Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1236

bpfman for eBPF Program Security and Management - GA

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • Networking
    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-1233eBPF Program Security and Management
    • 0
    • 0% 0%
    • 0
    • 0
    • Red Hat OpenShift Networking

      Feature Overview (aka. Goal Summary)  

      bpfman is both an eBPF program gatekeeper and manager developed by Red Hat Office of the CTO (OCTO).

      The desired outcome of this work is to:

      • complete the tech transfer from OCTO to the OpenShift SDN team so the latter can continue to develop and support bpfman as the OCTO team disengages from the project
      • enable it for targeted OpenShift components that use eBPF programs
      • fully support bpfman in OpenShift for customers to secure and manage their own eBPF programs

      Goals (aka. expected user outcomes)

      Deliver bpfman in OpenShift to manage and secure OpenShift's own eBPF deployments and fully support its use for customers eBPF programs.

      Complete the technology transfer from OCTO to OpenShift SDN the knowledge necessary to continue development of and provide support for bpfman.

      Requirements (aka. Acceptance Criteria):

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both  
      Classic (standalone cluster)  
      Hosted control planes  
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)  
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)  
      Other (please specify)  

      Use Cases (Optional):

      • eBPF program gatekeeper (RBAC-like control on what programs can do and see in kernel space)
      • eBPF program manager
      • ensure the secure deployment of eBPF applications
      • provides insights on eBPF program utilization

      Questions to Answer (Optional):

      Out of Scope

      Background

      It is currently in a sandbox queue to become a CNCF incubator project and is going to be the default in Fedora 30 for this purpose. Currently, it is the only viable project with the goal of both ensuring the secure deployment of eBPF applications and providing insights on eBPF program utilization within an OpenShift cluster.

      At the time of this writing, OpenShift is using eBPF programs in 3 components of OpenShift:

      • ACS
      • Ingress Node Firewall
      • Network Observability Operator.

      Customer Considerations

      Documentation Considerations

      Interoperability Considerations

      bpfman is targeting management of eBPF use in existing OpenShift components:

      • Advanced Cluster Security (ACS)
      • Ingres Node Firewall
      • Network Observability Operator

            mcurry@redhat.com Marc Curry
            mcurry@redhat.com Marc Curry
            ANDREW MCDERMOTT, Andrew Stoycos, Dave Gordon, Dave Tucker, Mohamed Mahmoud
            Mohamed Mahmoud Mohamed Mahmoud
            Weibin Liang Weibin Liang
            Ashley Hardin Ashley Hardin
            Ben Bennett Ben Bennett
            Dave Tucker Dave Tucker
            Marc Curry Marc Curry
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: