We released Cilium v0.12 a couple of weeks ago. One of the exciting feature additions is the introduction of Kafka protocol visibility and policy enforcement in the form of a tech preview.
The following video will take you through a quick Kafka demo:
You can also check out the Kafka Getting Started Guide to learn how to enforce Kafka-aware policies yourself.
- Initial implementation stages of XDP-based filtering enable source IP filtering in the NIC driver, with incredible performance results for protecting a host that can be seen here.
Below are the highlights from Cilium
- Simplified policy model to express connectivity for the special entities "world" (outside of the cluster) and "host" (the system on which the endpoint is running)
- XDP policy enforcement for filtering out source IPs and allowing host and endpoint destination IPs
- Initial framework to support multiple user-space proxies brings the ability to parse many more application protocols
- Auto-population of IPv6 routes for all hosts in the cluster to minimize IPv6 control plane routing (applicable for non-overlay mode)
- Support for L3-dependent L4 policies on ingress, enabled by expanding PolicyMap entry options in BPF
- Unified Cilium default policy behaviour: platform-agnostic enforcement behaviour. Now, policy is defined as a whitelist on a per-endpoint basis, globally (in line with Kubernetes behaviour).
- Cluster-wide information on Cilium identities via CLI/API.
- Cilium support for Kubernetes 1.8
- Improved DaemonSet file to automatically derive Kubernetes API access
- Support for DaemonSet configuration, such as etcd endpoints, via ConfigMap
- Support for ingress and egress rules with IP blocks, including blacklisting
- Prioritization of Kubernetes pod CIDR for node CIDR allocation.
We’ve also grown our documentation to include several specifics, ranging from policy enforcement and rules to BPF datapath debugging and developer documentation in the Contributor guide. Take a closer look at our Docs page.
~ The Cilium Team