In a recent meetup I hosted alongside Kunal Kushwaha, we discussed Cilium, an eBPF-powered open-source cloud-native networking solution that offers security, observability, scalability, and superior performance. Throughout this blog I will explore how the increased usage of Kubernetes has led to the need for advanced networking, security, and observability solutions. This will allow us to take a closer look at how Cilium can benefit Kubernetes users.
What is Cilium?
Before we begin, I want to outline what Cilium is and where to find more information about this open source project. Leveraging eBPF (Extended Berkeley Packet Filter), Cilium provides advanced networking, security, and observability features for Kubernetes clusters. By abstracting eBPF, Cilium serves as a powerful CNI (Container Network Interface) plugin, offering services such as network load balancing, network policies, bandwidth management, flow and policy logging, operations, and metrics for Kubernetes workloads.
Cilium use cases
Companies are leveraging Cilium for various purposes, such as multi-tenancy security enforcement, multi-cluster load balancing, and high-performance networking. Some of Cilium's diverse use cases include:
- Container networking with high efficiency, scalability, and flexibility
- High-performance load balancing with an eBPF-powered kube-proxy replacement and built-in north-south load balancing with Maglev support
- Sidecar-less, eBPF-accelerated service mesh solutions, including Ingress and Gateway API support
- Identity-based network policies and API-aware filtering
- DNS filtering and encryption (IPsec, WireGuard, and TLS)
- Observability with Hubble, Prometheus, and Grafana support
What are the benefits of using Cilium?
For those that are interested in trying Cilium out, here are some of the core benefits that you should consider:
eBPF-based networking
Cilium sets itself apart from other Kubernetes networking solutions by using eBPF for connectivity. As an agent running on each node in a cluster, Cilium provides connectivity through overlay, direct routing, or hybrid solutions. The eBPF-based data plane also allows Cilium to replace kube-proxy, leading to better performance and scalability.
Kubernetes Services with Cilium's eBPF-based kube-proxy replacement
When it comes to Kubernetes Services, Cilium's eBPF-based kube-proxy replacement, backed by per-CPU hash tables, updates service state atomically and delivers a significant performance advantage over traditional iptables or IPVS implementations. This is especially beneficial in large-scale Kubernetes environments.
Service type load balancing
Cilium offers a standalone or distributed Layer 4 load balancer with Maglev support to bring traffic into your cluster and forward it to the appropriate endpoints.
Platform integration and native cloud support
Cilium is used with various platforms, from Minikube and Kind to managed Kubernetes services such as Civo, and it is the default CNI for every major cloud provider.
CNI Chaining
If you prefer using another CNI for specific functions, Cilium can be combined with other CNIs for load balancing, network policies, encryption, multi-cluster, and visibility options.
Cluster mesh
Cilium's Cluster Mesh feature enables seamless multi-cluster routing across clouds or on-premises environments, allowing exposure of backends running in different clusters using a shared global service.
Enhanced security
Cilium enhances security by providing identity-based network policies for both Kubernetes and Cilium network policies. The Cilium network policies support API-aware filtering, DNS filtering, and encryption using IPsec, WireGuard, and TLS termination and injection.
API-aware authorization
Cilium is capable of inspecting and filtering traffic at Layer 7, allowing you to enforce fine-grained, API-aware authorization policies. It supports a wide range of protocols, including HTTP, gRPC, and Kafka, giving you granular control over which services can communicate and which specific API calls are allowed. This level of detail significantly enhances the security posture of your Kubernetes environment.
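As an added example (not from the original post or the Cilium project), here is a CiliumNetworkPolicy that combines identity-based selection with the Layer 7 HTTP and DNS filtering described above. The namespace, the app=api and app=frontend labels, and the example.com domain are assumed placeholders.

```yaml
# Added example, not from the post: namespace, labels and domain are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-policy
  namespace: demo
spec:
  # Identity-based selection: the policy applies to pods labelled app=api
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  # Only the app=frontend identity may reach port 8080, and only with the
  # listed HTTP method/path pairs; any other request is rejected at Layer 7.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/orders/[0-9]+"
        - method: "POST"
          path: "/v1/orders"
  egress:
  # DNS filtering: lookups go to kube-dns and only names under example.com
  # are permitted; Cilium records the answers for the toFQDNs rule below.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*.example.com"
  # Egress is limited to the resolved addresses of *.example.com on 443;
  # every other destination is denied once this policy selects the pod.
  - toFQDNs:
    - matchPattern: "*.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Apply it with kubectl apply -f and watch the resulting verdicts in Hubble to confirm that disallowed paths and domains are dropped rather than forwarded.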
Launching a cluster with Cilium
When launching a cluster with Civo, you can select Cilium as the CNI provider found under the “Advanced options” section. Whilst this is currently only available with K3s cluster types, it will soon be available with Talos Linux.
If you’re looking to enable the Cilium Hubble UI in Civo, Engin Diri created a blog outlining the process:
Introducing Hubble
Hubble, Cilium's observability component, is designed to provide deep visibility into your Kubernetes clusters. It captures flow, policy, and DNS events, and presents them in an intuitive user interface, enabling you to monitor and troubleshoot your cluster with ease. It also integrates with popular monitoring tools like Prometheus and Grafana for advanced metric collection and visualization.
How does Hubble work?
Built on top of Cilium and eBPF, Hubble is split into three distinct components, which are outlined below:
Hubble UI
Hubble UI is a web-based interface that allows you to explore and visualize the collected data. It offers an interactive topology view, network policy enforcement information, and flow details for real-time insights.
Hubble Metrics
Hubble exposes a wealth of metrics, including packet drops, latency, and policy enforcement. These metrics can be consumed by Prometheus and visualized using Grafana, making it easy for you to track the health and performance of your cluster.
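An added example (not the post's own configuration): a Helm values file for the Cilium chart that enables the eBPF kube-proxy replacement with Maglev, as covered in the earlier Kubernetes Services section, and exports the Hubble metrics described here for Prometheus. The API server address and a Cilium 1.14 or later chart are assumptions.

```yaml
# Added example; assumes a Cilium 1.14+ Helm chart and an assumed API server address.
# kube-proxy replacement: the eBPF data plane handles Service load balancing
kubeProxyReplacement: true
# Without kube-proxy the agent must reach the API server directly (assumed values)
k8sServiceHost: 10.0.0.1
k8sServicePort: 6443
loadBalancer:
  # Maglev consistent hashing for stable backend selection on north-south traffic
  algorithm: maglev
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
  metrics:
    # Flow-derived metrics exported for Prometheus; "drop" surfaces packet drops
    # and "httpV2" gives per-request latency and status codes for L7 traffic.
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - icmp
      - httpV2
```

Install with helm install cilium cilium/cilium --namespace kube-system -f values.yaml, then point Prometheus at the Hubble metrics endpoint and build the Grafana dashboards on top of these series.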
Hubble Alerts
Hubble Alerts provide you with real-time notifications when specific events or conditions are met, such as excessive packet drops or policy violations. These alerts can be integrated with your preferred monitoring and alerting systems, like Slack or PagerDuty, to ensure you stay informed and can respond quickly to potential issues.
Discover more about Hubble
To start learning more about Hubble, check out these resources:
Summary
To summarize what I have gone through in this blog, Cilium truly is a powerful eBPF-based networking and security solution for Kubernetes environments. It offers an impressive suite of features that encompass everything from container networking to multi-cluster routing, and from API-aware filtering to observability.
The essence of Cilium lies in its adept utilization of eBPF, which offers remarkable improvements in performance, scalability, and flexibility. So, for organizations aiming to amplify their Kubernetes deployments, embracing Cilium might just be the perfect step forward.