https://istio.io/latest/blog/2023/ambient-ebpf-redirection/
Mar 29, 2023 | By Iris Ding - Intel, Chun Li - Intel
In Istio’s new ambient mode, the istio-cni component running on each Kubernetes worker node is responsible for redirecting application traffic to the zero-trust tunnel (ztunnel) on that node. By default it relies on iptables and Generic Network Virtualization Encapsulation (Geneve) overlay tunnels to achieve this redirection. We have now added support for an eBPF-based method of traffic redirection.
Although performance considerations are essential in the implementation of Istio ambient mode redirection, it is also important to consider ease of programmability, so that versatile and customized requirements can be implemented. With eBPF, you can leverage additional context in the kernel to bypass complex routing and simply send packets to their final destination.
Furthermore, eBPF enables deeper visibility and additional context for packets in the kernel, allowing for more efficient and flexible management of data flow compared with iptables.
An eBPF program, attached to the traffic control (tc) ingress and egress hooks, has been compiled into the Istio CNI component. istio-cni watches pod events and attaches the eBPF program to, or detaches it from, the related network interfaces when a pod is moved into or out of ambient mode.
Using an eBPF program (instead of iptables) eliminates the need for Geneve encapsulation, allowing the routing tasks to be customized in kernel space instead. This yields both a gain in performance and additional flexibility in routing.

Figure: ambient eBPF architecture
All traffic to and from the application pod is intercepted by eBPF and redirected to the corresponding ztunnel pod. On the ztunnel side, the proper redirection is performed based on connection lookup results within the eBPF program. This provides more efficient control of the network traffic between the application and ztunnel.
Follow the instructions in Getting Started with Ambient Mesh to set up your cluster, with one small change: when you install Istio, set the values.cni.ambient.redirectMode configuration parameter to ebpf.
$ istioctl install --set profile=ambient --set values.cni.ambient.redirectMode="ebpf"
Check the istio-cni logs to confirm that eBPF redirection is on:
ambient Writing ambient config: {"ztunnelReady":true,"redirectMode":"eBPF"}
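The log line above is the only signal that a node is actually doing eBPF redirection, and istio-cni rewrites it whenever the ztunnel state changes, so a one-off grep is easy to misread. The following Go program, added here as an example and not part of the Istio blog post or the istio-cni code base, parses the JSON object from that log line and reports every node whose most recent config write does not show eBPF redirection with ztunnel ready. The node names, timestamps and the non-eBPF redirectMode value in the fixture are constructed for the example; only the `Writing ambient config:` line format and the `ztunnelReady`/`redirectMode` keys come from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AmbientConfig mirrors the JSON object istio-cni writes in its
// "Writing ambient config" log line, e.g. {"ztunnelReady":true,"redirectMode":"eBPF"}.
type AmbientConfig struct {
	ZtunnelReady bool   `json:"ztunnelReady"`
	RedirectMode string `json:"redirectMode"`
}

// configMarker is the fixed text that precedes the JSON object in the log line.
const configMarker = "Writing ambient config: "

// ParseAmbientConfigLine returns the config embedded in one log line. isCfg is
// false for every other istio-cni log line, which the caller simply skips.
func ParseAmbientConfigLine(line string) (cfg AmbientConfig, isCfg bool, err error) {
	idx := strings.Index(line, configMarker)
	if idx < 0 {
		return AmbientConfig{}, false, nil
	}
	if err := json.Unmarshal([]byte(line[idx+len(configMarker):]), &cfg); err != nil {
		return AmbientConfig{}, true, fmt.Errorf("malformed ambient config in %q: %w", line, err)
	}
	return cfg, true, nil
}

// CheckNodeRedirection inspects the istio-cni log lines of one node and returns
// "" when the most recent config write shows eBPF redirection with ztunnel
// ready, otherwise a description of the problem. The last write wins because
// istio-cni rewrites the config when ztunnel readiness changes.
func CheckNodeRedirection(lines []string) string {
	var last *AmbientConfig
	for _, l := range lines {
		cfg, isCfg, err := ParseAmbientConfigLine(l)
		if err != nil {
			return err.Error()
		}
		if isCfg {
			c := cfg
			last = &c
		}
	}
	switch {
	case last == nil:
		return "no ambient config written yet"
	case !strings.EqualFold(last.RedirectMode, "ebpf"): // install value is "ebpf", log shows "eBPF"
		return fmt.Sprintf("redirectMode is %q, not eBPF", last.RedirectMode)
	case !last.ZtunnelReady:
		return "eBPF redirection configured but ztunnel is not ready"
	}
	return ""
}

// CheckCluster runs the node check over every node's log lines and returns
// only the nodes with findings, keyed by node name.
func CheckCluster(logsByNode map[string][]string) map[string]string {
	findings := map[string]string{}
	for node, lines := range logsByNode {
		if msg := CheckNodeRedirection(lines); msg != "" {
			findings[node] = msg
		}
	}
	return findings
}

// SampleLogs is a constructed fixture (not real cluster output): three nodes,
// only the first of which ends in the expected state.
var SampleLogs = map[string][]string{
	"worker-1": {
		`2023-03-29T10:00:00Z info ambient Writing ambient config: {"ztunnelReady":false,"redirectMode":"eBPF"}`,
		`2023-03-29T10:00:05Z info ambient Writing ambient config: {"ztunnelReady":true,"redirectMode":"eBPF"}`,
	},
	"worker-2": { // constructed non-eBPF value: this node silently kept the default redirection
		`2023-03-29T10:00:00Z info ambient Writing ambient config: {"ztunnelReady":true,"redirectMode":"iptables"}`,
	},
	"worker-3": { // ztunnel went away after the initial config write
		`2023-03-29T10:00:00Z info ambient Writing ambient config: {"ztunnelReady":true,"redirectMode":"eBPF"}`,
		`2023-03-29T10:02:00Z info ambient Writing ambient config: {"ztunnelReady":false,"redirectMode":"eBPF"}`,
	},
}

func main() {
	for node, msg := range CheckCluster(SampleLogs) {
		fmt.Printf("%s: %s\n", node, msg)
	}
}
```

In practice you would feed CheckCluster the output of `kubectl logs` for each istio-cni pod, one slice per node. The mode comparison is case-insensitive because the install flag is written as `ebpf` while the log line prints `eBPF`; requiring an exact match would flag every healthy node.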
The latency and throughput (QPS) for eBPF redirection are somewhat better than with iptables. The following tests were run in a kind cluster with a Fortio client sending requests to a Fortio server, both running in ambient mode (with eBPF debug logging disabled) and on the same Kubernetes worker node.
$ fortio load -uniform -t 60s -qps 0 -c <num_connections> http://<fortio-svc-name>:8080