Cilium is an open-source networking and security solution for cloud native environments. It is built using the Linux kernel’s eBPF (Extended Berkeley Packet Filter) technology, which allows for high-performance, programmable networking and security policies. Cilium provides networking, security, and observability for Kubernetes and other container orchestration platforms.
Networking capabilities
Cilium provides networking capabilities for Kubernetes through the Cilium CNI (Container Network Interface) plugin. It supports various networking modes, including overlay and native routing. Cilium also supports BGP (Border Gateway Protocol) for dynamic routing between clusters.
Here is an example of installing Cilium on a Kubernetes cluster using the Cilium CNI plugin:
# Install Cilium CNI plugin
curl -LO https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz
cilium install
Once the CLI is installed, `cilium install` detects the cluster configuration and deploys the components appropriate for that environment.
Network policy configuration
Cilium provides network policy configuration through the CiliumNetworkPolicy API. This API allows for the creation of network policies based on L3-L7 criteria, including pod labels, IP addresses, and ports.
Here is an example of a CiliumNetworkPolicy that allows traffic from pods with label app: nginx to pods with label app: backend on port 80:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "nginx-to-backend"
spec:
  description: "Allow traffic from nginx to backend on port 80"
  # endpointSelector picks the pods the policy is enforced on. For an
  # ingress rule that is the destination, i.e. the backend pods.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: nginx
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
Service mesh features
Cilium also provides service mesh features through its integration with Envoy proxy. This integration allows for L7 traffic management, including traffic shaping, rate limiting, and retries.
Here is an example of a Cilium L7 policy that allows HTTP GET requests for / to the my-service service on port 80. The rate limit of 100 requests per second is not expressed in the network policy itself: CiliumNetworkPolicy has no rate-limit field, and limits of that kind are configured on the Envoy proxy.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "my-service-rate-limit"
spec:
  description: "Allow HTTP GET / to my-service on port 80"
  endpointSelector:
    matchLabels:
      app: my-service
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # L7 rules sit under the port they apply to; method and path are
      # matched as regular expressions and traffic is redirected to Envoy.
      rules:
        http:
        - method: "GET"
          path: "/"
Advanced networking scenarios
Cilium supports advanced networking scenarios, including IPv6 and load balancing.
For IPv6 support, Cilium can be configured to use IPv6 addresses for pods and services. Here is an example of a CiliumNetworkPolicy that allows traffic to a pod with IPv6 address 2001:db8::1:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "ipv6-policy"
spec:
  description: "Allow traffic to IPv6 address"
  # The policy is enforced on the source pods (other-app) as an egress rule.
  endpointSelector:
    matchLabels:
      app: other-app
  egress:
  # Selectors match labels, not addresses, so a literal address is written
  # as a CIDR rule; a single IPv6 host is the /128 prefix.
  - toCIDR:
    - "2001:db8::1/128"
For load balancing, Cilium can be configured to use Kubernetes services for load balancing traffic to pods. Here is an example of a CiliumNetworkPolicy that allows traffic to a Kubernetes service named my-service:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "service-policy"
spec:
  description: "Allow traffic to Kubernetes service"
  endpointSelector:
    matchLabels:
      app: my-app
  egress:
  # toServices is an egress-only field: it lets the selected pods reach
  # the named Kubernetes service. The namespace below is assumed.
  - toServices:
    - k8sService:
        serviceName: my-service
        namespace: default
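As an added defender-side check that is not part of the original page or of the Cilium project: a small Python linter for the CiliumNetworkPolicy rule structure used in the policies above, flagging fields placed in the wrong direction (such as toServices under ingress) and unquoted ports before a manifest is applied. It reads JSON manifests, which kubectl accepts as well as YAML, so it needs no YAML library; the field lists are a subset of the CNP schema and both sample manifests are constructed.

```python
import json

# Rule keys Cilium accepts under ingress and egress of a CiliumNetworkPolicy.
INGRESS_KEYS = {"fromEndpoints", "fromRequires", "fromCIDR", "fromCIDRSet",
                "fromEntities", "fromNodes", "toPorts", "icmps", "authentication"}
EGRESS_KEYS = {"toEndpoints", "toRequires", "toCIDR", "toCIDRSet", "toEntities",
               "toServices", "toFQDNs", "toNodes", "toPorts", "icmps", "authentication"}
PROTOCOLS = {"TCP", "UDP", "SCTP", "ANY"}  # protocol is optional and defaults to ANY

def lint_policy(policy):
    """Return a list of structural problems found in one CiliumNetworkPolicy object."""
    problems = []
    if policy.get("apiVersion") != "cilium.io/v2":
        problems.append("apiVersion must be cilium.io/v2")
    if policy.get("kind") not in ("CiliumNetworkPolicy", "CiliumClusterwideNetworkPolicy"):
        problems.append("unknown kind %r" % policy.get("kind"))
    spec = policy.get("spec") or {}
    if "endpointSelector" not in spec and "nodeSelector" not in spec:
        problems.append("spec needs an endpointSelector (or nodeSelector)")
    for direction, allowed in (("ingress", INGRESS_KEYS), ("egress", EGRESS_KEYS)):
        for i, rule in enumerate(spec.get(direction) or []):
            # Keys from the other direction (e.g. toServices under ingress) are a common mistake.
            for key in sorted(set(rule) - allowed):
                problems.append("%s[%d]: %r is not a valid %s field" % (direction, i, key, direction))
            for block in rule.get("toPorts") or []:
                for port in block.get("ports") or []:
                    if not isinstance(port.get("port"), str):
                        problems.append("%s[%d]: port must be a quoted string" % (direction, i))
                    if port.get("protocol", "ANY") not in PROTOCOLS:
                        problems.append("%s[%d]: unknown protocol %r" % (direction, i, port.get("protocol")))
    return problems

def lint_manifest(text):
    """Lint a manifest given as JSON text (kubectl accepts JSON as well as YAML)."""
    return lint_policy(json.loads(text))

# Constructed sample: the nginx-to-backend policy from this page, written as JSON.
GOOD = """{"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
 "metadata": {"name": "nginx-to-backend"},
 "spec": {"endpointSelector": {"matchLabels": {"app": "backend"}},
          "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "nginx"}}],
                       "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}]}]}}"""

# Constructed sample with two mistakes: toServices under ingress (egress-only) and an unquoted port.
BAD = """{"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
 "metadata": {"name": "service-policy"},
 "spec": {"endpointSelector": {"matchLabels": {"app": "my-app"}},
          "ingress": [{"toServices": [{"k8sService": {"serviceName": "my-service"}}],
                       "toPorts": [{"ports": [{"port": 80}]}]}]}}"""
```

Running lint_manifest over each policy on this page before kubectl apply catches the direction and quoting mistakes that otherwise only surface as a rejected or silently ineffective policy.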