OCPSTRAT-1233 eBPF Program Security and Management
Feature
Resolution: Unresolved
Major
BU Product Work
100% To Do, 0% In Progress, 0% Done
07/25 Needs technical Enablement; Tech Preview in 4.17 and GA in 4.19
Red Hat OpenShift Networking
Feature Overview (aka. Goal Summary)
bpfman is both an eBPF program gatekeeper and an eBPF program manager, developed by the Red Hat Office of the CTO (OCTO).
The desired outcome of this work is to:
- complete the tech transfer from OCTO to the OpenShift SDN team so the latter can continue to develop and support bpfman as the OCTO team disengages from the project
- enable it for targeted OpenShift components that use eBPF programs
- fully support bpfman in OpenShift for customers to secure and manage their own eBPF programs
Goals (aka. expected user outcomes)
Deliver bpfman in OpenShift to manage and secure OpenShift's own eBPF deployments and fully support its use for customers' eBPF programs.
Complete the technology transfer from OCTO to OpenShift SDN of the knowledge necessary to continue development of, and provide support for, bpfman.
Requirements (aka. Acceptance Criteria):
Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it has been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, also provide the OCPSTRAT for the configuration that is to be supported in the future.
Deployment considerations | List applicable specific needs (N/A = not applicable) |
Self-managed, managed, or both | |
Classic (standalone cluster) | |
Hosted control planes | |
Multi node, Compact (three node), or Single node (SNO), or all | |
Connected / Restricted Network | |
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
Operator compatibility | |
Backport needed (list applicable versions) | |
UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
Other (please specify) | |
Use Cases (Optional):
- eBPF program gatekeeper (RBAC-like control on what programs can do and see in kernel space)
- eBPF program manager
  - ensures the secure deployment of eBPF applications
  - provides insights on eBPF program utilization
Questions to Answer (Optional):
Out of Scope
Background
bpfman is currently in a sandbox queue to become a CNCF incubator project and is going to be the default in Fedora 30 for this purpose. Currently, it is the only viable project with the goal of both ensuring the secure deployment of eBPF applications and providing insights on eBPF program utilization within an OpenShift cluster.
At the time of this writing, OpenShift is using eBPF programs in 3 components of OpenShift:
- ACS
- Ingress Node Firewall
- Network Observability Operator
Customer Considerations
Documentation Considerations
Interoperability Considerations
bpfman is targeting management of eBPF use in existing OpenShift components:
- Advanced Cluster Security (ACS)
- Ingress Node Firewall
- Network Observability Operator
Relates to:
- OCPSTRAT-1235 bpfman for eBPF Program Security and Management - Tech Preview (In Progress)
- OCPSTRAT-1234 bpfman for eBPF Program Security and Management - Dev Preview (Closed)