Cilium Fundamentals
Cilium is an open-source project that provides networking, security, and observability for cloud native environments such as Kubernetes. It uses the eBPF (Extended Berkeley Packet Filter) technology to enforce network policies, provide service discovery, and secure network communication.
Key Technologies and Dependencies
Cilium is built using several modern technologies and programming languages, including:
- Gatsby: A free and open-source framework based on React that helps developers build blazing fast websites and apps.
- React: A JavaScript library for building user interfaces.
- GraphQL: A query language for APIs that enables efficient and flexible data retrieval.
- MDX: A markdown format that allows for the use of components within markdown files.
- ESLint: A pluggable linting utility for JavaScript and JSX.
- Prettier: An opinionated code formatter that supports many languages.
- Gatsby plugins: Plugins that extend the functionality of Gatsby.
- Netlify: A web development platform that provides hosting and serverless functions.
- Git: A distributed version control system.
- Markdown: A lightweight markup language for creating formatted text.
Online Documentation
Cilium provides extensive documentation on its website, including:
- Limiting access to Kubernetes resources with RBAC: A guide to using Kubernetes Role-Based Access Control (RBAC) to limit access to Cilium resources.
- Provenance Information for cilium-agent Images: Information about the provenance of Cilium agent images, including verifiable signatures and software bill of materials (SBOMs).
- Cilium Enterprise integration with Grafana Cloud: A guide to integrating Cilium Enterprise with Grafana Cloud for monitoring and alerting.
- Provenance Information for cilium-operator-generic Images: Information about the provenance of Cilium operator images, including verifiable signatures and software bill of materials (SBOMs).
- Exploring Cilium Layer 7 Capabilities Compared to Istio: A comparison of Cilium’s Layer 7 capabilities with those of Istio.
- cilium-agent Image Tags History: A history of tags for the Cilium agent image.
- cilium-agent Image Variants: Detailed information about the public variants of the Cilium agent image.
- How to easily monitor your Cilium Enterprise service: A guide to monitoring Cilium Enterprise services using Grafana Cloud.
- Introducing Grafana Cloud’s Cilium Enterprise integration: An introduction to the Cilium Enterprise integration with Grafana Cloud for Kubernetes network monitoring.
- Use Cilium for NetworkPolicy: A guide to using Cilium for Kubernetes network policy.
- Installing Addons: A guide to installing addons in Kubernetes.
Code Documentation
Cilium provides code documentation in the following files:
src/posts/2021-05-20-cilium-110/index.md
src/posts/2020-11-10-cilium-19/index.md
src/posts/2020-02-18-cilium-17/index.md
src/posts/2019-08-20-cilium-16/index.md
content/events/2023-03-16-cilium-evolution/index.md
src/posts/2020-06-22-cilium-18/index.md
content/events/2023-03-30-cilium-deep-dive/index.md
src/posts/2022-10-27-cilium-graduation/index.md
src/posts/2023-10-24-meet-aditi/index.md
src/posts/2023-01-09-c2c/index.md
src/posts/2023-10-30-cilium-at-kubecon-na/index.md
src/posts/2024-02-02-cilium-talks-at-kubecon-eu-2024/index.md
content/labs/2022-11-20-bgp-on-cilium/index.md
src/posts/2018-12-10-cilium-14-preview/index.md
Code Snippets
Cilium provides code snippets in the following files:
src/components/pages/get-help/cilium-story/index.js
src/components/pages/get-help/cilium-story/cilium-story.jsx
src/pages/use-cases/cni.jsx
src/components/pages/enterprise/training/training.jsx
src/pages/get-started.jsx
src/pages/industries/cloud-providers.jsx
src/pages/use-cases/network-policy.jsx
src/pages/industries/financial-services.jsx
src/pages/use-cases/transparent-encryption.jsx
Cilium’s Core Functionalities
Cilium provides several core functionalities, including:
Network Policy Enforcement
Cilium uses eBPF to enforce network policies in Kubernetes. Network policies can be defined using Cilium’s own policy language or using Kubernetes NetworkPolicy objects. Cilium’s network policy engine supports both L3/L4 and L7 policies.
Here’s an example of a Cilium network policy that allows traffic from pods with label app=web to pods with label app=db (indentation restored and comments added; the rule is enforced on the ingress side of the db pods):
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "web-to-db"
spec:
  description: "Allow web to db traffic"
  endpointSelector:
    matchLabels:
      app: db          # the policy is applied to the db pods
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: web       # only web pods may connect to them ...
    toPorts:
    - ports:
      - protocol: TCP
        port: "5432"   # ... and only on TCP/5432; all other ingress to db is denied
Service Discovery
Cilium provides service discovery using Kubernetes service names and labels. Cilium automatically creates network routes for Kubernetes services, allowing pods to communicate with each other using service names instead of IP addresses.
Here’s an example of a Kubernetes service that exposes a database:
apiVersion: v1
kind: Service
metadata:
  name: db
spec:
  selector:
    app: db
  ports:
  - name: db
    port: 5432
    targetPort: 5432
Network Security
Cilium provides network security using eBPF. Cilium can enforce security policies based on L3/L4 and L7 criteria, including source and destination IP addresses, ports, and protocols. Cilium also supports encryption of network traffic using IPsec or WireGuard.
Here’s an example of a Cilium network security policy that allows traffic from pods with label app=web to pods with label app=db on port 5432. It is the egress-side counterpart of the ingress policy above: it is applied to the web pods and restricts where they may connect. Note that once any egress rule selects the web pods, every other egress flow from them (including DNS lookups) is denied unless a further rule allows it:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "web-to-db-security"
spec:
  description: "Allow web to db traffic on port 5432"
  endpointSelector:
    matchLabels:
      app: web         # the egress policy is applied to the web pods
  egress:
  - toEndpoints:
    - matchLabels:
        app: db        # web pods may only send to db pods ...
    toPorts:
    - ports:
      - protocol: TCP
        port: "5432"   # ... on TCP/5432; all other egress from web is denied
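To make the ingress/egress semantics of the two policies above concrete, here is a small policy evaluator added to this page (not Cilium code). The two policies are constructed inline as dicts carrying the same content as the YAML, so it runs without PyYAML or a cluster; the function names (`selects`, `rule_matches`, `flow_allowed`) are hypothetical, and the model is deliberately simplified (labels only, no namespaces, CIDRs, entities or L7 rules).

```python
# Simplified evaluator for CiliumNetworkPolicy L3/L4 semantics. Added example, not Cilium code.
# Constructed policies: an ingress rule on the db pods and an egress rule on the web pods.
INGRESS_POLICY = {  # "web-to-db": applied to db pods, allows ingress from web on TCP/5432
    "endpointSelector": {"matchLabels": {"app": "db"}},
    "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "web"}}],
                 "toPorts": [{"ports": [{"protocol": "TCP", "port": "5432"}]}]}],
}
EGRESS_POLICY = {  # "web-to-db-security": applied to web pods, allows egress to db on TCP/5432
    "endpointSelector": {"matchLabels": {"app": "web"}},
    "egress": [{"toEndpoints": [{"matchLabels": {"app": "db"}}],
                "toPorts": [{"ports": [{"protocol": "TCP", "port": "5432"}]}]}],
}

def selects(selector, labels):
    """True if every matchLabels entry of the selector is present on the endpoint."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def rule_matches(rule, peer_key, peer_labels, proto, port):
    """One ingress/egress rule: peer selector (fromEndpoints/toEndpoints) and optional toPorts."""
    peers = rule.get(peer_key, [])
    if peers and not any(selects(p, peer_labels) for p in peers):
        return False
    port_rules = [p for tp in rule.get("toPorts", []) for p in tp.get("ports", [])]
    if not port_rules:  # a rule without toPorts allows any port
        return True
    return any(p["protocol"] == proto and p["port"] == str(port) for p in port_rules)

def flow_allowed(policies, src, dst, proto, port):
    """Decide src -> dst:port. As in Cilium, a direction becomes default-deny for an
    endpoint as soon as any policy selects it in that direction; both sides must allow."""
    def direction_ok(ep_labels, peer_labels, section, peer_key):
        applicable = [p for p in policies
                      if section in p and selects(p["endpointSelector"], ep_labels)]
        if not applicable:
            return True  # no policy in this direction: nothing is enforced
        return any(rule_matches(r, peer_key, peer_labels, proto, port)
                   for p in applicable for r in p[section])
    return (direction_ok(src, dst, "egress", "toEndpoints")
            and direction_ok(dst, src, "ingress", "fromEndpoints"))

POLICIES = [INGRESS_POLICY, EGRESS_POLICY]
WEB, DB, CACHE = {"app": "web"}, {"app": "db"}, {"app": "cache"}  # constructed endpoints
```

Running `flow_allowed(POLICIES, WEB, DB, "TCP", 5432)` returns True, while the same pair on port 5433, or a cache pod reaching db, is denied; a cache pod reaching web stays allowed because no policy selects either side in that direction.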
Observability
Cilium provides observability using Hubble, Cilium’s observability layer. Hubble provides real-time network visibility, including L3/L4 and L7 traffic statistics, HTTP request and response headers, and TLS certificate information.
Here’s an example of a Hubble dashboard that shows network traffic statistics: