Cilium is an open-source, eBPF (Extended Berkeley Packet Filter) powered Cloud Native Networking solution that provides security, observability, scalability, and superior performance for connecting clusters on the edge. It has joined the Cloud Native Computing Foundation (CNCF) as an incubating project. Cilium Cluster Mesh enables simple, high-performance cross-cluster connectivity at the edge, providing load-balancing, observability, and security between nodes across multiple clusters.
Key Technologies and Dependencies
Cilium’s design philosophy focuses on using eBPF technology to secure and observe network traffic within a cluster, while ensuring scalability and high performance. The main programming languages used are Go and C.
Some of the key technologies and dependencies include:
- Azure SDK for Go
- Go Autorest
- Active Directory Authentication Library for Azure services
- AWS SDK for the Go programming language
- AWS SDK Config package
- Instance Metadata Service for AWS
- Logrus (structured logging library for Go)
- Cilium Checkmate
- Cilium Coverbee
- Cilium eBPF
Options and Examples
Networking the Service Mesh Proxy
Cilium can be used to network the service mesh proxy, providing connectivity for load-balancing, observability, and security between nodes across multiple clusters. The following resources provide more information on this topic:
- Networking the Service Mesh Proxy: Where We Are, Where We’re Going - Tim Swanson & John Joyce, Cisco: video
- Intro: Envoy - Matt Klein & Constance Caramanolis, Lyft: video
Connecting Kubernetes Clusters Across Cloud Providers
Cilium can be used to interconnect multiple Kubernetes clusters running in different cloud providers, establishing basic pod-to-pod connectivity, adding load balancing using standard Kubernetes services, and implementing label-based network policy to secure communication both inside the cluster and across clusters. The following resource provides more information on this topic:
- Connecting Kubernetes Clusters Across Cloud Providers - Thomas Graf, Covalent: video
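As an added example that is not part of the original page, the manifest below shows how Cluster Mesh load balancing is declared once basic pod-to-pod connectivity exists: a standard Kubernetes Service is marked global with the `service.cilium.io/global` annotation, and Cilium then distributes traffic for it across the backends of every connected cluster. The service name `api`, the namespace, the ports and the `app: api` selector are assumed values; Cluster Mesh itself must already be enabled, and the Service has to exist with the same name and namespace in each participating cluster for the backends to be merged.

```yaml
# Added example (not from the page or the Cilium project): a Cluster Mesh
# "global" Service. Apply the same manifest in every connected cluster.
apiVersion: v1
kind: Service
metadata:
  name: api            # assumed name; must match in all clusters
  namespace: default   # assumed namespace; must match in all clusters
  annotations:
    # Tells Cilium to load-balance across matching backends in all
    # clusters joined to the mesh, not only the local one.
    service.cilium.io/global: "true"
spec:
  selector:
    app: api           # assumed pod label
  ports:
    - name: http
      protocol: TCP
      port: 80         # assumed ClusterIP port
      targetPort: 8080 # assumed container port
```

Because the Service keeps the ordinary Kubernetes API, existing clients need no change; a local outage of the `api` pods simply shifts traffic to the remote cluster's healthy backends, which is what makes the per-cluster failure domain visible in Hubble flows worth watching.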
Cilium Layer 7 Capabilities
Cilium provides Layer 7 capabilities through its own Envoy filter (Cilium.L7Policy), which runs in the Envoy proxy Cilium ships and enforces L7 security policies such as HTTP method and path rules. The following resource provides more information on this topic:
- Exploring Cilium Layer 7 Capabilities Compared to Istio: blog post
Cilium Network Policy
Cilium supports Kubernetes NetworkPolicy, which can be used to restrict network traffic between pods and reduce the attack surface. The following resources provide more information on this topic:
- Kubernetes Network Policy with Cilium: official documentation
- NSA/CISA Kubernetes Hardening Guidance: blog post
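The following policy is an added example, not code from the page or from the Cilium project, and it ties together the three preceding sections: the label-based policy that secures traffic inside and across clusters, the Layer 7 rules enforced through Cilium's Envoy filter, and the pod-to-pod restriction described under Cilium Network Policy. It uses Cilium's own CiliumNetworkPolicy resource rather than plain Kubernetes NetworkPolicy, because the standard resource cannot express L7 rules. The labels `app: api`, `app: frontend`, the port `8080`, the path and the cluster name `cluster-1` are assumed values; `io.cilium.k8s.policy.cluster` is the label Cilium attaches to endpoints in a Cluster Mesh to identify their source cluster.

```yaml
# Added example (not from the page or the Cilium project): a default-deny
# L3/L4 policy for the "api" pods with one L7 (HTTP) allowance.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-get-items
  namespace: default
spec:
  # Pods this policy applies to. Selecting them with any ingress rule
  # puts them in default-deny for ingress; only the rules below are allowed.
  endpointSelector:
    matchLabels:
      app: api                              # assumed label
  ingress:
    - fromEndpoints:
        # Only "frontend" pods may connect, and only those running in
        # the cluster named cluster-1 (a Cluster Mesh cluster name).
        - matchLabels:
            app: frontend                   # assumed label
            io.cilium.k8s.policy.cluster: cluster-1   # assumed cluster name
      toPorts:
        - ports:
            - port: "8080"                  # assumed container port
              protocol: TCP
          # The presence of "rules" makes Cilium redirect this port through
          # its Envoy proxy, where the Cilium.L7Policy filter enforces them.
          rules:
            http:
              - method: GET
                path: "/v1/items"           # matched as a regular expression
```

Any other source, port, HTTP method or path is dropped, and the drop is recorded as a policy verdict that Hubble can surface, so the same manifest that narrows the attack surface also gives operators a concrete signal to alert on: an L7 denial from a pod that should never have called the API.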
Online Documentation
- Cilium Getting Started Guide: official documentation
- Chainguard Images Provenance Information for cilium-operator-generic, cilium-agent, and cilium-hubble-ui-backend: Chainguard documentation
- Grafana Cloud Cilium Enterprise Integration: Grafana documentation
Cilium is a versatile and powerful networking solution for Cloud Native environments, providing security, observability, scalability, and superior performance. By leveraging eBPF technology, Cilium offers Layer 7 capabilities, enabling users to enforce L7 security policies and restrict network traffic between pods. Cilium can be used to network the service mesh proxy, connect Kubernetes clusters across cloud providers, and integrate with popular monitoring solutions like Grafana Cloud.