Cilium is an open-source, eBPF-based networking platform for securing, observing, and managing network traffic in containerized environments. It provides a unified approach to network security, observability, and policy management for Kubernetes and other container orchestration platforms. In this documentation, we will explore the design philosophy behind Cilium, focusing on its key features and benefits.
Cilium Components
Cilium consists of several components that work together to provide network security, observability, and policy management:
- Cilium Agent: The Cilium Agent is a daemon that runs as a DaemonSet pod on every node in the cluster. It watches the Kubernetes API for pods, services and policies, compiles that state into eBPF programs which it loads into the node's kernel, and from then on policy enforcement, load balancing and flow accounting happen in the kernel datapath without the agent being on the packet path. It also hosts the per-node Hubble server that exports flow data.
- Cilium Operator: The Cilium Operator is a cluster-wide controller (typically one or two replicas, not one per node) that handles work which should be done once for the whole cluster rather than on every node: allocating pod CIDRs and IP pools (IPAM), garbage-collecting stale CiliumEndpoint and identity objects, and synchronising state to an external key-value store when one is used. It does not deploy or supervise the agent; the agent's DaemonSet is reconciled by the ordinary Kubernetes controllers like any other workload.
- Hubble: Hubble is Cilium's observability layer. A Hubble server inside each agent reads flow events directly from the eBPF datapath (no packet capture, no sidecar), Hubble Relay aggregates them cluster-wide, and the `hubble` CLI and Hubble UI query them. Because the datapath tags each flow with its policy verdict (forwarded or dropped) and, on proxied ports, the L7 request, Hubble shows not only that traffic flowed but why it was allowed or denied, which is what makes it usable for policy troubleshooting. Flow summaries are also exported as Prometheus-format metrics.
Cilium Network Policies
Cilium enforces policy on security identities derived from pod labels rather than on IP addresses, at L3/L4 (identity, CIDR, port and protocol) and at L7 (HTTP method and path, Kafka topics, DNS names). Policies can be written as standard Kubernetes NetworkPolicy objects, which Cilium honours, or as CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy resources, which add the L7 rules, FQDN-based egress rules and cluster-wide scope that NetworkPolicy lacks. L7 rules are enforced by an Envoy proxy running on each node; the eBPF datapath transparently redirects only the traffic covered by an L7 rule through it, so L7 enforcement costs extra latency on those ports and should be applied where L7 control is actually needed. Two semantics matter in practice: an endpoint is default-allow until some policy selects it, at which point the selected direction becomes default-deny, and all matching policies are combined as a union of allows.
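The following manifest is an added example, not taken from the page or from the Cilium project, showing an L3/L4 rule and an L7 HTTP rule in one CiliumNetworkPolicy. The namespace `shop`, the labels `app=api` and `app=frontend`, the port and the paths are assumptions for illustration.

```yaml
# Added example (not from the page or the Cilium project): namespace, labels,
# port and paths are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-http
  namespace: shop
spec:
  description: "Only app=frontend may reach app=api, and only for the listed HTTP requests"
  # L3: the pods this policy applies to. Selecting them switches their
  # ingress direction from default-allow to default-deny.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    # L3: the source identity comes from pod labels, not IP addresses, so a
    # frontend pod rescheduled with a new IP keeps the same access.
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # L7: the presence of an http section makes the datapath redirect
      # traffic on this port through Cilium's Envoy proxy. Requests that
      # match no rule are answered with HTTP 403 rather than dropped at L4;
      # connections from any pod other than app=frontend never reach the
      # proxy and are dropped at L3/L4.
      rules:
        http:
        - method: "GET"
          path: "/v1/products(/.*)?"   # method and path are regular expressions
        - method: "POST"
          path: "/v1/orders"
```

Apply it with `kubectl apply -f`, then check the effect from the datapath's point of view rather than by guessing: `hubble observe --namespace shop --verdict DROPPED` shows connections refused at L3/L4, and `hubble observe --namespace shop --type l7` shows each HTTP request with the verdict the proxy gave it. Note that this policy says nothing about egress from `app=api` or about traffic to `app=api` on other ports, both of which stay default-allow until another policy selects them.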
Observability and Monitoring
Hubble's flow data is exported as Prometheus-format metrics (drops, DNS, TCP, and on proxied ports HTTP status codes and latency, per workload), so any Prometheus-compatible stack can consume it. Grafana Cloud ships a Cilium Enterprise integration built on these metrics, with prebuilt dashboards that make it easier to identify and troubleshoot connectivity and policy issues. The security-relevant series is the drop count: a step change in drops for a namespace right after a policy rollout is the fastest sign that the policy is tighter than intended.
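The Helm values below are an added example, not from the page or the Cilium project, showing how Hubble flow data is turned into Prometheus metrics that a Grafana or Grafana Cloud dashboard can scrape. The choice of metric families and the ServiceMonitor setting are assumptions for this example, not chart defaults.

```yaml
# Added example (not from the page or the Cilium project): values for the
# cilium Helm chart. Metric families and the ServiceMonitor choice are
# assumptions for this example.
hubble:
  enabled: true
  relay:
    enabled: true          # aggregates the per-node Hubble servers cluster-wide
  metrics:
    enableOpenMetrics: true
    # One entry per metric family; options after ':' are family-specific.
    enabled:
      - dns                # query/response counts and rcodes, incl. NXDOMAIN spikes
      - drop               # hubble_drop_total{reason=...}: the policy-denial signal
      - tcp
      - flow
      - port-distribution
      - icmp
      # HTTP metrics exist only for traffic the L7 proxy sees, i.e. ports
      # covered by an HTTP policy rule; plain L3/L4 ports report nothing here.
      - httpV2:exemplars=true;labelsContext=source_namespace,source_workload,destination_namespace,destination_workload,traffic_direction
    serviceMonitor:
      enabled: true        # requires the Prometheus Operator CRDs to be installed
```

After `helm upgrade`, each agent exposes the Hubble metrics endpoint (port 9965 by default). The first alert worth writing is on `hubble_drop_total` broken down by `reason`: drops with a policy-denied reason are expected after a deny rule lands, while drops with an invalid-source-IP reason point at a pod sending spoofed packets.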
Security and Encryption
Cilium can transparently encrypt traffic between pods on different nodes using either IPsec or WireGuard; the pods need no changes and no sidecars. This protects the confidentiality and integrity of traffic as it crosses the network between nodes, which is what matters on a shared or untrusted underlay. It is not a defence against IP address spoofing: that is handled separately by the eBPF datapath, which drops packets leaving a pod whose source address does not belong to that endpoint. Two limits to keep in mind: traffic between two pods on the same node never leaves the node and is not encrypted, and encryption covers only paths between Cilium-managed nodes, so traffic leaving the cluster is not covered.
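The values fragment below is an added example, not from the page or the Cilium project, enabling WireGuard encryption between Cilium-managed nodes; the decision to also encrypt host-network traffic is an assumption for this example.

```yaml
# Added example (not from the page or the Cilium project): values for the
# cilium Helm chart enabling transparent WireGuard encryption. WireGuard
# needs a kernel with the wireguard module (5.6 or later).
encryption:
  enabled: true
  type: wireguard          # the alternative is "ipsec", which needs a pre-shared key Secret
  # Also encrypt traffic originating from host-networked processes on a node
  # (kubelet, host-network pods), not only pod-to-pod traffic, so that
  # node-to-pod paths do not carry plaintext across the underlay.
  nodeEncryption: true
```

Verify rather than assume: `cilium status` run inside an agent pod should report `Encryption: Wireguard`, every node should have a `cilium_wg0` interface, and a packet capture on a node's uplink during pod-to-pod traffic between two nodes should show only UDP on port 51871 (Cilium's WireGuard port), never the pods' own addresses or payload.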
Performance and Scalability
Cilium's Bandwidth Manager enforces per-pod egress rate limits with Earliest Departure Time (EDT) scheduling: the eBPF datapath stamps each packet with the time it may leave, and the kernel's fq qdisc, whose timing wheel releases packets at their departure time, does the pacing. This replaces the token-bucket shaping and ifb redirection of the traditional bandwidth CNI plugin, which queues packets and adds latency under load, so rate limiting no longer means bufferbloat. The same mechanism can pair with the BBR congestion control algorithm for pod traffic on recent kernels. It requires no per-pod configuration beyond a standard annotation, which keeps it an efficient connectivity and security fabric to operate.
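The two fragments below are an added example, not from the page or the Cilium project: Helm values that turn the Bandwidth Manager on, followed by a Pod whose egress is capped. The pod name, image and the 10 Mbit/s rate are assumptions.

```yaml
# Added example (not from the page or the Cilium project). Two documents:
# values for the cilium Helm chart, then a Pod manifest. Pod name, image and
# rate are assumptions.
# --- values.yaml ---
bandwidthManager:
  enabled: true
  bbr: true           # optional; BBR for pod traffic needs a 5.18 or later kernel
# --- pod.yaml ---
---
apiVersion: v1
kind: Pod
metadata:
  name: bulk-uploader
  annotations:
    # Enforced by Cilium: egress packets from this pod get EDT timestamps
    # that the node's fq qdisc paces to 10 Mbit/s.
    kubernetes.io/egress-bandwidth: "10M"
    # kubernetes.io/ingress-bandwidth is NOT enforced by Cilium's Bandwidth
    # Manager; setting it here would give a false sense of protection.
spec:
  containers:
  - name: app
    image: alpine:3.19
    command: ["sleep", "infinity"]
```

From a security standpoint the egress cap is a cheap blast-radius control: a compromised pod used for data exfiltration or as a DoS source is held to the rate its workload was expected to need, and any attempt to exceed it shows up as pacing rather than as congestion on the node.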
Hardening and Compliance
Cilium supports the controls called for in guidance such as the NSA/CISA Kubernetes hardening guidance: default-deny network policies per namespace or cluster-wide with explicit allows layered on top, least-privilege RBAC, and encryption in transit. Two Cilium-specific points belong in any hardening review. First, Cilium's own CRDs are part of the control plane: a subject allowed to create CiliumClusterwideNetworkPolicy objects can change traffic rules for every namespace, so grant that right as sparingly as cluster-admin. Second, the agent runs privileged on the host network in kube-system and loads kernel programs, so access to that namespace and its pods should be restricted and audited. Hubble records every policy verdict, which gives an auditor evidence that isolation is enforced rather than a statement that it was configured.
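The manifest below is an added example, not from the page or the Cilium project, of a namespace-wide default-deny baseline of the kind the hardening guidance asks for, which still lets pods resolve names and reach one external API by hostname. The namespace `shop` and the host `api.payments.example` are assumptions.

```yaml
# Added example (not from the page or the Cilium project): namespace and
# hostname are assumptions.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-baseline
  namespace: shop
spec:
  endpointSelector: {}      # every pod in the namespace
  ingress:
  - {}                      # an ingress section with no allow rule: all ingress denied
  egress:
  # DNS, and only to kube-dns. The L7 dns rule makes the proxy record every
  # query (visible in Hubble) and is what gives toFQDNs below its IP data.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # Outbound HTTPS to one named host. Cilium derives the allowed destination
  # IPs from the DNS answers it proxied above, so no CIDR allow-list has to
  # be maintained and a pod cannot bypass the rule by using a different name.
  - toFQDNs:
    - matchName: "api.payments.example"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Because Cilium combines policies as a union of allows, this baseline does not conflict with per-workload policies: a later CiliumNetworkPolicy that permits `app=frontend` to reach `app=api` simply opens that one path while everything else stays denied. The check after applying it is `hubble observe --namespace shop --verdict DROPPED`; anything legitimate that appears there is a missing allow rule, not a reason to relax the baseline.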
Conclusion
Cilium’s design philosophy focuses on providing a unified approach to network security, observability, and policy management for containerized environments. Its eBPF-based architecture, support for L3/L4 and L7 policies, and integration with various monitoring and observability tools make it an efficient and powerful solution for securing and managing container networks.
For more information, please refer to the following resources:
- Cilium Enterprise integration | Grafana Cloud documentation
- Installing Addons | Kubernetes documentation
- Limiting access to Kubernetes resources with RBAC
- Exploring Cilium Layer 7 Capabilities Compared to Istio
- Introducing Grafana Cloud’s Cilium Enterprise integration
- Addressing Bandwidth Exhaustion with Cilium Bandwidth Manager
- cilium-agent Image Tags History
- Use Cilium for NetworkPolicy
- A Closer Look at NSA/CISA Kubernetes Hardening Guidance
- How to easily monitor your Cilium Enterprise service
- KubeCon Europe 2023
- Provenance Information for cilium-agent Images
- cilium-operator-generic Image Variants