Introduction to Cilium for cilium/cilium

What is Cilium?

Cilium is an open source project that provides a new way to secure and observe container traffic at scale. It is a network security and observability solution for containers, built on eBPF and the Linux kernel's native network stack, and it delivers that security and observability without requiring an additional user-space proxy.

Source: Cilium Project Overview

Why is Cilium important?

Cilium is important because it offers several benefits for securing and observing container traffic:

  1. Fine-grained network security: Cilium provides network security at the container level, allowing for granular control over network traffic.
  2. No additional user-space proxy: Cilium does not require an additional user-space proxy, reducing overhead and complexity.
  3. Integration with Kubernetes: Cilium integrates seamlessly with Kubernetes, making it a popular choice for securing container traffic in Kubernetes environments.
  4. Observability: Cilium provides detailed observability information, allowing for deep insights into container traffic.

Source: Benefits of Cilium

Options and Examples in Cilium

Option 1: Cilium Network Policy

Cilium Network Policy is a way to define and enforce network policies for containers. Policies are Kubernetes resources written in YAML, so they are deployed and managed with the usual Kubernetes tooling.

Example:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-traffic-to-port-80
  namespace: my-namespace      # the policy applies to pods in this namespace
spec:
  endpointSelector:            # which pods the policy applies to
    matchLabels:
      app: my-app
  egress:
  - toCIDR:                    # any external destination ...
    - 0.0.0.0/0
    toPorts:                   # ... but only on 80/TCP; all other egress is dropped
    - ports:
      - port: "80"
        protocol: TCP

Source: Cilium Network Policy
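To make the semantics of the policy above concrete, here is an added example (not Cilium's own code) that models a simplified version of the policy engine in Python: an endpoint is allow-all until a policy with egress rules selects it, after which only traffic matched by some rule is forwarded. Only endpointSelector, toCIDR and toPorts are modelled, and the cluster-internal distinction Cilium makes (pod-to-pod traffic is matched by toEndpoints/toEntities rather than CIDR) is deliberately ignored, so treat the model as an assumption. The audit helper flags rules that reach any external address, the kind of check a reviewer applies before merging a policy.

```python
import ipaddress

# Constructed sample: the allow-traffic-to-port-80 CiliumNetworkPolicy from the
# text, in the dict form a YAML loader would return. This is a hypothetical
# simplification of Cilium's policy evaluation, not Cilium's own code.
ALLOW_PORT_80 = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "allow-traffic-to-port-80", "namespace": "my-namespace"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "my-app"}},
        "egress": [
            {
                "toCIDR": ["0.0.0.0/0"],
                "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}],
            }
        ],
    },
}

CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def selects(selector, labels):
    """True when every matchLabels pair is present on the endpoint's labels."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def port_matches(to_ports, dst_port, proto):
    """A rule without toPorts allows any port; otherwise one entry must match."""
    if not to_ports:
        return True
    for entry in to_ports:
        for p in entry.get("ports", []):
            if int(p["port"]) == dst_port and p.get("protocol", "ANY") in ("ANY", proto):
                return True
    return False


def rule_allows(rule, dst_ip, dst_port, proto):
    """One egress rule: destination must fall in a listed CIDR and match a port."""
    ip = ipaddress.ip_address(dst_ip)
    cidrs = [ipaddress.ip_network(c) for c in rule.get("toCIDR", [])]
    if not any(ip in c for c in cidrs):
        return False
    return port_matches(rule.get("toPorts", []), dst_port, proto)


def egress_verdict(policies, src_labels, dst_ip, dst_port, proto="TCP"):
    """Allow-all until a policy with egress rules selects the endpoint; then
    default-deny, with only rule-matched traffic forwarded."""
    rules = [
        r
        for p in policies
        if selects(p["spec"]["endpointSelector"], src_labels)
        for r in p["spec"].get("egress", [])
    ]
    if not rules:
        return "FORWARDED"
    allowed = any(rule_allows(r, dst_ip, dst_port, proto) for r in rules)
    return "FORWARDED" if allowed else "DROPPED"


def audit_catch_all_egress(policy):
    """Review check: list egress rules that reach any external address and
    whether they are at least port-restricted."""
    findings = []
    for i, rule in enumerate(policy["spec"].get("egress", [])):
        nets = {ipaddress.ip_network(c) for c in rule.get("toCIDR", [])}
        if nets & CATCH_ALL:
            ports = [f"{p['port']}/{p.get('protocol', 'ANY')}"
                     for e in rule.get("toPorts", []) for p in e.get("ports", [])]
            scope = ", ".join(ports) if ports else "any port"
            findings.append(f"egress[{i}] allows any external destination on {scope}")
    return findings


if __name__ == "__main__":
    app = {"app": "my-app"}
    print(egress_verdict([ALLOW_PORT_80], app, "93.184.216.34", 80))   # FORWARDED
    print(egress_verdict([ALLOW_PORT_80], app, "93.184.216.34", 443))  # DROPPED
    print(audit_catch_all_egress(ALLOW_PORT_80))
```

The second verdict is the point most often missed when a first policy is rolled out: as soon as the policy selects my-app, every egress flow that no rule covers, including DNS and in-cluster calls, is dropped, so new rules (or a staged rollout) are needed for them.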

Option 2: Cilium Observability

Cilium Observability provides detailed information about container traffic, including network flow logs, metrics, and traces, and integrates with popular observability tools such as Prometheus and Jaeger.

Example:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: my-namespace
spec:
  selector:
    app: my-app
  ports:
  - name: http
    port: 80
  - name: grpc
    port: 9001
---
# HTTP visibility is expressed as an L7 rule on a CiliumNetworkPolicy; matched
# requests are then reported by Hubble with method, path and status code.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: my-l7-policy
  namespace: my-namespace
spec:
  endpointSelector:
    matchLabels:
      app: my-app
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - {}   # match every HTTP request on port 80
# Note: once this policy selects my-app, ingress to its other ports (e.g. 9001)
# is dropped unless a further ingress rule allows it.

Source: Cilium Observability
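Flow logs are only useful once something reads them, so here is an added example (not part of the original page or of the Cilium project) that summarises a small constructed batch of flow records in Python: per source pod it counts forwarded and dropped flows, records where policy-denied traffic was headed, and builds a histogram of HTTP method and path for the L7 requests the policy above makes visible. The record layout is an assumption, a simplified version of what `hubble observe -o json` emits one object per line; the real schema may differ, so adjust the field accessors before running this against live output.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample flows (simplified, assumed Hubble-like JSON; one per line).
# my-app-1 talks HTTP to my-service; my-app-2 also tries a database pod and is
# denied by policy three times.
SAMPLE_FLOWS = """\
{"verdict":"FORWARDED","source":{"pod_name":"my-app-1"},"destination":{"pod_name":"my-service-7d9"},"l4":{"TCP":{"destination_port":80}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://my-service/api/items"}}}
{"verdict":"FORWARDED","source":{"pod_name":"my-app-1"},"destination":{"pod_name":"my-service-7d9"},"l4":{"TCP":{"destination_port":80}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://my-service/api/items"}}}
{"verdict":"FORWARDED","source":{"pod_name":"my-app-1"},"destination":{"pod_name":"my-service-7d9"},"l4":{"TCP":{"destination_port":80}},"l7":{"type":"REQUEST","http":{"method":"POST","url":"http://my-service/api/items"}}}
{"verdict":"FORWARDED","source":{"pod_name":"my-app-2"},"destination":{"pod_name":"my-service-7d9"},"l4":{"TCP":{"destination_port":80}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://my-service/healthz"}}}
{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"my-app-2"},"destination":{"pod_name":"db-0"},"l4":{"TCP":{"destination_port":5432}}}
{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"my-app-2"},"destination":{"pod_name":"db-0"},"l4":{"TCP":{"destination_port":5432}}}
{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"my-app-2"},"destination":{"pod_name":"db-0"},"l4":{"TCP":{"destination_port":5432}}}
"""


def parse_flows(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(flows):
    """Per source pod: verdict counts, denied destinations, and an L7 histogram."""
    summary = defaultdict(lambda: {
        "forwarded": 0, "dropped": 0, "drops_to": Counter(), "http": Counter()})
    for f in flows:
        src = f.get("source", {}).get("pod_name", "?")
        entry = summary[src]
        if f.get("verdict") == "DROPPED":
            entry["dropped"] += 1
            dst = f.get("destination", {}).get("pod_name", "?")
            port = f.get("l4", {}).get("TCP", {}).get("destination_port")
            reason = f.get("drop_reason_desc", "unknown")
            entry["drops_to"][f"{dst}:{port} ({reason})"] += 1
        else:
            entry["forwarded"] += 1
        l7 = f.get("l7", {})
        http = l7.get("http")
        if http and l7.get("type") == "REQUEST":
            # Only the path is kept: the host is already implied by the destination.
            path = urlsplit(http.get("url", "")).path
            entry["http"][(http.get("method"), path)] += 1
    return dict(summary)


def policy_denied_alerts(summary, min_dropped=3):
    """Pods with at least min_dropped dropped flows: either a policy gap that
    breaks a legitimate dependency or a workload reaching where it should not."""
    return [pod for pod, e in sorted(summary.items()) if e["dropped"] >= min_dropped]


if __name__ == "__main__":
    s = summarize(parse_flows(SAMPLE_FLOWS))
    for pod, e in sorted(s.items()):
        print(pod, e["forwarded"], "forwarded,", e["dropped"], "dropped")
        for (method, path), n in e["http"].most_common():
            print("   ", n, method, path)
        for target, n in e["drops_to"].most_common():
            print("    denied ->", target, n)
    print("alerts:", policy_denied_alerts(s))   # ['my-app-2']
```

Whether an alert means a broken policy or a misbehaving pod is decided by the denied destination: repeated drops to a known dependency point at a missing rule, while drops to hosts the workload has no business with deserve an incident ticket rather than a policy change.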