In my previous post, I deployed a GKE Kubernetes cluster. No bells. No whistles.
One of the things we didn’t get a chance to touch on was the networking and security aspects of Kubernetes.
Networking and security are two aspects of K8s that developers would rather leave to the platform engineers or SREs. However, doing networking and security inside a K8s cluster and between clusters is very different from how we have historically performed these disciplines.
Enter the CNI (Container Networking Interface). CNI defines a standard interface that container runtime environments can use to configure networking for containers.
Cilium is one such CNI.
Who the heck is Cilium?
Cilium is an open-source project to provide networking, security, and observability for cloud-native environments such as Kubernetes clusters and other container orchestration platforms.
Why do I need that?
As clusters grow, performance becomes one of the most important attributes of the CNI – how quickly can you get packets between pods or clusters whilst enforcing complex security rules?
Historically, such forwarding and rule enforcement has been handled by the Linux kernel, leveraging iptables for forwarding and filtering. As you can imagine, depending on the size of the node and the number of rules, this can become taxing for the kernel.
Cilium is an open-source networking and security project that uses eBPF (extended Berkeley Packet Filter) to provide container networking, security, and visibility for cloud-native applications.
Here are 5 advantages of using Cilium:
- Security: Cilium uses eBPF to implement network security policies, such as firewalls and access controls, which can help protect your applications from threats like network attacks and data breaches.
- Performance: Cilium uses eBPF to optimize network traffic between containers, which can improve the performance of your applications. It also has support for advanced networking features, such as layer 7 networking and load balancing, which can further improve performance.
- Integration with Kubernetes: Cilium is designed to work seamlessly with Kubernetes, the leading container orchestration platform. It can automatically apply security policies to containers based on their labels, and it integrates with Kubernetes APIs to provide visibility into network traffic and security events.
- Flexibility: Cilium allows you to customize your networking and security policies using eBPF, which provides a high degree of flexibility. You can use eBPF to implement custom policies, such as load-balancing algorithms or traffic-shaping rules, without modifying the kernel or requiring special privileges.
- Scalability: Cilium is designed to scale to large deployments, and it has been tested on clusters with thousands of nodes and millions of endpoints. It uses eBPF to implement its networking and security features in a way that is efficient and scalable, which makes it well-suited for use in large, distributed environments.
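To make the "policies based on labels" and "layer 7" points concrete, here is an added example of a CiliumNetworkPolicy (not taken from the post or from Cilium's own lab material). It selects the protected pods and the allowed callers by label rather than by IP address, then narrows the allowed traffic to one TCP port and one HTTP method and path. The labels, namespace, port and path are constructed for illustration.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: landing-service-ingress      # constructed name
  namespace: default
spec:
  # Pods this policy protects, chosen by label (constructed labels).
  endpointSelector:
    matchLabels:
      app: landing-service
  ingress:
    # L3: only pods carrying org=alliance may reach the selected pods ...
    - fromEndpoints:
        - matchLabels:
            org: alliance
      # L4: ... and only on TCP/80 ...
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          # L7: ... and only for POST /v1/request-landing.
          # Other methods or paths from the same callers are dropped by the
          # L7 proxy, so the policy is enforced on the request, not just the port.
          rules:
            http:
              - method: "POST"
                path: "/v1/request-landing"
```

One caveat worth checking when you apply something like this: as soon as any ingress rule selects a pod, all ingress to that pod that is not explicitly allowed is denied, so verify with a connectivity check that the callers you expect (and only those) still get through.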
eBPF is a Linux kernel feature that allows you to attach custom programs to various parts of the kernel, such as socket filters, kprobes, and tracepoints. It was originally developed as a more efficient and flexible replacement for the older Berkeley Packet Filter (BPF) mechanism, which was mainly used for packet filtering.
eBPF programs are written in a restricted subset of the C programming language and are compiled into a bytecode format that can be loaded into the kernel. Before loading, the kernel's verifier checks each program (for example, that it terminates and only touches memory it is allowed to), and the program then runs in a safe, isolated environment, which prevents it from causing harm to the system or other programs.
In short, Cilium makes cluster networking and security much faster.
I need to learn this – Free Labs
I recently got an introduction to Cilium via their online lab environment and the enticement of fancy badges:
https://isovalent.com/blog/post/badges-for-cilium-labs-catch-em-over-the-holidays/
And, the other evening I completed the first lab and got a nice badge:
I have to say, these lab environments are top-notch! Well done, Cilium!
I absolutely love the Star Wars-themed microservices test app as well as the connectivity validation checks.
So, my task over the Christmas holidays will be to go through them one by one.
Thanks for reading and Happy holidays. Unless you’re reading this after the holidays. In which case, simply thanks for reading 🙂