Shall we start? Let's do it. Thank you everyone for being here this afternoon. If you have got a seat next to you, raise your hand. I know there are some people outside. I think you've done an awesome job of packing yourselves in beautifully. Thank you for being here. Thank you everyone who's tried to come in. Hopefully you're going to watch on YouTube later. Catch up with all the latest updates from the Cilium project. Can we start with a quick show of hands?
We have just released, a few weeks ago, Cilium 1.15. There are a ton of great new features in that release, including the Gateway API support. Anyone here using Gateway API already? I think it's a pretty hot topic in the service mesh world. It's a really nice innovation, kind of replacing Ingress with lots more flexibility and new features for routing ingress traffic. There are quite a few security improvements in 1.15, things like session authentication for BGP sessions. There have been a ton of contributions in Hubble helping you debug network problems. There's also a contribution of a new provider so that you can install Cilium with Terraform or OpenTofu. There are lots of scaling and performance improvements. One particular one that I think is nice is the ability for Cluster Mesh to handle more than 500 clusters, so that's very cool. I mentioned this already, the 1.0 release of Tetragon. I had this really nice little graph here showing how low the performance overhead is for Tetragon, even compared to other eBPF-based solutions, because of the fact that we can filter inside the kernel. Another thing that happened this week that was new was our first ever in-person Cilium developer summit.
We had participants, folks who were really active, committers and developers from, what's that, eight, nine different companies. Big thanks to Datadog for hosting us in their beautiful offices in Paris. I heard nothing but amazing feedback for how much that group of people were able to do during that one day. Can we give a round of applause for Datadog for supporting that? That's a very, very quick update on what's been happening in the Cilium project. I think it's now time to introduce the first of our guest speakers. Nico, from White Duck, I'm not going to attempt to say your surname, I've bottled it, to talk about using Cilium in the wild. Welcome, Nico.

Hi, everyone. A short introduction of mine, so it's Meisenzahl, so it's Nico Meisenzahl, I'm from Germany, sorry. So basically, I will not do a quick introduction, it's just about, so we are helping our customers building cloud native applications, running them, bringing them into the cloud, or even modernising applications. This is basically the context I'm planning to talk about today. So I have, I think, three slides with some examples where Cilium can really help you or help our customers to reduce complexity, which is always a good thing, I guess. Yeah, so first one. Liz already mentioned Gateway API, and this is really great, so Gateway API, you know, it's basically the rising star to somehow get traffic routed to your applications or expose your application in a Kubernetes cluster. We are all used to Ingress, and Gateway API is really the next step, and basically I guess every one of us will move there somehow soon. Yeah, and as mentioned, application ingress into a cluster is really a crucial component, so it's really good, or a good thing, to make sure that it's easy, maintainable, so that you don't bring in multiple tools, different integrations and so on. And then, you know, I don't know, 10, 15 different tools doing something in your cluster.
If you shrink down the number, it's just easier to maintain, to operate clusters, thinking about day-two operations, for example. Yeah, and Cilium, with the support now for Gateway API going to 1.0, it's basically the perfect fit. So you have Cilium in your cluster anyway to do all the networking, the CNI stuff, so you can just use it for the ingress of your application. You don't need a second tool, another deployment, you don't need to maintain different things, so just your Cilium and you're fine out of the box. It just makes things easier. Yeah, next one is, once again, Tetragon, also mentioned some minutes ago. It's all about container runtime security and the baseline for your container runtime. So if you talk about container security, or just security in common, to be honest, most companies out there do not care at all. It's basically the same as with testing. You need money to do it. You need people to maintain it and you don't get any features, which is basically a bad idea. So it's really, really important to at least get some baseline best practices into your cluster. And Tetragon can really help you here to make sure that stuff running on your cluster is secure. Or even if something is running in your cluster that shouldn't run in your cluster, to be aware of it and possibly also block it. Yeah, and on the other hand, security needs to be easy, otherwise nobody will invest in security. So it's really crucial to get the best practices into your cluster pretty easily. And this is really great with the last release. We got the default observability policies, a real game changer. You have all the policies you need. You can just apply them to your cluster or you customise them to your needs, but you have really a baseline to start with. So it's getting really, really easy to secure your container runtime. So big shout out to this feature. We waited so long for it.
Last but not least, as you saw on my introduction slides, I'm basically working in the cloud with managed offerings, but still, there, updating and maintaining clusters can be a pain. They have such complex dependencies. You need to think about updating a cluster. So it's a good idea to really treat your clusters like cattle and not pets, like we did with virtual machines earlier, like we do with our container images or containers. So really, instead of updating them, just delete them, bring up new ones. And Cilium can also help with that one. And here I'm talking about the Cilium Cluster Mesh feature, which allows you to integrate different clusters, and then route traffic between those clusters. You can think about A/B deployments, for example, blue-green deployments. So you have multiple clusters and the services can talk to each other. So with that in place, you can think about, in this example, building, for example, stateless clusters. Let's think about APIs running in your cluster, or even front-ends, and you need a database. You can bring the database to a stateful cluster, which maybe doesn't need to be so flexible, like the cluster where other workloads run on it, and you can just then use stateless clusters and redeploy them all the time. And you just have one cluster with a state which might be more complex, but it's maybe also more stable than your workload clusters, and then basically delete your clusters, bring in new ones and route the traffic to the stateful cluster. Also a really, really helpful feature here. So just a quick overview of some of the things we're doing with Cilium and our customers to make life easier for us and also for our customers. And with this, I would end my five minutes, hopefully, and hand over to the next one. So, thank you for making it.

And our next speaker is from a company that has been a really long-time user of Cilium, and Vlad has been a contributor, a committer and a user for quite some time.
So I'm looking forward to hearing about his experiences with Cilium. Please welcome Vlad from Palantir.

Okay, does it work? Yep, perfect. So my name is Vlad. I'm an engineering lead at Palantir. I've been at Palantir for almost nine years now and a Cilium committer since, I think, 2019. At Palantir, I mostly work with the teams that manage our K8s offerings. We deploy on commercial cloud, classified cloud, on-premise and edge. I won't spend much time on what Palantir is doing. You can Google that, but the one line is that we're developing software that helps commercial entities and governments make better sense of their data. This talk is going to be our history on how we picked up Cilium, how we are using Cilium and how our journey evolved with the Cilium community. So everything started around 2015 for Palantir when we launched our initial SaaS platform. That was basically built on top of VMs, managed with Puppet and a lot of old-school tech. In 2017 we decided we wanted the change, so we switched to running everything on K8s. Now we're available on all the major hyperscalers and basically on-premise and edge as well. We picked up Cilium in 2018. So the K8s journey for Palantir started in 2017 when we decided to re-architect everything. Initially, the journey with Cilium started from a very simple premise and evolved over time organically. Our initial CNI that we deployed in our K8s clusters was Calico, but it had quite a few drawbacks. Two of them were, first, lack of network policy support, and the second one was that it was very hard for us to understand what's happening inside the cluster network layer. In 2018 we discovered Cilium at KubeCon North America in Seattle. We started talking with Thomas about how we could port our platform over to Cilium. We wanted better observability from our platform, so Palantir and the Cilium community decided together to build what evolved into being the Amazon ENI routing mode.
This allowed basically each pod to get a VPC IP, like a native VPC IP, and the routing was handled by the cloud provider in our case. So we did that, we converted to using Cilium and then it was time to flip the flag to enable policy support. So we started using L3, L4 policies and then we moved into DNS-based filtering using toFQDNs policies. 2019 brought new challenges along with it as well. We did a few Cilium upgrades and pretty quickly we found that Palantir, for better or worse, is a very good stress tester for the Cilium agent itself. So to define our clusters I would use just the word entropy. We have a lot of node entropy, nodes come and go very fast, pods come and go very fast and also network policies come and go very fast. And all of that at a very high scale and with a lot of churn as well inside the cluster. So this quickly exposed a lot of hot paths in the Cilium agent and Cilium operator itself. So together Palantir and Cilium committers worked on delivering fixes for these. 2019 was an interesting year for Palantir. We decided to embark on achieving our FedRAMP accreditation. I won't go into details like what FedRAMP is, but one piece of the accreditation procedure, one requirement, is that all your traffic needs to be encrypted with a FIPS-validated cipher. So those who have dealt with FIPS know how much trouble this is. Again we turned our eyes to Cilium and decided to give the IPsec encryption feature a try. In the end it allowed us to pass the audits with flying colours and we didn't have to do any major re-architecture of our platform, like recompiling binaries to use a FIPS version of OpenSSL and other things like deploying sidecars to encrypt the traffic. We gave a talk at KubeCon Chicago about this, so just Google Palantir and FedRAMP compliance, KubeCon, and you're going to find more details about it. In 2020 we decided to take on a more ambitious project.
Over time we realised that old-school security tooling doesn't really work with Kubernetes. One tool that we use in our clusters is called osquery. It's a tool open sourced by Meta and it's basically an endpoint detection and response tool. So if you look at the logs of osquery to see what activity or processes do on a host, you're going to see that they don't have any pod or container information. Everything seems to be coming from different process IDs but the same binaries. So I don't have any K8s information associated with that. At that point in time Isovalent internally was working on a tool called HubLift. Yes, that's basically the early name for Tetragon, and the tool was designed to just give security teams a better overview of the activity that's happening in their clusters. Our goal was to have an end-to-end auditing process for the events happening in the cluster. One question we wanted to answer is, for example, if we see a process doing some malicious activity, what service account or what image was running inside the cluster that was doing that activity. In 2021 we started expanding our footprint. We added support for other big hyperscalers like GCP and Azure into our offering. And we started to convert our on-premise fleet as well to K8s. So given how well the partnership with Cilium evolved over time, we're basically taking the CNI and its friends everywhere we're heading. I want to take some time to explain in more detail how we use Hubble and Tetragon at Palantir. So our platform is composed of around 100-plus microservices. And when we started our cloud journey we decided that we needed to have a better way of deploying these things to production. So we created internally a way for products to declare how much CPU, disk and memory they need, but also we gave them a way to declare what other services they need to talk to.
So for example microservice A can say I need to talk to microservice B over some port. If you take this one step further you realise that soon you have a graph of all the network communication that should happen inside your cluster. Using Hubble, so before that, given how we have the graph, we also decided to build a tool internally that automatically creates Cilium network policies to secure this traffic. So now with Hubble you can observe all this traffic, and if you see any drop in the data path you can assess two things. Either we have a bug in our tool that creates CNPs, we did something wrong over there, or there's malicious activity inside our cluster. So this covers the network observability piece. On the runtime observability piece we use Tetragon to observe syscalls that are happening inside the cluster. So we're very interested in, for example, open, close, connect, send syscalls. We also observe socket activity that happens on our hosts. So with this our InfoSec team basically has superpowers to see end-to-end tracing of what's happening inside the clusters. That's all for me and now we're going to Christine.

All right. I'm not as tall as you are, so. I'm going to be talking about Cilium's mutual authentication. So this was something that the Cilium team introduced a couple of releases ago and a lot of work has gone into it, and I'm going to go over what it is and what's beyond. So as a recap, Cilium has this concept of Cilium identities. So a set of labels on a pod group. They can actually group workloads together, and using these identities is how Cilium makes policy decisions. And so before identity A workloads can communicate with identity B workloads, you want to address some of these concerns, like are we authenticated? Are you who you say you are? Are we authorised? Are we even allowed to be communicating with each other? And lastly, is our data protected or encrypted? So mutual authentication addresses the first concern.
So now with mutual auth we have authorisation there, and then network policies are something that Cilium has always performed really well with, and they're really robust, and lastly encryption, so for example WireGuard. And so when you install Cilium with mutual auth enabled, a Cilium SPIFFE/SPIRE server is deployed in your cluster and a per-node SPIRE agent gets its own identity from the SPIRE server. And so when a connection is initiated between Cilium identity A and identity B, a policy check is completed for mutual authentication. And if that passes from the Cilium agents, communication can flow encrypted, for example with WireGuard here. So what does it look like just to get started? So first off I'm showing you the Cilium CLI tools, but this can also be enabled with Helm, so very easy and lightweight. So first you've got to install Cilium with version 1.15 and enable WireGuard encryption. And so once that's provisioned, you make sure you enable mutual authentication with these install flags, either again through Helm or the Cilium CLI. And then once that passes, you just have to create a Cilium network policy. So you can really see how transparent, easy, lightweight it is. You just have to add those two lines of YAML, the authentication mode required, and you have mutual authentication. And so what's beyond, what's next for mutual authentication? So this is where we need your help. So we'd like to improve and harden this feature as usual. Last year concerns of the community were raised on potential corner edge use cases, essentially IP cache manipulation, spoofing. And so there's a CFP link here on this slide and it outlines mitigations on this potential threat and there are two proposals outlined here. So the first one is to use Cilium 1.15, like I showed on the previous slide, where WireGuard encapsulates packets with VXLAN, adding the Cilium ID in the header, so source spoofing is not possible.
And then the second one is to use a new per-connection mode, which would leverage the conntrack table, adding two bits for auth required and auth completed. So please read this, we need your help, we would like to make this feature better for you guys. So also if you'd like to just keep track of the issue, if you don't want to read the CFP per se, you can keep up to date with any new improvements on this one, issue #28986. And then there's also this new blog post that's been posted live today. So check that out if you'd like to read more about it and stay up to date. And last off, I'll hand it back to Liz.

Yeah, with everything in Cilium, we're always keen to get feedback, we're keen to hear about how things are working in your production environment. So yeah, we'd love feedback, particularly on how this mutual authentication is working for you, and on some of the mitigations that are laid out in that blog post, we'd love your feedback. OK, so I can't see what you've got. Yes, the slide is talking about developer meetings, that's good. We have a weekly meeting, we've been having a weekly developer meeting for a very long time on Wednesdays, and probably about a year ago we started doing an Asia Pacific friendly time zone as well, which happens monthly. And we've just held the first of the monthly Tetragon meetings, those happen on the second Monday of every month. You'll find the agendas, all the details about those, in the READMEs for the Cilium project or the Tetragon project. And if you want to come along, if there's a topic you want to add, simply add it into the document that you'll find linked from the README. And you'll be on the agenda, and it's a friendly crowd who would love to hear what it is that you are interested in developing or the problem that you think needs solving. And yeah, it's a friendly group.
We also have the contributor ladder, so if you are new to the community and you want to get involved, particularly on the coding side, the steps towards becoming a committer are all laid out in the community repo within the organisation. We also very much appreciate when people have non-code contributions to make. So if you're interested in writing a blog post, or you want to just tell us about a blog post or a talk that you've done that's related to Cilium, we'd love to support that. We'd love to help amplify your stories. I mean, as you can see, there are quite a lot of people who are interested in Cilium. So I think it's great if we can facilitate you sharing those stories with each other. If you are using Cilium and you would like to write or be interviewed for a case study, then there's a form on cilium.io you can fill in, or you can just reach out to us through the Slack channel to say, yeah, we'd love to do a case study, because we really like to hear about how people are using Cilium in the wild. How you found it, what benefits you've had, maybe what problems you encountered along the way as well. So we want to hear those case studies and we'd be delighted to publish those on the website. So I think that is all the updates we had for today. If you're not already in the Cilium and eBPF Slack, then do join us there. You'll find everything on GitHub under Cilium or through cilium.io. We'd love to hear your thoughts on this session, and I think we should just give a round of applause to all our speakers again. And we've probably got a couple of minutes for questions if you have any, I think. Oh yes, I should mention, I have been reminded to mention that there is of course a Cilium booth in the Project Pavilion. So that's another great place to come and chat, meet the people who are working on the code, come and get involved. Thank you so much.
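The two kinds of policy discussed in the session, the L3/L4 plus toFQDNs egress filtering Vlad describes and the ingress rule with the "two lines of YAML" for mutual authentication that Christine walks through, combined into one CiliumNetworkPolicy as an added example. This is not a slide from the talk nor a file from the Cilium project; the namespace, the app labels and the external hostname are made up for illustration, and the Helm values quoted in the comments are the ones used to turn on WireGuard and SPIRE-backed mutual authentication in Cilium 1.15 (verify them against the documentation for the version you run).

```yaml
# Added example, not from the talk or the Cilium project.
# Assumed names: namespace "shop", workloads app=frontend and app=api,
# external dependency api.example.com.
#
# Prerequisite install (Helm values, as enabled on the slides for 1.15):
#   encryption.enabled=true  encryption.type=wireguard
#   authentication.mutual.spire.enabled=true
#   authentication.mutual.spire.install.enabled=true
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
  namespace: shop
spec:
  # Once a policy selects an endpoint, everything not listed below is dropped,
  # so the egress section must also allow DNS or toFQDNs can never resolve.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    # L3/L4: only frontend pods may reach the API, and only on TCP/8080.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
      # The two lines Christine mentions: the agents on both nodes complete the
      # SPIFFE/SPIRE handshake before the datapath lets the first packet through.
      # Until then, Hubble shows the flow as dropped with an auth-required verdict.
      authentication:
        mode: required
  egress:
    # Allow lookups to kube-dns and have Cilium's DNS proxy record the answers;
    # that is how a toFQDNs rule learns which IPs it may allow.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # DNS-based egress filtering as Vlad describes: this name on TCP/443 only.
    - toFQDNs:
        - matchName: api.example.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Apply it with `kubectl apply -f` and then watch traffic with `hubble observe --namespace shop`: a frontend-to-api flow that fails the mutual-auth check, or an egress attempt to any host other than api.example.com, shows up as a drop, which is exactly the signal Vlad's team uses to tell a policy-generation bug apart from unexpected activity in the cluster.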