Traditional security measures do not fit modern applications; Cilium provides low-latency network security for containers.
When pods and services communicate, every packet first has to traverse the iptables rules on the node, and with a large number of services (and therefore rules) this lookup becomes a performance problem. kube-proxy is the component that maintains those iptables rules; Cilium's eBPF datapath implements service load balancing in the kernel directly and can replace kube-proxy entirely.
Cilium is a modern, open-source networking and security solution for containerized environments. It provides a high level of visibility and control over network traffic and offers advanced security features, including encryption, network policy enforcement, and more. Cilium uses eBPF (extended Berkeley Packet Filter) to provide high-performance networking and security, and it is designed to work with container orchestration systems such as Kubernetes.
eBPF (extended Berkeley Packet Filter) is an in-kernel virtual machine: programs are compiled to eBPF bytecode, checked by the kernel's verifier (which rejects programs that could loop without bound or access memory out of range) and then JIT-compiled to native code, so they run at near-native speed without the risk that comes with loading a kernel module. eBPF programs attach to hook points such as XDP, the traffic-control (tc) ingress and egress path, sockets and tracepoints, and are used for packet filtering, socket filtering, packet mangling, forwarding and more. Cilium detects which of these features the running kernel offers and uses them as available.
One of the key features of Cilium is its ability to enforce security policies at layers 3 and 4 of the network stack and, by redirecting selected flows through an embedded proxy, at layer 7 (HTTP, gRPC, Kafka and DNS), allowing fine-grained control over traffic between services. Policies select workloads by their labels rather than by IP address. Cilium can also encrypt and authenticate traffic between nodes, so that data is protected in transit.
In addition to its security features, Cilium also offers a number of networking capabilities that are particularly useful in containerized environments. For example, Cilium can provide load balancing and service discovery, allowing services to be accessed by other services in a simple and scalable manner.
Hubble, built on Cilium and eBPF, provides distributed networking and security observability with deep visibility into services and the network infrastructure. Because it reads flow data from the same eBPF datapath, this visibility is dynamic and programmable and comes with minimal overhead.
Overall, Cilium is a powerful and flexible solution for securing and networking modern, distributed systems. Its use of eBPF technology and focus on network-level security make it particularly well-suited for containerized environments where traditional security and networking solutions may not be sufficient.
Cilium consists of the following components:
Agent (cilium-agent): runs on every Kubernetes node and connects to the Kubernetes API server. It reads the network policies and services declared through the Kubernetes API, watches for containers starting on its node, and uses eBPF to load the policy and load-balancing state into the Linux kernel, where all traffic entering and leaving the containers is enforced and observed.
Cilium CLI: talks to the API exposed by the Cilium agent to inspect and manage Cilium's policies and configuration.
When two pods communicate, Cilium's data plane intercepts the packet, resolves its source and destination to their security identities (derived from the workloads' labels rather than from their IP addresses), and then allows or drops the packet according to the configured network policies.
Cilium is a versatile tool that can be used in a variety of scenarios to provide network security and connectivity for containerized environments. Here are some examples of how Cilium can be used:
Service Load Balancing: Cilium provides robust and secure load balancing through BGP, XDP, and eBPF, operating at the kernel layer and enabling intelligent workload connection decisions, while also improving performance and eliminating the need for kube-proxy.
Scalable Kubernetes CNI: Cilium is designed for large-scale cloud environments with dynamic workloads: its control plane is optimized for clusters of up to 5,000 nodes, its data plane uses eBPF for efficient load balancing, and it supports IPv6.
Multi-cluster Connectivity: Cluster Mesh enables high-performance cross-cluster connectivity, creating a single zone of connectivity for load-balancing, observability, and security between nodes across multiple clusters.
Identity-aware Visibility: Cilium leverages eBPF for rich observability in Kubernetes. Its Hubble framework provides API, CLI, and a graphical UI to troubleshoot application and connectivity issues with native understanding of Kubernetes label and DNS identities.
Advanced Self Service Observability: Cilium uses eBPF to enable efficient visibility into L7 proxies such as Envoy, and into applications and protocols like HTTP, gRPC, and Kafka, while gathering process context at the kernel layer. This data is available via Cilium's Hubble framework and includes TLS interception for HTTPS traffic. Note that TLS visibility is not transparent: the proxy has to be provisioned with certificates to present to clients and to use towards origin servers, and the clients must trust them.
Network Metrics + Policy Troubleshooting: Cilium provides Prometheus compatible L3/L4 and L7 network flow metrics with rich identity context, allowing teams to detect and investigate network and application behavior and faults. Flow and metric data include information on traffic allowed or denied by network policies, simplifying policy troubleshooting.
Transparent Encryption: Cilium provides transparent encryption for securing data in flight, using the IPsec implementation built into the Linux kernel (WireGuard is available as an alternative backend). Enabling it requires a single configuration setting plus, for IPsec, a pre-shared key stored in a Kubernetes Secret; no application changes or proxying are needed to encrypt communication between all workloads within, or between, Kubernetes clusters.
Security Forensics + Audit: Cilium’s Hubble provides identity-aware network flow logs and process context to enable long-term forensics for security in Kubernetes.
Advanced Network Policy: Cilium supports basic (L3/L4), DNS-aware (FQDN-based egress) and application-aware (L7) Kubernetes network policies, as well as cluster-wide policy (CiliumClusterwideNetworkPolicy) and host-layer firewalling for the nodes themselves.
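The identity-based decision described in the data-plane paragraph above and the basic, L7 and DNS-aware policy types listed here come together in a single CiliumNetworkPolicy. The manifest below is an added example written for this page; it is not taken from the original article or from the Cilium project's documentation. The namespace (shop), the application labels (app=orders, app=frontend), the port, the URL paths and the external hostname payments.example.com are assumed values.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-policy
  namespace: shop            # assumed namespace
spec:
  # L3: the policy applies to endpoints chosen by label (their identity),
  # never by IP address; pods that move or restart keep the same identity.
  endpointSelector:
    matchLabels:
      app: orders
  ingress:
  # L3/L4 + L7: only pods labelled app=frontend in the same namespace may
  # reach the orders service on TCP/8080, and only with GET on these paths.
  # Because an ingress section now exists, any other ingress is dropped.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "^/api/v1/orders/[0-9]+$"
        - method: "GET"
          path: "^/healthz$"
  egress:
  # DNS-aware egress, step 1: allow the orders pods to query kube-dns. The
  # dns rule sends the queries through Cilium's DNS proxy, which records the
  # answers so the toFQDNs rule below knows which IPs the name resolved to.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # DNS-aware egress, step 2: allow TCP/443 only to the IPs that the DNS
  # proxy saw payments.example.com (assumed hostname) resolve to.
  - toFQDNs:
    - matchName: "payments.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Two details matter when adapting this. First, fromEndpoints without a namespace label only matches pods in the policy's own namespace; to admit callers from another namespace, add the k8s:io.kubernetes.pod.namespace label to that selector. Second, the moment a policy with an ingress or egress section selects an endpoint, everything not explicitly allowed in that direction is dropped, so drops that appear in hubble observe --verdict DROPPED right after applying the policy are usually traffic the policy was never taught about (DNS egress is the classic omission), not a bug in Cilium.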
Cilium has been adopted by a number of organizations across a variety of industries and has been used to secure large-scale, mission-critical containerized environments. Here are some examples of real-world use cases and success stories:
In this section, we will provide a step-by-step guide for getting started with Cilium, including the installation and configuration process as well as how to use Cilium to secure your containerized environment.
Cilium has a steep learning curve, but its well-documented installation and configuration process and feature-rich capabilities make it a potent solution for securing containerized environments.
Refer to the official Cilium installation documentation for the supported installation methods (the Cilium CLI and the Helm chart).
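As an added, worked example for the installation step (not from the original article or the Cilium project's documentation), the following Helm values file installs Cilium as a kube-proxy replacement with IPsec transparent encryption and Hubble enabled, and the accompanying Secret carries the IPsec pre-shared key that the encryption feature expects. The API server address and port, the key placeholder, and the assumption that the chart is Cilium 1.14 or newer (where kubeProxyReplacement takes true/false and the "3+" key syntax is accepted) are mine, not the page's.

```yaml
# --- file 1: values.yaml ---
# Install with: helm install cilium cilium/cilium -n kube-system -f values.yaml
# Assumes Cilium 1.14 or newer (kubeProxyReplacement is a boolean there).

# Replace kube-proxy: service load balancing is done in eBPF instead of iptables.
kubeProxyReplacement: true
# With kube-proxy gone the agent cannot reach the API server through the
# "kubernetes" ClusterIP, so it needs the real endpoint (assumed values).
k8sServiceHost: "10.0.0.10"
k8sServicePort: "6443"

# Transparent encryption between nodes using the kernel's IPsec stack.
# The key itself is read from the Secret "cilium-ipsec-keys" (file 2).
encryption:
  enabled: true
  type: ipsec

# Hubble observability: relay for cluster-wide flows, the UI, and
# Prometheus metrics for drops, DNS, TCP, flows, ICMP and HTTP.
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
  metrics:
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - icmp
      - httpV2
---
# --- file 2: ipsec-keys.yaml (apply BEFORE installing Cilium) ---
# Format of the value: "<SPI>+ <algorithm> <key hex> <ICV bits>".
# rfc4106(gcm(aes)) with a 128-bit ICV wants 20 bytes (16-byte key plus
# 4-byte salt), i.e. 40 hex characters; generate them with, for example:
#   dd if=/dev/urandom bs=1 count=20 2>/dev/null | xxd -p -c 64
# The trailing "+" after the SPI asks recent releases for per-tunnel keys.
apiVersion: v1
kind: Secret
metadata:
  name: cilium-ipsec-keys
  namespace: kube-system
type: Opaque
stringData:
  keys: "3+ rfc4106(gcm(aes)) REPLACE_WITH_40_HEX_CHARS 128"
```

The placeholder in the Secret must be replaced with freshly generated random bytes before it is applied; the same Secret, and therefore the same key, has to exist on every cluster that should talk to this one over IPsec. Rotating the key later means adding a new SPI (for example "4+") rather than overwriting the value in place, so that nodes that have not yet reloaded keep a working tunnel during the rollout.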
In conclusion, Cilium is a powerful and flexible solution for securing and managing container networking in modern distributed systems. Its advanced use of eBPF technology, combined with its rich set of features and policies, makes it an ideal choice for organizations seeking to improve the security and performance of their container environments.
Some of the key takeaways from this article include:
Readers are encouraged to explore Cilium further and to consider using it in their own environments, whether the goal is securing Kubernetes clusters, improving microservice performance, or simply streamlining container networking.