eBPF sockmap has been a desirable approach to accelerating local process communication between Envoy and the container in a Service Mesh. This approach, however, relies on iptables for transparent traffic hijacking, which has become a major bottleneck for system performance. This talk will start with a detailed survey of the current solutions: Cilium from the community and the lightweight approach we introduced at KubeCon China last year. We will explain how the iptables redirections influence the sockmap match results on both inbound and outbound traffic. We will then present our first-of-its-kind solution, which does not use iptables at all. The solution:

1. Uses eBPF to direct inbound traffic to Envoy by hooking bind calls.
2. Uses eBPF to implement transparent outbound traffic redirection.
3. Provides an integrated control plane for DaemonSet deployment and maintenance, with full control through annotations and a ConfigMap.