October 23, 2018

Cilium 1.3: Go extensions for Envoy, Cassandra & Memcached Support

We are excited to announce the Cilium 1.3 release. The release introduces several new features. The major highlight of the release is the addition of Go extensions for Envoy, as well as Cassandra and Memcached protocol parsers with policy enforcement capability, both implemented as Envoy Go extensions.

As usual, a big shout out to the entire community of Cilium developers who have contributed 785 commits in the time period between 1.2 and 1.3.

What are Envoy Go extensions?

We have been relying on Envoy for all processing of HTTP and gRPC, as well as HTTP derivatives such as Elasticsearch, since version 1.0. As the community discussed how to extend the scope of supported L7 protocols, it became clear that Envoy is the right platform to drive future protocol additions. The focus quickly shifted to finding ways to simplify the extensibility of Envoy and to allow reuse of existing open source projects such as the CNCF project Vitess. The idea of Go extensions for Envoy was born.

With Cilium 1.3, we introduce Go extensions for Envoy as a Beta feature.

Envoy Golang Extension Architecture

September 26, 2018

Cilium How-To: Install with Kubernetes on Ubuntu 18.04

Cilium provides API-aware network security for cloud-native applications. Here's a How-To guide to get you going easily with Kubernetes and Cilium on Ubuntu 18.04 LTS.

September 20, 2018

Kubernetes Network Policies Using Cilium - Controlling Ingress/Egress from Namespaces

Kubernetes clusters are used by multiple tenants to run their containerized workloads. Often, the tenant workloads are mapped to namespaces, and strict access control is required for inter-namespace communication. The access control could be needed for separation of concerns, such as a monitoring namespace vs. an application namespace; for compliance, such as PCI vs. non-PCI workloads; or to meet the requirements of serving different end customers, such as workloads serving Pepsi vs. Coke. In this post, we will look at namespace-based segmentation of traffic, along with examples of allowing specific inter-namespace communication.

August 21, 2018

Cilium 1.2: DNS Security Policies, EKS Support, ClusterMesh, kube-router integration, ...

We are excited to announce the Cilium 1.2 release. The release introduces several new features addressing the top asks from Cilium users and community members. One of the most exciting features is the introduction of security policies based on DNS names to secure access to external services outside of the cluster. Another top ask was the ability to connect and secure multiple Kubernetes clusters. We are introducing ClusterMesh as an alpha-level feature to address this ask; it allows connecting and securing pods running in different Kubernetes clusters. Equally important is the kube-router integration with Cilium. The effort, led by the team from DigitalOcean, makes it possible to combine BGP networking provided by kube-router with BPF-based security and load balancing from Cilium. As usual, a big shout out to the entire community of Cilium developers. The total number of contributors has grown to 85, and 579 commits have been contributed in the time period between 1.1 and 1.2.

August 7, 2018

Istio 1.0: How Cilium enhances Istio with socket-aware BPF programs

Istio 1.0 was released last week. From the Cilium community, we would like to congratulate all Istio contributors for this massive effort. We have been fortunate to participate in the community by contributing to Istio and by helping several users move towards production with Istio and Cilium.

If you are interested in learning about an Istio + Cilium user story before diving into the technical details, consider reading the following Istio blog post by the HP FitStation team, one of the largest Cilium + Istio users: Istio a Game Changer for HP's FitStation Platform.

This blog will go into some of the details on how BPF and Cilium enhance Istio:

  • Increase Istio Security:
    • Least privilege security for multi-container pods using socket-aware BPF programs
    • Protect from compromised sidecar proxies and protocols that bypass the sidecar
    • Use of BPF to force all application traffic through the sidecar proxy
  • Enable Istio for external services:
    • Using socket-aware BPF programs and kTLS to provide visibility and control into TLS encrypted connections
  • Performance:
    • Efficient networking and socket redirection to accelerate Istio

July 17, 2018

Prometheus Metrics for Kubernetes Networking Using Cilium

In Kubernetes deployments, Prometheus is a popular monitoring system and time-series database for storing health and performance metrics of all the components. Equally popular is Grafana for plotting the metrics. In this post, we will provide steps to set up Prometheus and Grafana for understanding important Cilium metrics related to the security and health of service interactions in a Kubernetes cluster.

July 10, 2018

Open Source Elasticsearch Security: Using Cilium for Elasticsearch Access Control with No App/Container Changes

Elasticsearch is a dominating open source platform for storing and analyzing many different types of data, ranging from application logs to user payment transactions and network audit logs.

A single Elasticsearch cluster is often used to store many different types of data for a variety of uses. While such multi-tenancy maximizes the efficiency of both compute/storage resources and ops-team resources, it also raises key security requirements. For example, if an application that is sending troubleshooting logs to an Elasticsearch cluster is compromised, the attacker should not also be able to read user transaction data or delete network access logs simply because that data also happens to be stored in the same cluster.

In this post, we will look at how Cilium helps you lock down access to data in your Elasticsearch cluster without requiring any changes to the application code or containers. Cilium is an open source API-aware network security technology for container orchestration frameworks like Kubernetes.