Traditional security measures do not fit modern applications; Cilium provides a low-latency network security solution for containerized workloads.

eBPF

When a pod talks to a service, every packet has to traverse the iptables rules that implement the service: the lookup is linear in the number of rules, so with many services and endpoints the rule chains grow and lookups become a performance problem. kube-proxy is the component that maintains those iptables rules. Cilium's eBPF data path can replace kube-proxy entirely, doing service load balancing inside eBPF programs with hash-table lookups instead of iptables chains.

What is Cilium?

Cilium is a modern, open-source networking and security solution for containerized environments. It provides a high level of visibility and control over network traffic and offers advanced security features, including encryption, network policy enforcement, and more. Cilium uses eBPF (extended Berkeley Packet Filter) to provide high-performance networking and security, and it is designed to work with container orchestration systems like Kubernetes.

eBPF (extended Berkeley Packet Filter): eBPF is an in-kernel virtual machine. Programs are loaded as bytecode, checked by the kernel's verifier (bounded execution, no invalid memory access) before they are accepted, and JIT-compiled to native code, so they run at near-native speed. They attach to hook points such as XDP, the traffic-control (tc) ingress/egress path, socket operations and tracepoints, and are used for packet filtering, socket filters, packet mangling, forwarding, and more. Cilium probes the running kernel for the eBPF features it supports and selects its data-path implementation accordingly.

One of the key features of Cilium is its ability to enforce security policies at the network layer, allowing fine-grained control over traffic between services. Policy is expressed in terms of workload identity (Kubernetes labels) rather than IP addresses. Cilium can also provide encryption and authentication for network traffic, so that data in transit between workloads is protected.

In addition to its security features, Cilium also offers a number of networking capabilities that are particularly useful in containerized environments. For example, Cilium can provide load balancing and service discovery, allowing services to be accessed by other services in a simple and scalable manner.

Hubble, built on Cilium and eBPF, offers distributed networking and security observability with deep visibility into services and the network infrastructure. Because it reads flow data directly from the eBPF data path, it provides dynamic, programmable visibility with minimal overhead.

Overall, Cilium is a powerful and flexible solution for securing and networking modern, distributed systems. Its use of eBPF technology and focus on network-level security make it particularly well-suited for containerized environments where traditional security and networking solutions may not be sufficient.

Cilium architecture


Cilium consists of the following components:

  • Agent. cilium-agent runs on every Kubernetes node and connects to the API server. It reads policy and service definitions through the Kubernetes API to implement network policy and load balancing, watches for containers starting on the node, and uses eBPF to load the network policy into the Linux kernel so that all traffic entering and leaving each container is enforced and monitored.

  • Cilium CLI. The cluster-level `cilium` CLI talks to the Kubernetes API to install Cilium and manage its configuration; the CLI inside each agent pod talks to the local cilium-agent API to inspect and manage policy, endpoints and configuration on that node.

When two pods communicate, Cilium's data plane (eBPF programs attached to each pod's network interface) sees the packet, resolves the security identities of source and destination (derived from their labels, and either looked up in the ipcache eBPF map or carried in the overlay header), and then allows or drops the packet according to the configured network policy. Because the decision is keyed on identity rather than on IP address, policy keeps working when pods are rescheduled and their IPs change.
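As an added illustration (example policy written for this article, not code from the Cilium project or its documentation), the following CiliumNetworkPolicy is what such a decision is made against. The namespace `demo`, the labels `app=backend` and `app=frontend`, the namespace `web` and port 8080 are assumed values.

```yaml
# Added example for this article, not from the Cilium project.
# Namespace "demo", labels app=backend / app=frontend, namespace "web"
# and port 8080 are assumed values.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend
  namespace: demo
spec:
  # The policy applies to endpoints (pods) carrying app=backend in "demo".
  # As soon as any policy selects an endpoint for a direction, that
  # direction becomes default-deny for everything not explicitly allowed.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    # Peers are matched by security identity (derived from labels), not by
    # pod IP. Without a namespace label, fromEndpoints only matches pods in
    # the policy's own namespace ("demo").
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
    # Cross-namespace peer: frontends in namespace "web" must be named
    # explicitly through the reserved namespace label.
    - fromEndpoints:
        - matchLabels:
            app: frontend
            k8s:io.kubernetes.pod.namespace: web
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```

Apply it with `kubectl apply -f`, then watch what the data plane decides with `hubble observe --namespace demo --verdict DROPPED`. Note that only `ingress` is specified, so traffic leaving the backend pods is still unrestricted until an `egress` section is added.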


Use cases for Cilium:

Cilium is a versatile tool that can be used in a variety of scenarios to provide network security and connectivity for containerized environments. Here are some examples of how Cilium can be used:

Networking

Service Load Balancing: Cilium provides robust and secure service load balancing through BGP, XDP, and eBPF. Operating in the kernel data path, it makes connection decisions close to the workload, improves performance, and eliminates the need for kube-proxy.

Scalable Kubernetes CNI: Cilium is designed for large-scale cloud environments with dynamic workloads. Its control plane is optimized for clusters of up to 5K nodes, its data plane uses eBPF for efficient load balancing, and it supports IPv6.

Multi-cluster Connectivity: Cluster Mesh enables high-performance cross-cluster connectivity, creating a single zone of connectivity for load-balancing, observability, and security between nodes across multiple clusters.

Observability

Identity-aware Visibility: Cilium leverages eBPF for rich observability in Kubernetes. Its Hubble framework provides API, CLI, and a graphical UI to troubleshoot application and connectivity issues with native understanding of Kubernetes label and DNS identities.

Advanced Self Service Observability: Cilium uses eBPF to provide efficient visibility into L7 proxies such as Envoy and into application protocols such as HTTP, gRPC, and Kafka, while gathering process context at the kernel layer. This data is available through Cilium's Hubble framework and includes TLS interception for HTTPS traffic.

Network Metrics + Policy Troubleshooting: Cilium provides Prometheus compatible L3/L4 and L7 network flow metrics with rich identity context, allowing teams to detect and investigate network and application behavior and faults. Flow and metric data include information on traffic allowed or denied by network policies, simplifying policy troubleshooting.

Security

Transparent Encryption: Cilium provides transparent encryption for data in flight, using the efficient IPsec implementation built into the Linux kernel. It requires only a single configuration setting, with no application changes or proxying, to encrypt communication between all workloads within, or between, Kubernetes clusters.
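As an added example (written for this article, not taken from the Cilium project), the single setting above is the Helm value `encryption.enabled`; with IPsec the agents also need a pre-shared key in a Secret named `cilium-ipsec-keys`. The key value below is a zero placeholder and must be replaced with random material; the key id and the exact key-string format should be checked against the documentation for the Cilium release in use.

```yaml
# Added example for this article, not from the Cilium project.
# File 1: the IPsec key Secret the agents read. The hex key below is a
# zero PLACEHOLDER only; generate real material with
#   dd if=/dev/urandom bs=1 count=20 2>/dev/null | xxd -p -c 64
# (20 bytes = 128-bit AES key + 4-byte GCM salt = 40 hex characters).
apiVersion: v1
kind: Secret
metadata:
  name: cilium-ipsec-keys
  namespace: kube-system
type: Opaque
stringData:
  # Format: "<key-id>[+] <algorithm> <hex key> <key size in bits>".
  # The key id is bumped on every rotation; the trailing "+" enables
  # per-node-pair keys on recent releases (check the docs for your version).
  keys: "3+ rfc4106(gcm(aes)) 0000000000000000000000000000000000000000 128"
---
# File 2: Helm values that switch encryption on (no application changes).
#   helm upgrade --install cilium cilium/cilium -n kube-system -f values.yaml
encryption:
  enabled: true
  type: ipsec
```

After the rollout, `cilium status` inside an agent pod (`kubectl -n kube-system exec ds/cilium -- cilium status`; the binary is `cilium-dbg` on newer releases) reports the encryption mode. Two practitioner caveats: the Secret is the root of trust, so restrict who can read it with RBAC, and only pod-to-pod traffic is covered, so pods running in the host network namespace are not encrypted by this setting.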

Security Forensics + Audit: Cilium’s Hubble provides identity-aware network flow logs and process context to enable long-term forensics for security in Kubernetes.

Advanced Network Policy: Cilium supports basic, DNS-aware, and application-aware (L7) Kubernetes network policies, as well as cluster-wide network policy and host-layer firewalling.
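The three policy kinds named above, as an added example written for this article (not the project's own manifests). All names are assumed: namespace `demo`, labels `app=backend` and `app=frontend`, the domain `*.example.com`, the node label `node-role: worker` and the administrative range `10.0.0.0/24`. The host policy additionally assumes the host firewall was enabled at install time (`hostFirewall.enabled=true`).

```yaml
# Added example for this article, not from the Cilium project.
# All labels, namespaces, domains and CIDRs are assumed values.
#
# 1. Application-aware (L7) ingress: frontends may only issue GET
#    requests under /api/v1/ to the backend; other methods and paths are
#    rejected by the in-line HTTP proxy even though TCP/8080 is open.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-l7
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/v1/.*"
---
# 2. DNS-aware egress: the backend may resolve names through kube-dns and
#    reach only hosts under example.com on 443. The DNS rule is required:
#    toFQDNs learns IPs from the answers the DNS proxy observes.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-egress-fqdn
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: backend
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*.example.com"
    - toFQDNs:
        - matchPattern: "*.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# 3. Cluster-wide host policy: on worker nodes, SSH is reachable only from
#    the assumed admin range. Selecting a node makes its ingress default-deny
#    for everything not listed, so test this in policy audit mode first.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: host-ssh-admin-only
spec:
  nodeSelector:
    matchLabels:
      node-role: worker
  ingress:
    - fromCIDR:
        - 10.0.0.0/24
      toPorts:
        - ports:
            - port: "22"
              protocol: TCP
```

The FQDN policy only works for clients that resolve names through the cluster DNS: a pod that hard-codes an IP, or resolves through a DNS server the policy does not route through the proxy, gets no matching allow entry and is dropped. For the host policy, verify with Hubble before enforcing that nothing other than SSH is arriving on the selected nodes (kubelet, health checks and control-plane traffic included), since a mistake here can lock you out of the node.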

Real-world use cases and success stories:

Cilium has been adopted by a number of organizations across a variety of industries and has been used to secure large-scale, mission-critical containerized environments. Here are some examples of real-world use cases and success stories:

  1. Datadog: Cilium is used by Datadog to secure and monitor the network traffic of their containerized applications running on Kubernetes. They were able to replace their legacy iptables-based solution with Cilium, which improved performance and provided richer observability.
  2. Arista Networks: Cilium is used by Arista Networks to secure the network traffic of their multi-cloud Kubernetes deployments. They were able to simplify their security posture by using Cilium’s identity-based policies, which provided better visibility and control over network traffic.
  3. Cloudflare: Cilium is used by Cloudflare to secure the network traffic of their Kubernetes-based Edge Compute platform. They were able to achieve higher performance and scalability by leveraging Cilium’s eBPF-based dataplane and identity-aware policies.
  4. GitLab: Cilium is used by GitLab to secure the network traffic of their containerized applications running on Kubernetes. They were able to improve the reliability and security of their network traffic by using Cilium’s network policies and observability features.
  5. OVHcloud: Cilium is used by OVHcloud to secure the network traffic of their Kubernetes-based cloud platform. They were able to achieve better network performance and security by leveraging Cilium’s eBPF-based dataplane and identity-aware policies.

Getting started with Cilium:

In this section, we will provide a step-by-step guide for getting started with Cilium, including the installation and configuration process as well as how to use Cilium to secure your containerized environment.

  1. Prerequisites: a running Kubernetes cluster whose nodes run a Linux kernel with eBPF support (the Cilium documentation lists the minimum kernel version for each Cilium release), plus kubectl access to the cluster. Nothing has to be installed on the nodes by hand: Cilium runs as a DaemonSet and deploys its own CNI plugin.
  2. Installation: the two supported paths are the `cilium` CLI (`cilium install`) and the Helm chart; either one deploys the agent DaemonSet, the operator and the CNI plugin onto every node. The installation process is well documented in the Cilium documentation.
  3. Configuration: once Cilium is installed, configure it to secure your containerized environment. This includes defining network policies, enabling optional features such as Hubble, encryption or the service mesh, and making sure the cluster itself is set up to work with Cilium (for example, without kube-proxy if you use the kube-proxy replacement). The Cilium documentation provides detailed instructions on how to configure Cilium.
  4. Using Cilium: after installation and configuration, define network policies to restrict traffic between services, use the service mesh features to manage traffic, and use Hubble to monitor your network. The Cilium documentation provides detailed instructions on how to use these features.
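As an added worked example of the procedure above (written for this article, not the project's own install guide), here is a Helm values file that installs Cilium as the kube-proxy replacement with Hubble enabled and policy enforcement in audit mode. It assumes a recent Cilium release where `kubeProxyReplacement` is a boolean, a cluster bootstrapped without kube-proxy, and `192.0.2.10:6443` as the API server address; replace that with your control-plane endpoint.

```yaml
# Added example for this article, not from the Cilium project.
# Assumes Cilium >= 1.14 (boolean kubeProxyReplacement) and a cluster
# created without kube-proxy, for example:
#   kubeadm init --skip-phases=addon/kube-proxy
#   helm repo add cilium https://helm.cilium.io/
#   helm upgrade --install cilium cilium/cilium -n kube-system -f values.yaml
kubeProxyReplacement: true
# With kube-proxy gone there is no working ClusterIP for the API server
# until Cilium is up, so the agent needs the real endpoint (assumed values).
k8sServiceHost: 192.0.2.10
k8sServicePort: 6443
# Audit mode: policy verdicts are logged as AUDIT instead of dropping traffic.
# Use it for the first rollout and set it to false once Hubble shows no
# unexpected verdicts.
policyAuditMode: true
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
  metrics:
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - icmp
      - httpV2
```

Check the result with `cilium status --wait`, confirm the replacement is active with `kubectl -n kube-system exec ds/cilium -- cilium status --verbose` (look for the KubeProxyReplacement line; the binary is `cilium-dbg` on newer releases), and review what enforcement would have dropped with `hubble observe --verdict AUDIT` before turning audit mode off.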

Cilium has a steep learning curve, but its well-documented installation and configuration process and feature-rich capabilities make it a potent solution for securing containerized environments.

Official installation documentation can be found at https://docs.cilium.io/.

Conclusion:

In conclusion, Cilium is a powerful and flexible solution for securing and managing container networking in modern distributed systems. Its advanced use of eBPF technology, combined with its rich set of features and policies, makes it an ideal choice for organizations seeking to improve the security and performance of their container environments.

Some of the key takeaways from this article include:

  • Cilium provides scalable and efficient networking and security for containerized applications.
  • Cilium targets Kubernetes first and foremost, and has also been used with other container runtimes and orchestrators such as Docker.
  • Cilium is highly extensible and customizable, offering a rich set of APIs and integrations with other tools.

Readers are encouraged to explore Cilium further and consider its use in their own environments. A lot can be offered by Cilium, whether it is for securing Kubernetes clusters, improving microservices performance, or simply streamlining container networking.