In this AKS-focused workshop, you will use Azure and Calico Cloud to learn about Calico's eBPF dataplane and how to examine and debug the Calico network policies that secure your workloads.
AKS provides a Bring Your Own CNI (BYOCNI) option in which AKS installs no CNI of its own; a third-party CNI networks each pod and assigns it a private IP from the configured pod CIDR. This mode lets you run Calico's eBPF dataplane for cluster networking and take full advantage of it.
eBPF is a Linux kernel feature that provides a sandboxed virtual machine inside the kernel. Programs loaded into it are checked by the kernel's verifier before they run, so you can safely extend kernel behaviour without modifying or rebuilding the kernel itself. Why is this important?
In the past, changing kernel behaviour was difficult: there were APIs you could call to read data out of the kernel, but you could not alter what happened inside it or run your own code there. Instead, you had to submit a patch to the Linux community and wait for it to be accepted. With eBPF, you load a program into the kernel and instruct the kernel to execute it when, for example, a particular packet is seen or another event occurs.
With eBPF, the kernel and its behavior become highly customizable, instead of being fixed. This can be extremely beneficial, when used under the right circumstances.
Calico Cloud offers an eBPF dataplane as an alternative to the standard Linux dataplane (which is iptables/nftables based). The standard dataplane favours compatibility: it works alongside kube-proxy and any iptables rules of your own. The eBPF dataplane favours performance and latency, and adds features that are not possible with the standard dataplane.
If you enable eBPF in Calico Cloud while existing iptables rules are present, Calico leaves them alone; you might, for example, want connect-time load balancing but keep iptables as it is. It is not an all-or-nothing choice: the eBPF dataplane can be loaded and unloaded as needed, so you can try it out before committing to it. Expect a brief connectivity disruption each time the dataplane is switched, since calico-node restarts on every node. Features that the eBPF dataplane enables include:
- XDP
- Connect-time load balancing
- Better routing to proxies such as Envoy
The eBPF dataplane mode has several advantages over the standard Linux networking pipeline:
- It scales to higher throughput.
- It uses less CPU per Gbit.
- It has native support for Kubernetes services (without needing kube-proxy) that:
  - reduces first-packet latency for traffic to services;
  - preserves external client source IP addresses all the way to the pod;
  - supports DSR (Direct Server Return) for more efficient service routing;
  - uses less CPU than kube-proxy to keep the dataplane in sync.
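The script below is an added example, not part of the workshop and not Calico's own tooling. It ties together the two points made above: creating an AKS cluster in Bring Your Own CNI mode (`az aks create --network-plugin none`), and later loading or unloading the eBPF dataplane by patching the operator's `Installation` resource. The resource group, cluster name and region are placeholders. The `tigera-operator` deployment and `calico-system` namespace follow a standard operator-based Calico install and are assumed here; the kube-proxy nodeSelector trick is Calico's documented way of parking kube-proxy where it cannot simply be deleted. AKS manages kube-proxy as an add-on, so after patching check that the DaemonSet really stays at zero pods (`kubectl get ds -n kube-system kube-proxy`).

```shell
#!/bin/sh
# Added example (not from the workshop): create a BYOCNI AKS cluster, then
# switch the Calico dataplane to eBPF and back via the Installation resource.
# RG/CLUSTER/LOCATION are placeholders; tigera-operator and calico-system are
# the names used by an operator-based Calico install and are assumed.
set -eu

RG=${RG:-calico-ebpf-rg}            # assumed resource group name
CLUSTER=${CLUSTER:-calico-ebpf-aks} # assumed cluster name
LOCATION=${LOCATION:-eastus}        # assumed region

# Split an https://host[:port][/...] URL into "host port" (port defaults to
# 443). Used to fill the kubernetes-services-endpoint ConfigMap: in eBPF mode
# calico-node cannot rely on kube-proxy to reach the API server's ClusterIP,
# so it needs the real API server address.
api_endpoint_from_url() {
  hostport=${1#*://}
  hostport=${hostport%%/*}
  case $hostport in
    *:*) printf '%s %s\n' "${hostport%%:*}" "${hostport##*:}" ;;
    *)   printf '%s %s\n' "$hostport" 443 ;;
  esac
}

# Build the JSON merge patch for spec.calicoNetwork.linuxDataplane and
# refuse values the operator does not understand.
dataplane_patch() {
  case $1 in
    BPF|Iptables|Nftables)
      printf '{"spec":{"calicoNetwork":{"linuxDataplane":"%s"}}}\n' "$1" ;;
    *) echo "unknown dataplane: $1" >&2; return 1 ;;
  esac
}

# --network-plugin none is AKS's Bring Your Own CNI mode: nodes stay NotReady
# until a CNI (here, Calico) is installed.
create_byocni_cluster() {
  az group create --name "$RG" --location "$LOCATION"
  az aks create --resource-group "$RG" --name "$CLUSTER" \
    --location "$LOCATION" --network-plugin none --node-count 3
  az aks get-credentials --resource-group "$RG" --name "$CLUSTER"
}

enable_bpf() {
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  set -- $(api_endpoint_from_url "$server")
  # 1. Tell the operator where the API server really is.
  kubectl apply -f - <<EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: kubernetes-services-endpoint
  namespace: tigera-operator
data:
  KUBERNETES_SERVICE_HOST: "$1"
  KUBERNETES_SERVICE_PORT: "$2"
EOF
  kubectl rollout restart deployment/tigera-operator -n tigera-operator
  kubectl rollout status deployment/tigera-operator -n tigera-operator --timeout=120s
  # 2. Park kube-proxy on a nodeSelector no node matches; the eBPF dataplane
  #    implements Services itself.
  kubectl patch ds -n kube-system kube-proxy -p \
    '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico":"true"}}}}}'
  # 3. Flip the dataplane. Expect a short connectivity blip while calico-node restarts.
  kubectl patch installation.operator.tigera.io default --type merge \
    -p "$(dataplane_patch BPF)"
  kubectl rollout status ds/calico-node -n calico-system --timeout=300s
}

# Reverse the steps: back to iptables, then let kube-proxy schedule again.
disable_bpf() {
  kubectl patch installation.operator.tigera.io default --type merge \
    -p "$(dataplane_patch Iptables)"
  kubectl patch ds -n kube-system kube-proxy -p \
    '{"spec":{"template":{"spec":{"nodeSelector":null}}}}'
  kubectl rollout status ds/calico-node -n calico-system --timeout=300s
}

# Only act when given a subcommand; sourcing the file just defines the helpers.
case ${1:-} in
  create)  create_byocni_cluster ;;
  enable)  enable_bpf ;;
  disable) disable_bpf ;;
esac
```

Run it as `sh switch-dataplane.sh create`, then `enable` once Calico Cloud is connected (Module 3), and `disable` to go back. The `kubernetes-services-endpoint` ConfigMap must exist before the dataplane is flipped; if it is missing, calico-node loses the API server the moment kube-proxy stops programming the `kubernetes` service and the rollout never becomes ready.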
The estimated time to complete this workshop is 60-90 minutes.
- Cloud Professionals
- DevSecOps Professionals
- Site Reliability Engineers (SRE)
- Solutions Architects
- Anyone interested in Calico Cloud :)
Module 1 - Getting Started
Module 2 - Deploy an Azure AKS Cluster
Module 3 - Connect the cluster to Calico Cloud
Module 4 - Install Demo Apps
Module 5 - Policy Debugging with nftables
Module 6 - Switching to the eBPF Dataplane
Module 7 - Policy Debugging with eBPF
Module 8 - Cleanup
Note
The examples and sample code provided in this workshop are intended to be consumed as instructional content. These will help you understand how Calico Cloud can be configured to build a functional solution. These examples are not intended for use in production environments.