August 7, 2018

Istio 1.0: How Cilium enhances Istio with socket-aware BPF programs

Istio 1.0 was released last week. From the Cilium community, we would like to congratulate all Istio contributors on this massive effort. We have been fortunate to participate in the community by contributing to Istio and by helping several users move toward production with Istio and Cilium.

If you are interested in learning about an Istio + Cilium user story before diving into the technical details, consider reading the following Istio blog post by the HP FitStation team, one of the largest Cilium + Istio users: Istio a Game Changer for HP's FitStation Platform.

This blog will go into some of the details on how BPF and Cilium enhance Istio:

  • Increase Istio Security:

    • Least privilege security for multi-container pods using socket-aware BPF programs
    • Protect from compromised sidecar proxies and protocols that bypass the sidecar
    • Use of BPF to force all application traffic through the sidecar proxy
  • Enable Istio for external services:

    • Using socket-aware BPF programs and kTLS to provide visibility and control into TLS encrypted connections
  • Performance:

    • Efficient networking and socket redirection to accelerate Istio
July 17, 2018

Prometheus Metrics for Kubernetes Networking Using Cilium

In Kubernetes deployments, Prometheus is a popular monitoring system and time-series database for storing health and performance metrics of all the components. Equally popular is Grafana for plotting those metrics. In this post, we will provide steps to set up Prometheus and Grafana for understanding the Cilium metrics that matter most for the security and health of service interactions in a Kubernetes cluster.

July 10, 2018

Open Source Elasticsearch Security: Using Cilium for Elasticsearch Access Control with No App/Container Changes

Elasticsearch is a dominant open source platform for storing and analyzing many different types of data, ranging from application logs to user payment transactions and network audit logs.

A single Elasticsearch cluster is often used to store many different types of data for a variety of uses. While such multi-tenancy maximizes the efficiency of both compute/storage resources and ops-team resources, it also requires key security controls. For example, if an application that sends troubleshooting logs to an Elasticsearch cluster is compromised, the attacker should not also be able to read user transaction data or delete network access logs simply because that data happens to be stored in the same cluster.

In this post, we will look at how Cilium helps you lock down access to data in your Elasticsearch cluster without requiring any changes to the application code or containers. Cilium is an open source API-aware network security technology for container orchestration frameworks like Kubernetes.
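The kind of per-application, per-index restriction described above is expressed in Cilium as an HTTP-aware (L7) network policy. The following CiliumNetworkPolicy is an added example written for this index page; it is not taken from the linked post or from the Cilium project. All labels (app: elasticsearch, app: log-shipper, app: audit-reader), the namespace, and the index names (app-logs, audit-logs) are assumptions, and the paths are regular expressions matched against the request path:

```yaml
# Added example, not from the original post. Assumed labels, namespace
# and index names; the Elasticsearch REST API is reached on TCP 9200.
#
# Intent: a log-shipping application may only index documents into its
# own "app-logs" index; a separate audit-reader may only search the
# "audit-logs" index. Neither can read, delete or write anything else,
# because once this policy selects the Elasticsearch pods, all ingress
# traffic not explicitly allowed here is denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: elasticsearch-access
  namespace: logging            # assumed namespace
spec:
  description: "Per-application, per-index access to Elasticsearch"
  endpointSelector:
    matchLabels:
      app: elasticsearch        # assumed label on the Elasticsearch pods
  ingress:
  # 1) The log shipper may only write into the app-logs index.
  - fromEndpoints:
    - matchLabels:
        app: log-shipper        # assumed label on the writer
    toPorts:
    - ports:
      - port: "9200"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "^/app-logs/_doc$"
        - method: "PUT"
          path: "^/app-logs/_doc/[^/]+$"
        - method: "POST"
          path: "^/app-logs/_bulk$"
  # 2) The audit reader may only run read-only searches on audit-logs.
  - fromEndpoints:
    - matchLabels:
        app: audit-reader       # assumed label on the reader
    toPorts:
    - ports:
      - port: "9200"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "^/audit-logs/_search$"
        - method: "POST"
          path: "^/audit-logs/_search$"
```

Apply it with `kubectl apply -f` in the namespace of the Elasticsearch pods. With this policy in place, a compromised log-shipper that issues `GET /transactions/_search` or `DELETE /audit-logs` is stopped at the Cilium proxy, which answers with HTTP 403 rather than forwarding the request, while its legitimate bulk writes to `app-logs` continue unchanged. Because enforcement happens in the datapath, neither the application containers nor the Elasticsearch deployment needs to be modified. The check to run after applying it is to send one allowed and one disallowed request from each client pod and confirm the 403 on the disallowed one.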

June 26, 2018

Cilium 1.1: Istio sidecar mode, cri-o/containerd support, improved efficiency & scale, init policies

We are excited to announce Cilium 1.1. 33 contributors have contributed 965 commits to this release. Below is a list of highlighted features and architectural improvements that made it into the 1.1 release, in addition to countless bugfixes.

April 24, 2018

Cilium - Rethinking Linux Networking and Security for the Age of Microservices

To celebrate the Cilium project hitting 1.0, we wanted to take a moment to share the broader story behind how BPF and Cilium are driving the biggest change in the past two decades of Linux networking and security, and invite you to join in on the fun. We're just getting started!

April 24, 2018

Cilium 1.0: Bringing the BPF Revolution to Kubernetes Networking and Security

The last couple of months have been tremendously exciting for everyone working on Cilium and BPF. We have witnessed a fast-growing community of Cilium users as well as a rapid increase in BPF usage and development, with companies such as Google joining the already strong BPF community of engineers from Facebook, Netflix, Red Hat and many more. Possibly the strongest signal of the success of BPF has been the decision of the Linux kernel community to replace the in-kernel implementation of iptables with BPF.

All of this has allowed us to advance BPF quickly and mature the Cilium project very effectively. Our warmest shoutouts go to everyone who has joined us on this incredible journey since we initially announced Cilium at DockerCon 2017. Your support in the form of contributing code, providing feedback and spreading the word has been incredible.

April 17, 2018

Why is the kernel community replacing iptables with BPF?

The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.

From humble roots as the packet filtering capability underlying popular tools like tcpdump and Wireshark, BPF has grown into a rich framework for extending the capabilities of Linux in a highly flexible manner without sacrificing key properties like performance and safety. This powerful combination has led forward-leaning users of Linux kernel technology like Google, Facebook, and Netflix to choose BPF for use cases ranging from network security and load-balancing to performance monitoring and troubleshooting. Brendan Gregg at Netflix was the first to call BPF "Superpowers for Linux". This post will cover how these "superpowers" render long-standing kernel sub-systems like iptables redundant while simultaneously enabling new in-kernel use cases that few would previously have imagined were possible.

April 2, 2018

Cilium 1.0.0-rc9 - Feature Freeze for 1.0!

We are excited to announce Cilium 1.0.0-rc9 with many, many bugfixes and the delivery of the final feature we were waiting on prior to 1.0: egress policy enforcement support. It is therefore only logical that we announce a full feature freeze with rc9. This means that we will only merge critical bugfixes and will release 1.0 as soon as we have resolved all release blockers. More on this below. We are thrilled to have come this far and appreciate all of the efforts by the wide range of contributors who have helped get us here.

As usual, the full release notes are attached at the end of the blog post and can also be found on the 1.0.0-rc9 release page. The vast majority of the work in this release has been around bugfixes and testing. Here is a list of some highlights: