers.
Since cloud native is all about APIs, developers running their apps on OpenShift
can take advantage of API visibility. Cilium has insight into L7 traffic, making
it possible to track the API endpoints being used and the ones that are not
reachable. Leveraging Cilium Network Policy you can also define access to these
L7 services by path or verb. Everything you can observe you can also enforce.

This is backed by role-based access controls (RBAC), enabling different teams to
access only their data, complementing OpenShift’s multi-team approach.

OpenShift platform teams can use the enhanced visibility provided by eBPF to
build self-service observability platforms for app teams, based on the
capabilities mentioned above.


SECURITY



OpenShift allows for rapid deployment of apps, supporting a shorter time to
market for new ideas. But how do SecOps teams maintain security and compliance
in a fast-moving world with dozens of tenants involved? OpenShift adds container
image scanning to the picture to remediate vulnerable or misconfigured images.
Audit logs help operators to keep an overview of what changes are made to the
OpenShift API, helping them to quickly secure workloads on OpenShift. Basic
network policies help keep workloads confined.

Cilium brings these policies to the next level, offering DNS and L7 transparency
and a UI that enables the definition of network policies intuitively. This
allows for fine-grained policies based on the namespaces and labels of the
workloads, providing easy enforcement of micro segmentation where needed.

To better manage and secure traffic, Cilium also offers FQDN-aware policies.
Operators and app developers can restrict communication with external services
based on the domain names, ensuring that communication is really only happening
with intended domains instead of IP addresses or ranges. Cilium’s L7
transparency provides an even finer-grained control. With insights into the
specific aspects of a URL that a service is talking to, Cilium enables security
operators to investigate the API endpoints that are contacted. OpenShift
security operators can use it to fine-tune network policies at HTTP level,
denying access to certain API endpoints while allowing access to others.

Encrypting traffic can be tricky, even more so when multiple OpenShift clusters
are about to be connected. However, effective encryption is a ‘must’ for any
enterprise following FIPS guidelines. Cilium provides transparent encryption
based on IPsec or WireGuard that encrypts traffic between nodes and between
clusters, thereby securing hybrid cloud workloads.



This is complemented by eBPF’s unique security runtime visibility: by observing
network and runtime behavior with full Kubernetes identities, Cilium provides
OpenShift platform teams with a single source of data for cloud native
forensics, threat detection and compliance monitoring. Cilium exports this data
to a SecOps team’s existing security information and event management (SIEM). It
provides the deep security visibility needed to predict breaches, hunt threats,
investigate possible attacks, follow lateral movement, and audit the
environment’s security compliance.


DELIVERING VALUE FOR DEVELOPERS AND OPERATORS ALIKE

OpenShift is a critical platform for being successful with cloud native
workloads. Isovalent Cilium Enterprise brings eBPF to OpenShift, supporting
platform teams in running OpenShift, providing secure and scalable connectivity
for the hybrid cloud with ops-centric connectivity, security, and observability.
It enables developers to get a more profound insight into their application’s
behavior and enables them to track metrics critical for their services. As part
of the CNCF, Cilium is the default CNI and default data plane for cloud native
stacks, and as such completes OpenShift as a major cloud native platform.

Cilium can be installed via the OpenShift operator framework. If you want to see
Cilium and OpenShift in action, schedule a demo with our technical experts or
watch the demo Cilium & eBPF, Cloud Native Networking, Security & Observability.


If you want to learn more about Isovalent Cilium Enterprise or eBPF, check out
the following resources:

 * Introduction to Isovalent Cilium Enterprise – Overview & Features
 * List of Cilium & eBPF Resources & Reading Material

We also have regular calls you can attend to discuss Cilium and related topics
in more detail:

 * Weekly Cilium Community AMA session (Information and registration)

Author: Duffie Cooley, Field CTO Isovalent & CNCF Ambassador




Isovalent, Inc
20830 Stevens Creek Blvd #1047
Cupertino, CA 95014 USA

Isovalent GmbH
Hönggerstrasse 65
8037 Zürich, Switzerland
© 2023 Isovalent. All Rights Reserved.