February 16, 2018

Cilium 1.0.0-rc4 released

We are excited to have released Cilium 1.0.0-rc4. As usual, the release contains a lot of bugfixes plus a lot of CI work to ensure long-term quality, but there are also some enhancement highlights and tooling worth mentioning.

February 7, 2018

Connectivity Troubleshooting with cilium-health

As we approach the upcoming 1.0 release, the Cilium community has been putting a lot of effort towards monitoring and troubleshooting. This has led to the development of several new tools in the project which we'll explore in this blog series. In this first part, we will cover cilium-health, a tool for troubleshooting intra-cluster connectivity issues.

What’s cilium-health?

cilium-health is a new tool available in Cilium which provides visibility into the overall health of the cluster’s networking connectivity.

December 6, 2017

Cilium 1.0.0-rc2 - gRPC, Kafka and much more

The Cilium community has been hard at work over the past weeks to get us closer to what we consider required for a 1.0 release. We have made a ton of progress and are happy to announce the release of 1.0.0-rc2 at this point.

New functionality that was merged recently:

  • Security policy enforcement at the application protocol level for Kafka and gRPC.

  • Lots of tooling around operating Cilium-based clusters (cluster-wide connectivity monitor, bug reporting tools, Prometheus metrics, security incident process, ...)

  • Integration of the Envoy proxy into the Cilium datapath.

  • Lots and lots of documentation and guides.

December 6, 2017

Cilium Now Speaks gRPC!

The Cilium team is happy to announce tech preview support for gRPC-aware filtering!

While the majority of existing API-based services leverage HTTP REST as their primary protocol for inter-service communication, among teams designing new platforms from scratch, gRPC is quickly gaining steam. gRPC is based on Google's popular protobuf project, which provides a more compact and efficiently serializable RPC payload.

Microservices written using gRPC typically include a large number of RPC "methods", all of which are exposed on a single TCP port belonging to the gRPC server. As a result, a traditional network firewall would either open or close the port of the gRPC server, exposing either all or none of the gRPC methods for a service to each RPC client. However, Cilium's API-aware filtering enables fine-grained security policies that selectively expose RPC methods to different remote callers, eliminating unnecessary attack surface.

We have created a Cilium + gRPC "Getting Started Guide" so you can try it out yourself: http://docs.cilium.io/en/latest/gettingstarted/grpc/. Building on our tradition of Star Wars-themed demos, this guide explains how the lack of gRPC-aware network security helped the rebels escape from Cloud City during "The Empire Strikes Back". Check out the video!

As always, we're very interested in your questions and feedback, so don't hesitate to reach out via Twitter (@ciliumproject) or Slack (http://www.cilium.io/slack). And don't forget to check out the code and star us on Cilium GitHub. Happy gRPC-ing!

December 5, 2017

What Cilium and BPF will bring to Istio

There is a lot of excitement around Istio this week at KubeCon. We are getting pinged multiple times a day now with questions on how exactly Cilium and Istio relate to each other. Istio abstracts away a lot of networking-specific complexity and provides visibility and control to application teams. We couldn't agree more with moving networking to Layer 7 and providing the necessary instruments for efficient operation at the layer where it makes sense: the application protocol.

This blog post serves to answer a simple question: How is Istio related to Cilium? Can I use both together? Will one benefit from the other?

November 30, 2017

Cilium now supports Kafka!

We released Cilium v0.12 a couple of weeks back. One of the exciting feature additions is the introduction of Kafka protocol visibility and policy enforcement in the form of a tech preview.

November 20, 2017

BPF Updates 13

The v4.15 merge window is open and LWN.net already has a summary of part 1 out, which contains a BPF section listing some of the new things:

BPF

The user-space bpftool utility can be used to examine and manipulate BPF programs and maps; see this man page for more information.

Hooks have been added to allow security modules to control access to BPF objects; see this changelog for more information.

A new BPF-based device controller has been added; it uses the version-2 control-group interface. Documentation for this feature is entirely absent, but one can look at the sample program added in this commit that uses it.

The highlights since last time

  • New helper function bpf_getsockopt to retrieve socket options. It supports TCP_CONGESTION for now. The new BPF_SOCK_OPS_BASE_RTT feature significantly improves TCP-NV.
  • It is now possible to attach multiple programs to tracepoints / kprobes / uprobes. The programs will run in sequence. With the change for tracepoints, one application does not exclude others from attaching to the same call.

More interesting topics

  • New helper function bpf_override_function under discussion to allow for error injection via kprobes.
  • BPF runtime finally gets a FAQ section in the kernel's documentation directory.
  • bpftool gets support for dumping JSON.
October 25, 2017

BPF Updates 12

The highlights since the last time

  • Generic metadata transfer from XDP into skb via new helper function bpf_xdp_adjust_meta.
  • bpf_perf_event_read_value helper function series got merged.
  • Multiple programs can now be attached to a cgroup.
  • A new map type cpumap for XDP got merged.