Cilium Overview

Umair KhanUmair Khan
3 min read

Table of contents

What is Cilium

Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads, fueled by the revolutionary kernel technology eBPF. In a Kubernetes environment, Cilium acts as a networking plugin that provides connectivity between pods. It provides security by enforcing network policies and through transparent encryption, and the Hubble component of Cilium provides deep visibility into network traffic flows. With eBPF Cilium's networking, security and observability logic can be programmed directly into Linux kernel. Cilium was designed for large-scale contanarized enviroments. It natively undestands container and Kubernetes identites and parses API protocols like HTTP, gRPC and Kafka. Cilium is built on top eBPF so it creates networking stack optimized for runnning microservices on platforms like Kubernetes. eBPF makes LInux kernel programmable so application1xs like Cilium can hook into kernel and bring user space application context into kernel operations. Cilium harnesses the power of eBPF by layering an efficient identity concept; bringing Kubernetes contextual information, like metadata labels, to eBPF-powered networking logic.

Cilium Capabilities

Networking

  • Cilium provides network connectivity allowing pods and other components to communicate.

  • Cilium supports two networking models:

    • An overlay networking model where virtual network spans across all hosts. It only requires IP connectivity between hosts.

    • A native routing networking model which uses reguler routing table on each host to route traffic to pods or external IP.

Identity-aware Network Policy Enforcement

  • Network polices define which workloads are allowed to communicate with each other.

  • Cilium supports both native Kubernetes NetworkPolicies and enhanced CiliumNetworkPolicy.

  • Traditional firewalls like iptables do not scale in Kubernetes enviroment beacuse whenever a new pod is created firewall rules on all node hosts need to be manipulated to allow traffic.

  • To solve this problem Cilium assigns identity to containers based on Kubernetes labels. That identity is than assosiated with network packets emmited by those containers which is than validated by eBPF at reciving node without need of any firewall rules. For example, when a deployment is scaled up and a new pod is created somewhere in the cluster, the new pod shares the same identity as the existing pods. The eBPF program rules corresponding to network policy enforcement do not have to be updated again, as they already know about the pod’s identity.

  • Cilium has the ability to secure modern Layer 7 application protocols such as REST/HTTP, gRPC, and Kafka (in addition to enforcing at Layers 3 and 4).

  • It enforces network policy corresponding to application protocol request.

      Allow all HTTP requests with method GET and path /public/. Deny all other requests.
  Require the HTTP header X-Token: [0-9]+ to be present in all REST calls.

Transparent Encryption

  • Cilium supports simple to configure transparent encryption, using IPSec or WireGuard, that when enabled, secures traffic between nodes without requiring reconfiguring any workload.

Multi-cluster Networking

  • Cilium’s Cluster Mesh capabilities make it easy for workloads to communicate with services hosted in different Kubernetes clusters.

  • You can make services highly available by running them in clusters in different regions, using Cilium Cluster Mesh to connect them.

Load Balancing

  • Cilium can fully replace kube-proxy and can be used as a stadalone load balancer.

  • It implements distributed load balancing between applications and external services.

  • Load balancing is implemented in eBPF using hash tables.

Enhanced Network Observability

  • Cilium has dedicated network observability component called Hubble.

  • Hubble uses Cilium identity concept to filter traffic and provides:

    • Visiblity into layer 3/4 (IP and port) and layer 7 (API).

    • Event monitoring with metadata like label information of sender and reciver.

    • Prometheus metrics exports.

    • A graphical UI to visualize the network traffic flowing through your clusters.

Prometheus Metrics

  • Cilium and Hubble export metrics about network performance and latency via Prometheus.

Service Mesh

  • Cilium also supports both Kubernetes Ingress and Gateway API to provide a full suite of service mesh features, but without requiring the overhead of sidecar containers injected into every pod.
0
Subscribe to my newsletter

Read articles from Umair Khan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

KubernetesciliumeBPF

Written by

Umair Khan
Umair Khan