Associated Thunder episode: Cilium Explained: eBPF-Powered Kubernetes Networking
eBPF = Extended Berkeley Packet Filter
eBPF is a kernel technology that enables us to inspect and manipulate any call to the Linux kernel.
The eBPF verifier checks that a program:
- Terminates (no endless loop)
- Is safe and will not crash the kernel
This happens to every program that gets injected into the kernel — it means the program is run within the kernel itself.
NATIVE KERNEL SPEED
Cilium is a networking technology that is focused on solving networking, security, and observability in cloud and legacy environments.
1. Kubelet is creating a Pod.
2. Kubelet reaches out to the CNI (Cilium) — "Give me a networking stack for this Pod."
3. Cilium does that, and it also generates an identity for the Pod and attaches an eBPF program to the Pod's network namespace.
4. That eBPF program starts generating events for everything in that Pod network namespace — OBSERVABILITY IS SOLVED!! (MIND BLOWING!!!) Event examples: this Pod tried to reach outside the cluster, this Pod tried to talk to this other Pod, this Pod opened a network socket.
5. Cilium can implement network policy with eBPF (the same program that does observability in step 4). This adds security — the eBPF program evaluates Network Policy for every event that is generated. It considers the PACKET, not the SESSION.
- NETWORKING — socket-layer load balancing (low latency)
  - Traditional CNI: Pod → iptables → Pod (pod-host-iptables-host-pod)
  - Cilium: Pod → Pod (pod-pod)
- Also networking — kube-proxy replacement
  - IPVS = IP Virtual Server
  - kube-proxy is a native K8s component that implements Services (ClusterIP/NodePort) using iptables or IPVS. Cilium can replace kube-proxy, which is useful in high-scale environments. With kube-proxy, the iptables rules were constantly updating/reloading, which made the system slow to converge.
  - Lower CPU
  - Zero convergence time
  - Networking rules are atomic (key/value store, iptables, rules are all applied together as one unit)
- Cilium also can handle:
  - Load balancing in data centers
  - BGP — announces IPs in data centers
  - IPv6
  - Egress gateway — improves connectivity between K8s clusters and THE WORLD
Encryption, advanced load balancing, observability, L7 network policy, canary deployments, service discovery, mTLS (Mutual TLS)
For regulated environments — Cilium can do this in 2 ways:
- Opportunistically encrypting all traffic with WireGuard or IPsec (node-to-node traffic)
- Mutual authentication — Cilium decouples the encryption and the authentication that mTLS bundles together. It can use other protocols besides mTLS and can be FIPS compliant. (FIPS = Federal Information Processing Standards)
Cilium implements the Gateway API, which enables more advanced load balancing mechanisms (and Ingress). Ex: percentage-based load balancing.
Control traffic at the application layer. Ex: HTTP traffic is allowed between a client and a microservice, but only on specific paths and only for GET and DELETE. THIS IS SOLVED BY CILIUM, AND FOR MANY PROTOCOLS.
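The HTTP rule just described, written as a CiliumNetworkPolicy; this is an added example, not from the episode or the Cilium project, and the namespace, the labels `app: client` / `app: orders`, the port and the paths are assumed values:

```yaml
# Added example: L7 ingress policy for one microservice
# (namespace, labels, port and paths are assumed, not from the episode).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-allow-client-get-delete
  namespace: shop
spec:
  # Pods this policy protects. Once an endpoint is selected by an
  # ingress rule, all other ingress to it is denied by default.
  endpointSelector:
    matchLabels:
      app: orders
  ingress:
  # Identity-based source match: only Pods labelled app=client,
  # regardless of their IP address.
  - fromEndpoints:
    - matchLabels:
        app: client
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # L7 rules: method and path are anchored regular expressions.
      # Anything not matching one of these entries is rejected.
      rules:
        http:
        - method: "GET"
          path: "/orders"
        - method: "GET"
          path: "/orders/[0-9]+"
        - method: "DELETE"
          path: "/orders/[0-9]+"
```

Requests from `app: client` Pods that match none of the `http` entries are rejected by Cilium's L7 proxy with an HTTP 403, and traffic from any other Pod is dropped at L3/L4 before it reaches the service.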
Other service meshes use deep packet inspection. Cilium's observation point is the Linux kernel, which provides WAY MORE CONTEXT — it can see network-layer events alongside application-layer events. Cilium can tell you an event came from a particular process, not just a Pod.
