Ambient mesh using eBPF

Mar 29, 2023 | By Iris Ding - Intel, Chun Li - Intel
In Istio’s new ambient mode, the istio-cni component running on each Kubernetes worker node is responsible for redirecting application traffic to the zero-trust tunnel (ztunnel) on that node. By default it relies on iptables and Generic Network Virtualization Encapsulation (Geneve) overlay tunnels to achieve this redirection. We have now added support for an eBPF-based method of traffic redirection.

Why eBPF

Although performance is essential in the implementation of Istio ambient mode redirection, ease of programmability also matters, because it lets versatile and customized requirements be implemented. With eBPF, you can leverage additional context in the kernel to bypass complex routing and simply send packets to their final destination.
Furthermore, eBPF provides deeper visibility and additional context for packets in the kernel, allowing more efficient and flexible management of data flow than iptables.

How it works

An eBPF program, attached to the traffic control (tc) ingress and egress hooks, has been compiled into the Istio CNI component. istio-cni watches pod events and attaches or detaches the eBPF program on the related network interfaces when a pod is moved into or out of ambient mode.
Using an eBPF program instead of iptables eliminates the Geneve encapsulation step, and the routing logic can instead be customized in kernel space. This yields both a performance gain and additional flexibility in routing.
Figure: ambient eBPF architecture
All traffic to and from the application pod is intercepted by eBPF and redirected to the corresponding ztunnel pod. On the ztunnel side, the proper redirection is performed based on connection lookup results within the eBPF program. This provides more efficient control of the network traffic between the application and ztunnel.

How to enable eBPF redirection in Istio ambient mode

Follow the instructions in Getting Started with Ambient Mesh to set up your cluster, with a small change: when you install Istio, set the values.cni.ambient.redirectMode configuration parameter to ebpf.
$ istioctl install --set profile=ambient --set values.cni.ambient.redirectMode="ebpf"
Check the istio-cni logs to confirm eBPF redirection is on:
ambient Writing ambient config: {"ztunnelReady":true,"redirectMode":"eBPF"}
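The following POSIX shell helpers are an added example (not part of Istio or this post) that turn the two checks above into something scriptable: the kernel 4.20 minimum the post gives for eBPF redirection, the redirectMode value in the istio-cni log line, and whether a bpf filter is present on a tc hook. The sample log line and tc output are constructed stand-ins; the DaemonSet name istio-cni-node and the live-mode commands are assumptions.

```shell
#!/bin/sh
# Added verification helpers; they check the preconditions and evidence the
# post describes for eBPF redirection in Istio ambient mode.

# Return 0 when "$1" (a `uname -r` string) is at least 4.20, the minimum the
# post gives for the eBPF redirection case.
kernel_supports_ebpf_redirect() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 20 ]; }
}

# Print the redirectMode value from an istio-cni "Writing ambient config" log
# line ("eBPF" or "iptables"); print nothing when no such line is present.
redirect_mode_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*"redirectMode":"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when `tc filter show` output for a hook lists a direct-action bpf
# filter, i.e. an eBPF program is actually attached there.
tc_hook_has_bpf_filter() {
    printf '%s\n' "$1" | grep -q 'bpf.*direct-action'
}

# Constructed sample data standing in for real command output.
SAMPLE_LOG='2023-03-29T10:00:00Z info ambient Writing ambient config: {"ztunnelReady":true,"redirectMode":"eBPF"}'
SAMPLE_TC='filter protocol all pref 49152 bpf chain 0 handle 0x1 direct-action not_in_hw id 12 tag 0123456789abcdef'

# Offline demonstration on the constructed samples.
kernel_supports_ebpf_redirect "$(uname -r)" && echo "kernel: ok" || echo "kernel: too old for eBPF redirect"
echo "log redirectMode: $(redirect_mode_from_log "$SAMPLE_LOG")"
tc_hook_has_bpf_filter "$SAMPLE_TC" && echo "tc hook: bpf filter present"

# Live mode (assumed commands): set AMBIENT_CHECK_LIVE=1 and IFACE=<pod veth>.
if [ "${AMBIENT_CHECK_LIVE:-0}" = "1" ]; then
    cni_log=$(kubectl -n istio-system logs ds/istio-cni-node 2>/dev/null | grep 'Writing ambient config' | tail -n 1)
    echo "live redirectMode: $(redirect_mode_from_log "$cni_log")"
    tc_hook_has_bpf_filter "$(tc filter show dev "${IFACE:-eth0}" ingress)" \
        && echo "live tc ingress: bpf filter present" || echo "live tc ingress: no bpf filter"
fi
```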

Performance gains

The latency and throughput (QPS) for eBPF redirection are somewhat better than with iptables. The following tests were run in a kind cluster with a Fortio client sending requests to a Fortio server, both running in ambient mode (with eBPF debug logging disabled) and on the same Kubernetes worker node.
$ fortio load -uniform -t 60s -qps 0 -c <num_connections> http://<fortio-svc-name>:8080
Figure: max QPS, with varying number of connections
$ fortio load -uniform -t 60s -qps 8000 -c <num_connections> http://<fortio-svc-name>:8080
Figure: P75 latency (ms) at QPS 8000, with varying number of connections

Wrapping up

Both eBPF and iptables have their own advantages and disadvantages when it comes to traffic redirection. eBPF is a modern, flexible, and powerful alternative that allows more customization in rule creation and offers better performance. However, it requires a modern kernel version (4.20 or later for the redirection case), which may not be available on some systems. On the other hand, iptables is widely used and compatible with most Linux distributions, even those with older kernels, but it lacks the flexibility and extensibility of eBPF and may have lower performance.
Ultimately, the choice between eBPF and iptables for traffic redirection depends on the specific needs and requirements of the system, as well as the user’s level of expertise with each tool. Some users may prefer the simplicity and compatibility of iptables, while others may require the flexibility and performance of eBPF.
There is still plenty of work to be done, including integration with various CNI plugins, and contributions to improve the ease of use would be greatly welcomed. Please join us in #ambient on the Istio Slack.