Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1235

bpfman for eBPF Program Security and Management - Tech Preview

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-1233eBPF Program Security and Management
    • 0% To Do, 17% In Progress, 83% Done
    • 0
    • Program Call
    • Red Hat OpenShift Networking

      Feature Overview (aka. Goal Summary)  

      bpfman is both an eBPF program gatekeeper and manager developed by Red Hat Office of the CTO (OCTO).

      The desired outcome of this work is to:

      • continue the tech transfer from OCTO to the OpenShift SDN team so the latter can continue to develop and support bpfman as the OCTO team disengages from the project
      • provide a Technical Preview of bpfman for OpenShift

      Goals (aka. expected user outcomes)

      Deliver a Technology Preview of bpfman in OpenShift to manage and secure OpenShift's own eBPF deployments and fully support its use for customers eBPF programs.

      Technology transfer from OCTO to OpenShift SDN the knowledge necessary to continue development of and provide support for bpfman.

      Requirements (aka. Acceptance Criteria):

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both  
      Classic (standalone cluster)  
      Hosted control planes  
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)  
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)  
      Other (please specify)  

      Use Cases (Optional):

      • eBPF program gatekeeper (RBAC-like control on what programs can do and see in kernel space)
      • eBPF program manager
      • ensure the secure deployment of eBPF applications
      • provides insights on eBPF program utilization

      Questions to Answer (Optional):

      Out of Scope

      Background

      It is currently in a sandbox queue to become a CNCF incubator project and is going to be the default in Fedora 30 for this purpose. Currently, it is the only viable project with the goal of both ensuring the secure deployment of eBPF applications and providing insights on eBPF program utilization within an OpenShift cluster.

      At the time of this writing, OpenShift is using eBPF programs in 3 components of OpenShift:

      • ACS
      • Ingress Node Firewall
      • Network Observability Operator.

      Customer Considerations

      Documentation Considerations

      Interoperability Considerations

      bpfman is targeting management of eBPF use in existing OpenShift components:

      • Advanced Cluster Security (ACS)
      • Ingres Node Firewall
      • Network Observability Operator

              mcurry@redhat.com Marc Curry
              mcurry@redhat.com Marc Curry
              Andrew McDermott, Andrew Stoycos (Inactive), Dave Gordon, Dave Tucker, Mohamed Mahmoud
              Mohamed Mahmoud Mohamed Mahmoud
              Weibin Liang Weibin Liang
              Ashley Hardin Ashley Hardin
              Ben Bennett Ben Bennett
              Dave Tucker Dave Tucker
              Marc Curry Marc Curry
              Chris Fields Chris Fields
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: