API-aware Networking and Security
Powered by BPF

Try one of the Getting Started Guides

Get started with Cilium on Kubernetes, Amazon EKS, Google GKE or Microsoft AKS in less than 15 minutes

Kubernetes
(Minikube)

Kubernetes
(Self-Managed)

Amazon EKS

Google GKE

Microsoft AKS

Latest Blog Posts

Jul 27, 2020 Multitenancy and Network Security in Kubernetes with Cilium
Jun 29, 2020 How Cilium Protects Against Common Network Attacks
Jun 22, 2020 Cilium 1.8: XDP Load Balancing, Cluster-wide Flow Visibility, Host Network Policy, Native GKE & Azure modes, Session Affinity, CRD-mode Scalability, Policy Audit mode, ...
May 4, 2020 最Cool Kubernetes网络方案Cilium入门
Apr 29, 2020 Building a Multi-node Environment with Cilium and K3s in Twenty Minutes or Less

Watch a Demo About Cilium

Cilium: Helping Linux Secure Microservices

A microservices-based application is split into small independent services that communicate with each other via APIs using lightweight protocols like HTTP, gRPC, Kafka and more. However, existing Linux network security mechanisms (e.g., iptables) only operate at the network and transport layers (i.e., IP addresses and ports) and lack visibility into the microservices layer.

Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.

We believe in a future where Linux has deep network visibility and control for microservice at the API layer, making applications more secure than ever before. If this goal excites you too, we invite you to join us by contributing ideas, code, and documentation to Cilium.

Identity Based Security

Cilium visibility and security policies are based on the container orchestrator identity (e.g., Kubernetes labels). Never again worry about network subnets or container IP addresses when writing security policies, auditing, or troubleshooting.

API-Protocol Visibility + Security

Traditional firewalls only see and filter packets based on network headers like IP address and ports. Cilium can do this as well, but also understands and filters the individual HTTP, gRPC, and Kafka requests that stitch microservices together.

Blazing Performance

BPF is the underlying Linux superpower to do the heavy lifting on the datapath by providing sandboxed programmability of the Linux kernel with incredible performance.

Designed for Scale

Cilium was designed for scale, with no node-to-node interactions required when new pods are deployed, and all coordination through a highly scalable key-value store.

People Say

The latest @ciliumproject release is taking this Kubernetes networking thing to another level: multi-cluster service routing, IPVLAN support, transparent encryption, and DNS authorization. https://cilium.io/blog/2019/02/12/cilium-14/
Kelsey Hightower (@kelseyhightower) February 14, 2019

@ciliumproject as the future for containers networking, by @PalantirTech. #KubeCon & #CloundNativeCon.
Beatriz Martínez Rubio (@beatrizmrg) May 23, 2019

API-aware Networking and Security Powered by BPF