API-aware Networking and Security
Powered by BPF

Try one of the Getting Started Guides

Get started with Cilium on Kubernetes, Amazon EKS, Google GKE or Microsoft AKS in less than 15 minutes

Kubernetes
(Minikube)

Kubernetes
(Self-Managed)

Amazon EKS

Google GKE

Microsoft AKS

Latest Blog Posts

Nov 19, 2019 Announcing Hubble - Network, Service & Security Observability for Kubernetes
Aug 22, 2019 eBPF at Linux Plumbers 2019, Lisbon, Portugal
Aug 20, 2019 Cilium 1.6: KVstore-free operation, 100% kube-proxy replacement, Socket-based load-balancing, Generic CNI Chaining, Native AWS ENI support, ...
Jul 1, 2019 CVE-2019-13119: Policy bypass via nested encapsulation
Jun 24, 2019 License change and lack of attribution of Cilium eBPF code in Calico project

Watch a Demo About Cilium

Cilium: Helping Linux Secure Microservices

A microservices-based application is split into small independent services that communicate with each other via APIs using lightweight protocols like HTTP, gRPC, Kafka and more. However, existing Linux network security mechanisms (e.g., iptables) only operate at the network and transport layers (i.e., IP addresses and ports) and lack visibility into the microservices layer.

Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.

We believe in a future where Linux has deep network visibility and control for microservice at the API layer, making applications more secure than ever before. If this goal excites you too, we invite you to join us by contributing ideas, code, and documentation to Cilium.

Identity Based Security

Cilium visibility and security policies are based on the container orchestrator identity (e.g., Kubernetes labels). Never again worry about network subnets or container IP addresses when writing security policies, auditing, or troubleshooting.

API-Protocol Visibility + Security

Traditional firewalls only see and filter packets based on network headers like IP address and ports. Cilium can do this as well, but also understands and filters the individual HTTP, gRPC, and Kafka requests that stitch microservices together.

Blazing Performance

BPF is the underlying Linux superpower to do the heavy lifting on the datapath by providing sandboxed programmability of the Linux kernel with incredible performance.

Designed for Scale

Cilium was designed for scale, with no node-to-node interactions required when new pods are deployed, and all coordination through a highly scalable key-value store.

People Say

The latest @ciliumproject release is taking this Kubernetes networking thing to another level: multi-cluster service routing, IPVLAN support, transparent encryption, and DNS authorization. https://cilium.io/blog/2019/02/12/cilium-14/
Kelsey Hightower (@kelseyhightower) February 14, 2019

@ciliumproject as the future for containers networking, by @PalantirTech. #KubeCon & #CloundNativeCon.
Beatriz Martínez Rubio (@beatrizmrg) May 23, 2019

API-aware Networking and Security Powered by BPF