December 9-10

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon + Open Source Summit China 2021 - Virtual to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in China Standard Time (UTC +8). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.
Thursday, December 9 • 13:15 - 13:50
Envoy Mesh Acceleration: From Iptables to Fully BPF - Xiyao Zhang & Xu Liu, Tencent

eBPF sockmap has been a desirable approach for accelerating local process communication between Envoy and containers in a service mesh. This approach, however, relies on iptables for transparent traffic hijacking, which has become a major bottleneck for system performance. This talk will start with a detailed survey of the current solutions: Cilium from the community and the lightweight approach we introduced at KubeCon China last year. We will explain how the iptables redirections influence the sockmap match results on both inbound and outbound traffic. We will then present our first-of-its-kind solution that does not use iptables at all. The solution:

1. Uses eBPF to direct inbound traffic to Envoy by hooking bind calls.
2. Uses eBPF to implement transparent outbound traffic redirection.
3. Provides an integrated control plane for DaemonSet deployment and maintenance, with full control by annotation and ConfigMap.


Xiyao Zhang

Tencent Cloud

Xu Liu

Software Engineer, Tencent

Thursday December 9, 2021 13:15 - 13:50 CST
KubeCon + CloudNativeCon Lecture Hall