-
Feature
-
Resolution: Done
-
Major
-
None
-
BU Product Work
-
False
-
-
False
-
-
50% To Do, 0% In Progress, 50% Done
-
0
-
Program Call
-
sufficiently covered in docs
-
-
Red Hat OpenShift Networking
Feature Overview (aka. Goal Summary)
bpfman is both an eBPF program gatekeeper and manager developed by Red Hat Office of the CTO (OCTO).
The desired outcome of this work is to:
- begin the tech transfer from OCTO to the OpenShift SDN team so the latter can continue to develop and support bpfman as the OCTO team disengages from the project
- provide a Developer Preview of bpfman for OpenShift
- being testing its use for targeted eBPF use in OpenShift components
Goals (aka. expected user outcomes)
Deliver a Developer's Preview of bpfman in OpenShift that is capable of managing and securing OpenShift's own eBPF deployments as well as customers eBPF programs.
Technology transfer from OCTO to OpenShift SDN the knowledge necessary to continue development of and provide support for bpfman.
Requirements (aka. Acceptance Criteria):
- Developer Preview at OCP 4.16
Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| Self-managed, managed, or both | |
| Classic (standalone cluster) | |
| Hosted control planes | |
| Multi node, Compact (three node), or Single node (SNO), or all | |
| Connected / Restricted Network | |
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
| Operator compatibility | |
| Backport needed (list applicable versions) | |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
| Other (please specify) |
Use Cases (Optional):
- eBPF program gatekeeper (RBAC-like control on what programs can do and see in kernel space)
- eBPF program manager
- ensure the secure deployment of eBPF applications
- provides insights on eBPF program utilization
Questions to Answer (Optional):
- Resolve concern about is it’s ability to grow privilege from one node to another.
Out of Scope
- Technical Preview
- GA
Background
bpfman is currently in a sandbox queue to become a CNCF incubator project and is going to be the default in Fedora 30 for this purpose. Currently, it is the only viable project with the goal of both ensuring the secure deployment of eBPF applications and providing insights on eBPF program utilization within an OpenShift cluster.
At the time of this writing, OpenShift is using eBPF programs in 3 components of OpenShift:
- ACS
- Ingress Node Firewall
- Network Observability Operator.
Customer Considerations
Documentation Considerations
Interoperability Considerations
bpfman is targeting management of eBPF use in existing OpenShift components:
- Advanced Cluster Security (ACS)
- Ingres Node Firewall
- Network Observability Operator
- blocks
-
NETOBSERV-1535 [Documentation] Secondary bridge CNI interfaces not displayed by network observability
-
- Closed
-
- is related to
-
-
- New
-
- relates to
-
-
- In Progress
-
