Cilium

Cilium is an open-source project that provides networking, security, and observability for cloud-native environments, such as Kubernetes clusters and other container orchestration platforms. It is built on top of a new Linux kernel technology called eBPF, which allows for the dynamic insertion of powerful security, visibility, and networking control logic into the Linux kernel.

Key Features

  • eBPF-based Networking: High-performance networking that leverages eBPF for efficient data plane operations.
  • Identity-based Security: Decouples security from IP addresses by assigning a security identity to groups of application containers.
  • L7 Policy Enforcement: Filters on individual application protocol requests (e.g., HTTP, gRPC, Kafka).
  • Multi-cluster and Multi-cloud Capabilities: Provides a single network for connectivity across multiple clusters and clouds.
  • Advanced Load Balancing: Supports distributed load balancing for traffic between pods and to external services, replacing components like kube-proxy.
  • Transparent Encryption: Secures communication between workloads using IPsec or WireGuard.
  • Extensive Network Security Capabilities: Offers a wide range of security features, including runtime enforcement and file integrity monitoring.
  • Hubble Observability: Provides deep visibility into network flows and application communication through a dedicated observability platform.

Installation

To get started with Cilium, you can use the Cilium CLI to install it on your Kubernetes cluster.

Prerequisites

  • A running Kubernetes cluster.
  • kubectl configured to communicate with your cluster.

Install the Cilium CLI

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz

Install Cilium

Once the CLI is installed, you can install Cilium into your Kubernetes cluster:

cilium install

To validate the installation, run:

cilium status --wait

Usage

Basic Networking

Cilium provides a simple flat Layer 3 network with the ability to span multiple clusters. It supports two main networking modes:

  • Overlay: An encapsulation-based virtual network that spans all hosts. This is the default mode and requires no special configuration of the underlying network infrastructure.
  • Native Routing: Uses the regular routing table of the Linux host. This mode is for advanced users and requires some awareness of the underlying networking infrastructure.

Network Policies

Cilium network policies are used to secure communication between services. Here is an example of a simple L3/L4 policy: it allows pods labeled role=frontend to reach pods labeled role=backend on TCP port 80, and because the policy selects the backend endpoints for ingress, all other ingress to them is denied:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1"
spec:
  endpointSelector:
    matchLabels:
      role: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        role: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP

To apply the policy, save it to a file (e.g., policy.yaml) and use kubectl:

kubectl apply -f policy.yaml
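Building on the L3/L4 rule above, the following is an added example (not taken from the Cilium documentation) showing how the same frontend-to-backend rule is tightened to L7 by listing the HTTP methods and paths the backend may receive; the request paths are assumed for illustration.

```yaml
# Constructed example: L7 version of the rule1 policy.
# Same endpoint selection and port as rule1, but the Cilium
# proxy now inspects each HTTP request and drops anything not
# matched by the rules list (paths are regular expressions).
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1-l7"
spec:
  endpointSelector:
    matchLabels:
      role: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        role: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        # Read-only access to the public API (assumed path)
        - method: "GET"
          path: "/api/v1/public/.*"
        # Frontend may create orders but not modify or delete them
        - method: "POST"
          path: "/api/v1/orders"
```

Applying this with kubectl apply -f in place of rule1 keeps the L3/L4 allow in effect while a frontend request such as DELETE /api/v1/orders/1 is rejected at the proxy rather than reaching the backend.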

Advanced Features

Cilium offers a wide range of advanced features, including:

  • Service Mesh: Provides advanced traffic management capabilities, such as canary rollouts, rate limiting, and circuit breaking.
  • Egress Gateway: Provides a static IP for integration with external workloads.
  • BGP: Integrates into existing networks and provides load balancing in bare-metal clusters.
  • Transparent Encryption: Secures communication between workloads using IPsec or WireGuard.

Real-World Use Cases

Many leading companies across various industries have adopted Cilium to solve complex networking, security, and observability challenges. Here are a few examples:

  • Google (for Google Kubernetes Engine): Google chose Cilium as the networking data plane for GKE. By using Cilium, GKE's Dataplane V2 provides enhanced security, better observability, and high-performance networking without relying on iptables. This allows users to have better visibility into their network traffic and apply more granular security policies.

  • Datadog: As a major monitoring and analytics platform, Datadog processes immense amounts of data. They use Cilium as their Container Network Interface (CNI) and for kube-proxy replacement. This helps them achieve scalable and efficient networking for their large, multi-tenant Kubernetes clusters, ensuring reliable performance for their customers.

  • Bell Canada: As a major telecommunications company, Bell Canada leverages Cilium and eBPF to modernize its networking infrastructure. They use Cilium to handle the demanding requirements of telco networking, achieving high performance and programmability for their cloud-native network functions.

  • The New York Times: To deliver news to millions of readers, The New York Times runs multi-tenant, multi-region shared Kubernetes clusters on Amazon EKS. They use Cilium to enforce network security policies and ensure isolation between different teams and applications, all while maintaining high availability and performance across different geographical regions.

Best Practices

  • Start with the Default Configuration: The default Cilium installation is a great starting point for most use cases.
  • Leverage Hubble for Observability: Use Hubble to gain visibility into your network flows and troubleshoot connectivity issues.
  • Implement Network Policies Gradually: Start with a permissive policy and gradually tighten it as you gain more confidence.
  • Monitor Performance: Keep an eye on the performance of your cluster and adjust Cilium's configuration as needed.
  • Stay Up-to-Date: Regularly update Cilium to the latest version to take advantage of new features and security patches.