
Isovalent Harnesses eBPF for Cloud Native Security, Visibility

3 Dec 2020 3:00am, by

Veteran networking pros at Isovalent are building on the promise of Extended Berkeley Packet Filter (eBPF) technology, which makes the Linux kernel programmable, to address the ephemeral challenges of Kubernetes and microservices.

“If you think about the Linux kernel, traditionally, it’s a static set of functionality that some Linux kernel developer over the course of the last 20 or 30 years decided to build and they compiled it into the Linux kernel. And it works the way that kernel developer thought about, but may not be applicable to the use case that we need to do today,” said Isovalent CEO Dan Wendlandt.

Adding something new to the kernel was a painstaking process that took years.

“That’s why the networking and firewalling technologies we have in the Linux kernel are still basically the same ones we’ve had for the last 20 years, things like IP tables, for doing security policies,” he said.

“These technologies were designed literally for a world where we thought about a Linux router that was deployed on a physical box that was configured by a human and that changed very rarely. That’s extremely different than the demands of our customers like Adobe and Capital One and users of the Google Kubernetes offerings that have these highly dynamic cloud native environments where IP addresses don’t even mean anything.

“So how do you kind of make Linux able to understand Kubernetes identity, understand your microservices to be able to achieve, for example, firewalling and other security use cases? eBPF lets us inject that intelligence into the Linux kernel.”

Wendlandt started his career at Nicira, which developed Open vSwitch, a software networking layer for virtualized data centers. It was acquired by VMware in 2012 and the technology morphed into VMware NSX.

CTO Thomas Graf, co-founder of the open source Cilium project, has deep roots in the Linux kernel networking community at Red Hat and Cisco. He and Daniel Borkmann, also at Isovalent, are among the world’s top authorities on the Linux kernel.

“We’d seen the first wave of software-defined networking. And yet, it was very limited in terms of being able to do what matters for this new cloud native world in environments like Kubernetes,” said Wendlandt.

He called Kubernetes and eBPF “kind of the perfect storm in terms of technology that lets us make Linux natively understand Kubernetes in a way that lets you do all kinds of networking-related things better.”

The Mountain View, California-based company recently emerged from stealth, announcing a $29 million Series A round led by Andreessen Horowitz and Google as well as an enterprise version of Cilium.

Programmable Computer

Traditional networking involved point-to-point connections on physical hardware, Martin Casado, the founder of Nicira and now general partner at Andreessen Horowitz and an Isovalent board member, explained in a blog post. And while early software-defined networking took its cues from physical hardware, now it’s all about connecting microservices, cloud services, APIs, and the higher-level protocols and systems used to connect them.

“The past was IP addresses, ports, vNICs and VLANS. Now, it is service identity, gRPC, Kafka, distributed data stores, remote APIs, etc.,” he wrote.

He cites the need for a new networking and security layer that provides cloud native visibility, security, and control of these high-level abstractions, calling Cilium this new layer.

SAP Labs’ developer Gaurav Gupta called eBPF “Linux’s newest superpower” at KubeCon in Copenhagen two years ago.

With Linux the operating system for many Kubernetes nodes, eBPF provides the ability to run sandboxed programs within the kernel space, without changing kernel source code or loading kernel modules.

Casado notes the analogy that eBPF brings to the Linux kernel what JavaScript brought to the browser.

We previously explained the technology this way:

“With eBPF, developers write the code in a subset of C, which is compiled into BPF bytecode to run on the BPF virtual machine. After safety-checking the code, a just-in-time compiler converts the bytecode into architecture-specific machine code. …

Successfully compiled machine code is then attached to a kernel’s code path, which, when traversed, executes any attached eBPF programs. State can be accessible to all users through a shared memory map.”

“There’s a set of logic for networking and security that’s kind of hardcoded and baked into the Linux kernel,” Wendlandt said. “eBPF lets us write our own logic, but run it inside the Linux kernel in a way that’s very high performance, but also safe. It can’t crash your kernel; it won’t do bad things to your kernel. … It’s fast and it’s secure. And we’re able to extend the functionality of the kernel without kind of undermining those core properties of the kernel.”

In The Field

Google, which uses eBPF and Cilium as the basis for its GKE Dataplane, referred to Cilium as “the most mature eBPF implementation for Kubernetes out there.”

In an effort to track the ephemeral goings-on amid microservices, application performance management vendor Instana employs eBPF to detect abnormal process crashes, even ones that you may never know about because Kubernetes instantaneously boots up a replacement.

Other customers include Alibaba Cloud, Adobe, Datadog, GitLab and SAP SE.

Kubernetes doesn’t care about IP addresses at all, with containers coming and going very dynamically, Wendlandt pointed out.

“So if your security team comes to you and says, ‘Hey, this IP address did something suspicious two weeks ago, what application was running there?’ There’s no way to answer that question,” he said.

So you need something dynamic that understands Kubernetes workload identity in order to achieve these security use cases. Cilium uses eBPF to inject Kubernetes identity into the Linux kernel networking layer.
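As an added illustration (not Cilium’s or Isovalent’s code), here is a toy Python model of the idea the last few paragraphs describe: policy verdicts and the flow log are keyed on a workload identity derived from labels rather than on IP addresses, so a rescheduled pod keeps its access, a reused IP does not inherit it, and the “what was running at this IP?” question can be answered from the log. The `Datapath` class, `identity_for` helper and the pod IPs and labels are constructed for the example.

```python
import hashlib

def identity_for(labels):
    """Stable numeric security identity derived from the sorted label set."""
    key = ",".join(f"{k}={v}" for k, v in sorted(labels.items()))
    return int(hashlib.sha256(key.encode()).hexdigest()[:8], 16)

class Datapath:
    """Stands in for the kernel-side maps: IP -> identity, identity -> labels."""
    def __init__(self, allow_rules):
        self.rules = allow_rules    # list of (src_selector, dst_selector, port)
        self.ip_to_identity, self.identity_labels, self.flow_log = {}, {}, []

    def endpoint_up(self, ip, labels):
        self.ip_to_identity[ip] = ident = identity_for(labels)
        self.identity_labels[ident] = labels
        return ident

    def endpoint_down(self, ip):
        self.ip_to_identity.pop(ip, None)

    @staticmethod
    def _matches(selector, labels):
        return all(labels.get(k) == v for k, v in selector.items())

    def allow(self, src_ip, dst_ip, port):
        """Verdict keyed on identities; the flow log keeps both IP and identity."""
        src_id, dst_id = self.ip_to_identity.get(src_ip), self.ip_to_identity.get(dst_ip)
        src, dst = self.identity_labels.get(src_id), self.identity_labels.get(dst_id)
        ok = src is not None and dst is not None and any(
            self._matches(s, src) and self._matches(d, dst) and p == port
            for s, d, p in self.rules)
        self.flow_log.append((src_ip, src_id, dst_ip, dst_id, port, ok))
        return ok

    def workloads_seen_at(self, ip):
        """Forensics: every label set that ever sent from this IP, via the identity log."""
        return [self.identity_labels[i] for s, i, *_ in self.flow_log if s == ip and i]

def demo():
    dp = Datapath([({"app": "frontend"}, {"app": "api"}, 8080)])
    dp.endpoint_up("10.0.1.5", {"app": "frontend"})   # constructed sample pods
    dp.endpoint_up("10.0.2.9", {"app": "api"})
    first = dp.allow("10.0.1.5", "10.0.2.9", 8080)     # True
    dp.endpoint_down("10.0.1.5")                       # frontend pod rescheduled
    dp.endpoint_up("10.0.3.77", {"app": "frontend"})  # new IP, same labels
    rescheduled = dp.allow("10.0.3.77", "10.0.2.9", 8080)  # True: identity unchanged
    dp.endpoint_up("10.0.1.5", {"app": "scanner"})    # old IP reused by another workload
    reused = dp.allow("10.0.1.5", "10.0.2.9", 8080)    # False: different identity
    return dp, (first, rescheduled, reused)
```

An IP-keyed rule set would have granted the reused address the frontend’s access; here `workloads_seen_at("10.0.1.5")` also shows that two different workloads sat behind that address over time.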

“The high-level takeaway is to achieve your compliance goals. For example, Capital One just talked recently publicly about how they need to be able to do audit and forensics and workload isolation in Kubernetes. They can’t do that with their traditional firewalling mechanisms,” he said. “Google needs to be able to give security teams visibility into what workloads are talking to each other. So you can’t use traditional kind of IP-based mechanisms to do that. That’s one of the baby drivers for adoption of Cilium. It’s really helping enterprises achieve their security requirements as they move to Kubernetes and cloud native.”

As a company, Isovalent contributes to the upstream eBPF project and the open source Cilium project, which Wendlandt described as making eBPF “human consumable” to solve these Kubernetes networking and security use cases, and then offers enterprise features on top.

“What really makes us stand apart is our use of eBPF as just a fundamentally game-changing technology that lets us provide deeper security, deeper visibility, better scalability. Instead of trying to take the old technologies and kind of bolt-on Kubernetes awareness to them, we’re able to kind of natively implement that inside the Linux kernel,” he said.

SecOps teams, who can now get very fine levels of detail about what’s going on for a workload inside their environment, have been enthusiastic about the technology, he said.

“The way people are building API-driven services, suddenly the network is in the middle of every app, right? Because every API call is going over the network,” he said. “That observability aspect is something that eBPF is really well-suited for, because we can basically have deep observability turned on 100% of the time with extremely low overhead.”

That’s one area the company plans to expand upon, he said. The technology isn’t specific to Kubernetes, though, and the company recently announced VM support because companies need flexibility, whether they’ve moved workloads to Kubernetes or not.
