 I nek res mo mansam, da sem bilo kratil način, tudi to je Kuresh in sedaj po te glasimskeva vse odlične in in prijel電at, kot pai taj Kuresh. Zelo sem nekaj 200 nekaj CS, pomečite pa v komplicativni sest, da se način na Kuresh. Je tudi, da se vač je z vse glasim dve. Vse je bolj. Otej nekaj nekaj nekaj de in prijem se vse z veliko. Zelo se da se vedno sse vse odlučno. Tukaj je Silium workshop in mi je Christian Faketa. Tukaj bomo vsoživati v soli, kaj je inginir. Vse moj tvoj tvoj Twitter in e-mail odvršenje. Kaj je Silium? Silium je vse in open-source software. Vse možete vzvečati, da je vzvečaj, kaj je vzvečaj, kaj je vzvečaj, kaj je vzvečaj, kaj je vzvečaj, kaj je vzvečaj, kaj je vzvečaj vzvečaj. V mnohj deli se seči v SSC&I, in je bilo poprvnja čošnja v kubalitistih klustov. Silijum na tvoj fundacij, je izgleda nekaj tehnologij, nekaj nekaj tehnologij, nekaj DbPF, in to može, nekaj nekaj tehnologij, nekaj nekaj tehnologij, nekaj nekaj tehnologij, nekaj nekaj nekaj tehnologij, nekaj nekaj nekaj tehnologij, nekaj nekaj nekaj tehnologij, nekaj tehnologi, nekaj nekaj tehnologij, nekaj nekaj tehnologij, nekaj nekaj tehnologij, nekaj tehnologij, nekaj nekaj tehnologij, nekaj tehnologij, nekaj tehnologij, nekaj tehnologij, nekaj tehnologij, nekaj talo ga pridel? Nekaj škodaS smuzilje soожal toppiero ebpf, as 몰라 drawings, as idem kaj Freda do сделать政治, nekaj nekaj del poz Victor, Tudi na dve, da je BPF, in, kako jih, kako jih, kako jih jih, kako jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, jih, in at nativ speed. There are multiple use cases for EBPF. First, there is security. You can check actual syscalls happening in your system and implement and trigger custom logic when these syscalls are happening. You can use the same for file reads, file opens and other system calls as well. Then EBPF can be used for tracing and profiling. You can have detailed profiling information with EBPF, for example. There are projects utilizing EBPF to profile your code without touching the code itself. Then there are networking use cases. Celium is targeting these network use cases at some extent. And observatory monitoring is the last larger family of EBPF use cases. Celium also can help with observatory monitoring. You can have metrics, histograms, you can log events that are happening at certain kernel probes. And you can expose these from kernel space and access them in user space. That's the high level architecture of EBPF. You can see that there's a kernel run time running at the bottom section. That layer has the actual verifier and compiler. There are maps. These maps are basically the corridors between user space and kernel space. And you can put data in kernel space and take these data and the output out in user space. And there are many kernel helper APIs available as well to make your life easier when you are developing EBPF code. Then in the user space, there are multiple projects that can help you. For example, BCC. There are SDKs to make, for example, programming in Go easier. There's LibBPF, for example. So the ecosystem is growing bigger and bigger every day. And there are a few EBPF projects also out there, for example, Falko, that's security-related. They are still focusing on networking and observability. And there are other solutions as well. Basically, this is how the user space and kernel space interacts with each other. In user space, you can... First, you have a task in user space. And there you will need to handle the whole lifecycle of the EBPF code itself. You have to load it, attach it to Proves, and destroy it when your job is finished. And in the kernel, you have the verifier, I mentioned already, and you also have these K-Proves, U-Proves, trace points. These are the points in the kernel where you can create a trigger to attach custom logic to it. And there's the maps, which are, as I mentioned, basically the corridor for you to move data between these two spaces. Originally, what you would normally do would use BCC to create your EBPF programs. Basically, in this case, you are writing a single Python program, and you are injecting the EBPF logic as a string. And you also have the kernel program that's written in C. Everything is compiled at runtime, but it requires you to have the actual kernel headers installed in the system when you are building this logic. Another drawback of this traditional approach is that it will use a significant amount of resources when you are starting this program. Then there's a newer rendition to this. It's called Coree, means compile one once run everywhere. It's using the EBPF, and basically, with this approach you can write both kernel and user space in C, and you can compile them in advance. If you have the proper headers at runtime, you could execute it on any other system because you are following the Coree principles. What we did at solo is we tried to make this a bit easier. So what if you could only write the kernel program and forget about the user space logic? For this, we introduced Bumblebee, which is an open source project. It helps you to focus only on the kernel space logic, build your custom BPF scripts into OCI compatible images, push these into local or remote registries, and expose the outputs as metrics. So as you can see, the barrier to entries is quite low because you don't need to manage the whole lifecycle of your code. You just create your kernel logic, that's the most exciting part anyway, and load it as an OCI image into kernel, and you already have primitive metrics, which is quite nice. So after the EBPF introduction, let's move forward and start talking about Cilium. On this slide, you can see the evolution of Q-proxy replacement options. First, initially, in a traditional Kubernetes cluster, you have a Q-proxy, and it's using IP tables. IP tables were not really, and for this job, it was a great firewall, but there are some performance bottlenecks, bottlenecks when you scaled your cluster out. In some CNIs, there's an option to use IPvS, which can make your life a bit easier in terms of performance, because you can reach much nicer run-trip times, and you will know how you can scale your clusters, and how the performance will actually scale with your cluster size. And the most recent tradition is using EBPF for some of the tasks. And we will take a look at how Cilium is doing this. So let's start the actual lab. We will go back to this presentation at some point during the workshop, but now we are starting the actual lab. So I guess you have it up and running. As I mentioned, we have 200 licenses for this. After you click start, you can click launch, and I will zoom in a bit. Hopefully it will be, you can read it on the screen as well. What is happening in the background is that we are using this platform called Instruct. In this Instruct environment, we are building a three node Kubernetes cluster, and we will use this cluster to deploy Cilium, and we will interacilium through this environment. This is the QR code. This session will be available, this environment will be available until tomorrow afternoon ish. So if you just want to focus on the actual workshop, you can do that, and if you have this link with this QR code, you can try this at home or afternoon or tomorrow morning as well. Okay, and I have the environment ready. First, we will deploy Cilium. Let's zoom in a bit. Hopefully it won't break the actual interface. Okay, so the first step that we will do is to deploy, to install Cilium CLI. The first command will do that. You can click on it and paste on it on the other terminal window. After we have it, you can check Cilium and okay, we have the CLI. Let's check the pots that we have running in this cluster. Cube CTL get pots, and we can see that all these pots are in a pending state. If we check the details of these pots, Cube CTL describe the name of the pod, cube system. Yes, it's pod. We will see that the nodes are not available, and we have something on it. Let's check the actual nodes that we have. As I mentioned, we are running a three node cluster. The nodes are not ready. If we describe the nodes, Cube CTL describe nodes, for example, master, we will see that it's not really ready, the cube that is almost started, and if we scroll up a bit, we will see that cube that is actually not ready because the network plugin is not ready, and the network plugin is not ready because the CNI plugin is not initialized. We just installed the Cilium CLI, but we don't have an actual CNI running on these clusters, and that makes our nodes unavailable. So let's fix this and deploy Cilium. We are using the upstream Cilium helper repository, and we are using this latest version. It's 1.12.1. As you can see, we are passing a few arguments to this Helm install. We will go with partial cube proxy replacement, and we are also configuring a few options here. We will go through this in a bit. So let's hit Enter, and the Helm installation is currently happening. Partial cube proxy replacement means that you can cherry pick which features of the cube proxy you want to replace. We are using partial in this example, but there are other options as well. This Cilium docs has some detailed explanation about the different modes. It's quite detailed, and it's a pretty good documentation. If you want to go into the details of the various options that you can have here. Okay, let's check our pots again, and we can see that all of them is running, which is great, we have a CLI. After this, we can use Cilium status, and this will show us a little nice graphics, and it will report back that Cilium and the operator itself is running and are in the OK state. We also could have Hubble and cluster mesh. Cluster mesh is for multi-clusters, and Hubble is an observability component. We have these disabled at the moment, but we will deploy it at a future lab. As you could see, that's all the information that you can have regarding the Cilium that you have in your cluster. However, you can have more verbose Cilium CLI. For this, you can use the next command, which is basically executing the same command, Cilium status, but it passes the verbose option, and you can have much more details about your actual installment. We can also do that. We can also check the actual CLI that we have locally in this computer, but it won't have this verbose option. It's an unknown flag. But let's execute this command and we have pretty detailed configuration options here. We can see that Cilium is OK. These are reported by the CLI itself. We can check the allocated addresses. We have the control status for all the components. We have all of them in a healthy state. And we can also find details about the Q-proxy replacement. These are the configurations that we specified when we passed those set options to our Helm installation. OK, let's move forward to the next lab, because in this lab we just deployed Cilium and basically that's it. If you are ready, we can click check. This in the background will check all the previous steps that I just performed, and if everything is fine, we can move to the next lab. In the next lab we will deploy the famous Book Info demo application. You might have already know about this application if you use Istio. OK, if you are not really familiar with Book Info, let's take a quick look at what Book Info is. It's basically a demo application. It contains multiple microservices. For example, we have the product page. The product page is our front end. We will interact with this front end, and this front end will interact with the other microservices. We have three Java services. It's called Reviews version 1, version 2, and version 3. The only difference between these versions is the color of the stars that you can see for each book that's included in the platform. Version 2 has black stars, and version 3 has red stars, and version 1 has no stars at all. These Java services are also connected to an OGS service. It's called Ratings. As you can see, the ratings are important for the cases when you have the stars, because that's the actual rating. And we also have a detailed service that's written in Ruby. So let's deploy this set of microservices. We are creating a new namespace. It's called Bookinfo, and we are applying these YAML files. We will also access this product page ourselves. So we will need to patch the actual service and set its type to load balancer. Originally, it's cluster IP, so you cannot access it. But if you patch it with this config option, it will have a load balanced address. And if you go to this tab called Bookinfo, you will see the actual Bookinfo application. An important thing to mention is you should always use this refresh button during the workshop. This will reload, refresh your actual tab that you have here. Please do not use this, because that will reload instruct itself, and you will have to start from, well, not the beginning, but it's better to use this because that's really for this purpose to refresh the actual webpage. We have black stars currently, so that's version two. You can also check this update at the bottom. Okay, if we are ready, we can also hit check and go to the second, the third lab. Across these labs, we are still using the same environment that we initially created. So we just deployed the Cilium CNI, and we just deployed an application. The next section will be about load balancing. That's one of the use cases that Cilium can have it. So let's take a look at this. First, let's check the reviews service. As you can see, it's a cluster IP. It's called reviews. It has actually a cluster IP, and it's using this port. Now, let's take a look at the reviews spots. We can see three different pots, version one, version two, and version three. And these are the IPs of these pots. Behind the scenes, this cluster IP is being load balanced across these IPs. This is how Kubernetes is working by default under the hood. Normally, Qproxy is taking care of these, but you can also have Cilium to help you with load balancing across ports and services. So let's run the next command and check the Cilium load balancing list. As you can see, we are again using the Cilium pod and using that CLI. We have these options, Cilium, BPF, then LB. LB means load balancing. That's the load balancing configuration, and I also passed list to check the actual addresses that is load-balancing, that is performing load balance. If we go back a bit, we can see that that was the actual cluster IP of our service, and these are the actual IPs of the pots. Basically, in Cilium you have the service address, and you have all these backend addresses attached to it. Let's take a look at our nodes. If you pass the wide option, you will see the actual internal IP of each of your nodes. And if we execute the next command again, we can list all the BPF tunnels. It's similar than before, but now we are not listing the load balancing configuration, but the tunnels. Currently, in this setup, we are on the master. This is the actual master node, and we have the worker one and worker two machines. If you are on the actual master machine and you query the tunnel list, you will see that you have tunnel to the other nodes in your Kubernetes cluster. So you can see that 67 is the actual master, and we have 69 and 66 here, because that's needed for internal communication. If we finished everything, we can click next again, and move to the next session. This will be about main concepts. For this, let me quickly jump back to the presentation. For a side slide or two. One of the main concepts that we will introduce here are endpoints and identities. If you are using Silium, you have a single endpoint per Kubernetes ports, and you also have an identity ID for all of your endpoints, and this identity ID is derived from your actual Kubernetes labels that you have on your ports. You can find some examples on the slide, but basically the labels will decide the identity of your entity. If you have two ports in a single deployment, for example, if you are scaling out horizontally your application, then it will generate two endpoints, but the identity ID will remain the same. That's a quite elegant way to solve this, because as you may have already know, the actual pod names in your Kubernetes cluster are not that important, are not that unique. Actually they are unique, but they can contain random characters as well, and the labels provide a very nice way, and nice and elegant way to annotate your actual workload. So using labels is a very nice solution for this purpose. You can also check this Silium documentation here about the terminology. It has some other concepts introduced as well, but here we are just talking about the endpoints and identities, because these will be important for the next few labs that we will have here. So let's go back to the actual lab. If we execute the first command, that will scale our details version one deployment to two replicas. By default, all the booking for applications are running with a single replica. In the real world, you most probably have deployments running with multiple replica to have higher availability. So now that we have the details version one scaled to two pods, we can check the Silium endpoints in the booking for namespace. As you can see, booking for is the namespace that has our application. If we search for details version one, we will see that we have a pod here, and details version one is the first one. So we have these two different pods, and if you check the identity ID, you can see that it's the same. It's two, four, one, and 89. We also have these SVC-LB identities and points here. You don't need to care about them. Those are just there because behind the scene, those are used to port forward these applications in Instruct. So if this workshop current running on Instruct, you would only have the reviews, product page, and details applications. These are only needed for this particular environment. So back to the identity ID. As you can see, these are the same, but you have two different pods. We can scale it down to a single replica, and we can check the product page endpoint. Product page is our front end, as I mentioned earlier. We can use the celium endpoints. That's a Kubernetes CRD. So you can actually interact with your celium 2Ds, CRDs. If you use this and you filter for your product page application, then you can have all these details about your celium endpoint. As you can see, it's called product page. That's the actual application. You have the ID here, you have the identity ID here. And this identity, as I mentioned, is created from all these labels that you would have for your actual application. You can check the other identities in your cluster. You can do something like cube, CTL, get, celium identities. We also have auto-complete, so you don't need to type these out. You can just tab and execute the actual command. These are all the identities that we have in our current cluster. We can see that we have three in the cube system namespace and a few more in the booking for because we have multiple versions of certain services running. OK. We can also get these labels and details about the identity by checking each and every one of these by the actual identity. So we can do something like cube, CTL, get, celium identity. And if you use one of the IDs and choose your model, you can get the same set of data. So basically, you will see the labels that created this entity. We can click next after we finish this. The next part will be observality. For this, I have a slide, a single one, again. Observality in celium is basically done with Hubble. Hubble contains multiple components. We have the Hubble UI. That's the actual UI that you can see on this slide. And we also have relay components. We will talk about them in a bit. Hubble is created to give you detailed insight into the actual state of the cluster. You have celium running goal. And we will check exactly this in the next lab. So let's go back to the observatory lab. As I mentioned, we are still running the same environment, the same nodes, the same ports everywhere when we started. So to enable Hubble, we will need to upgrade the celium installation that we have. We can run celium status again and we will see that Hubble is disabled. To enable it, you can use the next snippet. We have a few things there, basically, we are just upgrading the existing celium, which is using the upstream celium time chart with the same version. And the important thing here is that we enable the metrics for DNS, drop packages, TCP, flows, ICMP, and HTTP. You can fine tune this list if you are not interested in all of these when you enable Hubble. Additionally, we are enabling the relay component and the Hubble UI and Prometheus. Let's hit Enter and perform this upgrade. If we check the ports in the cube system, celium is always in the cube system, namespace. Actually, that's an interesting issue that we just discovered. Originality, we created this workshop with one of the RC versions of celium. But last week, at the end of last week, we upgraded it to the latest proper release. But with this version in this instruct environment, we can get to the state. It seems like almost a race condition in celium itself. We don't have these Hubble pots coming up, which is weird because we have the actual celium pots running. So, too, I'm not sure. Maybe some of you have this on your local laptop as well. Yes, we have at least one place where we got this. To work around this, we can delete the pots in the cube system namespace. And that will fix the issue. So, we can do something like cube CTL, delete pots, cube system. And maybe that should be it. We can pass the hole. OK. These will be deleted. We are using a fairly new version. So, we will probably look into this and open a GitHub issue and maybe even try to solve this. Because we didn't have this with the latest RC version. The pots should be deleted soon. I should have my prompt back after it's finished. Maybe I can terminate this command and we will be fine. Cube CTL get all cube system. OK, the pots are still terminating and some of them are in the container creating state. It will work, I promise. We can use watch to watch these, get pots, cube system. How many of you got this in your local laptop? One, two, three. OK, three at least. OK, I have another workaround because it looks like it's not working because... Oh, maybe it's working. No. Container creating. OK, so the other workaround that we can do is to use skip. Please only skip if you are stuck with the same state that I am in. All the other attendees can wait a tiny bit. If you click skip, instruct in the background will resolve this state and after that we can go back to this lab and actually finish it. Ah, OK. So if we change names with the cube system and we render the command again, it should work. So if you haven't clicked skip yet, that's also a very nice way to get unstuck. Thank you for the information. If you already clicked skip, then please follow me. If we can go start, then we can close this. If you close this, you can jump back to observability. And if we are back to observability, we can list the pots in a cube system. Do we have the pots coming up? OK, OK. We have them up and running. And now I think I can perform the actual upgrade. Hopefully it should work. So we can, yes, it worked. We have the Hubble relay and the Hubble UI up and running. So sorry about this little incident. We can move forward with the workshop. So now basically we just upgraded Cilium in the cluster and now we have the Hubble components enabled. We will use the same method that we used earlier to patch the service of the Hubble UI. That's needed because we will access the actual UI. So execute the next command, which will patch the service to the load balancer type. And if you go to the Hubble UI, you should see the actual UI. After a little while, you will see all the namespaces in your cluster. You will see Book Info. You will see the cube system namespace. All of them will be here. We just need to wait a very little bit because, again, because of instruct by itself Cilium gets these pretty fast. What we will do after this is we will generate a small load in the cluster and we will check this load that we generated across the various components that we have in the cluster through the Hubble UI. This shouldn't take more than maybe one more minute. You will have all the namespaces that we set here and they will be also reset here. And yes, I have all the ports up and running. So I just checked that everything is working properly now. In the meantime, if you have questions, please feel free to ask those questions. While we are waiting, we can take a look at the load generator script that we have here. It's basically a for loop. It will create 25 requests and it's basically a curl and we will route these requests to the load balance port of product page on this port. OK, come on. Sorry. In system, they should already be there in the dood because traffic is already closed here as well. Yes, we are not waiting because of the, because we are waiting to check the load itself. We haven't run this script. We are just waiting because in this particular instruct environment, it takes a little time for Hubble to get all these data. But yes, you are right, if you were just waiting for the actual traffic that we generated, then we should have Q system there. So after it's ready, you should see something like this. You could see flows per second. You should see the number of the nodes that you have and your actual namespaces. So if you choose Book Info, we will see the content of Book Info. So this is a good time to run this script. We can go back to the first terminal and run this for loop. As you can see, these are the successful 200 response code requests that we generated. And if we refresh, there are some mosquito here. And if we check the actual load, we will see that the product page, which is our front end, that was the one that got our request, has other requests spanning out to the multiple review services. And some of the review services reached out to the details services. You can see all these data here. Let me quickly zoom a bit closer. You should see the destination service, the destination pod during the communication. We don't have L7 info here for layer 7. So this is basically a very nice way to quickly check the actual state of your cluster. These data are not, this data is not persisted. So you can just use this to check the actual state of your system that you have here. How you can get this data with the Hubble UI? The actual server part of Hubble is embedded into the Celium agent. The Celium agent is running as a demon set on every Kubernetes node that you have. And it's exposing all these metrics through GRPC. We can actually use GRPCer to check how this looks like. But basically, this is where the relay component comes into picture. Because, as I mentioned, the Celium agent is exposing all these metrics. It's running as a demon set everywhere. And because you have a distributed system running on multiple nodes, you need a relay component to consolidate all these into a single place to make it easier for the UI to expose all these data, to visualize all these data. So if you execute the next command, as you can see, it's the GRPCer image. And we will target this particular pass. It's called Get Flows. It will actually get all the flows that you currently have in your system. It will run for a while, because there are many communication happening in this given moment. But basically, in this format, it's exposed as GRPC. You can see the type of the connection. You can actually check the name of the nodes. You have timestamp there. So basically, that's what's behind all this Hubble visualization. You could also check all these by running the next command that will use the Celium CLI again. It will use the monitor sub command. And that's basically the same sets of data. We're just not accessing the raw GRPC interface. That's the CLI. So it's a nicer way to visualize all these data. But again, it's the same sets of data that's being visualized on the Hubble UI. What we could also do is that we can deploy a Prometheus. You can use the next command to do that. And if you have Prometheus exposed, we will have it exposed if we patch the service again to load balancer. We did this many time before. And if you check Grafana and check the dashboards, you should see, for example, the Hubble dashboard. And if you narrow it down and zoom in a bit, you can see the actual data visualized Prometheus metrics to Grafana. This is for Hubble. It can track the actual flows, spare nodes, the distribution of the traces. And it also has a few other components. For example, Celium operator. We don't need to save this. And this also exposes a few useful metrics about the actual operator. For example, we can see the CPUs each. And these are basically exposed as native Celium metrics, which is quite nice, because otherwise, without this, you would need to have, for example, a node exporter to get the same data. And that's an external dependency. So it's quite nice to expose the resources each metrics this way. If you were stuck with me with the previous step and you follow my worker end, then at this state, you wouldn't have the check button here. You only have the skip one. That's because if we skip to the lab, we cannot redo it. We can just view it, but we cannot actually skip again from it. So if you follow me, then click close. And if you didn't have an issue, then please click check. And you can follow the workshop that way. So I will close this. And we can move to the security lab, which is the next one. Response times. Or is there anything that is not possible in Celium here, which is probably just for the enterprise or something like that? Yes, that's basically you can get latency metrics as well with Celium. You can get these with EBPF. Another way to get this is using Layer 7 components, for example, ServiceMesh. And you can have all these data. Yes, the Layer 7 metrics are part of the Celium Enterprise package. We are just using the open source version here to showcase the power of the open source version. Thanks. OK, sorry, I didn't get the actual question. Yes. With Kiali, you are basically just leveraging the Prometheus metrics behind the scenes. So you have to have a Prometheus. And Kiali is just there to visualize all this in a nice way. It's basically like Hubble for Istio. We can sort of say that. OK, the next lab is about level 3 and level 4 security. And this is one of the greatest benefits of using EBPF-based CNI, like Celium, to have multi-layered security in your extra cluster. We will take a look at different levels, 3 and level 4 policies here. And in the next lab, we will check Layer 7. And we can compare them, what's the benefit, what's different with using these different policies. Again, I have a link to the upstream Celium documentation. There are many examples here. Basically, we can see label-based approaches. We have some examples, actual ML5s that you can execute for simple use cases. For example, if you just want to, let me quickly zoom a bit. If you just want to allow communication from the endpoints of the front end to the actual back end, you can do something like this. And this is Layer 3, because we didn't even specify the actual port here. Let me quickly go back to my presentation. I think I should have, or maybe I don't have it. If I don't have it, I can quickly get the OCI layers. Some of you may have already know about this, but let me quickly go on. Yes, so we have the physical layer at the bottom. Then we have the data link layer. And if we go up, we will reach the application layer. Application layer is layer 7. That's where the actual application-facing requests are happening. And Layer 3 and Layer 4 are there for transmission. The actual transmission of the package is using TCP and UDP. And at Layer 4, we can actually use the ports to route our traffic. So if we go back to our lab, we can check these examples in action. So let's use this first snippet. That will be a Layer 4 policy. We know that it's Layer 4, because we have the port here. Without this, if you don't specify the port, you can just limit the connection between the two services. And as the documentation mentions, it's a label-based. So you can use these match labels that you are most probably already familiar from Kubernetes and limit the actual, or set up the actual policy there. But here we are also defining the port and the protocol. Let's apply this. And at this point, if we try to run the next command, which will, again, occur call, and that will call the review service, if you execute it, you actually won't see anything happening. And that's because we are at Layer 4 and there's no real convenient way to report back that why it's failed. We are basically dropping the packages. So it's the expected result currently to see this, but you don't see any feedback of what happened. So if you are not familiar with what's happening behind the scene, it might be a bit hard to troubleshoot this particular case. But if you run the next command in the next terminal, we have two terminals, then this will call the CLEO monitor and it will, we edit this type, it's type drop. So when we have a dropped packet, we should be able to catch this terminal. So if we go back to terminal 1 and execute this request command again, we should see that in terminal 2 we have an info level message, it's xx drop, policy denied, because we have a policy denied and we can also see that this is the endpoint that got this request. We also can see that identity 2419 had a request to identity 8972. You can also have the IP addresses and it was a TCP scene. It was in the scene phase. So actually with this you can check where the packets are being dropped. And we have a few other communication happening in the background, so if you leave it like this, you can see some more connections or packets being dropped. If you want to check the actual identity of... Let's take this first because I know it's my identity. So let's copy this. You will have a different identity in your laptop, but I'm using this first one. And we can execute the second command, the next command, but replace it with our desired identity. It's the serial identity get. You could also get the same with using the CRD that we did earlier. 2419, in my case, 2419. And I made a mistake, 2419. Maybe that was a connection that was not related to... Oh, yeah, there's an 8, yes. And yes, we have it. It's the details application. Great. This is where we originated our request. Thank you. As I mentioned, you could also use the Serium CRDs. So here we use the Serium CLI running in the pod, but you can also use the Serium Endpoints and Serium Identities if you prefer that way of interacting with your Kubernetes resources. If you think that getting 403 response code would be much better in this case, then we can see what the level 7 policies can offer us to have. So let's click next and go to the final lab. OK, so in this lab, we will take a look at how Serium handles the level 7 natural policies because it might not be what you would expect by yourself, originally. So let's run the first command. That's a quite long command that will list the processes that is currently running in the Serium pods. You can see that we have... We got this two times because it's running on two different nodes in the system. We can see that we have the Serium agent, that's the actual Serium agent, and we have the Serium has responder, which is basically just there to report back based on the has of the actual components. So let's apply another policy, but this time a layer 7 policy. This is the policy that we will apply. As you will see, it's layer 7 because we are specifying pass and HTTP rules. If we didn't specify this and just use the port and protocol, then that's layer 4. And if we didn't specify the actual protocol and port and just reference the services based on labels, then that would be layer 3, as I mentioned earlier. But with this layer 7 example, it's quite nice to peel it back and check what makes it layer 7 or layer 4. So let's apply this policy. We have it applied, and let's run the command again that we run initially. The output here is a bit different because we can see that we have a Serium Envoy process running. And that's running there because Envoy is needed to enforce the layer 7 policies. Envoy is basically, Envoy can have filter chain. If you are familiar with Envoy, you may have already know that. You can have a filter chain and you can use these to get all these enforced quite elegantly. If we execute the next command, in this case, we should get a 4.0.3 because that's layer 7. And on layer 7, you are at that level on the OCI layers that you can get a response like this. The interesting thing to mention here, if we take a look at the actual natural policy that we applied, we had to create this fake rule here. It's called NoPersonLabd. That's currently needed because in Serium there's no real support for deny policies at layer 7. You can actually check the documentation and you can have these at lower layers, but at layer 7 you don't really have this. Deny policies are just on layer 4 and layer 3. So you can work this around by creating a rule like this to have denys, but it's not natively supported currently. We can run the next snippet. It's not even a command. We can call it a snippet because it's quite huge, but it will take a bit before it can actually run because it will need to download a few packages. But with this snippet we can take a look into the layer 7 policy under the hood, how the filter chains are put together in this example. If you are impatient, you can scroll a bit down and have the spoiler for the actual output, but it shouldn't take long. In the meantime, I'm being messaged on the tab where I opened the OCI model. Maybe there's some bot there, so I think I will close that tab. In the recommendation for... In the incubanet environment where pods go up and down easily, the identity could be mistaken? Yes, because it's, as I mentioned, it's an agent way to leverage the labels for identity, but there might be cases when you have, for example, you have a fresh deploy for your application and you have new pods coming up, and there might be edge cases when the identity can be mistaken because it's only based on the actual labels and it's not performed by... by a solution that can avoid to make this happen. So that's an edge case that it might be good to know about if you run it in production. OK, I think I might... Maybe there's some similar connection. Has the command ran for you? Yeah, OK, so maybe it's just my case, but basically, we can use this t-pad here and check how the policies are in voice bar by Envoy. If you are familiar with Envoy filters, most of this logic will be also familiar to you. You can see the... Ah, OK, I also... I also have it in the meantime. So you can see the actual endpoint IDs and endpoint IPs and you can see the policy per ingress in this case. If you run the next command, it's again, Celium Monitor, but here we are filtering for layer 7 communication. So this command will monitor the level 7 traffic. So if we go to the Book Info because we exposed this and hit a few refresh and go back to our terminal, we should see the flows. Yes, we have the flows here. To have more detailed insights into this layer 7 communication, you can also annotate your pods to have these detailed insights into. So let's use the next command and that will, as you can see, it will increase the visibility for your Celium proxy on this particular pass and port. So if you apply it and if you refresh Book Info, what should be different in this case is that you should have... where was my command? You should have events for the details from the details service as well. Let me quickly refresh this. OK, it might have been broken, but if I use this, OK, refresh. And if you look into it, you should see that we have the actual request forwarded to these details and this port. So it's actually working. I think basically that was all the workshop that we have for you today. We can quickly jump back to the presentation for a few final slides. We talked about network policies, how the default policy enforcement model is all communication allowed by default and if you have a single ingress rule, then it will be denied by default. So it's basically a low listing of your connections, which can add a nice layer to your security posture. And these are taken from the upstream Celium documentation. This can show how the local communication and the egress communication is working. You can explore these at your own convenience via the upstream documentation. And at the end, a few words about SOLO. Basically, we will have the 2.1 glumash version coming out soon. And basically, originally, we had the glue gateway, the glumash. But now we have this glue network, which basically can control and contain Celium as a CNI. So we can have the whole stack together. And we also have support for GraphQL specific use cases. But basically, this is a nice flow to manage the whole lifecycle of all of your networking components. The goal of glue network is basically to have defense in-damped. We have support for Celium and other CNIs. So we can have security and metrics on different layers to provide a better way of operating reliability reliably and efficiently your applications. Our UI will also include the Celium specific details. So we can see that our glue platform can discover your CNI that's running in your cluster. And we can also manage its lifecycle so you can actually migrate from a different CNI to Celium, let's say, for example, to have all of these components in your cluster. So thank you for joining this session. And let me show you this link because we have the academy.solo.io. We like doing workshops. We have many open source solutions that we are introducing through workshops. Some of these are instructor-led and some of these are on demand and you can basically execute them at your own planes. For example, we have the new ambient mesh workshop there. We have the Celium workshop. We have an EBPF workshop. We will have another one pretty soon. And we also have an envoy workshop. So make sure to check these out. And feel free to join our community structure and ask questions about the technologies we are working with and the products that we have. So thank you again for joining me today.